Play interactive tour

Edit tour

Windows Analysis Report Payment.exe

Overview

General Information

Sample Name:	Payment.exe
Analysis ID:	483531
MD5:	933cedbe56bd04acdbbb183a0004162b
SHA1:	9a255a7eaa2dd334dcde3f9c8f73e8c25e3a8a65
SHA256:	a57534ac7570e5be7e25f1c0d9745dc549d56b193ed7b1547e61ae79485edc1c
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

System process connects to network (likely due to code injection or exploit)

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Initial sample is a PE file and has a suspicious name

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Modifies the prolog of user mode functions (user mode inline hooks)

Self deletion via cmd delete

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Sample file is different than original file name gathered from version info

PE file contains strange resources

Contains functionality to read the PEB

Checks if the current process is being debugged

Contains functionality to detect virtual machines (SLDT)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

Payment.exe (PID: 5232 cmdline: 'C:\Users\user\Desktop\Payment.exe' MD5: 933CEDBE56BD04ACDBBB183A0004162B)

Payment.exe (PID: 1848 cmdline: C:\Users\user\Desktop\Payment.exe MD5: 933CEDBE56BD04ACDBBB183A0004162B)

Payment.exe (PID: 5352 cmdline: C:\Users\user\Desktop\Payment.exe MD5: 933CEDBE56BD04ACDBBB183A0004162B)

explorer.exe (PID: 3388 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cscript.exe (PID: 6280 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)

cmd.exe (PID: 6500 cmdline: /c del 'C:\Users\user\Desktop\Payment.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.rafaelcristino.com/pm7s/"], "decoy": ["angrypeacocks.site", "theindependentartlable.com", "coachingforthewin.com", "localbizsc.com", "drive-a-supercar.com", "mewsette.com", "scinuh.com", "gurugramaffordablehomes.com", "riamedefarm.com", "richfitzfashions.com", "u9j1o.info", "dife-rent.com", "talesfromthequadrat.com", "dandfmotors.com", "springtexasdentist.com", "gobakala.store", "earlyeducationglobal.com", "sdrxsb.site", "dreamlifebiz.com", "theurbancaveshop.com", "rojkikhabar.com", "honeycreek-vision.com", "robinnicholsrealty.com", "orilliatownhouseteam.com", "ipedal.xyz", "ropemillcreekpaddleboarding.com", "monbeauchien.com", "achtsamkeit-in-der-schule.com", "towtruckperth.com", "shijijiaoyou.com", "belangespiritualstore.com", "gmignitionswitcheconomicset.com", "tracelanelog.com", "infiniteavionics.com", "kornfelder.com", "unnsa.xyz", "billonblocjs.com", "savingcambodia.com", "darienkitchens.com", "ecetonline.com", "softcenchina.com", "eu-global.space", "americajustsayit.com", "getverthanger.com", "arrowlankaexports.com", "xn--uds17hya4f549f40d.com", "btlbusinesscoaching.com", "aktive.net", "awkamga.com", "borostamas.com", "tuolum.net", "tnshomebuyers.com", "signatureperformace.com", "s16.solutions", "thethoughtrecord.com", "onexotyland.com", "deintuning.com", "wellrecognizewell.com", "rugpat.com", "shellieclarksonsbeautique.com", "cevicheatl.com", "usasbe.com", "listenonrepear.com", "qanoonpharmacy.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000000.289360000.000000000643E000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000000.289360000.000000000643E000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x2685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x2787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x28ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x13ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x8327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x932a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000000.289360000.000000000643E000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x5409:$sqlite3step: 68 34 1C 7B E1 0x551c:$sqlite3step: 68 34 1C 7B E1 0x5438:$sqlite3text: 68 38 2A 90 C5 0x555d:$sqlite3text: 68 38 2A 90 C5 0x544b:$sqlite3blob: 68 53 D8 7F 8C 0x5573:$sqlite3blob: 68 53 D8 7F 8C
00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.320708388.0000000000F60000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.320708388.0000000000F60000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.320708388.0000000000F60000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000013.00000002.482181814.0000000004690000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000013.00000002.482181814.0000000004690000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000013.00000002.482181814.0000000004690000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.243114794.0000000002621000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000013.00000002.477004988.0000000000910000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000013.00000002.477004988.0000000000910000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000013.00000002.477004988.0000000000910000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.322423525.00000000012D0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.322423525.00000000012D0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.322423525.00000000012D0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000000.268479166.000000000643E000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000000.268479166.000000000643E000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x2685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x2787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x28ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x13ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x8327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x932a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000000.268479166.000000000643E000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x5409:$sqlite3step: 68 34 1C 7B E1 0x551c:$sqlite3step: 68 34 1C 7B E1 0x5438:$sqlite3text: 68 38 2A 90 C5 0x555d:$sqlite3text: 68 38 2A 90 C5 0x544b:$sqlite3blob: 68 53 D8 7F 8C 0x5573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.243854024.0000000003619000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.243854024.0000000003619000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xc74b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xc7732:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xf3cd8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xf3f52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd3255:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xffa75:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xd2d41:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xff561:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xd3357:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xffb77:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xd34cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xffcef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xc814a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xf496a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xd1fbc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xfe7dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xc8e43:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xf5663:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xd8ef7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x105717:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xd9efa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.243854024.0000000003619000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xd5fd9:$sqlite3step: 68 34 1C 7B E1 0xd60ec:$sqlite3step: 68 34 1C 7B E1 0x1027f9:$sqlite3step: 68 34 1C 7B E1 0x10290c:$sqlite3step: 68 34 1C 7B E1 0xd6008:$sqlite3text: 68 38 2A 90 C5 0xd612d:$sqlite3text: 68 38 2A 90 C5 0x102828:$sqlite3text: 68 38 2A 90 C5 0x10294d:$sqlite3text: 68 38 2A 90 C5 0xd601b:$sqlite3blob: 68 53 D8 7F 8C 0xd6143:$sqlite3blob: 68 53 D8 7F 8C 0x10283b:$sqlite3blob: 68 53 D8 7F 8C 0x102963:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: Payment.exe PID: 5232	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.Payment.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.2.Payment.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.Payment.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
6.2.Payment.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.2.Payment.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.Payment.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.rafaelcristino.com/pm7s/"], "decoy": ["angrypeacocks.site", "theindependentartlable.com", "coachingforthewin.com", "localbizsc.com", "drive-a-supercar.com", "mewsette.com", "scinuh.com", "gurugramaffordablehomes.com", "riamedefarm.com", "richfitzfashions.com", "u9j1o.info", "dife-rent.com", "talesfromthequadrat.com", "dandfmotors.com", "springtexasdentist.com", "gobakala.store", "earlyeducationglobal.com", "sdrxsb.site", "dreamlifebiz.com", "theurbancaveshop.com", "rojkikhabar.com", "honeycreek-vision.com", "robinnicholsrealty.com", "orilliatownhouseteam.com", "ipedal.xyz", "ropemillcreekpaddleboarding.com", "monbeauchien.com", "achtsamkeit-in-der-schule.com", "towtruckperth.com", "shijijiaoyou.com", "belangespiritualstore.com", "gmignitionswitcheconomicset.com", "tracelanelog.com", "infiniteavionics.com", "kornfelder.com", "unnsa.xyz", "billonblocjs.com", "savingcambodia.com", "darienkitchens.com", "ecetonline.com", "softcenchina.com", "eu-global.space", "americajustsayit.com", "getverthanger.com", "arrowlankaexports.com", "xn--uds17hya4f549f40d.com", "btlbusinesscoaching.com", "aktive.net", "awkamga.com", "borostamas.com", "tuolum.net", "tnshomebuyers.com", "signatureperformace.com", "s16.solutions", "thethoughtrecord.com", "onexotyland.com", "deintuning.com", "wellrecognizewell.com", "rugpat.com", "shellieclarksonsbeautique.com", "cevicheatl.com", "usasbe.com", "listenonrepear.com", "qanoonpharmacy.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: Payment.exe	Virustotal: Detection: 52%	Perma Link
Source: Payment.exe	Metadefender: Detection: 31%	Perma Link
Source: Payment.exe	ReversingLabs: Detection: 67%

Yara detected FormBook

Show sources

Source: Yara match	File source: 6.2.Payment.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Payment.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.289360000.000000000643E000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.320708388.0000000000F60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.482181814.0000000004690000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.477004988.0000000000910000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.322423525.00000000012D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.268479166.000000000643E000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.243854024.0000000003619000.00000004.00000001.sdmp, type: MEMORY

Source: 6.2.Payment.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: Payment.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: Payment.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: cscript.pdbUGP source: Payment.exe, 00000006.00000002.324070691.0000000002E40000.00000040.00020000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Payment.exe, 00000006.00000002.321552044.00000000010BF000.00000040.00000001.sdmp, cscript.exe, 00000013.00000002.483873572.000000000494F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Payment.exe, cscript.exe
Source:	Binary string: cscript.pdb source: Payment.exe, 00000006.00000002.324070691.0000000002E40000.00000040.00020000.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49807 -> 91.195.240.94:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49807 -> 91.195.240.94:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49807 -> 91.195.240.94:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49812 -> 34.98.99.30:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49812 -> 34.98.99.30:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49812 -> 34.98.99.30:80

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.earlyeducationglobal.com
Source: C:\Windows\explorer.exe	Network Connect: 91.195.240.94 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.98.99.30 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.cevicheatl.com

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.rafaelcristino.com/pm7s/

Source: Joe Sandbox View

ASN Name: SEDO-ASDE SEDO-ASDE

Source: global traffic	HTTP traffic detected: GET /pm7s/?v2J83=dDHD9XVxev94&-Zi=VaPpcx8n3Tp8D9xgbNtl8vulXgBvw8jFIvpULVCQhIlh0W4Hjuc6qrQSfYpFlZollCUL HTTP/1.1Host: www.cevicheatl.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pm7s/?-Zi=lvCYA3THHwf3zrDy6Hq/UQWt6LGRVtHVYfKCQGlaiZ/7JUYV8wEH0lTBDrKh23L7whpy&v2J83=dDHD9XVxev94 HTTP/1.1Host: www.earlyeducationglobal.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 91.195.240.94 91.195.240.94

Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown

DNS traffic detected: queries for: www.cevicheatl.com

Source: global traffic	HTTP traffic detected: GET /pm7s/?v2J83=dDHD9XVxev94&-Zi=VaPpcx8n3Tp8D9xgbNtl8vulXgBvw8jFIvpULVCQhIlh0W4Hjuc6qrQSfYpFlZollCUL HTTP/1.1Host: www.cevicheatl.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pm7s/?-Zi=lvCYA3THHwf3zrDy6Hq/UQWt6LGRVtHVYfKCQGlaiZ/7JUYV8wEH0lTBDrKh23L7whpy&v2J83=dDHD9XVxev94 HTTP/1.1Host: www.earlyeducationglobal.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 6.2.Payment.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Payment.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.289360000.000000000643E000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.320708388.0000000000F60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.482181814.0000000004690000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.477004988.0000000000910000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.322423525.00000000012D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.268479166.000000000643E000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.243854024.0000000003619000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 6.2.Payment.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.Payment.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.Payment.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.Payment.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.289360000.000000000643E000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.289360000.000000000643E000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.320708388.0000000000F60000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.320708388.0000000000F60000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.482181814.0000000004690000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.482181814.0000000004690000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.477004988.0000000000910000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.477004988.0000000000910000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.322423525.00000000012D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.322423525.00000000012D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.268479166.000000000643E000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.268479166.000000000643E000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.243854024.0000000003619000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.243854024.0000000003619000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Payment.exe

Source: Payment.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 6.2.Payment.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.Payment.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.Payment.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.Payment.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.289360000.000000000643E000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.289360000.000000000643E000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.320708388.0000000000F60000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.320708388.0000000000F60000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.482181814.0000000004690000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.482181814.0000000004690000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.477004988.0000000000910000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.477004988.0000000000910000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.322423525.00000000012D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.322423525.00000000012D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.268479166.000000000643E000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.268479166.000000000643E000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.243854024.0000000003619000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.243854024.0000000003619000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_001F2211	1_2_001F2211
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_00DBC104	1_2_00DBC104
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_00DBE550	1_2_00DBE550
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_00DBE540	1_2_00DBE540
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_06BEB00C	1_2_06BEB00C
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_06BE7A18	1_2_06BE7A18
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_06BED2A1	1_2_06BED2A1
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_06BEB1C0	1_2_06BEB1C0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 5_2_00362211	5_2_00362211
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0041D84D	6_2_0041D84D
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00401030	6_2_00401030
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0041D215	6_2_0041D215
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0041DB06	6_2_0041DB06
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0041DC38	6_2_0041DC38
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00402D87	6_2_00402D87
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00402D90	6_2_00402D90
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00409E40	6_2_00409E40
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00409E3F	6_2_00409E3F
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00402FB0	6_2_00402FB0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00542211	6_2_00542211
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF20A0	6_2_00FF20A0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FDB090	6_2_00FDB090
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01081002	6_2_01081002
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0109E824	6_2_0109E824
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_010920A8	6_2_010920A8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FE4120	6_2_00FE4120
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_010928EC	6_2_010928EC
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FCF900	6_2_00FCF900
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01092B28	6_2_01092B28
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_010803DA	6_2_010803DA
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0108DBD2	6_2_0108DBD2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0107FA2B	6_2_0107FA2B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FFEBB0	6_2_00FFEBB0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_010922AE	6_2_010922AE
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FEAB40	6_2_00FEAB40
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01092D07	6_2_01092D07
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01091D55	6_2_01091D55
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_010925DD	6_2_010925DD
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FD841F	6_2_00FD841F
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FDD5E0	6_2_00FDD5E0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0108D466	6_2_0108D466
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF2581	6_2_00FF2581
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FC0D20	6_2_00FC0D20
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0109DFCE	6_2_0109DFCE
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FE6E30	6_2_00FE6E30
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01091FF1	6_2_01091FF1
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0108D616	6_2_0108D616
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01092EF7	6_2_01092EF7
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0486B090	19_2_0486B090
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048820A0	19_2_048820A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_049220A8	19_2_049220A8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04911002	19_2_04911002
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0486841F	19_2_0486841F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04882581	19_2_04882581
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0486D5E0	19_2_0486D5E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0485F900	19_2_0485F900
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04922D07	19_2_04922D07
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04850D20	19_2_04850D20
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04874120	19_2_04874120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04921D55	19_2_04921D55
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_049222AE	19_2_049222AE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04922EF7	19_2_04922EF7
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04876E30	19_2_04876E30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0488EBB0	19_2_0488EBB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04921FF1	19_2_04921FF1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04922B28	19_2_04922B28
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0081D84D	19_2_0081D84D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0081DB06	19_2_0081DB06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0081DC38	19_2_0081DC38
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_00802D87	19_2_00802D87
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_00802D90	19_2_00802D90
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_00809E3F	19_2_00809E3F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_00809E40	19_2_00809E40
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_00802FB0	19_2_00802FB0

Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 0485B150 appears 35 times
Source: C:\Users\user\Desktop\Payment.exe	Code function: String function: 00FCB150 appears 48 times

Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00419D60 NtCreateFile,	6_2_00419D60
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00419E10 NtReadFile,	6_2_00419E10
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00419E90 NtClose,	6_2_00419E90
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00419F40 NtAllocateVirtualMemory,	6_2_00419F40
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00419D5A NtCreateFile,	6_2_00419D5A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00419DB2 NtReadFile,	6_2_00419DB2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00419E8B NtClose,	6_2_00419E8B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00419F3A NtAllocateVirtualMemory,	6_2_00419F3A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01009910 NtAdjustPrivilegesToken,LdrInitializeThunk,	6_2_01009910
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_010099A0 NtCreateSection,LdrInitializeThunk,	6_2_010099A0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01009840 NtDelayExecution,LdrInitializeThunk,	6_2_01009840
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01009860 NtQuerySystemInformation,LdrInitializeThunk,	6_2_01009860
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_010098F0 NtReadVirtualMemory,LdrInitializeThunk,	6_2_010098F0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01009A00 NtProtectVirtualMemory,LdrInitializeThunk,	6_2_01009A00
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01009A20 NtResumeThread,LdrInitializeThunk,	6_2_01009A20
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01009A50 NtCreateFile,LdrInitializeThunk,	6_2_01009A50
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01009540 NtReadFile,LdrInitializeThunk,	6_2_01009540
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_010095D0 NtClose,LdrInitializeThunk,	6_2_010095D0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01009710 NtQueryInformationToken,LdrInitializeThunk,	6_2_01009710
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01009780 NtMapViewOfSection,LdrInitializeThunk,	6_2_01009780
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_010097A0 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_010097A0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01009660 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_01009660
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_010096E0 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_010096E0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01009950 NtQueueApcThread,	6_2_01009950
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_010099D0 NtCreateProcessEx,	6_2_010099D0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01009820 NtEnumerateKey,	6_2_01009820
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0100B040 NtSuspendThread,	6_2_0100B040
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_010098A0 NtWriteVirtualMemory,	6_2_010098A0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01009B00 NtSetValueKey,	6_2_01009B00
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0100A3B0 NtGetContextThread,	6_2_0100A3B0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01009A10 NtQuerySection,	6_2_01009A10
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01009A80 NtOpenDirectoryObject,	6_2_01009A80
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01009520 NtWaitForSingleObject,	6_2_01009520
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0100AD30 NtSetContextThread,	6_2_0100AD30
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01009560 NtWriteFile,	6_2_01009560
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_010095F0 NtQueryInformationFile,	6_2_010095F0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0100A710 NtOpenProcessToken,	6_2_0100A710
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01009730 NtQueryVirtualMemory,	6_2_01009730
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01009760 NtOpenProcess,	6_2_01009760
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0100A770 NtOpenThread,	6_2_0100A770
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01009770 NtSetInformationFile,	6_2_01009770
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01009FE0 NtCreateMutant,	6_2_01009FE0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01009610 NtEnumerateValueKey,	6_2_01009610
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01009650 NtQueryValueKey,	6_2_01009650
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01009670 NtQueryInformationProcess,	6_2_01009670
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_010096D0 NtCreateKey,	6_2_010096D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04899840 NtDelayExecution,LdrInitializeThunk,	19_2_04899840
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04899860 NtQuerySystemInformation,LdrInitializeThunk,	19_2_04899860
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048999A0 NtCreateSection,LdrInitializeThunk,	19_2_048999A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048995D0 NtClose,LdrInitializeThunk,	19_2_048995D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04899910 NtAdjustPrivilegesToken,LdrInitializeThunk,	19_2_04899910
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04899540 NtReadFile,LdrInitializeThunk,	19_2_04899540
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048996D0 NtCreateKey,LdrInitializeThunk,	19_2_048996D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048996E0 NtFreeVirtualMemory,LdrInitializeThunk,	19_2_048996E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04899A50 NtCreateFile,LdrInitializeThunk,	19_2_04899A50
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04899650 NtQueryValueKey,LdrInitializeThunk,	19_2_04899650
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04899660 NtAllocateVirtualMemory,LdrInitializeThunk,	19_2_04899660
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04899780 NtMapViewOfSection,LdrInitializeThunk,	19_2_04899780
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04899FE0 NtCreateMutant,LdrInitializeThunk,	19_2_04899FE0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04899710 NtQueryInformationToken,LdrInitializeThunk,	19_2_04899710
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048998A0 NtWriteVirtualMemory,	19_2_048998A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048998F0 NtReadVirtualMemory,	19_2_048998F0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04899820 NtEnumerateKey,	19_2_04899820
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0489B040 NtSuspendThread,	19_2_0489B040
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048999D0 NtCreateProcessEx,	19_2_048999D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048995F0 NtQueryInformationFile,	19_2_048995F0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04899520 NtWaitForSingleObject,	19_2_04899520
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0489AD30 NtSetContextThread,	19_2_0489AD30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04899950 NtQueueApcThread,	19_2_04899950
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04899560 NtWriteFile,	19_2_04899560
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04899A80 NtOpenDirectoryObject,	19_2_04899A80
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04899A00 NtProtectVirtualMemory,	19_2_04899A00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04899610 NtEnumerateValueKey,	19_2_04899610
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04899A10 NtQuerySection,	19_2_04899A10
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04899A20 NtResumeThread,	19_2_04899A20
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04899670 NtQueryInformationProcess,	19_2_04899670
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048997A0 NtUnmapViewOfSection,	19_2_048997A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0489A3B0 NtGetContextThread,	19_2_0489A3B0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04899B00 NtSetValueKey,	19_2_04899B00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0489A710 NtOpenProcessToken,	19_2_0489A710
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04899730 NtQueryVirtualMemory,	19_2_04899730
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04899760 NtOpenProcess,	19_2_04899760
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04899770 NtSetInformationFile,	19_2_04899770
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0489A770 NtOpenThread,	19_2_0489A770
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_00819D60 NtCreateFile,	19_2_00819D60
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_00819E90 NtClose,	19_2_00819E90
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_00819E10 NtReadFile,	19_2_00819E10
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_00819F40 NtAllocateVirtualMemory,	19_2_00819F40
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_00819DB2 NtReadFile,	19_2_00819DB2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_00819D5A NtCreateFile,	19_2_00819D5A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_00819E8B NtClose,	19_2_00819E8B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_00819F3A NtAllocateVirtualMemory,	19_2_00819F3A

Source: Payment.exe, 00000001.00000002.247268783.00000000072F0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs Payment.exe
Source: Payment.exe, 00000001.00000002.243123804.0000000002627000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameriched20.dllp( vs Payment.exe
Source: Payment.exe, 00000001.00000002.243123804.0000000002627000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename vs Payment.exe
Source: Payment.exe, 00000001.00000002.243123804.0000000002627000.00000004.00000001.sdmp	Binary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs Payment.exe
Source: Payment.exe, 00000001.00000002.243123804.0000000002627000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameEnvoySinks.dll6 vs Payment.exe
Source: Payment.exe, 00000001.00000002.241622342.0000000000270000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIObjectHand.exe> vs Payment.exe
Source: Payment.exe, 00000005.00000000.239308017.00000000003E0000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIObjectHand.exe> vs Payment.exe
Source: Payment.exe, 00000006.00000000.240548929.00000000005C0000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIObjectHand.exe> vs Payment.exe
Source: Payment.exe, 00000006.00000002.321552044.00000000010BF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Payment.exe
Source: Payment.exe, 00000006.00000002.324070691.0000000002E40000.00000040.00020000.sdmp	Binary or memory string: OriginalFilenamecscript.exe` vs Payment.exe
Source: Payment.exe	Binary or memory string: OriginalFilenameIObjectHand.exe> vs Payment.exe

Source: Payment.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Payment.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Payment.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: Payment.exe	Virustotal: Detection: 52%
Source: Payment.exe	Metadefender: Detection: 31%
Source: Payment.exe	ReversingLabs: Detection: 67%

Source: Payment.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Payment.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Payment.exe 'C:\Users\user\Desktop\Payment.exe'
Source: C:\Users\user\Desktop\Payment.exe	Process created: C:\Users\user\Desktop\Payment.exe C:\Users\user\Desktop\Payment.exe
Source: C:\Users\user\Desktop\Payment.exe	Process created: C:\Users\user\Desktop\Payment.exe C:\Users\user\Desktop\Payment.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment.exe	Process created: C:\Users\user\Desktop\Payment.exe C:\Users\user\Desktop\Payment.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process created: C:\Users\user\Desktop\Payment.exe C:\Users\user\Desktop\Payment.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment.exe'	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Payment.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@9/1@2/2

Source: C:\Users\user\Desktop\Payment.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6520:120:WilError_01

Source: Payment.exe, u0006u2001.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.Payment.exe.1f0000.0.unpack, u0006u2001.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.Payment.exe.1f0000.0.unpack, u0006u2001.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.Payment.exe.360000.0.unpack, u0006u2001.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.Payment.exe.360000.0.unpack, u0006u2001.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.2.Payment.exe.540000.1.unpack, u0006u2001.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\Payment.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Payment.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Payment.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: cscript.pdbUGP source: Payment.exe, 00000006.00000002.324070691.0000000002E40000.00000040.00020000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Payment.exe, 00000006.00000002.321552044.00000000010BF000.00000040.00000001.sdmp, cscript.exe, 00000013.00000002.483873572.000000000494F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Payment.exe, cscript.exe
Source:	Binary string: cscript.pdb source: Payment.exe, 00000006.00000002.324070691.0000000002E40000.00000040.00020000.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: Payment.exe, u0006u2001.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.Payment.exe.1f0000.0.unpack, u0006u2001.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Payment.exe.1f0000.0.unpack, u0006u2001.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.Payment.exe.360000.0.unpack, u0006u2001.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Payment.exe.360000.0.unpack, u0006u2001.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.Payment.exe.540000.1.unpack, u0006u2001.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.Payment.exe.540000.0.unpack, u0006u2001.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_001F42B3 push 00000036h; iretd	1_2_001F42C3
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_001F4321 push 00000036h; iretd	1_2_001F42C3
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_06BEF733 pushad ; iretd	1_2_06BEF739
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_06BEDF80 push esp; ret	1_2_06BEDF81
Source: C:\Users\user\Desktop\Payment.exe	Code function: 5_2_003642B3 push 00000036h; iretd	5_2_003642C3
Source: C:\Users\user\Desktop\Payment.exe	Code function: 5_2_00364321 push 00000036h; iretd	5_2_003642C3
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0041E06E push edx; ret	6_2_0041E074
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0041CEB5 push eax; ret	6_2_0041CF08
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0041CF6C push eax; ret	6_2_0041CF72
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0041CF02 push eax; ret	6_2_0041CF08
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0041CF0B push eax; ret	6_2_0041CF72
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_005442B3 push 00000036h; iretd	6_2_005442C3
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00544321 push 00000036h; iretd	6_2_005442C3
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0101D0D1 push ecx; ret	6_2_0101D0E4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048AD0D1 push ecx; ret	19_2_048AD0E4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0081E06E push edx; ret	19_2_0081E074
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0081CEB5 push eax; ret	19_2_0081CF08
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0081CF02 push eax; ret	19_2_0081CF08
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0081CF0B push eax; ret	19_2_0081CF72
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0081CF6C push eax; ret	19_2_0081CF72

Source: initial sample

Static PE information: section name: .text entropy: 7.91580879316

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x84 0x4E 0xED

Self deletion via cmd delete

Show sources

Source: C:\Windows\SysWOW64\cscript.exe	Process created: /c del 'C:\Users\user\Desktop\Payment.exe'
Source: C:\Windows\SysWOW64\cscript.exe	Process created: /c del 'C:\Users\user\Desktop\Payment.exe'			Jump to behavior

Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000001.00000002.243114794.0000000002621000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment.exe PID: 5232, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Payment.exe, 00000001.00000002.243114794.0000000002621000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Payment.exe, 00000001.00000002.243114794.0000000002621000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Payment.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Payment.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 00000000008098E4 second address: 00000000008098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 0000000000809B5E second address: 0000000000809B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Payment.exe TID: 5652	Thread sleep time: -35939s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 4308	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5760	Thread sleep time: -34000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe TID: 6284	Thread sleep time: -35000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Payment.exe

Code function: 6_2_00409A90 rdtsc

6_2_00409A90

Source: C:\Users\user\Desktop\Payment.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\Payment.exe

Code function: 1_2_001F32D9 sldt word ptr [eax]

1_2_001F32D9

Source: C:\Users\user\Desktop\Payment.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 35939			Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000007.00000000.272966817.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000007.00000000.272966817.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000007.00000000.257080636.0000000008907000.00000004.00000001.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.256178106.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Payment.exe, 00000001.00000002.243114794.0000000002621000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Payment.exe, 00000001.00000002.243114794.0000000002621000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Payment.exe, 00000001.00000002.243114794.0000000002621000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000007.00000000.351304956.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: Payment.exe, 00000001.00000002.243114794.0000000002621000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 00000007.00000000.272966817.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000007.00000000.272966817.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000007.00000000.273120802.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000007.00000000.351410971.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: Payment.exe, 00000001.00000002.243114794.0000000002621000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000007.00000000.263918274.0000000001398000.00000004.00000020.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oft.Mic
Source: Payment.exe, 00000001.00000002.243114794.0000000002621000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Payment.exe, 00000001.00000002.243114794.0000000002621000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000007.00000000.277265202.000000000F5C0000.00000004.00000001.sdmp	Binary or memory string: qeMusic
Source: Payment.exe, 00000001.00000002.243114794.0000000002621000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\Payment.exe

Code function: 6_2_00409A90 rdtsc

6_2_00409A90

Source: C:\Users\user\Desktop\Payment.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FC58EC mov eax, dword ptr fs:[00000030h]	6_2_00FC58EC
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FC40E1 mov eax, dword ptr fs:[00000030h]	6_2_00FC40E1
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FC40E1 mov eax, dword ptr fs:[00000030h]	6_2_00FC40E1
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FC40E1 mov eax, dword ptr fs:[00000030h]	6_2_00FC40E1
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FFF0BF mov ecx, dword ptr fs:[00000030h]	6_2_00FFF0BF
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FFF0BF mov eax, dword ptr fs:[00000030h]	6_2_00FFF0BF
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FFF0BF mov eax, dword ptr fs:[00000030h]	6_2_00FFF0BF
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF20A0 mov eax, dword ptr fs:[00000030h]	6_2_00FF20A0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF20A0 mov eax, dword ptr fs:[00000030h]	6_2_00FF20A0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF20A0 mov eax, dword ptr fs:[00000030h]	6_2_00FF20A0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF20A0 mov eax, dword ptr fs:[00000030h]	6_2_00FF20A0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF20A0 mov eax, dword ptr fs:[00000030h]	6_2_00FF20A0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF20A0 mov eax, dword ptr fs:[00000030h]	6_2_00FF20A0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FC9080 mov eax, dword ptr fs:[00000030h]	6_2_00FC9080
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_010469A6 mov eax, dword ptr fs:[00000030h]	6_2_010469A6
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_010849A4 mov eax, dword ptr fs:[00000030h]	6_2_010849A4
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_010849A4 mov eax, dword ptr fs:[00000030h]	6_2_010849A4
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_010849A4 mov eax, dword ptr fs:[00000030h]	6_2_010849A4
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_010849A4 mov eax, dword ptr fs:[00000030h]	6_2_010849A4
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FE0050 mov eax, dword ptr fs:[00000030h]	6_2_00FE0050
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FE0050 mov eax, dword ptr fs:[00000030h]	6_2_00FE0050
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_010451BE mov eax, dword ptr fs:[00000030h]	6_2_010451BE
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_010451BE mov eax, dword ptr fs:[00000030h]	6_2_010451BE
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_010451BE mov eax, dword ptr fs:[00000030h]	6_2_010451BE
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_010451BE mov eax, dword ptr fs:[00000030h]	6_2_010451BE
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF002D mov eax, dword ptr fs:[00000030h]	6_2_00FF002D
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF002D mov eax, dword ptr fs:[00000030h]	6_2_00FF002D
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF002D mov eax, dword ptr fs:[00000030h]	6_2_00FF002D
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF002D mov eax, dword ptr fs:[00000030h]	6_2_00FF002D
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF002D mov eax, dword ptr fs:[00000030h]	6_2_00FF002D
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FDB02A mov eax, dword ptr fs:[00000030h]	6_2_00FDB02A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FDB02A mov eax, dword ptr fs:[00000030h]	6_2_00FDB02A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FDB02A mov eax, dword ptr fs:[00000030h]	6_2_00FDB02A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FDB02A mov eax, dword ptr fs:[00000030h]	6_2_00FDB02A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_010541E8 mov eax, dword ptr fs:[00000030h]	6_2_010541E8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01047016 mov eax, dword ptr fs:[00000030h]	6_2_01047016
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01047016 mov eax, dword ptr fs:[00000030h]	6_2_01047016
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01047016 mov eax, dword ptr fs:[00000030h]	6_2_01047016
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01094015 mov eax, dword ptr fs:[00000030h]	6_2_01094015
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01094015 mov eax, dword ptr fs:[00000030h]	6_2_01094015
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FCB1E1 mov eax, dword ptr fs:[00000030h]	6_2_00FCB1E1
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FCB1E1 mov eax, dword ptr fs:[00000030h]	6_2_00FCB1E1
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FCB1E1 mov eax, dword ptr fs:[00000030h]	6_2_00FCB1E1
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF61A0 mov eax, dword ptr fs:[00000030h]	6_2_00FF61A0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF61A0 mov eax, dword ptr fs:[00000030h]	6_2_00FF61A0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF2990 mov eax, dword ptr fs:[00000030h]	6_2_00FF2990
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FFA185 mov eax, dword ptr fs:[00000030h]	6_2_00FFA185
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01082073 mov eax, dword ptr fs:[00000030h]	6_2_01082073
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FEC182 mov eax, dword ptr fs:[00000030h]	6_2_00FEC182
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01091074 mov eax, dword ptr fs:[00000030h]	6_2_01091074
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01043884 mov eax, dword ptr fs:[00000030h]	6_2_01043884
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01043884 mov eax, dword ptr fs:[00000030h]	6_2_01043884
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FCB171 mov eax, dword ptr fs:[00000030h]	6_2_00FCB171
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FCB171 mov eax, dword ptr fs:[00000030h]	6_2_00FCB171
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FCC962 mov eax, dword ptr fs:[00000030h]	6_2_00FCC962
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_010090AF mov eax, dword ptr fs:[00000030h]	6_2_010090AF
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FEB944 mov eax, dword ptr fs:[00000030h]	6_2_00FEB944
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FEB944 mov eax, dword ptr fs:[00000030h]	6_2_00FEB944
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF513A mov eax, dword ptr fs:[00000030h]	6_2_00FF513A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF513A mov eax, dword ptr fs:[00000030h]	6_2_00FF513A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0105B8D0 mov eax, dword ptr fs:[00000030h]	6_2_0105B8D0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0105B8D0 mov ecx, dword ptr fs:[00000030h]	6_2_0105B8D0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0105B8D0 mov eax, dword ptr fs:[00000030h]	6_2_0105B8D0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0105B8D0 mov eax, dword ptr fs:[00000030h]	6_2_0105B8D0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0105B8D0 mov eax, dword ptr fs:[00000030h]	6_2_0105B8D0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0105B8D0 mov eax, dword ptr fs:[00000030h]	6_2_0105B8D0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FE4120 mov eax, dword ptr fs:[00000030h]	6_2_00FE4120
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FE4120 mov eax, dword ptr fs:[00000030h]	6_2_00FE4120
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FE4120 mov eax, dword ptr fs:[00000030h]	6_2_00FE4120
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FE4120 mov eax, dword ptr fs:[00000030h]	6_2_00FE4120
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FE4120 mov ecx, dword ptr fs:[00000030h]	6_2_00FE4120
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FC9100 mov eax, dword ptr fs:[00000030h]	6_2_00FC9100
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FC9100 mov eax, dword ptr fs:[00000030h]	6_2_00FC9100
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FC9100 mov eax, dword ptr fs:[00000030h]	6_2_00FC9100
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0108131B mov eax, dword ptr fs:[00000030h]	6_2_0108131B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF2AE4 mov eax, dword ptr fs:[00000030h]	6_2_00FF2AE4
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF2ACB mov eax, dword ptr fs:[00000030h]	6_2_00FF2ACB
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FDAAB0 mov eax, dword ptr fs:[00000030h]	6_2_00FDAAB0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FDAAB0 mov eax, dword ptr fs:[00000030h]	6_2_00FDAAB0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FFFAB0 mov eax, dword ptr fs:[00000030h]	6_2_00FFFAB0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01098B58 mov eax, dword ptr fs:[00000030h]	6_2_01098B58
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FC52A5 mov eax, dword ptr fs:[00000030h]	6_2_00FC52A5
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FC52A5 mov eax, dword ptr fs:[00000030h]	6_2_00FC52A5
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FC52A5 mov eax, dword ptr fs:[00000030h]	6_2_00FC52A5
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FC52A5 mov eax, dword ptr fs:[00000030h]	6_2_00FC52A5
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FC52A5 mov eax, dword ptr fs:[00000030h]	6_2_00FC52A5
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FFD294 mov eax, dword ptr fs:[00000030h]	6_2_00FFD294
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FFD294 mov eax, dword ptr fs:[00000030h]	6_2_00FFD294
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0108138A mov eax, dword ptr fs:[00000030h]	6_2_0108138A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0107D380 mov ecx, dword ptr fs:[00000030h]	6_2_0107D380
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01095BA5 mov eax, dword ptr fs:[00000030h]	6_2_01095BA5
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FC9240 mov eax, dword ptr fs:[00000030h]	6_2_00FC9240
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FC9240 mov eax, dword ptr fs:[00000030h]	6_2_00FC9240
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FC9240 mov eax, dword ptr fs:[00000030h]	6_2_00FC9240
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FC9240 mov eax, dword ptr fs:[00000030h]	6_2_00FC9240
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_010453CA mov eax, dword ptr fs:[00000030h]	6_2_010453CA
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_010453CA mov eax, dword ptr fs:[00000030h]	6_2_010453CA
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FEA229 mov eax, dword ptr fs:[00000030h]	6_2_00FEA229
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FEA229 mov eax, dword ptr fs:[00000030h]	6_2_00FEA229
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FEA229 mov eax, dword ptr fs:[00000030h]	6_2_00FEA229
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FEA229 mov eax, dword ptr fs:[00000030h]	6_2_00FEA229
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FEA229 mov eax, dword ptr fs:[00000030h]	6_2_00FEA229
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FEA229 mov eax, dword ptr fs:[00000030h]	6_2_00FEA229
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FEA229 mov eax, dword ptr fs:[00000030h]	6_2_00FEA229
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FEA229 mov eax, dword ptr fs:[00000030h]	6_2_00FEA229
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FEA229 mov eax, dword ptr fs:[00000030h]	6_2_00FEA229
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FE3A1C mov eax, dword ptr fs:[00000030h]	6_2_00FE3A1C
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FCAA16 mov eax, dword ptr fs:[00000030h]	6_2_00FCAA16
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FCAA16 mov eax, dword ptr fs:[00000030h]	6_2_00FCAA16
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FC5210 mov eax, dword ptr fs:[00000030h]	6_2_00FC5210
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FC5210 mov ecx, dword ptr fs:[00000030h]	6_2_00FC5210
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FC5210 mov eax, dword ptr fs:[00000030h]	6_2_00FC5210
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FC5210 mov eax, dword ptr fs:[00000030h]	6_2_00FC5210
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FD8A0A mov eax, dword ptr fs:[00000030h]	6_2_00FD8A0A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FEDBE9 mov eax, dword ptr fs:[00000030h]	6_2_00FEDBE9
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF03E2 mov eax, dword ptr fs:[00000030h]	6_2_00FF03E2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF03E2 mov eax, dword ptr fs:[00000030h]	6_2_00FF03E2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF03E2 mov eax, dword ptr fs:[00000030h]	6_2_00FF03E2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF03E2 mov eax, dword ptr fs:[00000030h]	6_2_00FF03E2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF03E2 mov eax, dword ptr fs:[00000030h]	6_2_00FF03E2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF03E2 mov eax, dword ptr fs:[00000030h]	6_2_00FF03E2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0108AA16 mov eax, dword ptr fs:[00000030h]	6_2_0108AA16
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0108AA16 mov eax, dword ptr fs:[00000030h]	6_2_0108AA16
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01004A2C mov eax, dword ptr fs:[00000030h]	6_2_01004A2C
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01004A2C mov eax, dword ptr fs:[00000030h]	6_2_01004A2C
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF4BAD mov eax, dword ptr fs:[00000030h]	6_2_00FF4BAD
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF4BAD mov eax, dword ptr fs:[00000030h]	6_2_00FF4BAD
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF4BAD mov eax, dword ptr fs:[00000030h]	6_2_00FF4BAD
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01054257 mov eax, dword ptr fs:[00000030h]	6_2_01054257
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0108EA55 mov eax, dword ptr fs:[00000030h]	6_2_0108EA55
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0107B260 mov eax, dword ptr fs:[00000030h]	6_2_0107B260
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0107B260 mov eax, dword ptr fs:[00000030h]	6_2_0107B260
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF2397 mov eax, dword ptr fs:[00000030h]	6_2_00FF2397
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01098A62 mov eax, dword ptr fs:[00000030h]	6_2_01098A62
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FFB390 mov eax, dword ptr fs:[00000030h]	6_2_00FFB390
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FD1B8F mov eax, dword ptr fs:[00000030h]	6_2_00FD1B8F
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FD1B8F mov eax, dword ptr fs:[00000030h]	6_2_00FD1B8F
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0100927A mov eax, dword ptr fs:[00000030h]	6_2_0100927A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF3B7A mov eax, dword ptr fs:[00000030h]	6_2_00FF3B7A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF3B7A mov eax, dword ptr fs:[00000030h]	6_2_00FF3B7A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FCDB60 mov ecx, dword ptr fs:[00000030h]	6_2_00FCDB60
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FCF358 mov eax, dword ptr fs:[00000030h]	6_2_00FCF358
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FCDB40 mov eax, dword ptr fs:[00000030h]	6_2_00FCDB40
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0108E539 mov eax, dword ptr fs:[00000030h]	6_2_0108E539
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0104A537 mov eax, dword ptr fs:[00000030h]	6_2_0104A537
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01098D34 mov eax, dword ptr fs:[00000030h]	6_2_01098D34
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01003D43 mov eax, dword ptr fs:[00000030h]	6_2_01003D43
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01043540 mov eax, dword ptr fs:[00000030h]	6_2_01043540
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01073D40 mov eax, dword ptr fs:[00000030h]	6_2_01073D40
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FD849B mov eax, dword ptr fs:[00000030h]	6_2_00FD849B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FE746D mov eax, dword ptr fs:[00000030h]	6_2_00FE746D
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_010905AC mov eax, dword ptr fs:[00000030h]	6_2_010905AC
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_010905AC mov eax, dword ptr fs:[00000030h]	6_2_010905AC
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FFA44B mov eax, dword ptr fs:[00000030h]	6_2_00FFA44B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01046DC9 mov eax, dword ptr fs:[00000030h]	6_2_01046DC9
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01046DC9 mov eax, dword ptr fs:[00000030h]	6_2_01046DC9
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01046DC9 mov eax, dword ptr fs:[00000030h]	6_2_01046DC9
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01046DC9 mov ecx, dword ptr fs:[00000030h]	6_2_01046DC9
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01046DC9 mov eax, dword ptr fs:[00000030h]	6_2_01046DC9
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01046DC9 mov eax, dword ptr fs:[00000030h]	6_2_01046DC9
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FFBC2C mov eax, dword ptr fs:[00000030h]	6_2_00FFBC2C
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0108FDE2 mov eax, dword ptr fs:[00000030h]	6_2_0108FDE2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0108FDE2 mov eax, dword ptr fs:[00000030h]	6_2_0108FDE2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0108FDE2 mov eax, dword ptr fs:[00000030h]	6_2_0108FDE2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0108FDE2 mov eax, dword ptr fs:[00000030h]	6_2_0108FDE2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01078DF1 mov eax, dword ptr fs:[00000030h]	6_2_01078DF1
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0109740D mov eax, dword ptr fs:[00000030h]	6_2_0109740D
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0109740D mov eax, dword ptr fs:[00000030h]	6_2_0109740D
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0109740D mov eax, dword ptr fs:[00000030h]	6_2_0109740D
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01081C06 mov eax, dword ptr fs:[00000030h]	6_2_01081C06
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01081C06 mov eax, dword ptr fs:[00000030h]	6_2_01081C06
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01081C06 mov eax, dword ptr fs:[00000030h]	6_2_01081C06
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01081C06 mov eax, dword ptr fs:[00000030h]	6_2_01081C06
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01081C06 mov eax, dword ptr fs:[00000030h]	6_2_01081C06
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01081C06 mov eax, dword ptr fs:[00000030h]	6_2_01081C06
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01081C06 mov eax, dword ptr fs:[00000030h]	6_2_01081C06
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01081C06 mov eax, dword ptr fs:[00000030h]	6_2_01081C06
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01081C06 mov eax, dword ptr fs:[00000030h]	6_2_01081C06
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01081C06 mov eax, dword ptr fs:[00000030h]	6_2_01081C06
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01081C06 mov eax, dword ptr fs:[00000030h]	6_2_01081C06
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01081C06 mov eax, dword ptr fs:[00000030h]	6_2_01081C06
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01081C06 mov eax, dword ptr fs:[00000030h]	6_2_01081C06
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01081C06 mov eax, dword ptr fs:[00000030h]	6_2_01081C06
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01046C0A mov eax, dword ptr fs:[00000030h]	6_2_01046C0A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01046C0A mov eax, dword ptr fs:[00000030h]	6_2_01046C0A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01046C0A mov eax, dword ptr fs:[00000030h]	6_2_01046C0A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01046C0A mov eax, dword ptr fs:[00000030h]	6_2_01046C0A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FDD5E0 mov eax, dword ptr fs:[00000030h]	6_2_00FDD5E0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FDD5E0 mov eax, dword ptr fs:[00000030h]	6_2_00FDD5E0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF1DB5 mov eax, dword ptr fs:[00000030h]	6_2_00FF1DB5
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF1DB5 mov eax, dword ptr fs:[00000030h]	6_2_00FF1DB5
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF1DB5 mov eax, dword ptr fs:[00000030h]	6_2_00FF1DB5
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0105C450 mov eax, dword ptr fs:[00000030h]	6_2_0105C450
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0105C450 mov eax, dword ptr fs:[00000030h]	6_2_0105C450
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF35A1 mov eax, dword ptr fs:[00000030h]	6_2_00FF35A1
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FFFD9B mov eax, dword ptr fs:[00000030h]	6_2_00FFFD9B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FFFD9B mov eax, dword ptr fs:[00000030h]	6_2_00FFFD9B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FC2D8A mov eax, dword ptr fs:[00000030h]	6_2_00FC2D8A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FC2D8A mov eax, dword ptr fs:[00000030h]	6_2_00FC2D8A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FC2D8A mov eax, dword ptr fs:[00000030h]	6_2_00FC2D8A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FC2D8A mov eax, dword ptr fs:[00000030h]	6_2_00FC2D8A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FC2D8A mov eax, dword ptr fs:[00000030h]	6_2_00FC2D8A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF2581 mov eax, dword ptr fs:[00000030h]	6_2_00FF2581
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF2581 mov eax, dword ptr fs:[00000030h]	6_2_00FF2581
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF2581 mov eax, dword ptr fs:[00000030h]	6_2_00FF2581
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF2581 mov eax, dword ptr fs:[00000030h]	6_2_00FF2581
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FEC577 mov eax, dword ptr fs:[00000030h]	6_2_00FEC577
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FEC577 mov eax, dword ptr fs:[00000030h]	6_2_00FEC577
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FE7D50 mov eax, dword ptr fs:[00000030h]	6_2_00FE7D50
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF4D3B mov eax, dword ptr fs:[00000030h]	6_2_00FF4D3B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF4D3B mov eax, dword ptr fs:[00000030h]	6_2_00FF4D3B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF4D3B mov eax, dword ptr fs:[00000030h]	6_2_00FF4D3B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FD3D34 mov eax, dword ptr fs:[00000030h]	6_2_00FD3D34
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FD3D34 mov eax, dword ptr fs:[00000030h]	6_2_00FD3D34
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FD3D34 mov eax, dword ptr fs:[00000030h]	6_2_00FD3D34
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FD3D34 mov eax, dword ptr fs:[00000030h]	6_2_00FD3D34
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FD3D34 mov eax, dword ptr fs:[00000030h]	6_2_00FD3D34
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FD3D34 mov eax, dword ptr fs:[00000030h]	6_2_00FD3D34
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FD3D34 mov eax, dword ptr fs:[00000030h]	6_2_00FD3D34
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FD3D34 mov eax, dword ptr fs:[00000030h]	6_2_00FD3D34
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FD3D34 mov eax, dword ptr fs:[00000030h]	6_2_00FD3D34
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FD3D34 mov eax, dword ptr fs:[00000030h]	6_2_00FD3D34
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FD3D34 mov eax, dword ptr fs:[00000030h]	6_2_00FD3D34
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FD3D34 mov eax, dword ptr fs:[00000030h]	6_2_00FD3D34
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FD3D34 mov eax, dword ptr fs:[00000030h]	6_2_00FD3D34
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FCAD30 mov eax, dword ptr fs:[00000030h]	6_2_00FCAD30
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01098CD6 mov eax, dword ptr fs:[00000030h]	6_2_01098CD6
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_010814FB mov eax, dword ptr fs:[00000030h]	6_2_010814FB
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01046CF0 mov eax, dword ptr fs:[00000030h]	6_2_01046CF0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01046CF0 mov eax, dword ptr fs:[00000030h]	6_2_01046CF0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01046CF0 mov eax, dword ptr fs:[00000030h]	6_2_01046CF0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0109070D mov eax, dword ptr fs:[00000030h]	6_2_0109070D
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0109070D mov eax, dword ptr fs:[00000030h]	6_2_0109070D
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0105FF10 mov eax, dword ptr fs:[00000030h]	6_2_0105FF10
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0105FF10 mov eax, dword ptr fs:[00000030h]	6_2_0105FF10
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF16E0 mov ecx, dword ptr fs:[00000030h]	6_2_00FF16E0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FD76E2 mov eax, dword ptr fs:[00000030h]	6_2_00FD76E2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF36CC mov eax, dword ptr fs:[00000030h]	6_2_00FF36CC
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01098F6A mov eax, dword ptr fs:[00000030h]	6_2_01098F6A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FEAE73 mov eax, dword ptr fs:[00000030h]	6_2_00FEAE73
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FEAE73 mov eax, dword ptr fs:[00000030h]	6_2_00FEAE73
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FEAE73 mov eax, dword ptr fs:[00000030h]	6_2_00FEAE73
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FEAE73 mov eax, dword ptr fs:[00000030h]	6_2_00FEAE73
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FEAE73 mov eax, dword ptr fs:[00000030h]	6_2_00FEAE73
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FD766D mov eax, dword ptr fs:[00000030h]	6_2_00FD766D
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01047794 mov eax, dword ptr fs:[00000030h]	6_2_01047794
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01047794 mov eax, dword ptr fs:[00000030h]	6_2_01047794
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01047794 mov eax, dword ptr fs:[00000030h]	6_2_01047794
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FD7E41 mov eax, dword ptr fs:[00000030h]	6_2_00FD7E41
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FD7E41 mov eax, dword ptr fs:[00000030h]	6_2_00FD7E41
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FD7E41 mov eax, dword ptr fs:[00000030h]	6_2_00FD7E41
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FD7E41 mov eax, dword ptr fs:[00000030h]	6_2_00FD7E41
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FD7E41 mov eax, dword ptr fs:[00000030h]	6_2_00FD7E41
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FD7E41 mov eax, dword ptr fs:[00000030h]	6_2_00FD7E41
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FCE620 mov eax, dword ptr fs:[00000030h]	6_2_00FCE620
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FFA61C mov eax, dword ptr fs:[00000030h]	6_2_00FFA61C
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FFA61C mov eax, dword ptr fs:[00000030h]	6_2_00FFA61C
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_010037F5 mov eax, dword ptr fs:[00000030h]	6_2_010037F5
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FCC600 mov eax, dword ptr fs:[00000030h]	6_2_00FCC600
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FCC600 mov eax, dword ptr fs:[00000030h]	6_2_00FCC600
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FCC600 mov eax, dword ptr fs:[00000030h]	6_2_00FCC600
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FF8E00 mov eax, dword ptr fs:[00000030h]	6_2_00FF8E00
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01081608 mov eax, dword ptr fs:[00000030h]	6_2_01081608
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0107FE3F mov eax, dword ptr fs:[00000030h]	6_2_0107FE3F
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0108AE44 mov eax, dword ptr fs:[00000030h]	6_2_0108AE44
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0108AE44 mov eax, dword ptr fs:[00000030h]	6_2_0108AE44
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FD8794 mov eax, dword ptr fs:[00000030h]	6_2_00FD8794
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0105FE87 mov eax, dword ptr fs:[00000030h]	6_2_0105FE87
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FDFF60 mov eax, dword ptr fs:[00000030h]	6_2_00FDFF60
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_010446A7 mov eax, dword ptr fs:[00000030h]	6_2_010446A7
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01090EA5 mov eax, dword ptr fs:[00000030h]	6_2_01090EA5
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01090EA5 mov eax, dword ptr fs:[00000030h]	6_2_01090EA5
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01090EA5 mov eax, dword ptr fs:[00000030h]	6_2_01090EA5
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FDEF40 mov eax, dword ptr fs:[00000030h]	6_2_00FDEF40
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_0107FEC0 mov eax, dword ptr fs:[00000030h]	6_2_0107FEC0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01008EC7 mov eax, dword ptr fs:[00000030h]	6_2_01008EC7
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FFE730 mov eax, dword ptr fs:[00000030h]	6_2_00FFE730
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FC4F2E mov eax, dword ptr fs:[00000030h]	6_2_00FC4F2E
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FC4F2E mov eax, dword ptr fs:[00000030h]	6_2_00FC4F2E
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_01098ED6 mov eax, dword ptr fs:[00000030h]	6_2_01098ED6
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FEF716 mov eax, dword ptr fs:[00000030h]	6_2_00FEF716
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FFA70E mov eax, dword ptr fs:[00000030h]	6_2_00FFA70E
Source: C:\Users\user\Desktop\Payment.exe	Code function: 6_2_00FFA70E mov eax, dword ptr fs:[00000030h]	6_2_00FFA70E
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04859080 mov eax, dword ptr fs:[00000030h]	19_2_04859080
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D3884 mov eax, dword ptr fs:[00000030h]	19_2_048D3884
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D3884 mov eax, dword ptr fs:[00000030h]	19_2_048D3884
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0486849B mov eax, dword ptr fs:[00000030h]	19_2_0486849B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048990AF mov eax, dword ptr fs:[00000030h]	19_2_048990AF
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048820A0 mov eax, dword ptr fs:[00000030h]	19_2_048820A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048820A0 mov eax, dword ptr fs:[00000030h]	19_2_048820A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048820A0 mov eax, dword ptr fs:[00000030h]	19_2_048820A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048820A0 mov eax, dword ptr fs:[00000030h]	19_2_048820A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048820A0 mov eax, dword ptr fs:[00000030h]	19_2_048820A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048820A0 mov eax, dword ptr fs:[00000030h]	19_2_048820A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0488F0BF mov ecx, dword ptr fs:[00000030h]	19_2_0488F0BF
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0488F0BF mov eax, dword ptr fs:[00000030h]	19_2_0488F0BF
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0488F0BF mov eax, dword ptr fs:[00000030h]	19_2_0488F0BF
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04928CD6 mov eax, dword ptr fs:[00000030h]	19_2_04928CD6
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048EB8D0 mov eax, dword ptr fs:[00000030h]	19_2_048EB8D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048EB8D0 mov ecx, dword ptr fs:[00000030h]	19_2_048EB8D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048EB8D0 mov eax, dword ptr fs:[00000030h]	19_2_048EB8D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048EB8D0 mov eax, dword ptr fs:[00000030h]	19_2_048EB8D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048EB8D0 mov eax, dword ptr fs:[00000030h]	19_2_048EB8D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048EB8D0 mov eax, dword ptr fs:[00000030h]	19_2_048EB8D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048558EC mov eax, dword ptr fs:[00000030h]	19_2_048558EC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_049114FB mov eax, dword ptr fs:[00000030h]	19_2_049114FB
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D6CF0 mov eax, dword ptr fs:[00000030h]	19_2_048D6CF0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D6CF0 mov eax, dword ptr fs:[00000030h]	19_2_048D6CF0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D6CF0 mov eax, dword ptr fs:[00000030h]	19_2_048D6CF0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04924015 mov eax, dword ptr fs:[00000030h]	19_2_04924015
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04924015 mov eax, dword ptr fs:[00000030h]	19_2_04924015
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D6C0A mov eax, dword ptr fs:[00000030h]	19_2_048D6C0A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D6C0A mov eax, dword ptr fs:[00000030h]	19_2_048D6C0A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D6C0A mov eax, dword ptr fs:[00000030h]	19_2_048D6C0A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D6C0A mov eax, dword ptr fs:[00000030h]	19_2_048D6C0A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04911C06 mov eax, dword ptr fs:[00000030h]	19_2_04911C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04911C06 mov eax, dword ptr fs:[00000030h]	19_2_04911C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04911C06 mov eax, dword ptr fs:[00000030h]	19_2_04911C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04911C06 mov eax, dword ptr fs:[00000030h]	19_2_04911C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04911C06 mov eax, dword ptr fs:[00000030h]	19_2_04911C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04911C06 mov eax, dword ptr fs:[00000030h]	19_2_04911C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04911C06 mov eax, dword ptr fs:[00000030h]	19_2_04911C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04911C06 mov eax, dword ptr fs:[00000030h]	19_2_04911C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04911C06 mov eax, dword ptr fs:[00000030h]	19_2_04911C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04911C06 mov eax, dword ptr fs:[00000030h]	19_2_04911C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04911C06 mov eax, dword ptr fs:[00000030h]	19_2_04911C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04911C06 mov eax, dword ptr fs:[00000030h]	19_2_04911C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04911C06 mov eax, dword ptr fs:[00000030h]	19_2_04911C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04911C06 mov eax, dword ptr fs:[00000030h]	19_2_04911C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D7016 mov eax, dword ptr fs:[00000030h]	19_2_048D7016
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D7016 mov eax, dword ptr fs:[00000030h]	19_2_048D7016
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D7016 mov eax, dword ptr fs:[00000030h]	19_2_048D7016
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0492740D mov eax, dword ptr fs:[00000030h]	19_2_0492740D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0492740D mov eax, dword ptr fs:[00000030h]	19_2_0492740D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0492740D mov eax, dword ptr fs:[00000030h]	19_2_0492740D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0488BC2C mov eax, dword ptr fs:[00000030h]	19_2_0488BC2C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0488002D mov eax, dword ptr fs:[00000030h]	19_2_0488002D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0488002D mov eax, dword ptr fs:[00000030h]	19_2_0488002D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0488002D mov eax, dword ptr fs:[00000030h]	19_2_0488002D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0488002D mov eax, dword ptr fs:[00000030h]	19_2_0488002D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0488002D mov eax, dword ptr fs:[00000030h]	19_2_0488002D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0486B02A mov eax, dword ptr fs:[00000030h]	19_2_0486B02A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0486B02A mov eax, dword ptr fs:[00000030h]	19_2_0486B02A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0486B02A mov eax, dword ptr fs:[00000030h]	19_2_0486B02A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0486B02A mov eax, dword ptr fs:[00000030h]	19_2_0486B02A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0488A44B mov eax, dword ptr fs:[00000030h]	19_2_0488A44B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04870050 mov eax, dword ptr fs:[00000030h]	19_2_04870050
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04870050 mov eax, dword ptr fs:[00000030h]	19_2_04870050
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048EC450 mov eax, dword ptr fs:[00000030h]	19_2_048EC450
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048EC450 mov eax, dword ptr fs:[00000030h]	19_2_048EC450
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04912073 mov eax, dword ptr fs:[00000030h]	19_2_04912073
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04921074 mov eax, dword ptr fs:[00000030h]	19_2_04921074
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0487746D mov eax, dword ptr fs:[00000030h]	19_2_0487746D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0487C182 mov eax, dword ptr fs:[00000030h]	19_2_0487C182
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04882581 mov eax, dword ptr fs:[00000030h]	19_2_04882581
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04882581 mov eax, dword ptr fs:[00000030h]	19_2_04882581
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04882581 mov eax, dword ptr fs:[00000030h]	19_2_04882581
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04882581 mov eax, dword ptr fs:[00000030h]	19_2_04882581
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0488A185 mov eax, dword ptr fs:[00000030h]	19_2_0488A185
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04852D8A mov eax, dword ptr fs:[00000030h]	19_2_04852D8A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04852D8A mov eax, dword ptr fs:[00000030h]	19_2_04852D8A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04852D8A mov eax, dword ptr fs:[00000030h]	19_2_04852D8A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04852D8A mov eax, dword ptr fs:[00000030h]	19_2_04852D8A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04852D8A mov eax, dword ptr fs:[00000030h]	19_2_04852D8A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0488FD9B mov eax, dword ptr fs:[00000030h]	19_2_0488FD9B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0488FD9B mov eax, dword ptr fs:[00000030h]	19_2_0488FD9B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04882990 mov eax, dword ptr fs:[00000030h]	19_2_04882990
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048861A0 mov eax, dword ptr fs:[00000030h]	19_2_048861A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048861A0 mov eax, dword ptr fs:[00000030h]	19_2_048861A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048835A1 mov eax, dword ptr fs:[00000030h]	19_2_048835A1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D69A6 mov eax, dword ptr fs:[00000030h]	19_2_048D69A6
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D51BE mov eax, dword ptr fs:[00000030h]	19_2_048D51BE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D51BE mov eax, dword ptr fs:[00000030h]	19_2_048D51BE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D51BE mov eax, dword ptr fs:[00000030h]	19_2_048D51BE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D51BE mov eax, dword ptr fs:[00000030h]	19_2_048D51BE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04881DB5 mov eax, dword ptr fs:[00000030h]	19_2_04881DB5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04881DB5 mov eax, dword ptr fs:[00000030h]	19_2_04881DB5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04881DB5 mov eax, dword ptr fs:[00000030h]	19_2_04881DB5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_049205AC mov eax, dword ptr fs:[00000030h]	19_2_049205AC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_049205AC mov eax, dword ptr fs:[00000030h]	19_2_049205AC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D6DC9 mov eax, dword ptr fs:[00000030h]	19_2_048D6DC9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D6DC9 mov eax, dword ptr fs:[00000030h]	19_2_048D6DC9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D6DC9 mov eax, dword ptr fs:[00000030h]	19_2_048D6DC9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D6DC9 mov ecx, dword ptr fs:[00000030h]	19_2_048D6DC9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D6DC9 mov eax, dword ptr fs:[00000030h]	19_2_048D6DC9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D6DC9 mov eax, dword ptr fs:[00000030h]	19_2_048D6DC9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04908DF1 mov eax, dword ptr fs:[00000030h]	19_2_04908DF1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0485B1E1 mov eax, dword ptr fs:[00000030h]	19_2_0485B1E1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0485B1E1 mov eax, dword ptr fs:[00000030h]	19_2_0485B1E1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0485B1E1 mov eax, dword ptr fs:[00000030h]	19_2_0485B1E1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048E41E8 mov eax, dword ptr fs:[00000030h]	19_2_048E41E8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0486D5E0 mov eax, dword ptr fs:[00000030h]	19_2_0486D5E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0486D5E0 mov eax, dword ptr fs:[00000030h]	19_2_0486D5E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04859100 mov eax, dword ptr fs:[00000030h]	19_2_04859100
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04859100 mov eax, dword ptr fs:[00000030h]	19_2_04859100
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04859100 mov eax, dword ptr fs:[00000030h]	19_2_04859100
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04928D34 mov eax, dword ptr fs:[00000030h]	19_2_04928D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04874120 mov eax, dword ptr fs:[00000030h]	19_2_04874120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04874120 mov eax, dword ptr fs:[00000030h]	19_2_04874120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04874120 mov eax, dword ptr fs:[00000030h]	19_2_04874120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04874120 mov eax, dword ptr fs:[00000030h]	19_2_04874120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04874120 mov ecx, dword ptr fs:[00000030h]	19_2_04874120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0488513A mov eax, dword ptr fs:[00000030h]	19_2_0488513A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0488513A mov eax, dword ptr fs:[00000030h]	19_2_0488513A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04863D34 mov eax, dword ptr fs:[00000030h]	19_2_04863D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04863D34 mov eax, dword ptr fs:[00000030h]	19_2_04863D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04863D34 mov eax, dword ptr fs:[00000030h]	19_2_04863D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04863D34 mov eax, dword ptr fs:[00000030h]	19_2_04863D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04863D34 mov eax, dword ptr fs:[00000030h]	19_2_04863D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04863D34 mov eax, dword ptr fs:[00000030h]	19_2_04863D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04863D34 mov eax, dword ptr fs:[00000030h]	19_2_04863D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04863D34 mov eax, dword ptr fs:[00000030h]	19_2_04863D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04863D34 mov eax, dword ptr fs:[00000030h]	19_2_04863D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04863D34 mov eax, dword ptr fs:[00000030h]	19_2_04863D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04863D34 mov eax, dword ptr fs:[00000030h]	19_2_04863D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04863D34 mov eax, dword ptr fs:[00000030h]	19_2_04863D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04863D34 mov eax, dword ptr fs:[00000030h]	19_2_04863D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04884D3B mov eax, dword ptr fs:[00000030h]	19_2_04884D3B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04884D3B mov eax, dword ptr fs:[00000030h]	19_2_04884D3B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04884D3B mov eax, dword ptr fs:[00000030h]	19_2_04884D3B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0485AD30 mov eax, dword ptr fs:[00000030h]	19_2_0485AD30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048DA537 mov eax, dword ptr fs:[00000030h]	19_2_048DA537
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0487B944 mov eax, dword ptr fs:[00000030h]	19_2_0487B944
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0487B944 mov eax, dword ptr fs:[00000030h]	19_2_0487B944
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04893D43 mov eax, dword ptr fs:[00000030h]	19_2_04893D43
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D3540 mov eax, dword ptr fs:[00000030h]	19_2_048D3540
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04877D50 mov eax, dword ptr fs:[00000030h]	19_2_04877D50
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0485C962 mov eax, dword ptr fs:[00000030h]	19_2_0485C962
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0487C577 mov eax, dword ptr fs:[00000030h]	19_2_0487C577
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0487C577 mov eax, dword ptr fs:[00000030h]	19_2_0487C577
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0485B171 mov eax, dword ptr fs:[00000030h]	19_2_0485B171
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0485B171 mov eax, dword ptr fs:[00000030h]	19_2_0485B171
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048EFE87 mov eax, dword ptr fs:[00000030h]	19_2_048EFE87
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0488D294 mov eax, dword ptr fs:[00000030h]	19_2_0488D294
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0488D294 mov eax, dword ptr fs:[00000030h]	19_2_0488D294
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048552A5 mov eax, dword ptr fs:[00000030h]	19_2_048552A5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048552A5 mov eax, dword ptr fs:[00000030h]	19_2_048552A5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048552A5 mov eax, dword ptr fs:[00000030h]	19_2_048552A5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048552A5 mov eax, dword ptr fs:[00000030h]	19_2_048552A5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048552A5 mov eax, dword ptr fs:[00000030h]	19_2_048552A5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D46A7 mov eax, dword ptr fs:[00000030h]	19_2_048D46A7
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0486AAB0 mov eax, dword ptr fs:[00000030h]	19_2_0486AAB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0486AAB0 mov eax, dword ptr fs:[00000030h]	19_2_0486AAB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04920EA5 mov eax, dword ptr fs:[00000030h]	19_2_04920EA5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04920EA5 mov eax, dword ptr fs:[00000030h]	19_2_04920EA5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04920EA5 mov eax, dword ptr fs:[00000030h]	19_2_04920EA5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0488FAB0 mov eax, dword ptr fs:[00000030h]	19_2_0488FAB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04882ACB mov eax, dword ptr fs:[00000030h]	19_2_04882ACB
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04928ED6 mov eax, dword ptr fs:[00000030h]	19_2_04928ED6
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048836CC mov eax, dword ptr fs:[00000030h]	19_2_048836CC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04898EC7 mov eax, dword ptr fs:[00000030h]	19_2_04898EC7
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0490FEC0 mov eax, dword ptr fs:[00000030h]	19_2_0490FEC0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048676E2 mov eax, dword ptr fs:[00000030h]	19_2_048676E2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048816E0 mov ecx, dword ptr fs:[00000030h]	19_2_048816E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04882AE4 mov eax, dword ptr fs:[00000030h]	19_2_04882AE4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0485C600 mov eax, dword ptr fs:[00000030h]	19_2_0485C600
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0485C600 mov eax, dword ptr fs:[00000030h]	19_2_0485C600
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0485C600 mov eax, dword ptr fs:[00000030h]	19_2_0485C600
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04888E00 mov eax, dword ptr fs:[00000030h]	19_2_04888E00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04868A0A mov eax, dword ptr fs:[00000030h]	19_2_04868A0A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0485AA16 mov eax, dword ptr fs:[00000030h]	19_2_0485AA16
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0485AA16 mov eax, dword ptr fs:[00000030h]	19_2_0485AA16
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0488A61C mov eax, dword ptr fs:[00000030h]	19_2_0488A61C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0488A61C mov eax, dword ptr fs:[00000030h]	19_2_0488A61C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04855210 mov eax, dword ptr fs:[00000030h]	19_2_04855210
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04855210 mov ecx, dword ptr fs:[00000030h]	19_2_04855210
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04855210 mov eax, dword ptr fs:[00000030h]	19_2_04855210
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04855210 mov eax, dword ptr fs:[00000030h]	19_2_04855210
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04911608 mov eax, dword ptr fs:[00000030h]	19_2_04911608
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04873A1C mov eax, dword ptr fs:[00000030h]	19_2_04873A1C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0485E620 mov eax, dword ptr fs:[00000030h]	19_2_0485E620
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04894A2C mov eax, dword ptr fs:[00000030h]	19_2_04894A2C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04894A2C mov eax, dword ptr fs:[00000030h]	19_2_04894A2C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0490FE3F mov eax, dword ptr fs:[00000030h]	19_2_0490FE3F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04859240 mov eax, dword ptr fs:[00000030h]	19_2_04859240
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04859240 mov eax, dword ptr fs:[00000030h]	19_2_04859240
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04859240 mov eax, dword ptr fs:[00000030h]	19_2_04859240
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04859240 mov eax, dword ptr fs:[00000030h]	19_2_04859240
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04867E41 mov eax, dword ptr fs:[00000030h]	19_2_04867E41
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04867E41 mov eax, dword ptr fs:[00000030h]	19_2_04867E41
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04867E41 mov eax, dword ptr fs:[00000030h]	19_2_04867E41
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04867E41 mov eax, dword ptr fs:[00000030h]	19_2_04867E41
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04867E41 mov eax, dword ptr fs:[00000030h]	19_2_04867E41
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04867E41 mov eax, dword ptr fs:[00000030h]	19_2_04867E41
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048E4257 mov eax, dword ptr fs:[00000030h]	19_2_048E4257
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0486766D mov eax, dword ptr fs:[00000030h]	19_2_0486766D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0490B260 mov eax, dword ptr fs:[00000030h]	19_2_0490B260
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0490B260 mov eax, dword ptr fs:[00000030h]	19_2_0490B260
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04928A62 mov eax, dword ptr fs:[00000030h]	19_2_04928A62
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0489927A mov eax, dword ptr fs:[00000030h]	19_2_0489927A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0487AE73 mov eax, dword ptr fs:[00000030h]	19_2_0487AE73
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0487AE73 mov eax, dword ptr fs:[00000030h]	19_2_0487AE73
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0487AE73 mov eax, dword ptr fs:[00000030h]	19_2_0487AE73
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0487AE73 mov eax, dword ptr fs:[00000030h]	19_2_0487AE73
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0487AE73 mov eax, dword ptr fs:[00000030h]	19_2_0487AE73
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04861B8F mov eax, dword ptr fs:[00000030h]	19_2_04861B8F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04861B8F mov eax, dword ptr fs:[00000030h]	19_2_04861B8F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0490D380 mov ecx, dword ptr fs:[00000030h]	19_2_0490D380
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04868794 mov eax, dword ptr fs:[00000030h]	19_2_04868794
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0488B390 mov eax, dword ptr fs:[00000030h]	19_2_0488B390

Source: C:\Users\user\Desktop\Payment.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Payment.exe

Code function: 6_2_0040ACD0 LdrLoadDll,

6_2_0040ACD0

Source: C:\Users\user\Desktop\Payment.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.earlyeducationglobal.com
Source: C:\Windows\explorer.exe	Network Connect: 91.195.240.94 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.98.99.30 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.cevicheatl.com

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\Payment.exe

Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: EB0000

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\Payment.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\Payment.exe

Memory written: C:\Users\user\Desktop\Payment.exe base: 400000 value starts with: 4D5A

Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\Payment.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\Payment.exe	Thread register set: target process: 3388			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Thread register set: target process: 3388			Jump to behavior

Source: C:\Users\user\Desktop\Payment.exe	Process created: C:\Users\user\Desktop\Payment.exe C:\Users\user\Desktop\Payment.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process created: C:\Users\user\Desktop\Payment.exe C:\Users\user\Desktop\Payment.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment.exe'	Jump to behavior

Source: explorer.exe, 00000007.00000000.263918274.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000007.00000000.249798738.0000000001980000.00000002.00020000.sdmp, cscript.exe, 00000013.00000002.478899017.00000000030E0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000007.00000000.249798738.0000000001980000.00000002.00020000.sdmp, cscript.exe, 00000013.00000002.478899017.00000000030E0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.249798738.0000000001980000.00000002.00020000.sdmp, cscript.exe, 00000013.00000002.478899017.00000000030E0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000007.00000000.249798738.0000000001980000.00000002.00020000.sdmp, cscript.exe, 00000013.00000002.478899017.00000000030E0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Users\user\Desktop\Payment.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Payment.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 6.2.Payment.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Payment.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.289360000.000000000643E000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.320708388.0000000000F60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.482181814.0000000004690000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.477004988.0000000000910000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.322423525.00000000012D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.268479166.000000000643E000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.243854024.0000000003619000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 6.2.Payment.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Payment.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.289360000.000000000643E000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.320708388.0000000000F60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.482181814.0000000004690000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.477004988.0000000000910000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.322423525.00000000012D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.268479166.000000000643E000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.243854024.0000000003619000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection612	Rootkit1	Credential API Hooking1	Security Software Discovery221	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Masquerading1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Security Account Manager	Virtualization/Sandbox Evasion41	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Virtualization/Sandbox Evasion41	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection612	LSA Secrets	System Information Discovery112	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information11	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information3	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing13	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	File Deletion1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Payment.exe	53%	Virustotal		Browse
Payment.exe	31%	Metadefender		Browse
Payment.exe	68%	ReversingLabs	Win32.Trojan.AgentTesla

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
6.2.Payment.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
www.rafaelcristino.com/pm7s/	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.cevicheatl.com/pm7s/?v2J83=dDHD9XVxev94&-Zi=VaPpcx8n3Tp8D9xgbNtl8vulXgBvw8jFIvpULVCQhIlh0W4Hjuc6qrQSfYpFlZollCUL	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.earlyeducationglobal.com/pm7s/?-Zi=lvCYA3THHwf3zrDy6Hq/UQWt6LGRVtHVYfKCQGlaiZ/7JUYV8wEH0lTBDrKh23L7whpy&v2J83=dDHD9XVxev94	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.cevicheatl.com	91.195.240.94	true	true	unknown
earlyeducationglobal.com	34.98.99.30	true	false	unknown
www.earlyeducationglobal.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.rafaelcristino.com/pm7s/	true	Avira URL Cloud: safe	low
http://www.cevicheatl.com/pm7s/?v2J83=dDHD9XVxev94&-Zi=VaPpcx8n3Tp8D9xgbNtl8vulXgBvw8jFIvpULVCQhIlh0W4Hjuc6qrQSfYpFlZollCUL	true	Avira URL Cloud: safe	unknown
http://www.earlyeducationglobal.com/pm7s/?-Zi=lvCYA3THHwf3zrDy6Hq/UQWt6LGRVtHVYfKCQGlaiZ/7JUYV8wEH0lTBDrKh23L7whpy&v2J83=dDHD9XVxev94	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	false		high
http://www.tiro.com	Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	false		high
http://www.fonts.com	Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.195.240.94	www.cevicheatl.com	Germany		47846	SEDO-ASDE	true
34.98.99.30	earlyeducationglobal.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	483531
Start date:	15.09.2021
Start time:	08:26:13
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Payment.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@9/1@2/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 6.5% (good quality ratio 5.7%) Quality average: 72.2% Quality standard deviation: 32.9%
HCA Information:	Successful, ratio: 100% Number of executed functions: 85 Number of non-executed functions: 158
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 92.122.145.220, 23.35.236.56, 20.82.210.154, 20.54.110.249, 40.112.88.60, 23.216.77.209, 23.216.77.208 Excluded domains from analysis (whitelisted): fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:27:14	API Interceptor	1x Sleep call for process: Payment.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
91.195.240.94	pronto per il pagamento.exe	Get hash	malicious	Browse	www.kosha2030.com/cb3b/?hV2=rqbUo6j2KmhlDLlvmj6v60cfZ8/2Wb9u+KYnQWuAInoB2FLYYFx1yPNzvLEIuH4s1sVu&2d_HDh=b4KXxR6XiV5lmHh0
	PO-PT. Hextar-Sept21.xlsx	Get hash	malicious	Browse	www.garfld.com/imi7/?bVx=AFMvowp2dypQPpLZR6/sAbLaaLiFVzdlH2gx+8GSqBhOmfQ8NBa2GdB0GH1Hzk2pvxNNYQ==&Nx=8pFdqHyxnZUl
	P.O100%uFFFDpayment.doc__.rtf	Get hash	malicious	Browse	www.cis-thailand.com/crg3/?9rWP=SnroaQgsYxMLiTImvCpI1Gl07kg1+3LZiriLgRT6WM6KSYrus5bHWYAPsUyD9HyCzSS3+w==&wTcHGb=ylr8U6ypj
	Quotation Required Details.exe	Get hash	malicious	Browse	www.promosplace.com/p4se/?l2Mdnb=g+K9AOIBn0/VHfOvEruut/gc0uElQ8afuAuUP1bYE2eC/PWXrO3ELwGMR3TL6eUTg0Vn&fFQL=6lZPcVbxGH
	DUE INVOICES.exe	Get hash	malicious	Browse	www.mgm2348543.com/b6cu/?R2MD6=dqsOYsWQq+FTU42PaO7UsXHrG00vcvVIPPyHFAmVRXCpjYXsaNa58d0J7fmeqANspZbM&BT=2dhhnfvPB6f8zBxp
	Order_confirmation_ SMKT 09062021_.exe	Get hash	malicious	Browse	www.preaked.com/h2m4/?2d=HxKWzMaF1BWGIaYUxE2WWBBllJBIGc2hs3LD5EFS7XDw0kpNhCyQgmCJtlxKKPUpl4+d&D2MH9=9rWdhfN8M
	nFzJnfmTNh.exe	Get hash	malicious	Browse	www.mgm2348543.com/b6cu/?aT=jvQLaT&MD=dqsOYsWQq+FTU42PaO7UsXHrG00vcvVIPPyHFAmVRXCpjYXsaNa58d0J7cGOlhdU38yL
	0039234_00533MXS2.exe	Get hash	malicious	Browse	www.dandhgh.com/m64e/?H2MDD=hQTNvBW47KQ9P36N1I31K6xMq6TLiyTboYpfo/Bbm9l3Z3kS2jzEmMODUoxriuOWTqDJ&DxoLn=7nU4v4ghr2A8WLZ
	Unpaid Invoice.exe	Get hash	malicious	Browse	www.mgm2348543.com/b6cu/?WFN=dqsOYsWQq+FTU42PaO7UsXHrG00vcvVIPPyHFAmVRXCpjYXsaNa58d0J7cGOlhdU38yL&Sjlpi=9ruD_h9
	174jAWlXyW.exe	Get hash	malicious	Browse	www.bharathub.net/b6cu/?f2M=_v-HI&9r=vUP3bPk6qVMFSBZsu0WoakUB9ZLAJM2aLct125UMa7nObtIS9UcRmSBQP/rfZ6EDwLD9
	Payment Advice.xlsx	Get hash	malicious	Browse	www.mgm2348543.com/b6cu/?O8=-ZcPjPvhqPppnvL&bzu4_=dqsOYsWVq5FXUo6DYO7UsXHrG00vcvVIPPqXZD6UV3Cojp7qddL1qZML45qYhxZn8/v7Kg==
	RFQ_PO_009890_pdf.exe	Get hash	malicious	Browse	www.swipehawk.com/a6hg/?Gz=UharbDuqOmkTaf35LjnpLxSjggODaklpW9Y+tG2s+LMkdYLf42pUDMwAxcb4x47jVGJ2VGfNbQ==&-ZsLG=3ff8xpG0DPWtZdZ
	Swift Copy.exe	Get hash	malicious	Browse	www.mgm2348543.com/b6cu/?2dSpM=dqsOYsWQq+FTU42PaO7UsXHrG00vcvVIPPyHFAmVRXCpjYXsaNa58d0J7cGOlhdU38yL&PVvtW=7nWhA
	LC copy, Terms conditions.xlsx	Get hash	malicious	Browse	www.wqfilter.com/i7dg/?BBJ43b=f8iD9L4afkGSBNeT1a2zV06Ib9jyqzB9Ki8lcYXtvMA4ssIJMUtZ9Lijkg3d2xO4598lPA==&4hExr=GBXdRHy8-0z0
	Order sheet 31082021.exe	Get hash	malicious	Browse	www.promosplace.com/p4se/?H0D=v48Tu4dpfV5&F8R8gJ=g+K9AOIBn0/VHfOvEruut/gc0uElQ8afuAuUP1bYE2eC/PWXrO3ELwGMR3TL6eUTg0Vn
	PAYMENT INSTRUCTIONS COPY.exe	Get hash	malicious	Browse	www.hostings.company/n58i/?7nxhvxdX=m2fUwKHXntk7+v0FXrNTEkwXJjJFTAENR7+CI2dV9M7+9BuBSatPMImaRSslo8DZxWmb&z0D83b=1butZX4hMzCL_
	Shipment Advise 20035506.exe	Get hash	malicious	Browse	www.hostings.company/n58i/?CRmti4J=m2fUwKHXntk7+v0FXrNTEkwXJjJFTAENR7+CI2dV9M7+9BuBSatPMImaRRAm0MPh83bNGIKsaA==&EDHH=SL3Xb8KPdN
	PO 4100066995.exe	Get hash	malicious	Browse	www.vaca.travel/bp39/?nVR=5Qm4YdS9nP4uT06ysd2e9bB4EWW6DLhAof8Noh1nKxRE1PX3o+aVuPjzTEVLAN9Xs7Ly&fFNDaX=7nmPgJPxr
	uXNn71mPwRw5qVi.exe	Get hash	malicious	Browse	www.anacshops.com/z01e/?9rgLWb38=UkWWCKefa2QBOILDZj1DEjSIa8P8jMrEvFnGp+Vhsnwupfyaki4wDZ8Hwm0s3MMh54tn&Sjlpd=9ruDZ
	New order.exe	Get hash	malicious	Browse	www.vaca.travel/bp39/?2dolsL=5Qm4YdS9nP4uT06ysd2e9bB4EWW6DLhAof8Noh1nKxRE1PX3o+aVuPjzTEVLAN9Xs7Ly&z6Al=bDKp-H4phJ

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
SEDO-ASDE	PAYSLIP.exe	Get hash	malicious	Browse	91.195.240.117
	UPDATED e-STATEMENT.exe	Get hash	malicious	Browse	91.195.240.87
	2021091400983746_pdf.exe	Get hash	malicious	Browse	91.195.240.13
	pronto per il pagamento.exe	Get hash	malicious	Browse	91.195.240.94
	ENQUIRYSMRT119862021-ERW PIPES.pdf.exe	Get hash	malicious	Browse	91.195.240.13
	ryfAIJHmKETyAPz.exe	Get hash	malicious	Browse	91.195.240.87
	NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe	Get hash	malicious	Browse	91.195.240.117
	PO-PT. Hextar-Sept21.xlsx	Get hash	malicious	Browse	91.195.240.94
	P.O100%uFFFDpayment.doc__.rtf	Get hash	malicious	Browse	91.195.240.94
	Data Sheet and Profile.exe	Get hash	malicious	Browse	91.195.240.117
	Order 45789011.exe	Get hash	malicious	Browse	91.195.240.13
	Quotation Required Details.exe	Get hash	malicious	Browse	91.195.240.94
	54U89TvWvD.exe	Get hash	malicious	Browse	91.195.240.87
	Order no.1480-G22-21202109.xlsx	Get hash	malicious	Browse	91.195.240.117
	BK8476699_BOOKING.exe	Get hash	malicious	Browse	91.195.240.87
	Swift 07.09.21.exe	Get hash	malicious	Browse	91.195.240.87
	Required quantity.doc	Get hash	malicious	Browse	91.195.240.117
	chUG6brzt9.exe	Get hash	malicious	Browse	91.195.240.117
	BahcfFNy25bmV1c.exe	Get hash	malicious	Browse	91.195.240.13
	grace $$.exe	Get hash	malicious	Browse	91.195.240.117

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment.exe.log Download File
Process:	C:\Users\user\Desktop\Payment.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.6391078740652345
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Payment.exe
File size:	631296
MD5:	933cedbe56bd04acdbbb183a0004162b
SHA1:	9a255a7eaa2dd334dcde3f9c8f73e8c25e3a8a65
SHA256:	a57534ac7570e5be7e25f1c0d9745dc549d56b193ed7b1547e61ae79485edc1c
SHA512:	42cce5f2e1d9a96bddd3312c7433a2620a3aef84c612501728f77fca159620ff4c69885933e7a2a15c72d7e8a44a0d2e76d41bb2ba6ccb7ec9be04d10cd72545
SSDEEP:	12288:kZRWjIa6R35YU4dWyvFDLCVdwmel0saKp2YYQUsxz9hz8gf:gamNZKLCTvKfbUsFxf
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....?a............................:.... ........@.. ....................................@................................

File Icon


Icon Hash:	b4b4a4aca4a4ecea

Static PE Info

General
Entrypoint:	0x47d43a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x613FA9A7 [Mon Sep 13 19:42:31 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7d3e0	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x80000	0x1e6ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7b440	0x7b600	False	0.92501147733	data	7.91580879316	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc	0x7e000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x80000	0x1e6ac	0x1e800	False	0.254842789447	data	5.24648335599	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x802e0	0x3a21	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x83d04	0x10828	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x9452c	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4292400329, next used block 4292400329
RT_ICON	0x98754	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4293124051, next used block 4292400329
RT_ICON	0x9acfc	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4294045408, next used block 4293979615
RT_ICON	0x9bda4	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0x9c20c	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON	0x9d2b4	0x988	data
RT_ICON	0x9dc3c	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x9e0a4	0x5a	data
RT_GROUP_ICON	0x9e100	0x84	data
RT_VERSION	0x9e184	0x374	data
RT_MANIFEST	0x9e4f8	0x1b4	XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Ventelo 2012
Assembly Version	1.2.8.0
InternalName	IObjectHand.exe
FileVersion	1.2.0.0
CompanyName	Ventelo
LegalTrademarks
Comments	ServiceManager
ProductName	ServiceManager
ProductVersion	1.2.0.0
FileDescription	ServiceManager
OriginalFilename	IObjectHand.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
09/15/21-08:28:42.639394	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49807	80	192.168.2.3	91.195.240.94
09/15/21-08:28:42.639394	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49807	80	192.168.2.3	91.195.240.94
09/15/21-08:28:42.639394	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49807	80	192.168.2.3	91.195.240.94
09/15/21-08:29:02.940460	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49812	80	192.168.2.3	34.98.99.30
09/15/21-08:29:02.940460	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49812	80	192.168.2.3	34.98.99.30
09/15/21-08:29:02.940460	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49812	80	192.168.2.3	34.98.99.30
09/15/21-08:29:03.057670	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49812	34.98.99.30	192.168.2.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 15, 2021 08:28:42.618949890 CEST	49807	80	192.168.2.3	91.195.240.94
Sep 15, 2021 08:28:42.639127016 CEST	80	49807	91.195.240.94	192.168.2.3
Sep 15, 2021 08:28:42.639367104 CEST	49807	80	192.168.2.3	91.195.240.94
Sep 15, 2021 08:28:42.639394045 CEST	49807	80	192.168.2.3	91.195.240.94
Sep 15, 2021 08:28:42.660855055 CEST	80	49807	91.195.240.94	192.168.2.3
Sep 15, 2021 08:28:42.677712917 CEST	80	49807	91.195.240.94	192.168.2.3
Sep 15, 2021 08:28:42.677736998 CEST	80	49807	91.195.240.94	192.168.2.3
Sep 15, 2021 08:28:42.677918911 CEST	49807	80	192.168.2.3	91.195.240.94
Sep 15, 2021 08:28:42.677942038 CEST	49807	80	192.168.2.3	91.195.240.94
Sep 15, 2021 08:28:42.699718952 CEST	80	49807	91.195.240.94	192.168.2.3
Sep 15, 2021 08:29:02.920936108 CEST	49812	80	192.168.2.3	34.98.99.30
Sep 15, 2021 08:29:02.939723969 CEST	80	49812	34.98.99.30	192.168.2.3
Sep 15, 2021 08:29:02.939899921 CEST	49812	80	192.168.2.3	34.98.99.30
Sep 15, 2021 08:29:02.940459967 CEST	49812	80	192.168.2.3	34.98.99.30
Sep 15, 2021 08:29:02.959929943 CEST	80	49812	34.98.99.30	192.168.2.3
Sep 15, 2021 08:29:03.057670116 CEST	80	49812	34.98.99.30	192.168.2.3
Sep 15, 2021 08:29:03.057703018 CEST	80	49812	34.98.99.30	192.168.2.3
Sep 15, 2021 08:29:03.057926893 CEST	49812	80	192.168.2.3	34.98.99.30
Sep 15, 2021 08:29:03.058140039 CEST	49812	80	192.168.2.3	34.98.99.30
Sep 15, 2021 08:29:03.076752901 CEST	80	49812	34.98.99.30	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 15, 2021 08:26:59.719727993 CEST	49199	53	192.168.2.3	8.8.8.8
Sep 15, 2021 08:26:59.761390924 CEST	53	49199	8.8.8.8	192.168.2.3
Sep 15, 2021 08:27:30.799715042 CEST	50620	53	192.168.2.3	8.8.8.8
Sep 15, 2021 08:27:30.862610102 CEST	53	50620	8.8.8.8	192.168.2.3
Sep 15, 2021 08:27:33.643492937 CEST	64938	53	192.168.2.3	8.8.8.8
Sep 15, 2021 08:27:33.680874109 CEST	53	64938	8.8.8.8	192.168.2.3
Sep 15, 2021 08:27:58.663142920 CEST	60152	53	192.168.2.3	8.8.8.8
Sep 15, 2021 08:27:58.717433929 CEST	53	60152	8.8.8.8	192.168.2.3
Sep 15, 2021 08:27:59.335663080 CEST	57544	53	192.168.2.3	8.8.8.8
Sep 15, 2021 08:27:59.362508059 CEST	53	57544	8.8.8.8	192.168.2.3
Sep 15, 2021 08:27:59.883431911 CEST	55984	53	192.168.2.3	8.8.8.8
Sep 15, 2021 08:27:59.988786936 CEST	53	55984	8.8.8.8	192.168.2.3
Sep 15, 2021 08:28:00.436861992 CEST	64185	53	192.168.2.3	8.8.8.8
Sep 15, 2021 08:28:00.464894056 CEST	53	64185	8.8.8.8	192.168.2.3
Sep 15, 2021 08:28:00.607726097 CEST	65110	53	192.168.2.3	8.8.8.8
Sep 15, 2021 08:28:00.650060892 CEST	53	65110	8.8.8.8	192.168.2.3
Sep 15, 2021 08:28:00.970088959 CEST	58361	53	192.168.2.3	8.8.8.8
Sep 15, 2021 08:28:01.005880117 CEST	53	58361	8.8.8.8	192.168.2.3
Sep 15, 2021 08:28:01.559946060 CEST	63492	53	192.168.2.3	8.8.8.8
Sep 15, 2021 08:28:01.633064985 CEST	53	63492	8.8.8.8	192.168.2.3
Sep 15, 2021 08:28:02.098645926 CEST	60831	53	192.168.2.3	8.8.8.8
Sep 15, 2021 08:28:02.126622915 CEST	53	60831	8.8.8.8	192.168.2.3
Sep 15, 2021 08:28:03.078897953 CEST	60100	53	192.168.2.3	8.8.8.8
Sep 15, 2021 08:28:03.112123966 CEST	53	60100	8.8.8.8	192.168.2.3
Sep 15, 2021 08:28:04.580115080 CEST	53195	53	192.168.2.3	8.8.8.8
Sep 15, 2021 08:28:04.610657930 CEST	53	53195	8.8.8.8	192.168.2.3
Sep 15, 2021 08:28:05.073050976 CEST	50141	53	192.168.2.3	8.8.8.8
Sep 15, 2021 08:28:05.156244040 CEST	53	50141	8.8.8.8	192.168.2.3
Sep 15, 2021 08:28:16.750987053 CEST	53023	53	192.168.2.3	8.8.8.8
Sep 15, 2021 08:28:16.781303883 CEST	53	53023	8.8.8.8	192.168.2.3
Sep 15, 2021 08:28:42.578107119 CEST	49563	53	192.168.2.3	8.8.8.8
Sep 15, 2021 08:28:42.612447977 CEST	53	49563	8.8.8.8	192.168.2.3
Sep 15, 2021 08:28:44.900768042 CEST	51352	53	192.168.2.3	8.8.8.8
Sep 15, 2021 08:28:44.940752983 CEST	53	51352	8.8.8.8	192.168.2.3
Sep 15, 2021 08:28:46.816235065 CEST	59349	53	192.168.2.3	8.8.8.8
Sep 15, 2021 08:28:46.858810902 CEST	53	59349	8.8.8.8	192.168.2.3
Sep 15, 2021 08:29:02.887496948 CEST	57084	53	192.168.2.3	8.8.8.8
Sep 15, 2021 08:29:02.918489933 CEST	53	57084	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 15, 2021 08:28:42.578107119 CEST	192.168.2.3	8.8.8.8	0x93d1	Standard query (0)	www.cevicheatl.com	A (IP address)	IN (0x0001)
Sep 15, 2021 08:29:02.887496948 CEST	192.168.2.3	8.8.8.8	0xc881	Standard query (0)	www.earlyeducationglobal.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Sep 15, 2021 08:28:42.612447977 CEST	8.8.8.8	192.168.2.3	0x93d1	No error (0)	www.cevicheatl.com		91.195.240.94	A (IP address)	IN (0x0001)
Sep 15, 2021 08:29:02.918489933 CEST	8.8.8.8	192.168.2.3	0xc881	No error (0)	www.earlyeducationglobal.com	earlyeducationglobal.com		CNAME (Canonical name)	IN (0x0001)
Sep 15, 2021 08:29:02.918489933 CEST	8.8.8.8	192.168.2.3	0xc881	No error (0)	earlyeducationglobal.com		34.98.99.30	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.cevicheatl.com

www.earlyeducationglobal.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49807	91.195.240.94	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2021 08:28:42.639394045 CEST	5973	OUT	GET /pm7s/?v2J83=dDHD9XVxev94&-Zi=VaPpcx8n3Tp8D9xgbNtl8vulXgBvw8jFIvpULVCQhIlh0W4Hjuc6qrQSfYpFlZollCUL HTTP/1.1 Host: www.cevicheatl.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 15, 2021 08:28:42.677712917 CEST	5974	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=utf-8 Location: https://www.cevicheatl.com/pm7s/?v2J83=dDHD9XVxev94&-Zi=VaPpcx8n3Tp8D9xgbNtl8vulXgBvw8jFIvpULVCQhIlh0W4Hjuc6qrQSfYpFlZollCUL Date: Wed, 15 Sep 2021 06:28:42 GMT Content-Length: 163 Connection: close Data Raw: 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 65 76 69 63 68 65 61 74 6c 2e 63 6f 6d 2f 70 6d 37 73 2f 3f 76 32 4a 38 33 3d 64 44 48 44 39 58 56 78 65 76 39 34 26 61 6d 70 3b 2d 5a 69 3d 56 61 50 70 63 78 38 6e 33 54 70 38 44 39 78 67 62 4e 74 6c 38 76 75 6c 58 67 42 76 77 38 6a 46 49 76 70 55 4c 56 43 51 68 49 6c 68 30 57 34 48 6a 75 63 36 71 72 51 53 66 59 70 46 6c 5a 6f 6c 6c 43 55 4c 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href="https://www.cevicheatl.com/pm7s/?v2J83=dDHD9XVxev94&-Zi=VaPpcx8n3Tp8D9xgbNtl8vulXgBvw8jFIvpULVCQhIlh0W4Hjuc6qrQSfYpFlZollCUL">Moved Permanently</a>.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49812	34.98.99.30	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2021 08:29:02.940459967 CEST	5995	OUT	GET /pm7s/?-Zi=lvCYA3THHwf3zrDy6Hq/UQWt6LGRVtHVYfKCQGlaiZ/7JUYV8wEH0lTBDrKh23L7whpy&v2J83=dDHD9XVxev94 HTTP/1.1 Host: www.earlyeducationglobal.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 15, 2021 08:29:03.057670116 CEST	5996	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 15 Sep 2021 06:29:02 GMT Content-Type: text/html Content-Length: 275 ETag: "6139ed55-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x84 0x4E 0xED
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8C 0xCE 0xED
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8C 0xCE 0xED
GetMessageA	INLINE	0x48 0x8B 0xB8 0x84 0x4E 0xED

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Payment.exe PID: 5232 Parent PID: 808

General

Start time:	08:27:04
Start date:	15/09/2021
Path:	C:\Users\user\Desktop\Payment.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Payment.exe'
Imagebase:	0x1f0000
File size:	631296 bytes
MD5 hash:	933CEDBE56BD04ACDBBB183A0004162B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.243114794.0000000002621000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.243854024.0000000003619000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.243854024.0000000003619000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.243854024.0000000003619000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: Payment.exe PID: 1848 Parent PID: 5232

General

Start time:	08:27:17
Start date:	15/09/2021
Path:	C:\Users\user\Desktop\Payment.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\Payment.exe
Imagebase:	0x360000
File size:	631296 bytes
MD5 hash:	933CEDBE56BD04ACDBBB183A0004162B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: Payment.exe PID: 5352 Parent PID: 5232

General

Start time:	08:27:18
Start date:	15/09/2021
Path:	C:\Users\user\Desktop\Payment.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Payment.exe
Imagebase:	0x540000
File size:	631296 bytes
MD5 hash:	933CEDBE56BD04ACDBBB183A0004162B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.320708388.0000000000F60000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.320708388.0000000000F60000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.320708388.0000000000F60000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.322423525.00000000012D0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.322423525.00000000012D0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.322423525.00000000012D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3388 Parent PID: 5352

General

Start time:	08:27:21
Start date:	15/09/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff714890000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.289360000.000000000643E000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.289360000.000000000643E000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.289360000.000000000643E000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.268479166.000000000643E000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.268479166.000000000643E000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.268479166.000000000643E000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: cscript.exe PID: 6280 Parent PID: 3388

General

Start time:	08:27:47
Start date:	15/09/2021
Path:	C:\Windows\SysWOW64\cscript.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cscript.exe
Imagebase:	0xeb0000
File size:	143360 bytes
MD5 hash:	00D3041E47F99E48DD5FFFEDF60F6304
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.482181814.0000000004690000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.482181814.0000000004690000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.482181814.0000000004690000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.477004988.0000000000910000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.477004988.0000000000910000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.477004988.0000000000910000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 6500 Parent PID: 6280

General

Start time:	08:27:55
Start date:	15/09/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\Payment.exe'
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6520 Parent PID: 6500

General

Start time:	08:27:56
Start date:	15/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Payment.exe PID: 5232 Parent PID: 808 Payment.exeCOMMON

Executed Functions

Function 06BEB1C0, Relevance: 6.4, Strings: 4, Instructions: 1384COMMON

Download Yara Rule

Strings

!, xrefs: 06BEB490
J, xrefs: 06BEB667
x, xrefs: 06BEBB8E
m, xrefs: 06BEC530

Memory Dump Source

Source File: 00000001.00000002.246938549.0000000006BE0000.00000040.00000001.sdmp, Offset: 06BE0000, based on PE: false

Similarity

API ID:
String ID: !$J$m$x
API String ID: 0-3132199468
Opcode ID: f0b5da009e66d93175fa5307e3f5366ea536647434167c760a67cdfabfec9dc1
Instruction ID: 5948184c44a1a88683ee03c76ca16dd7d65c660d67c54c1b2b32179f7424ab7e
Opcode Fuzzy Hash: f0b5da009e66d93175fa5307e3f5366ea536647434167c760a67cdfabfec9dc1
Instruction Fuzzy Hash: E9E22630A00605CFD769EB74C854BADB7B2FF89305F1089A9D15AAB360EF35A985CF41

Uniqueness

Uniqueness Score: -1.00%

Function 06BE7A18, Relevance: 6.4, Strings: 4, Instructions: 1383COMMON

Download Yara Rule

Strings

!, xrefs: 06BEB490
J, xrefs: 06BEB667
x, xrefs: 06BEBB8E
m, xrefs: 06BEC530

Memory Dump Source

Source File: 00000001.00000002.246938549.0000000006BE0000.00000040.00000001.sdmp, Offset: 06BE0000, based on PE: false

Similarity

API ID:
String ID: !$J$m$x
API String ID: 0-3132199468
Opcode ID: a144fda56ee52982e8d0d299044b3865e919d7c003a835263bb943c308bc82e1
Instruction ID: adb0da0c0ab3d7846b7255db502b20be59dcf910a63529bb2ccbefbe73ccbcc1
Opcode Fuzzy Hash: a144fda56ee52982e8d0d299044b3865e919d7c003a835263bb943c308bc82e1
Instruction Fuzzy Hash: 17E22630A00605CFD769EB74C854BADB7B2FF89305F1089A9D15AAB360EF35A985CF41

Uniqueness

Uniqueness Score: -1.00%

Function 06BEB00C, Relevance: .6, Instructions: 598COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.246938549.0000000006BE0000.00000040.00000001.sdmp, Offset: 06BE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 546b8b609db1ee0f8acb7dec03a5561f76cddd8d17cdea6808f9b4e5368b7644
Instruction ID: d05866f339da3defec69aab8a8c7131810e3af5e526aa7b1ea1674fc2f126a38
Opcode Fuzzy Hash: 546b8b609db1ee0f8acb7dec03a5561f76cddd8d17cdea6808f9b4e5368b7644
Instruction Fuzzy Hash: CE526C74A00605CFCB14DF68C844B99B7B2FF86314F2586E9D5596F3A2DBB1A982CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06BED2A1, Relevance: .6, Instructions: 581COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.246938549.0000000006BE0000.00000040.00000001.sdmp, Offset: 06BE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c09cee894c0f1cad3bbd97856d196c17739b2fc327279e87ca887fd118edc6a5
Instruction ID: 452e69d6ffca70208656b23574dbd189443a23363a8ca124689ebccac588e202
Opcode Fuzzy Hash: c09cee894c0f1cad3bbd97856d196c17739b2fc327279e87ca887fd118edc6a5
Instruction Fuzzy Hash: FE525A74A00705CFCB14DF64C844B99B7B2BF86314F2586E9D4596F3A2DBB1A986CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00DBB670, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00DBB6D0
GetCurrentThread.KERNEL32 ref: 00DBB70D
GetCurrentProcess.KERNEL32 ref: 00DBB74A
GetCurrentThreadId.KERNEL32 ref: 00DBB7A3

Memory Dump Source

Source File: 00000001.00000002.242512093.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 75ac358199be8965ebaab8b914e1265229555a334465a09782af9d27c96c2662
Instruction ID: 18f31459b1209834d12cbd0644ddefae7445830897aabeddfddeed108d9abaf9
Opcode Fuzzy Hash: 75ac358199be8965ebaab8b914e1265229555a334465a09782af9d27c96c2662
Instruction Fuzzy Hash: 615146B4A00648CFDB14CFAAC548BDEBBF5AB89314F24845AE41AA7350DBB45844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00DBB66F, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00DBB6D0
GetCurrentThread.KERNEL32 ref: 00DBB70D
GetCurrentProcess.KERNEL32 ref: 00DBB74A
GetCurrentThreadId.KERNEL32 ref: 00DBB7A3

Memory Dump Source

Source File: 00000001.00000002.242512093.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 04cea6847c7e40ce369d353b77a77be5f29649de9077bec456e4e7f290bc0a3b
Instruction ID: f4b9569b3603e249f7c3e617659568951e8d6bf8cb6d593d711312054eede310
Opcode Fuzzy Hash: 04cea6847c7e40ce369d353b77a77be5f29649de9077bec456e4e7f290bc0a3b
Instruction Fuzzy Hash: 765157B0E00648CFDB14CFAAC588BDEBBF1AF89314F24845AE41AA7350DBB45844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00DBB661, Relevance: 6.1, APIs: 4, Instructions: 104threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00DBB6D0
GetCurrentThread.KERNEL32 ref: 00DBB70D
GetCurrentProcess.KERNEL32 ref: 00DBB74A
GetCurrentThreadId.KERNEL32 ref: 00DBB7A3

Memory Dump Source

Source File: 00000001.00000002.242512093.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 7fad42d76f0fdbc4e2100d1ff18283892c0ab4da7ce7fd209032f89aea4ab89c
Instruction ID: 61464b2b9eadd4ab7b199944c4c58bb26e73fc7fe88804062fce0aa308bd1355
Opcode Fuzzy Hash: 7fad42d76f0fdbc4e2100d1ff18283892c0ab4da7ce7fd209032f89aea4ab89c
Instruction Fuzzy Hash: 98416AB4A00348CFDB14CFA9D5487DEBBF1AF89318F24885AE05AA7351CBB55844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00DBFCCC, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00DBFDEA

Memory Dump Source

Source File: 00000001.00000002.242512093.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 1da7a5e958de799a1c1955c6ad8312341b72d49998cf736cebb824f7c1fa1dec
Instruction ID: a58121157f400be1a6d56fcb3eb2dd514f6598a6fb3b944c7e5e88a393338dde
Opcode Fuzzy Hash: 1da7a5e958de799a1c1955c6ad8312341b72d49998cf736cebb824f7c1fa1dec
Instruction Fuzzy Hash: FA51D0B1D00349DFDB14CFA9D884ADEBFB5BF48314F24822AE819AB250D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00DBFCD8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00DBFDEA

Memory Dump Source

Source File: 00000001.00000002.242512093.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: cecd99796fc2ba75f9b7cc5ad6dcd94df22bcf786586c49f20b58ce62a8355cd
Instruction ID: 52a9d2c41e09b776481997fdae3babdc1068cbf999d303d6e38a6d63675f2652
Opcode Fuzzy Hash: cecd99796fc2ba75f9b7cc5ad6dcd94df22bcf786586c49f20b58ce62a8355cd
Instruction Fuzzy Hash: 8041B0B5D00309DFDF14CF9AC984ADEBBB5BF48314F24862AE819AB250D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00DB5344, Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00DB5401

Memory Dump Source

Source File: 00000001.00000002.242512093.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: bef3c7b1cb41620ee6cc4bdf6b724e522a8c4e03caa6bb25a762895ad6a9ae9b
Instruction ID: f0bf541e6477f544c4ac34ba5b1b1e9d414cfe19f8b178e2679af78c5832796b
Opcode Fuzzy Hash: bef3c7b1cb41620ee6cc4bdf6b724e522a8c4e03caa6bb25a762895ad6a9ae9b
Instruction Fuzzy Hash: 78410470C00618CFDB24CFA9D8857DEBBB5BF48314F24819AD409AB255DB755946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00DB3DE4, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00DB5401

Memory Dump Source

Source File: 00000001.00000002.242512093.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0af6d35cfb48b22e370087b25a546f0aa7c8364912856f2024fedba8427115c0
Instruction ID: 5e0597b8be6fc26e58639aec9d0ddf39894780f31cc64b67bb42921ea6c9f914
Opcode Fuzzy Hash: 0af6d35cfb48b22e370087b25a546f0aa7c8364912856f2024fedba8427115c0
Instruction Fuzzy Hash: 6E41E271C00718CFDB24CFA9D884BCEBBB5BF49304F24856AD409AB255DBB56945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DBB890, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DBB91F

Memory Dump Source

Source File: 00000001.00000002.242512093.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a8363ff437c6ca6a2d62016816b2bf70898990c2ff3a90f91ec2d270c7b6c085
Instruction ID: a62701163fb768365ecb8372b20a0d5122af757fdb155a8a8dd251f6ed94945d
Opcode Fuzzy Hash: a8363ff437c6ca6a2d62016816b2bf70898990c2ff3a90f91ec2d270c7b6c085
Instruction Fuzzy Hash: 412105B59002489FDF10CFA9D584AEEBFF4EF48324F14841AE955A3310D378A955CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00DBB898, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DBB91F

Memory Dump Source

Source File: 00000001.00000002.242512093.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 980ea364cb766dc813d405afdca2295b712334053524ea29d8741fd2d68408e9
Instruction ID: a1378fd66b4928fadb678355535f2c890626d225957e86df5756a6f327c93c4e
Opcode Fuzzy Hash: 980ea364cb766dc813d405afdca2295b712334053524ea29d8741fd2d68408e9
Instruction Fuzzy Hash: 4921C4B59012099FDB10CF9AD584ADEBBF8EB48324F14841AE955A3350D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DB9458, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00DB9931,00000800,00000000,00000000), ref: 00DB9B42

Memory Dump Source

Source File: 00000001.00000002.242512093.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 110741795b5e451c56baa25b731ec981c2a9a313c9722a52e8fb34f6e9bcd61b
Instruction ID: a6db3e769ce8313d08d1425ac564c4dcfd02e09f4c1fe6113aa95aa66477ebed
Opcode Fuzzy Hash: 110741795b5e451c56baa25b731ec981c2a9a313c9722a52e8fb34f6e9bcd61b
Instruction Fuzzy Hash: B21114B6D00248CFCB10CF9AD494ADEFBF4EB48324F14842AE516A7600C3B4A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00DB9AD1, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00DB9931,00000800,00000000,00000000), ref: 00DB9B42

Memory Dump Source

Source File: 00000001.00000002.242512093.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 39af286f7d6d37e309b1406e6cb9859880c8e0500a4a05aecc8fb63c0555d378
Instruction ID: 8e3307a9e3782338ea1712069acc0bbf8475cc730c243e2f222bd6d1f36be772
Opcode Fuzzy Hash: 39af286f7d6d37e309b1406e6cb9859880c8e0500a4a05aecc8fb63c0555d378
Instruction Fuzzy Hash: 972103B6900248CFCB10CFAAD494ADEFBF4EB98324F14842AE556A7600C375A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00DB9848, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00DB98B6

Memory Dump Source

Source File: 00000001.00000002.242512093.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b01d91f55b22c844758430c799a16b7cf486da4d55c6dbe0b62f2ad3f2e6a78c
Instruction ID: 812d681cd84408da7b06421798afff19e082e434242c7ff24cef74532f0bd8e9
Opcode Fuzzy Hash: b01d91f55b22c844758430c799a16b7cf486da4d55c6dbe0b62f2ad3f2e6a78c
Instruction Fuzzy Hash: CC1123B6C006498FCB10CF9AD445BDEFBF4EB49324F14846AD45AA7600C379A546CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DB9850, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00DB98B6

Memory Dump Source

Source File: 00000001.00000002.242512093.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9b62066dbfdefb243caa9c8ebc17d6b45116503198d7cae539058eebbc749088
Instruction ID: 84a5d188b5f350fd81ff4b65623fa972246fad8c98db17c3220ee1b6afabb39e
Opcode Fuzzy Hash: 9b62066dbfdefb243caa9c8ebc17d6b45116503198d7cae539058eebbc749088
Instruction Fuzzy Hash: E31110B6D006498FCB10CF9AD444BDEFBF4EB89324F14842AD91AB7600C379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DBFF18, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00DBFF7D

Memory Dump Source

Source File: 00000001.00000002.242512093.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 6ed0b4e31e5b113383f0fb1f055e669ba0e3a133c817a149117d6f1b0436b37f
Instruction ID: 5599a72f2a848bd959622efe812c6a5475cf1c75b5dea74a8de6f12171829bbf
Opcode Fuzzy Hash: 6ed0b4e31e5b113383f0fb1f055e669ba0e3a133c817a149117d6f1b0436b37f
Instruction Fuzzy Hash: 0F1103B6900249CFDB10CF99D984BDEFBF8EB48324F14845AE955A7640C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DBFF20, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00DBFF7D

Memory Dump Source

Source File: 00000001.00000002.242512093.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: ad9e1b2d277430fec6da7c0d8f6ba1f8ae182073c342ad9e355465c511d0d94c
Instruction ID: 275d0f7dffb1eb73dc8291f09405f0a7f78ab97aa4219ba7d848adfe164b9c1a
Opcode Fuzzy Hash: ad9e1b2d277430fec6da7c0d8f6ba1f8ae182073c342ad9e355465c511d0d94c
Instruction Fuzzy Hash: 2E11D0B59002099FDB10CF9AD985BDEBBF8EB48324F24851AE959A7740C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 001F2211, Relevance: .4, Instructions: 446
COMMONCrypto

Download Yara Rule

C-Code - Quality: 76%

			E001F2211(intOrPtr* __eax, char* __ebx, signed int __ecx, signed int __edx, void* __edi, void* __fp0) {
				intOrPtr* _t434;
				intOrPtr* _t436;
				intOrPtr* _t438;
				intOrPtr* _t439;
				intOrPtr* _t440;
				intOrPtr* _t441;
				signed char _t442;
				signed char _t443;
				signed int _t444;
				signed int _t445;
				intOrPtr* _t446;
				signed int _t447;
				signed char _t448;
				intOrPtr* _t450;
				intOrPtr* _t451;
				signed int _t452;
				signed char _t453;
				signed char _t454;
				signed char _t457;
				intOrPtr* _t458;
				signed int _t460;
				signed char _t461;
				signed char _t463;
				signed char _t464;
				signed char _t466;
				signed char _t467;
				signed int* _t468;
				signed int _t469;
				signed char _t474;
				signed char _t475;
				signed int _t480;
				intOrPtr* _t481;
				intOrPtr* _t482;
				intOrPtr* _t483;
				intOrPtr* _t484;
				intOrPtr* _t485;
				intOrPtr* _t486;
				signed char _t487;
				signed char _t488;
				signed char _t490;
				signed char _t491;
				signed char _t493;
				signed int* _t495;
				signed char _t496;
				signed int _t497;
				signed char _t498;
				signed char _t499;
				signed char _t500;
				signed int _t502;
				signed char _t503;
				intOrPtr* _t504;
				intOrPtr* _t505;
				intOrPtr* _t506;
				intOrPtr* _t507;
				intOrPtr* _t508;
				intOrPtr* _t509;
				intOrPtr* _t510;
				intOrPtr* _t514;
				signed char _t515;
				signed char _t516;
				signed char _t518;
				signed char _t519;
				signed char _t520;
				signed char _t523;
				signed char _t524;
				signed char _t525;
				signed char _t526;
				signed char _t527;
				signed char _t528;
				signed char _t529;
				signed char _t530;
				signed char _t531;
				signed char _t926;
				signed char _t927;
				intOrPtr* _t928;
				intOrPtr* _t929;
				intOrPtr* _t930;
				intOrPtr* _t931;
				intOrPtr* _t933;
				intOrPtr* _t936;
				signed int* _t937;
				intOrPtr* _t939;
				signed char _t943;
				signed char _t945;
				signed char _t946;
				intOrPtr* _t948;
				void* _t949;
				intOrPtr* _t950;
				signed char _t951;
				signed char _t952;
				signed char _t956;
				signed int _t957;
				signed char _t958;
				char* _t962;
				signed char _t963;
				signed int _t964;
				void* _t965;
				signed char _t1030;
				signed char _t1031;
				signed char _t1032;
				signed char _t1034;
				signed char _t1035;
				signed char _t1036;
				signed char _t1037;
				signed char _t1038;
				signed char _t1039;
				signed char _t1041;
				signed char _t1042;
				signed char _t1043;
				void* _t1044;
				void* _t1045;
				char* _t1047;
				signed char _t1048;
				signed char _t1049;
				signed char _t1050;
				signed char _t1051;
				signed char _t1052;
				signed char _t1053;
				signed char _t1054;
				signed char _t1133;
				signed char _t1135;
				signed int* _t1136;
				signed char _t1137;
				signed char _t1139;
				signed char _t1140;
				signed char _t1142;
				signed char _t1144;
				signed char _t1145;
				signed int* _t1148;
				void* _t1177;
				void* _t1178;
				signed int _t1179;
				signed int _t1198;
				signed int _t1199;
				void* _t1209;
				signed int _t1210;
				signed int _t1211;
				signed int _t1212;
				void* _t1214;
				signed int _t1223;
				signed int _t1224;
				signed int _t1225;
				intOrPtr* _t1256;
				void* _t1303;
				void* _t1608;

				_t1608 = __fp0;
				_t1178 = __edi;
				_t1198 =  *__edx * 0x57b02e9;
				 *__eax =  *__eax + __eax;
				_t434 = __eax + 0x6f;
				 *_t434 =  *_t434 - _t434;
				 *__edx =  *__edx + __ecx;
				asm("outsd");
				 *__edx =  *__edx + __ecx;
				 *__ebx =  *__ebx + 1;
				asm("adc eax, [esi]");
				asm("adc [esi], eax");
				_t436 = _t434 - 0xffffffffffffffde;
				 *_t436 =  *_t436 + _t436;
				_t438 = _t436 + 0x6f -  *((intOrPtr*)(_t436 + 0x6f));
				 *__edx =  *__edx + __ecx;
				 *_t438 =  *_t438 + _t438;
				_t439 = _t438 + 0x6f;
				 *_t439 =  *_t439 - _t439;
				 *__edx =  *__edx + __ecx;
				asm("outsd");
				_t440 = _t439 - 0x170a0000;
				asm("outsd");
				 *[cs:eax] =  *[cs:eax] + _t440;
				_t943 = __ebx +  *((intOrPtr*)(__ebx + 5)) +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 5)) + 5)) | __edx;
				_t1135 = __edx ^  *_t943;
				es = ss;
				 *_t440 =  *_t440 + _t440;
				_t441 = _t440 + 0x6f;
				 *_t441 =  *_t441 - _t441;
				 *_t1135 =  *_t1135 + __ecx;
				asm("outsd");
				 *_t441 =  *_t441 - _t441;
				 *_t1135 =  *_t1135 + __ecx;
				_t945 = _t943 +  *((intOrPtr*)(_t943 + 5)) +  *((intOrPtr*)(_t943 +  *((intOrPtr*)(_t943 + 5)) + 6));
				 *_t441 =  *_t441 + _t441;
				_t442 = _t441 + 0x11;
				es = ss;
				asm("outsd");
				asm("das");
				 *_t442 =  *_t442 + _t442;
				_t1034 = __ecx |  *(__edi + 0x2a);
				 *_t442 =  *_t442 + _t442;
				_t443 = _t442 |  *_t1135;
				if(_t443 == 0) {
					 *_t443 =  *_t443 + _t443;
					_t443 = _t443 + 0x17;
					asm("outsd");
					asm("daa");
				}
				 *_t443 =  *_t443 + _t443;
				_t946 = _t945 | _t1135;
				 *_t1135 =  *_t1135 + _t1034;
				 *_t443 =  *_t443 + _t1135;
				 *_t443 =  *_t443 + _t443;
				 *_t443 =  *_t443 + _t443;
				_pop(_t1035);
				 *((intOrPtr*)(_t443 + 0x3c3200f9)) =  *((intOrPtr*)(_t443 + 0x3c3200f9)) + _t443;
				 *_t443 =  *_t443 + _t443;
				 *_t946 =  *_t946 + _t1135;
				 *0x4a00 =  *0x4a00 ^ _t443;
				 *((intOrPtr*)(_t443 + _t443)) =  *((intOrPtr*)(_t443 + _t443)) + _t443;
				 *_t1035 =  *_t1035 + _t1135;
				 *_t443 =  *_t443 + _t443;
				_t444 = _t443 + 0x6f;
				 *_t444 =  *_t444 - _t444;
				 *_t1135 =  *_t1135 + _t1035;
				asm("sbb [ebp+0x1000059], ecx");
				_t445 = _t444 & 0x226f0316;
				 *_t445 =  *_t445 + _t445;
				_push(es);
				 *0x6f031725 = _t445;
				 *_t445 =  *_t445 & _t445;
				 *_t1198 =  *_t1198 + _t445;
				 *0x6f031825 = _t445;
				_push(ds);
				 *_t445 =  *_t445 + _t445;
				_push(es);
				 *0x306f = _t445;
				_t1036 = _t1035 |  *_t1135;
				_t948 = _t946 +  *((intOrPtr*)(_t946 + 5)) +  *((intOrPtr*)(_t946 +  *((intOrPtr*)(_t946 + 5)) + 5));
				 *_t445 =  *_t445 + _t445;
				_t446 = _t445 + 0x6f;
				 *_t446 =  *_t446 - _t446;
				 *_t1135 =  *_t1135 + _t1036;
				asm("outsd");
				_t447 = _t446 - 0x30a0000;
				asm("outsd");
				 *_t447 =  *_t447 ^ _t447;
				 *_t1135 =  *_t1135 + _t1036;
				_t448 = _t447 -  *_t447;
				 *_t1198 =  *_t1198 + _t948;
				_t1037 = _t1036 +  *_t448;
				es = es;
				 *_t448 =  *_t448 + _t448;
				_push(es);
				_t949 = _t948 -  *_t948;
				 *_t1135 =  *_t1135 ^ _t448;
				_t1136 = _t1135 + _t1037;
				 *_t448 =  *_t448 + _t448;
				 *0x2110000 =  *0x2110000 + _t448;
				if( *0x2110000 == 0) {
					 *_t448 =  *_t448 + _t448;
				}
				 *((intOrPtr*)(_t1136 + _t1223)) =  *((intOrPtr*)(_t1136 + _t1223)) + _t448;
				 *_t1037 =  *_t1037 + 1;
				_t450 = (_t448 |  *_t1198) - 5;
				_t950 = _t949 +  *((intOrPtr*)(_t949 + 1));
				 *_t450 =  *_t450 + _t450;
				_t451 = _t450 + 2;
				if(_t451 == 0) {
					 *_t451 =  *_t451 + _t451;
				}
				_t452 = _t451 + 0x6f;
				_push(0);
				 *_t1198 =  *_t1198 + _t452;
				_t453 = _t452 |  *_t1136;
				 *_t1037 =  *_t1037 - _t1037;
				 *_t453 =  *_t453 + _t453;
				_push(es);
				_t454 = _t453 | 0x00000007;
				 *_t454 =  *_t454 | _t1037;
				 *_t454 =  *_t454 + _t454;
				 *_t950 =  *_t950 + _t1037;
				 *_t1136 =  *_t1136 - _t454;
				 *_t454 =  *_t454 + _t454;
				_t1038 = _t1037 -  *0x1280708;
				 *_t454 =  *_t454 + _t454;
				_t1210 = _t1209 -  *_t454;
				 *_t950 =  *_t950 + _t1038;
				asm("adc eax, [ecx+edx]");
				_t457 = _t454 +  *_t454 + 0x0000006f ^ 0x00000000;
				 *_t1136 =  *_t1136 + _t1038;
				asm("adc eax, [0x512252b]");
				 *0x130a0000 =  *0x130a0000 - _t1136;
				_push(es);
				_t1137 = _t1136 +  *_t1038;
				_push(es);
				 *_t457 =  *_t457 - _t1038;
				 *_t457 =  *_t457 + _t457;
				_push(es);
				asm("adc eax, [edi]");
				_t951 = _t950 +  *((intOrPtr*)(_t950 + 5));
				 *_t457 =  *_t457 + _t457;
				_t458 = _t457 + 0x6f;
				 *_t458 =  *_t458 - _t458;
				 *_t1137 =  *_t1137 + _t1038;
				asm("adc [edi], eax");
				asm("outsd");
				 *[ss:eax] =  *[ss:eax] + _t458;
				_t1039 = _t1038 |  *0x120eded2;
				_t460 = _t458 + 0x84e26;
				 *_t951 =  *_t951 + _t951;
				asm("outsd");
				_push(es);
				 *_t460 =  *_t460 + _t460;
				_t952 = _t951 | _t460;
				 *(_t1178 + 0x34) =  *(_t1178 + 0x34) | _t1210;
				 *_t460 =  *_t460 + _t460;
				_t1139 = _t1137 |  *_t1137 |  *_t952;
				 *_t952 =  *_t952 | _t1039;
				asm("adc [edx], edx");
				 *_t460 =  *_t460 | _t1039;
				_t461 = _t460 ^ 0x130a0000;
				 *_t1139 =  *_t1139 | _t461;
				asm("adc [ecx], ecx");
				 *0x12060000 =  *0x12060000 - _t461;
				 *_t461 =  *_t461 | _t1039;
				asm("aaa");
				 *_t461 =  *_t461 + _t461;
				_t1140 = _t1139 | _t952;
				_push(ss);
				 *_t461 =  *_t461 | _t461;
				 *_t952 =  *_t952 + _t952;
				asm("outsd");
				_push(es);
				 *_t461 =  *_t461 + _t461;
				asm("fiadd word [ebx]");
				asm("fiadd word [es:eax]");
				_t463 = _t461 -  *_t461 |  *(_t1039 |  *0x120edee6);
				 *_t463 =  *_t463 - _t463;
				 *_t1140 =  *_t1140 + _t463;
				 *_t463 =  *_t463 + _t1140;
				_t464 = _t463 ^  *(_t1140 + 0xe00);
				 *_t464 =  *_t464 + _t464;
				_t466 = _t464 +  *_t464;
				 *_t1198 =  *_t1198 + (_t952 | _t461);
				 *_t466 =  *_t466 + _t466;
				 *_t466 =  *_t466 + _t466;
				 *_t466 =  *_t466 + _t466;
				asm("adc eax, [eax]");
				 *0xc6 =  *0xc6 + _t466;
				_t1041 = cs;
				 *_t466 =  *_t466 + _t466;
				 *0xc6 =  *0xc6;
				 *0xc6 =  *0xc6 ^ _t466;
				 *_t1041 =  *_t1041;
				 *_t466 =  *_t466 + _t466;
				 *_t1198 =  *_t1198 + _t466;
				 *_t466 =  *_t466 + _t466;
				asm("adc [ebx+0x17], esi");
				 *_t466 =  *_t466 + _t466;
				_push(es);
				_t467 = _t466 |  *_t1198;
				_t1179 = _t1178 +  *((intOrPtr*)(_t1210 + 0x15));
				 *_t467 =  *_t467 + _t467;
				_t468 = _t467 + 2;
				if(_t468 == 0) {
					 *_t468 = _t468 +  *_t468;
					_t468 =  &(_t468[0x1b]);
					 *_t468 =  *_t468 - _t468;
				}
				 *_t468 = _t468 +  *_t468;
				_t1042 = _t1041 |  *_t468;
				_t469 = _t468 +  *_t468;
				 *0xc6 =  *0xc6 + _t1042;
				_push(es);
				 *_t1198 =  *_t1198 + 1;
				asm("sbb [eax], al");
				 *_t1198 =  *_t1198 + _t469;
				if( *_t1198 >= 0) {
					L13:
					_push(es);
					asm("adc eax, 0x73060000");
				} else {
					 *_t469 =  *_t469 + _t469;
					_t1133 = _t1042 |  *_t469;
					 *0xc6 =  *0xc6 + _t1133;
					_t936 = (_t469 |  *_t1179) -  *(_t469 |  *_t1179);
					 *_t936 =  *_t936 + _t936;
					asm("adc esi, [eax]");
					_t937 = _t936 +  *_t936;
					 *_t937 = _t937 +  *_t937;
					_pop(es);
					 *_t937 = _t937 +  *_t937;
					asm("adc [edx], eax");
					if( *_t937 == 0) {
						 *_t937 = _t937 +  *_t937;
						_t937 =  &(_t937[0x1b]);
						 *_t937 =  *_t937 - _t937;
					}
					 *_t937 = _t937 +  *_t937;
					_t1042 = _t1133 |  *_t937;
					_t469 = _t937 +  *_t937;
					 *0xc6 =  *0xc6 + _t1042;
					if( *0xc6 > 0) {
						 *_t469 =  *_t469 + _t469;
						_t939 = _t469 + 0x25 - 0x127e2617;
						 *_t939 =  *_t939 + _t939;
						_t469 = _t939 + 0xfe;
						goto L13;
					}
				}
				 *0 =  *0 + _t1042;
				 *0xc6 =  *0xc6 + _t1042;
				_t474 = (_t469 & 0x00001380) + 0x282b0028 +  *((intOrPtr*)((_t469 & 0x00001380) + 0x282b0028)) |  *_t1198;
				_t1142 = 0 -  *0xc6;
				 *0xc6 =  *0xc6 ^ _t474;
				 *((intOrPtr*)(_t474 + _t474)) =  *((intOrPtr*)(_t474 + _t474)) + 0xc6;
				 *_t474 =  *_t474 + _t474;
				_pop(es);
				 *_t474 =  *_t474 + _t474;
				asm("adc [edx], eax");
				if( *_t474 == 0) {
					 *_t474 =  *_t474 + _t474;
					_t474 = _t474 + 0x6f;
				}
				 *_t474 =  *_t474 + _t474;
				_t1043 = _t1042 |  *_t474;
				_t475 = _t474 +  *_t474;
				 *0xc6 =  *0xc6 + _t1043;
				if( *0xc6 <= 0) {
					L18:
					 *_t475 =  *_t475 + _t475;
					 *0xc6 =  *0xc6 + _t1043;
					_t480 = (_t475 |  *0x1480) + 0x282b0028 +  *((intOrPtr*)((_t475 |  *0x1480) + 0x282b0028)) |  *_t1198;
					_t1142 = _t1142 -  *0xc6;
					 *_t1142 =  *_t1142 ^ _t480;
					 *0xc6 =  *0xc6 + _t480;
					 *_t480 =  *_t480 + _t480;
					 *_t480 =  *_t480 + _t1043;
					 *_t480 =  *_t480 + _t480;
					asm("adc [edx], eax");
					 *_t1142 =  *_t1142 - _t1043;
					 *_t480 =  *_t480 + _t480;
					_push(es);
					 *_t1198 =  *_t1198 - _t480;
					L19:
					_push(es);
					 *_t480 =  *_t480 + _t480;
					_t1044 = _t1043 -  *_t1142;
					asm("adc al, 0xfe");
					 *0xc6 =  *0xc6 + _t1044;
					es = es;
					_t481 = _t480 - 2;
					_t1043 = _t1044 -  *((intOrPtr*)(_t1142 + _t481));
					if(_t1043 == 0) {
						goto L20;
					}
				} else {
					 *_t475 =  *_t475 + _t475;
					_t933 = _t475 + 0x25 - 0x127e2617;
					 *_t933 =  *_t933 + _t933;
					_t481 = _t933 + 0xfe;
					_push(es);
					_push(ss);
					 *_t481 =  *_t481 + _t481;
					_push(es);
					if( *_t481 >= 0) {
						L20:
						 *_t481 =  *_t481 + _t481;
						_t931 = _t481 + 6;
						asm("outsd");
						 *[es:eax] =  *[es:eax] + _t931;
						_push(es);
						_t481 = _t931 -  *_t931;
						_t1256 = _t481;
					} else {
						goto L18;
					}
				}
				asm("bound eax, [edx]");
				if(_t1256 == 0) {
					 *_t481 =  *_t481 + _t481;
				}
				 *((intOrPtr*)(_t1142 + _t481)) =  *((intOrPtr*)(_t1142 + _t481)) + _t481;
				 *_t1142 =  *_t1142 - _t1043;
				 *_t481 =  *_t481 + _t481;
				_push(es);
				asm("outsd");
				if ( *_t481 < 0) goto L24;
				 *_t1198 =  *_t1198 + _t481;
				_t1045 = _t1043 +  *_t481;
				_t482 = _t481;
				 *_t1198 =  *_t1198 + _t482;
				_t483 = _t482 -  *_t482;
				 *_t483 =  *_t483 + _t483;
				asm("bound eax, [edx]");
				if( *_t483 == 0) {
					 *_t483 =  *_t483 + _t483;
				}
				_t25 = _t1142 + _t483;
				 *_t25 =  *((intOrPtr*)(_t1142 + _t483)) + _t483;
				if( *_t25 == 0) {
					 *_t483 =  *_t483 + _t483;
				}
				_t484 = _t483 + 0x6f;
				if (_t484 >= 0) goto L29;
				 *_t1198 =  *_t1198 + _t484;
				_t1043 = _t1045 +  *_t484;
				_t485 = _t484;
				 *_t1198 =  *_t1198 + _t485;
				_t486 = _t485 -  *_t485;
				 *_t486 =  *_t486 + _t486;
				asm("adc esi, [eax]");
				_t480 = _t486 +  *_t486;
				asm("sbb al, [eax]");
				 *_t480 =  *_t480 + _t480;
				 *_t480 =  *_t480 | _t480;
				 *_t1043 =  *_t1043 + _t1142;
				if( *_t1043 >= 0) {
					goto L19;
				}
				 *_t480 =  *_t480 + _t480;
				_push(es);
				_t487 = _t480 & 0x00017b02;
				 *((intOrPtr*)(_t1179 + _t1210 * 2)) =  *((intOrPtr*)(_t1179 + _t1210 * 2)) + _t487;
				asm("lahf");
				 *_t487 =  *_t487 + _t487;
				_push(es);
				_t488 = _t487 |  *_t1198;
				asm("outsd");
				 *[ds:eax] =  *[ds:eax] + _t488;
				_t490 = (_t488 |  *_t1198) -  *(_t488 |  *_t1198);
				 *0xc6 = 0xc6 +  *0xc6;
				 *0xc6 =  *0xc6 ^ _t490;
				 *_t490 =  *_t490 + _t490;
				 *_t1142 =  *_t1142 + _t1043;
				 *_t490 =  *_t490 + _t490;
				asm("adc [edi+ebp*2], eax");
				asm("aas");
				 *_t490 =  *_t490 + _t490;
				_t956 = 0x18c |  *_t1179;
				 *[cs:ecx] =  *[cs:ecx] + 1;
				_t491 = _t490 | 0x00000008;
				 *_t491 =  *_t491 + _t491;
				 *_t1142 =  *_t1142 + _t491;
				if( *_t1142 == 0) {
					 *_t491 =  *_t491 + _t491;
				}
				_t31 = _t1223 + _t1210;
				 *_t31 =  *((intOrPtr*)(_t1223 + _t1210)) + _t491;
				asm("adc [edx], al");
				if( *_t31 == 0) {
					 *_t491 =  *_t491 + _t491;
				}
				 *((intOrPtr*)(_t1179 + _t1210 * 2)) =  *((intOrPtr*)(_t1179 + _t1210 * 2)) + _t491;
				_pop(_t1211);
				 *_t491 =  *_t491 + _t491;
				_push(es);
				asm("sbb dh, bh");
				 *_t956 =  *_t956 + _t1211;
				 *_t1179 =  *_t1179 + _t1142;
				asm("adc eax, [ecx+edx]");
				_t493 = _t491 + 0xc964;
				 *_t1142 =  *_t1142 + _t493;
				 *_t1142 =  *_t1142 - _t1043;
				 *_t493 =  *_t493 + _t493;
				_push(es);
				asm("outsd");
				_t495 = (_t493 |  *_t1198) + 1;
				do {
					 *_t495 = _t495 +  *_t495;
					 *_t1043 =  *_t1043 + 1;
					asm("adc eax, [0x52c0511]");
					asm("outsd");
					_t495 =  &(_t495[0]);
					 *_t495 = _t495 +  *_t495;
					_t1142 = _t1142 |  *_t1198 |  *_t1179;
					 *_t495 =  *_t495 ^ _t1043;
				} while ( *_t495 != 0);
				asm("iretd");
				asm("stosd");
				 *_t495 =  *_t495 - _t1142;
				 *_t495 = _t495 +  *_t495;
				_push(es);
				_t957 = _t956 -  *_t1198;
				_push(es);
				asm("outsd");
				_t496 =  &(_t495[0]);
				 *_t496 =  *_t496 + _t496;
				_t1144 = _t1142 |  *_t957;
				 *_t1144 =  *_t1144 | _t1144;
				 *_t496 =  *_t496 | _t1043;
				 *_t496 =  *_t496 + _t496;
				_t497 = _t496 |  *_t496;
				_t1047 = _t1043 + 1 - 1;
				asm("jecxz 0xffffffd1");
				asm("stosd");
				 *_t497 =  *_t497 - _t1144;
				 *_t497 =  *_t497 + _t497;
				_push(es);
				 *_t1144 =  *_t1144 - _t497;
				 *_t1144 =  *_t1144 + _t1047;
				_t498 = _t497 | 0xcfe35920;
				asm("stosd");
				 *_t498 =  *_t498 - _t1144;
				 *_t498 =  *_t498 + _t498;
				 *_t498 =  *_t498 | _t1211;
				_t1145 = _t1144 + 1;
				 *_t498 =  *_t498 + _t498;
				_t499 = _t498 |  *_t498;
				_t958 = _t957 & _t1223;
				asm("iretd");
				asm("stosd");
				 *_t499 =  *_t499 - _t1145;
				 *_t499 =  *_t499 + _t499;
				ss = es;
				 *_t958 =  *_t958 - _t499;
				 *_t1145 =  *_t1145 + _t1047;
				ss = es;
				 *_t1047 =  *_t1047 + 1;
				_push(ss);
				 *_t1047 =  *_t1047 + 1;
				asm("adc eax, [esi]");
				asm("adc [esi], eax");
				_t500 = _t499 - 2;
				_t1048 = _t1047 -  *((intOrPtr*)(_t1198 + _t500 + 0x6f));
				 *_t1145 =  *_t1145 + _t1048;
				asm("adc ecx, [ecx]");
				_t1212 = _t1211 -  *_t1048;
				asm("adc cl, [ecx]");
				 *0xb0a0000 =  *0xb0a0000 - _t1145;
				_t502 = (_t500 ^ 0x00000000) +  *_t1179;
				 *_t502 =  *_t502 - _t1048;
				 *_t502 =  *_t502 + _t502;
				asm("adc eax, [edi]");
				es = es;
				asm("outsd");
				_t503 = _t502 & 0x02060000;
				if(_t503 == 0) {
					 *_t503 =  *_t503 + _t503;
					_t503 = _t503 + 0x6f;
					 *_t503 =  *_t503 - _t503;
				}
				 *_t503 =  *_t503 + _t503;
				_pop(es);
				asm("outsd");
				 *[ss:eax] =  *[ss:eax] + _t503;
				 *_t503 =  *_t503 | _t1212;
				asm("aaa");
				 *_t503 =  *_t503 + _t503;
				_t1049 = _t1048 |  *0x120edece;
				_t1199 = _t1198 | _t1179;
				_push(ss);
				 *_t503 =  *_t503 | _t503;
				 *_t958 =  *_t958 + _t958;
				asm("outsd");
				_push(es);
				 *_t503 =  *_t503 + _t503;
				_t504 = _t503 -  *_t503;
				 *_t504 =  *_t504 + (_t1145 |  *_t1048 |  *(_t1145 |  *_t1048));
				 *_t504 =  *_t504 + _t504;
				_t505 = _t504 +  *_t504;
				_t1148 = 0xf03600;
				_push(cs);
				 *_t505 =  *_t505 + _t505;
				 *_t505 =  *_t505 + _t505;
				asm("bound eax, [edx]");
				 *_t505 =  *_t505 + _t505;
				_t506 = _t505 + 0x6f;
				_t1224 = _t1223 + 1;
				 *_t506 =  *_t506 + _t506;
				 *_t506 =  *_t506 + _t506;
				_t507 = _t506 + 2;
				 *((intOrPtr*)(_t507 + _t507)) =  *((intOrPtr*)(_t507 + _t507)) - _t507;
				 *_t1199 =  *_t1199 + _t507;
				_t508 = _t507 -  *_t507;
				 *_t508 =  *_t508 + _t508;
				asm("adc esi, [eax]");
				_t509 = _t508 +  *_t508;
				 *[es:eax] =  *[es:eax] + _t509;
				 *0xf03600 =  *0xf03600 + _t509;
				 *_t509 =  *_t509 + _t509;
				asm("adc [ebx], eax");
				_t510 = _t509 - 0xb;
				_t962 = ((_t958 | _t503) +  *((intOrPtr*)((_t958 | _t503) + 0x11)) |  *(_t1212 + 2)) +  *((intOrPtr*)(((_t958 | _t503) +  *((intOrPtr*)((_t958 | _t503) + 0x11)) |  *(_t1212 + 2)) + 3));
				 *_t510 =  *_t510 + _t510;
				 *_t962 =  *_t962 + 1;
				_push(ss);
				_t514 = (_t510 + 0x00000014 -  *_t1049 |  *_t1199) - 0xb;
				_t963 = _t962 +  *((intOrPtr*)(_t962 + 3));
				 *_t514 =  *_t514 + _t514;
				_t515 = _t514 + 0x6f;
				_push(es);
				 *_t515 =  *_t515 + _t515;
				_t516 = _t515 |  *0xf03600;
				_t1214 = _t1212 +  *_t516 + 1;
				 *_t516 =  *_t516 + _t516;
				_t1050 = _t1049 |  *0xf03600;
				 *_t516 =  *_t516 + _t516;
				asm("adc esi, [eax]");
				_push(es);
				_t518 = _t516 + _t963 |  *(_t516 + _t963);
				 *_t963 =  *_t963 + _t1050;
				 *_t518 =  *_t518 + _t518;
				asm("adc [ebx+0x46], esi");
				 *_t518 =  *_t518 + _t518;
				_t1051 = _t1050 |  *0xf03600;
				if(_t1051 >= 0) {
					L49:
					_t963 = _t963 |  *(_t1214 + 0xe);
					 *_t518 =  *_t518 + _t518;
					_t518 = _t518 + 2;
					goto L50;
				} else {
					 *_t518 =  *_t518 + _t518;
					_t1051 = _t1051 |  *_t963;
					if(_t1051 >= 0) {
						L50:
						_t1148 = _t1148 +  *((intOrPtr*)(_t963 + 0x4a));
					} else {
						 *_t518 =  *_t518 + _t518;
						_t1051 = _t1051 |  *(0xf03600 + _t518);
						if(_t1051 >= 0) {
							 *_t518 =  *_t518 + _t518;
							_t519 = _t518 + 2;
							if(_t519 >= 0) {
								if(_t1303 == 0) {
									 *_t519 =  *_t519 + _t519;
									_t519 = _t519 + 0x6f;
								}
								_t1179 = _t1179 - 1;
								 *_t519 =  *_t519 + _t519;
								_t519 = _t519 |  *_t1148;
								if (_t519 != 0) goto L73;
								goto L71;
							} else {
								 *_t519 =  *_t519 + _t519;
								_t963 = _t963 |  *(_t1214 + 7);
								 *_t519 =  *_t519 + _t519;
								goto L54;
							}
						} else {
							 *_t518 =  *_t518 + _t518;
							_t963 = _t963 |  *(_t1214 + 4);
							 *_t518 =  *_t518 + _t518;
							_t519 = _t518 + 2;
							if(_t519 >= 0) {
								L54:
								_t56 = _t1148 + _t519;
								 *_t56 =  *((intOrPtr*)(_t1148 + _t519)) + _t519;
								if( *_t56 >= 0) {
									L71:
									_t927 = _t519;
								} else {
									 *_t519 =  *_t519 + _t519;
									_t963 = _t963 |  *(_t1214 + 8);
									 *_t519 =  *_t519 + _t519;
									goto L56;
								}
							} else {
								 *_t519 =  *_t519 + _t519;
								_t963 = _t963 |  *(_t1214 + 6);
								 *_t519 =  *_t519 + _t519;
								_t519 = _t519 + 2;
								if(_t519 >= 0) {
									L56:
									_t519 = _t519 + 2;
									if(_t519 >= 0) {
										 *_t1148 =  *_t1148 + _t1051;
										_t964 = _t963 +  *((intOrPtr*)(_t963 + 4));
										_t520 = _t519;
									} else {
										 *_t519 =  *_t519 + _t519;
										_t1030 = _t963 |  *(_t1214 + 9);
										 *_t519 =  *_t519 + _t519;
										_t928 = _t519 + 2;
										goto L58;
									}
								} else {
									 *_t519 =  *_t519 + _t519;
									_t1030 = _t963 |  *(_t1214 + 5);
									 *_t519 =  *_t519 + _t519;
									_t928 = _t519 + 2;
									if(_t928 >= 0) {
										L58:
										_t1148 = _t1148 +  *((intOrPtr*)(_t1030 + 0x4d));
									} else {
										 *_t928 =  *_t928 + _t928;
										_t1031 = _t1030 |  *(_t1214 + 0xc);
										 *_t928 =  *_t928 + _t928;
										_t929 = _t928 + 2;
										if(_t929 >= 0) {
											_t1148 = _t1148 +  *((intOrPtr*)(_t1031 + 0x4d));
										} else {
											 *_t929 =  *_t929 + _t929;
											_t1032 = _t1031 |  *(_t1214 + 0xd);
											 *_t929 =  *_t929 + _t929;
											_t930 = _t929 + 2;
											if(_t930 >= 0) {
												_t1177 = _t1148 +  *((intOrPtr*)(_t1032 + 0x4e));
											} else {
												 *_t930 =  *_t930 + _t930;
												goto L49;
											}
										}
									}
								}
							}
						}
					}
				}
				 *_t523 =  *_t523 + _t523;
				_t524 = _t523 |  *_t1148;
				if(_t524 == 0) {
					 *_t524 =  *_t524 + _t524;
					_t524 = _t524 + 0x6f;
					_push(_t1051);
					 *_t524 =  *_t524 + _t524;
				}
				_t525 = _t524 |  *_t1148;
				if(_t525 == 0) {
					 *_t525 =  *_t525 + _t525;
					_t926 = _t525 + 0x6f;
					_push(_t1051);
					 *_t926 =  *_t926 + _t926;
					_t525 = _t926 |  *_t1148;
				}
				_t1052 = _t1051 +  *_t525;
				_push(_t1052);
				 *_t525 =  *_t525 + _t525;
				_t526 = _t525 |  *_t1148;
				if(_t526 == 0) {
					 *_t526 =  *_t526 + _t526;
					_t526 = _t526 + 0x1b;
				}
				asm("outsd");
				_push(_t964);
				 *_t526 =  *_t526 + _t526;
				_t527 = _t526 |  *_t1148;
				if(_t527 == 0) {
					 *_t527 =  *_t527 + _t527;
					_t527 = _t527 + 0x19;
				}
				_pop(ds);
				 *(_t964 + 0x54) =  *(_t964 + 0x54) & _t1199;
				 *_t527 =  *_t527 + _t527;
				_t1053 = _t1052 |  *(_t1179 + 0x55);
				 *_t527 =  *_t527 + _t527;
				_t528 = _t527 |  *_t1148;
				if(_t528 == 0) {
					 *_t528 =  *_t528 + _t528;
					_t528 = _t528 + 0x20;
				}
				_t1225 = _t1224 | _t964;
				asm("iretd");
				asm("stosd");
				 *_t528 =  *_t528 - _t1148;
				 *_t528 =  *_t528 + _t528;
				_push(es);
				asm("outsd");
				_push(_t1199);
				 *_t528 =  *_t528 + _t528;
				_t529 = _t528 |  *_t1148;
				if(_t529 == 0) {
					 *_t529 =  *_t529 + _t529;
					_t529 = _t529 + 0x16;
				}
				asm("outsd");
				_push(_t1179);
				 *_t529 =  *_t529 + _t529;
				_t530 = _t529 |  *_t1148;
				if(_t530 == 0) {
					 *_t530 =  *_t530 + _t530;
					_t530 = _t530 + 0x6f;
				}
				_push(_t530);
				 *_t530 =  *_t530 + _t530;
				_t1054 = _t1053 |  *(_t1179 + 0x58);
				 *_t530 =  *_t530 + _t530;
				_t531 = _t530 |  *_t1148;
				if(_t531 == 0) {
					 *_t531 =  *_t531 + _t531;
					_t531 = _t531 + 0x6f;
					_pop(_t1054);
					 *_t531 =  *_t531 + _t531;
				}
				 *_t1148 =  *_t1148 + _t1054;
				_t965 = _t964 +  *((intOrPtr*)(_t964 + 4));
			}

0x001f2211
0x001f2211
0x001f2211
0x001f2217
0x001f2219
0x001f221b
0x001f221d
0x001f221f
0x001f2222
0x001f2225
0x001f2227
0x001f2229
0x001f222b
0x001f2230
0x001f2234
0x001f2236
0x001f223b
0x001f223d
0x001f223f
0x001f2241
0x001f2244
0x001f2245
0x001f224a
0x001f224b
0x001f224e
0x001f2250
0x001f2252
0x001f2256
0x001f2258
0x001f225a
0x001f225c
0x001f225e
0x001f225f
0x001f2261
0x001f2263
0x001f2266
0x001f2268
0x001f226a
0x001f226b
0x001f226c
0x001f226d
0x001f226f
0x001f2272
0x001f2274
0x001f2276
0x001f2278
0x001f227a
0x001f227c
0x001f227d
0x001f227d
0x001f227e
0x001f2280
0x001f2282
0x001f2284
0x001f2286
0x001f2288
0x001f228a
0x001f228b
0x001f2291
0x001f2293
0x001f2295
0x001f229b
0x001f229e
0x001f22a3
0x001f22a5
0x001f22a7
0x001f22a9
0x001f22ab
0x001f22b1
0x001f22b6
0x001f22b8
0x001f22b9
0x001f22be
0x001f22c0
0x001f22c2
0x001f22c7
0x001f22c8
0x001f22ca
0x001f22cb
0x001f22d0
0x001f22d2
0x001f22d5
0x001f22d7
0x001f22d9
0x001f22db
0x001f22de
0x001f22df
0x001f22e4
0x001f22e5
0x001f22e7
0x001f22e9
0x001f22eb
0x001f22ed
0x001f22ef
0x001f22f0
0x001f22f2
0x001f22f3
0x001f22f5
0x001f22f7
0x001f22f9
0x001f22fb
0x001f2301
0x001f2303
0x001f2303
0x001f2304
0x001f2307
0x001f230b
0x001f2313
0x001f2316
0x001f2318
0x001f231a
0x001f231c
0x001f231c
0x001f231e
0x001f2320
0x001f2322
0x001f2324
0x001f2326
0x001f2328
0x001f232a
0x001f232b
0x001f232d
0x001f232f
0x001f2331
0x001f2333
0x001f2335
0x001f2337
0x001f233d
0x001f233f
0x001f2343
0x001f2345
0x001f234a
0x001f234c
0x001f234e
0x001f2354
0x001f235a
0x001f235b
0x001f235d
0x001f235e
0x001f2360
0x001f2362
0x001f2363
0x001f2365
0x001f2368
0x001f236a
0x001f236c
0x001f236e
0x001f2370
0x001f2372
0x001f2373
0x001f237d
0x001f2383
0x001f2388
0x001f238a
0x001f238b
0x001f238c
0x001f238e
0x001f2390
0x001f2393
0x001f2395
0x001f2397
0x001f2399
0x001f239b
0x001f239d
0x001f23a2
0x001f23a4
0x001f23a6
0x001f23ac
0x001f23ae
0x001f23af
0x001f23b7
0x001f23b9
0x001f23ba
0x001f23bc
0x001f23be
0x001f23bf
0x001f23c0
0x001f23c4
0x001f23c6
0x001f23cb
0x001f23cd
0x001f23cf
0x001f23d1
0x001f23d4
0x001f23da
0x001f23de
0x001f23df
0x001f23e4
0x001f23e6
0x001f23e8
0x001f23ea
0x001f23ee
0x001f23f0
0x001f23f1
0x001f23f3
0x001f23f5
0x001f23f7
0x001f23f9
0x001f23fb
0x001f23fd
0x001f23ff
0x001f2402
0x001f2404
0x001f2405
0x001f2407
0x001f240a
0x001f240c
0x001f240e
0x001f2410
0x001f2412
0x001f2414
0x001f2414
0x001f2415
0x001f2417
0x001f2419
0x001f241b
0x001f241d
0x001f241e
0x001f2420
0x001f2422
0x001f2424
0x001f245f
0x001f245f
0x001f2460
0x001f2426
0x001f2426
0x001f2428
0x001f242c
0x001f2430
0x001f2432
0x001f2434
0x001f2436
0x001f243a
0x001f243c
0x001f243d
0x001f243f
0x001f2441
0x001f2443
0x001f2445
0x001f2447
0x001f2447
0x001f2448
0x001f244a
0x001f244c
0x001f244e
0x001f2450
0x001f2452
0x001f2456
0x001f245b
0x001f245d
0x00000000
0x001f245d
0x001f2450
0x001f2467
0x001f2477
0x001f2479
0x001f247b
0x001f247d
0x001f247f
0x001f2482
0x001f2484
0x001f2485
0x001f2487
0x001f2489
0x001f248b
0x001f248d
0x001f248f
0x001f2490
0x001f2492
0x001f2494
0x001f2496
0x001f2498
0x001f24ae
0x001f24ae
0x001f24bf
0x001f24c1
0x001f24c3
0x001f24c5
0x001f24c7
0x001f24c9
0x001f24cb
0x001f24cd
0x001f24cf
0x001f24d1
0x001f24d3
0x001f24d5
0x001f24d6
0x001f24d7
0x001f24d7
0x001f24d8
0x001f24da
0x001f24dd
0x001f24df
0x001f24e1
0x001f24e2
0x001f24e4
0x001f24e7
0x00000000
0x00000000
0x001f249a
0x001f249a
0x001f249e
0x001f24a3
0x001f24a5
0x001f24a7
0x001f24a8
0x001f24a9
0x001f24ab
0x001f24ac
0x001f24e9
0x001f24e9
0x001f24eb
0x001f24ed
0x001f24ee
0x001f24f1
0x001f24f2
0x001f24f2
0x00000000
0x00000000
0x00000000
0x001f24ac
0x001f24f4
0x001f24f6
0x001f24f8
0x001f24f8
0x001f24f9
0x001f24fc
0x001f24fe
0x001f2500
0x001f2501
0x001f2502
0x001f2504
0x001f2506
0x001f2508
0x001f250a
0x001f250c
0x001f250e
0x001f2510
0x001f2512
0x001f2514
0x001f2514
0x001f2515
0x001f2515
0x001f2518
0x001f251a
0x001f251a
0x001f251c
0x001f251e
0x001f2520
0x001f2522
0x001f2524
0x001f2526
0x001f2528
0x001f252a
0x001f252c
0x001f252e
0x001f2530
0x001f2532
0x001f2534
0x001f2536
0x001f2538
0x00000000
0x00000000
0x001f253a
0x001f253c
0x001f253d
0x001f2542
0x001f2545
0x001f2546
0x001f2548
0x001f2549
0x001f254b
0x001f254c
0x001f2551
0x001f2553
0x001f2555
0x001f2559
0x001f255b
0x001f255d
0x001f255f
0x001f2562
0x001f2563
0x001f2565
0x001f2567
0x001f256a
0x001f256e
0x001f2570
0x001f2572
0x001f2574
0x001f2574
0x001f2575
0x001f2575
0x001f2578
0x001f257a
0x001f257c
0x001f257c
0x001f257d
0x001f2580
0x001f2581
0x001f2583
0x001f2584
0x001f2586
0x001f2588
0x001f258a
0x001f258f
0x001f2594
0x001f2596
0x001f2598
0x001f259a
0x001f259d
0x001f259e
0x001f259f
0x001f259f
0x001f25a3
0x001f25a5
0x001f25b1
0x001f25b2
0x001f25b3
0x001f25b5
0x001f25b7
0x001f25b7
0x001f25bc
0x001f25bd
0x001f25be
0x001f25c0
0x001f25c2
0x001f25c3
0x001f25c5
0x001f25c6
0x001f25c7
0x001f25c8
0x001f25ca
0x001f25cc
0x001f25ce
0x001f25d1
0x001f25d3
0x001f25d5
0x001f25d6
0x001f25d8
0x001f25d9
0x001f25db
0x001f25dd
0x001f25de
0x001f25e1
0x001f25e3
0x001f25e8
0x001f25e9
0x001f25eb
0x001f25ee
0x001f25f0
0x001f25f1
0x001f25f3
0x001f25f5
0x001f25f7
0x001f25f8
0x001f25f9
0x001f25fb
0x001f25fe
0x001f25ff
0x001f2602
0x001f2604
0x001f2605
0x001f2607
0x001f2608
0x001f260a
0x001f260c
0x001f260e
0x001f2610
0x001f2616
0x001f2618
0x001f261a
0x001f261c
0x001f261e
0x001f2624
0x001f2626
0x001f2628
0x001f262b
0x001f262d
0x001f262e
0x001f262f
0x001f2634
0x001f2636
0x001f2638
0x001f263a
0x001f263a
0x001f263b
0x001f263f
0x001f2640
0x001f2641
0x001f2646
0x001f2648
0x001f2649
0x001f264b
0x001f2651
0x001f2653
0x001f2654
0x001f2656
0x001f2658
0x001f2659
0x001f265a
0x001f265e
0x001f2660
0x001f2662
0x001f2664
0x001f2666
0x001f266b
0x001f266c
0x001f266e
0x001f2670
0x001f2675
0x001f2677
0x001f2679
0x001f267a
0x001f267f
0x001f2681
0x001f2683
0x001f2686
0x001f2688
0x001f268a
0x001f268c
0x001f268e
0x001f2690
0x001f2693
0x001f2695
0x001f2697
0x001f2699
0x001f269b
0x001f269e
0x001f26a2
0x001f26a6
0x001f26a9
0x001f26ab
0x001f26ae
0x001f26b0
0x001f26b2
0x001f26b3
0x001f26b5
0x001f26b9
0x001f26ba
0x001f26bc
0x001f26be
0x001f26c0
0x001f26c2
0x001f26c5
0x001f26c7
0x001f26c9
0x001f26cb
0x001f26ce
0x001f26d0
0x001f26d2
0x001f271a
0x001f271a
0x001f271d
0x001f271f
0x00000000
0x001f26d4
0x001f26d4
0x001f26d6
0x001f26d8
0x001f2720
0x001f2720
0x001f26da
0x001f26da
0x001f26dc
0x001f26df
0x001f2728
0x001f272a
0x001f272c
0x001f2779
0x001f277b
0x001f277d
0x001f277d
0x001f277f
0x001f2780
0x001f2782
0x001f2784
0x00000000
0x001f272e
0x001f272e
0x001f2730
0x001f2733
0x00000000
0x001f2733
0x001f26e1
0x001f26e1
0x001f26e3
0x001f26e6
0x001f26e8
0x001f26ea
0x001f2734
0x001f2734
0x001f2734
0x001f2737
0x001f2785
0x001f2785
0x001f2739
0x001f2739
0x001f273b
0x001f273e
0x00000000
0x001f273e
0x001f26ec
0x001f26ec
0x001f26ee
0x001f26f1
0x001f26f3
0x001f26f5
0x001f2740
0x001f2740
0x001f2742
0x001f2791
0x001f2793
0x001f2795
0x001f2744
0x001f2744
0x001f2746
0x001f2749
0x001f274b
0x00000000
0x001f274b
0x001f26f7
0x001f26f7
0x001f26f9
0x001f26fc
0x001f26fe
0x001f2700
0x001f274c
0x001f274c
0x001f2702
0x001f2702
0x001f2704
0x001f2707
0x001f2709
0x001f270b
0x001f2757
0x001f270d
0x001f270d
0x001f270f
0x001f2712
0x001f2714
0x001f2716
0x001f2762
0x001f2718
0x001f2718
0x00000000
0x001f2718
0x001f2716
0x001f270b
0x001f2700
0x001f26f5
0x001f26ea
0x001f26df
0x001f26d8
0x001f27b6
0x001f27b8
0x001f27ba
0x001f27bc
0x001f27be
0x001f27c0
0x001f27c1
0x001f27c1
0x001f27c3
0x001f27c5
0x001f27c7
0x001f27c9
0x001f27cb
0x001f27cc
0x001f27ce
0x001f27ce
0x001f27cf
0x001f27d1
0x001f27d2
0x001f27d4
0x001f27d6
0x001f27d8
0x001f27da
0x001f27da
0x001f27dc
0x001f27dd
0x001f27de
0x001f27e0
0x001f27e2
0x001f27e4
0x001f27e6
0x001f27e6
0x001f27e8
0x001f27e9
0x001f27ec
0x001f27ee
0x001f27f1
0x001f27f3
0x001f27f5
0x001f27f7
0x001f27f9
0x001f27f9
0x001f27fb
0x001f27fd
0x001f27fe
0x001f27ff
0x001f2801
0x001f2803
0x001f2804
0x001f2805
0x001f2806
0x001f2808
0x001f280a
0x001f280c
0x001f280e
0x001f280e
0x001f2810
0x001f2811
0x001f2812
0x001f2814
0x001f2816
0x001f2818
0x001f281a
0x001f281a
0x001f281c
0x001f281d
0x001f281f
0x001f2822
0x001f2824
0x001f2826
0x001f2828
0x001f282a
0x001f282c
0x001f282d
0x001f282d
0x001f282e
0x001f2830

Memory Dump Source

Source File: 00000001.00000002.241550967.00000000001F2000.00000002.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000001.00000002.241538955.00000000001F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241622342.0000000000270000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9748fa1a8de96ac4e10f3864f2eb1399d624fbe7b9fffed112befd19186d2ee3
Instruction ID: 88049a7e0d51faddfc98a96de211543dd3b848149eee991467bc5c9e284a2973
Opcode Fuzzy Hash: 9748fa1a8de96ac4e10f3864f2eb1399d624fbe7b9fffed112befd19186d2ee3
Instruction Fuzzy Hash: A202046244F7C29FCB138B789DB56A17FB19E5321471E08CBC4C1CF0A7E6285A5AD722

Uniqueness

Uniqueness Score: -1.00%

Function 00DBE550, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.242512093.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dae6e9d7df40f8f4f4b5e7395ba42d7c0db5b148091f4e452a8f53670399962e
Instruction ID: 54d532867068bf2052c1bc117f873c6fdac4f06fa116152bd6c5927ce834c915
Opcode Fuzzy Hash: dae6e9d7df40f8f4f4b5e7395ba42d7c0db5b148091f4e452a8f53670399962e
Instruction Fuzzy Hash: 8E12DAF1C917668BE718CF65E4981A93B71B740328FD04A08E1E11BAD2D7B8996ECF44

Uniqueness

Uniqueness Score: -1.00%

Function 00DBC104, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.242512093.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 020952b188775134a0fd333859d7a37201a4c951c16d5c82b0578d2ceb5a9169
Instruction ID: b263d47c0aa00f59c89faeda5e230b19faab16387ba5773294d607aef2d61fd4
Opcode Fuzzy Hash: 020952b188775134a0fd333859d7a37201a4c951c16d5c82b0578d2ceb5a9169
Instruction Fuzzy Hash: ACA14A32E10619CFCF09DFA5C8445DEBBB2FF85304B15856AE906BB261EB31E915CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DBE540, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.242512093.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6112540cf29bdd0d47b46ebdbcbda0bcd72bcabdf37a25bc2f63c34eb60da2dc
Instruction ID: 33468644ab8498f23dcb11782727d4a142e10758116836116ad01cd0d3e92aa8
Opcode Fuzzy Hash: 6112540cf29bdd0d47b46ebdbcbda0bcd72bcabdf37a25bc2f63c34eb60da2dc
Instruction Fuzzy Hash: 60C180F1C917668BD718CF65E8881A93B71FB44328FD04B09E1A12B6D2D7B4986ECF44

Uniqueness

Uniqueness Score: -1.00%

Function 001F32D9, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.241550967.00000000001F2000.00000002.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000001.00000002.241538955.00000000001F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241622342.0000000000270000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2085dabea19f51334573dabd1499026e68841a86db71dc2429a7790ac059c0a4
Instruction ID: a3f4b850cf399d55df16f6d84fea355950dac02b149c12feacb6dead1f3be988
Opcode Fuzzy Hash: 2085dabea19f51334573dabd1499026e68841a86db71dc2429a7790ac059c0a4
Instruction Fuzzy Hash: 5F41F25100E7C24FCB139B745CB5691BFB2AE5320871E98CBC4C0CF0A7E629196AD772

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Payment.exe PID: 5352 Parent PID: 5232 Payment.exeCOMMON

Executed Functions

Function 00419DB2, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 70filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55

Strings

BMA, xrefs: 00419E4D, 00419E54
BMA, xrefs: 00419E32, 00419E40
HA, xrefs: 00419DDC, 00419DE8

Memory Dump Source

Source File: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: BMA$BMA$HA
API String ID: 2738559852-181183267
Opcode ID: a3454973d89edfaf435a5f55b2bfcc35e923f4ff0740677381010076d0e4d160
Instruction ID: 5add0a946b2a5de43178de49baba8baac5255bf1ee5ae29b91df7dda899b473b
Opcode Fuzzy Hash: a3454973d89edfaf435a5f55b2bfcc35e923f4ff0740677381010076d0e4d160
Instruction Fuzzy Hash: 8C2106B6204109AFCB18DF99DC90DEBB7ADEF8C714F158649FA4DA3241C634E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419E10, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55

Strings

BMA, xrefs: 00419E4D, 00419E54
BMA, xrefs: 00419E32, 00419E40

Memory Dump Source

Source File: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: BMA$BMA
API String ID: 2738559852-2163208940
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: bd248b349f18b2ced93d1e709abaf342431bbeaaaaa26160fd0c904447d41470
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 45F0B7B2210208AFCB14DF89DC81EEB77ADEF8C754F158649BE1DA7241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419D5A, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 73filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD

Strings

HA, xrefs: 00419DDC, 00419DE8

Memory Dump Source

Source File: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID: HA
API String ID: 823142352-3712622743
Opcode ID: 919b8782fd26bc002f9c4e3003e67ba8991fe4e0e7094b70ba0d18e51b0b147b
Instruction ID: 1dbfa3e9b10e2eba41e67f1962abda3cbabf12d7761b7b39511b214e45cf467a
Opcode Fuzzy Hash: 919b8782fd26bc002f9c4e3003e67ba8991fe4e0e7094b70ba0d18e51b0b147b
Instruction Fuzzy Hash: 9221EEB2200108AFCB08CF99DC80DEB77A9EF8C314B168649FA1CA7241C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACD0, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42

Memory Dump Source

Source File: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction ID: b21dceb9c17b581325113e7f9749888d8b8163c3e846858d6705abbd9991eecb
Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction Fuzzy Hash: A8015EB5D4020DBBDF10DBA5DC82FDEB3789F54308F0041AAE909A7281F635EB548B96

Uniqueness

Uniqueness Score: -1.00%

Function 00419D60, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD

Memory Dump Source

Source File: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 5d405ca8330a7760d33d8cb8f94c0e61ce0ec213ce21d6c827413d184fac496c
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: F1F0B2B2211208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419F40, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79

Memory Dump Source

Source File: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 9c08e1581e5817f7e91e4b21b7a397560e598f802d56d9274a49c90b7c070efe
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 1EF015B2210208ABCB14DF89CC81EEB77ADEF88754F158549BE08A7241C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419F3A, Relevance: 1.5, APIs: 1, Instructions: 26memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79

Memory Dump Source

Source File: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 3632dd75bf6226f064cf045329ec93db3c71ce0f02ddcec50f3a1ec5f4a745e5
Instruction ID: 36656d7baea55c93b5cba971fc7cd488d77f86d932204c79ee7ebff5eb469dca
Opcode Fuzzy Hash: 3632dd75bf6226f064cf045329ec93db3c71ce0f02ddcec50f3a1ec5f4a745e5
Instruction Fuzzy Hash: 02E04FF9204548AFCB00DF59D8D1CDB77A9FF88718B11864DFD5D83202D634E8628BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00419E8B, Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5

Memory Dump Source

Source File: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 767ec7e4bd004be10c25ae339538f6dfcd14c11b977533c6c996af62b09fc8dc
Instruction ID: de7de25ceb45b0987a39f79231fee148facadf9b4ddf62c746588f0811735487
Opcode Fuzzy Hash: 767ec7e4bd004be10c25ae339538f6dfcd14c11b977533c6c996af62b09fc8dc
Instruction Fuzzy Hash: 38E0C271600104BBDB20EFE5CC89ED77B28EF44320F15485AB90CAB252C630E54087A0

Uniqueness

Uniqueness Score: -1.00%

Function 00419E90, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5

Memory Dump Source

Source File: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: e68336ecf97fcbff1cce52d5eab911d0c0d253976a6ab71543f56f2ca0e2158f
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 6CD012752002146BD710EB99CC85ED7776CEF44760F154459BA5C5B242C530F55086E0

Uniqueness

Uniqueness Score: -1.00%

Function 01009910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0100991A

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 74bddae10290a6d61f05fac8ed9778624c67eb6d6bc0fcb46be41d17127b3b66
Instruction ID: 910625184218e85d0297aee63391d779b6b2018899bbbaf16934b8e1ce5baa62
Opcode Fuzzy Hash: 74bddae10290a6d61f05fac8ed9778624c67eb6d6bc0fcb46be41d17127b3b66
Instruction Fuzzy Hash: 119002B120101902D140719984087460505A7D0341F51C411A5454554EC69D8DD577A5

Uniqueness

Uniqueness Score: -1.00%

Function 010099A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 010099AA

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6c8095fcbe88c0917b5b94d506f764396558aef677a67df8b5b231f2acce5d70
Instruction ID: 6003e7a111ec9a9f20488ef90bda81bbe03758e72fc077bdaad8ab6bcb897343
Opcode Fuzzy Hash: 6c8095fcbe88c0917b5b94d506f764396558aef677a67df8b5b231f2acce5d70
Instruction Fuzzy Hash: 8C9002A134101942D10061998418B060505E7E1341F51C415E1454554DC65DCC527266

Uniqueness

Uniqueness Score: -1.00%

Function 01009840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0100984A

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5b29ec048409aaedefe79ebd6ee63c2fa34238752c94f5a2f6666c4695a06014
Instruction ID: d70f1ec2deb7c5e95168db17fc42719a357dc6c0c79224f8cd8e8e3fc3aedbb1
Opcode Fuzzy Hash: 5b29ec048409aaedefe79ebd6ee63c2fa34238752c94f5a2f6666c4695a06014
Instruction Fuzzy Hash: 13900261242056525545B19984085074506B7E0281791C412A1804950CC56A9856E761

Uniqueness

Uniqueness Score: -1.00%

Function 01009860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0100986A

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a98617c4a0b12d09ae0b91b3ecf6debeca18f9cdba07efaef14100c13d867ff0
Instruction ID: 9e628af1a598d06d79a7ed8f0cd8d9db0abfcb660fa970a7fb1b4b92f2da2743
Opcode Fuzzy Hash: a98617c4a0b12d09ae0b91b3ecf6debeca18f9cdba07efaef14100c13d867ff0
Instruction Fuzzy Hash: 4E90027120101913D111619985087070509A7D0281F91C812A0814558DD69A8952B261

Uniqueness

Uniqueness Score: -1.00%

Function 010098F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 010098FA

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1abf29a8261a789d98dc3172e5dd435b183c9e466ecb10ef8202982554b4c9c7
Instruction ID: a42af1a8cfcd2dc5f22925ea7d2486e221e971d2c506d75f0088e5a542a3a7f7
Opcode Fuzzy Hash: 1abf29a8261a789d98dc3172e5dd435b183c9e466ecb10ef8202982554b4c9c7
Instruction Fuzzy Hash: AF90026160101A02D10171998408616050AA7D0281F91C422A1414555ECA698992B271

Uniqueness

Uniqueness Score: -1.00%

Function 01009A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01009A0A

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5f75a75d3468ad666dd885ce6fd9a2edee4f182521ebfa213025d0d925a60c5c
Instruction ID: b45d278c5e6d3fd24d7fd55ca88bccc44b74ae1e00f912c00b64368315421d93
Opcode Fuzzy Hash: 5f75a75d3468ad666dd885ce6fd9a2edee4f182521ebfa213025d0d925a60c5c
Instruction Fuzzy Hash: DA90027120141902D1006199881870B0505A7D0342F51C411A1554555DC669885176B1

Uniqueness

Uniqueness Score: -1.00%

Function 01009A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01009A2A

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c7fa637d18cba78e14b25caf89b6b5985c12de5a1f165bdacd3254560b5b3dce
Instruction ID: 2d3f150484dd52a1ec1d6645fb86efd7ae7c6fb61e95f2fcec9e2fa78f8bc326
Opcode Fuzzy Hash: c7fa637d18cba78e14b25caf89b6b5985c12de5a1f165bdacd3254560b5b3dce
Instruction Fuzzy Hash: 5B90026160101542414071A9C8489064505BBE1251751C521A0D88550DC59D886567A5

Uniqueness

Uniqueness Score: -1.00%

Function 01009A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01009A5A

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc7c9ee920face4e5967f3d1533a8a725e51c5c3e96a726ccd77b97cb0e4b31c
Instruction ID: fe4c1f4a058d2d60d631fac40db0bbdcb0b02651dfee55d058b01217ecc4a720
Opcode Fuzzy Hash: bc7c9ee920face4e5967f3d1533a8a725e51c5c3e96a726ccd77b97cb0e4b31c
Instruction Fuzzy Hash: E390026121181542D20065A98C18B070505A7D0343F51C515A0544554CC95988616661

Uniqueness

Uniqueness Score: -1.00%

Function 01009540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0100954A

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 054b5aefb47d40ef8ffea0056901e9aff1a6949dc81daa1183d86d4fae3c7608
Instruction ID: 2e16fc140f621d7910f82c5c72a5232a32e33c4039fe0aa16114bb0737cb2d3b
Opcode Fuzzy Hash: 054b5aefb47d40ef8ffea0056901e9aff1a6949dc81daa1183d86d4fae3c7608
Instruction Fuzzy Hash: 46900475311015030105F5DD470C5070547F7D53D1351C431F1405550CD775CC717371

Uniqueness

Uniqueness Score: -1.00%

Function 010095D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 010095DA

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7f3ce7a13311c26a40a3602a32b8085b5a34e3e44ca56ea2d835018eb77703da
Instruction ID: 1f93712781c9f156a467da03d7c19a4047d7656393fee4d6ff92ad2d4ff26a7e
Opcode Fuzzy Hash: 7f3ce7a13311c26a40a3602a32b8085b5a34e3e44ca56ea2d835018eb77703da
Instruction Fuzzy Hash: 259002A120201503410571998418616450AA7E0241B51C421E1404590DC56988917265

Uniqueness

Uniqueness Score: -1.00%

Function 01009710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0100971A

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 247c3db88bbc87b3e9ac63fa2fb5ebbf1f05b8e619a76db936782d3a327f8cff
Instruction ID: 8e60cfa205e1966dd98b82d8e4a2d542382b1c26c4ed849f401b33a011c26fe4
Opcode Fuzzy Hash: 247c3db88bbc87b3e9ac63fa2fb5ebbf1f05b8e619a76db936782d3a327f8cff
Instruction Fuzzy Hash: D190027120101902D10065D9940C6460505A7E0341F51D411A5414555EC6A988917271

Uniqueness

Uniqueness Score: -1.00%

Function 01009780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0100978A

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f52c9df98a92342fdb8da4129727a21f23e92733edfaa6f4aadececf1abd6499
Instruction ID: 58f57f3807999afc621712875a8b84383391accf5a58c0a57e5ff4d69a7c1771
Opcode Fuzzy Hash: f52c9df98a92342fdb8da4129727a21f23e92733edfaa6f4aadececf1abd6499
Instruction Fuzzy Hash: 0590026921301502D1807199940C60A0505A7D1242F91D815A0405558CC95988696361

Uniqueness

Uniqueness Score: -1.00%

Function 010097A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 010097AA

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 25bd481bd9e3403654c6ce8e607a06a8ca25db59c39f0ab27a3059cea3291f50
Instruction ID: 53d76b7f7de427c990093c241256a28e55945fc16e18217c8df3b98f3ae70636
Opcode Fuzzy Hash: 25bd481bd9e3403654c6ce8e607a06a8ca25db59c39f0ab27a3059cea3291f50
Instruction Fuzzy Hash: 0090026130101503D1407199941C6064505F7E1341F51D411E0804554CD95988566362

Uniqueness

Uniqueness Score: -1.00%

Function 01009660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0100966A

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b1942f8742f2f4b2c44ee19c05c4fb5f3227951251a19f97318ecac2337ec0a7
Instruction ID: e6e3b507fa3838fb447a86ef8954597b6728eddbfb96bf0b10804c3270d4f153
Opcode Fuzzy Hash: b1942f8742f2f4b2c44ee19c05c4fb5f3227951251a19f97318ecac2337ec0a7
Instruction Fuzzy Hash: CA90027120101D02D1807199840864A0505A7D1341F91C415A0415654DCA598A5977E1

Uniqueness

Uniqueness Score: -1.00%

Function 010096E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 010096EA

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 326d2c5caa008b85fb20474674326b0fafcc62c2506ab02ebf630f6a4d61d0c3
Instruction ID: 7769b8bab9afd94a71f98e93a0e9fc792a9beeedfa54f52064c0c2a846b504a0
Opcode Fuzzy Hash: 326d2c5caa008b85fb20474674326b0fafcc62c2506ab02ebf630f6a4d61d0c3
Instruction Fuzzy Hash: 9D90027120109D02D1106199C40874A0505A7D0341F55C811A4814658DC6D988917261

Uniqueness

Uniqueness Score: -1.00%

Function 00409A90, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da3a0a51de53f8e4f95f41efafe70bd92c6e1b826fb8f0c5d51986441d80343
Instruction ID: 3804b4b6881f0f279124858c5e35b72bf87e4fbc11d5a75f000cd7e24852ad46
Opcode Fuzzy Hash: 1da3a0a51de53f8e4f95f41efafe70bd92c6e1b826fb8f0c5d51986441d80343
Instruction Fuzzy Hash: 64213CB2D4020857CB25D664AD42AEF737CEB54308F04017FE949A3182F7387E49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040AD4D, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 92libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42

Strings

l, xrefs: 0040AD7F
., xrefs: 0040AD78

Memory Dump Source

Source File: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID: .$l
API String ID: 2234796835-2021555757
Opcode ID: 0628662433a8709685a6fba5f5da5c910248eccd5689c7bd638ac98fe8cfdd00
Instruction ID: 5b51afdd77e80dd586a229e49a95f855b3fe47a8ba4d923012e4c6d09abc7d83
Opcode Fuzzy Hash: 0628662433a8709685a6fba5f5da5c910248eccd5689c7bd638ac98fe8cfdd00
Instruction Fuzzy Hash: 3D31F575A003099BCB20DF64C941AABB3B9EF54308F00856EE40A9BA81E774F955C796

Uniqueness

Uniqueness Score: -1.00%

Function 004082E8, Relevance: 1.6, APIs: 1, Instructions: 60threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: a800d7f7b6d07ec7ad89940ede833b2b5be3ccb02f9bbc008065c7faf10c0366
Instruction ID: 8e91ec829274090681901293d1be17ab23f68bc1e37084163a8396521e9362ea
Opcode Fuzzy Hash: a800d7f7b6d07ec7ad89940ede833b2b5be3ccb02f9bbc008065c7faf10c0366
Instruction Fuzzy Hash: 8D01F931A803187AE720A6A59C03FFF3B2C9B41F55F05401DFF04BA1C1D6A9690546FA

Uniqueness

Uniqueness Score: -1.00%

Function 004082F0, Relevance: 1.6, APIs: 1, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: afab1aa1c4a0f2d606ceb08e1db99e52839e25c93945885a0af06a200761294b
Instruction ID: 99221eaed4bb2b1c73ef210b546efabe7985b039c1aa6a3efaa8447a865c7254
Opcode Fuzzy Hash: afab1aa1c4a0f2d606ceb08e1db99e52839e25c93945885a0af06a200761294b
Instruction Fuzzy Hash: 7601D831A8031876E720A6959C43FFE772C6B40F54F044019FF04BA1C1D6A8691646EA

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACC4, Relevance: 1.5, APIs: 1, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42

Memory Dump Source

Source File: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 7754ff8d1716533659d8e73d1abdce8b8c8a66c5cea46726851e4918b4db52f4
Instruction ID: f1873f1f7e8b5f26130af4681e0b418e86b98db637ded371e8d3ffb70bfe159e
Opcode Fuzzy Hash: 7754ff8d1716533659d8e73d1abdce8b8c8a66c5cea46726851e4918b4db52f4
Instruction Fuzzy Hash: 90F04475E4020DABDF10DE94D841FD9B378DB54318F0082A5ED18AB240F630DA55CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0041A070, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D

Memory Dump Source

Source File: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: ebe44f756a2289fd31ae4d5b5361048190c1dc89d00c79db85c43397b2838655
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 81E01AB12102086BD714DF59CC45EA777ACEF88750F018559B90857241C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A030, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A05D

Memory Dump Source

Source File: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 0bf4e0d92ddb4de2ba6a166865ddf054dca1a4f918bcd24d9368b88a9b8aca1a
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: F1E012B1210208ABDB14EF99CC81EA777ACEF88664F158559BA086B242C630F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0A4, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0D8

Memory Dump Source

Source File: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 64b125bcc8272fe7a1fb921a68390b9ae364a093c59ec78b6ee327bc23f03cc1
Instruction ID: 1f13a95fcd761fd9e736e0a2358998ec16763b953739fb5568326c180d68cced
Opcode Fuzzy Hash: 64b125bcc8272fe7a1fb921a68390b9ae364a093c59ec78b6ee327bc23f03cc1
Instruction Fuzzy Hash: 81E04FB19106047BD720DF78CC8AFE77B68EF58350F118569BD5DAB241D6319941CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1D0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200

Memory Dump Source

Source File: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 46e8f913edfca5d9b668009ee454d724baa27d6f5a7db77fbc9955010344b6d9
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 22E01AB12002086BDB10DF49CC85EE737ADEF88650F018555BA0C67241C934E8508BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0B0, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0D8

Memory Dump Source

Source File: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: eb2c75e7f7166c4cf28644cd9339eacac336c717648a3dafe3de7fd5e277bb7f
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 4CD017726102187BD620EB99CC85FD777ACDF48BA0F0584A9BA5C6B242C531BA108AE1

Uniqueness

Uniqueness Score: -1.00%

Function 0100967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01009694

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a194b521a42cbfec47caaa15392c98e5e67a8e7d0af2af2792250e796a004fb0
Instruction ID: 3a19f1eff1d6f1e6d74a6f69453d0e1401691acf2f994edc7e7e25ce67d4ef5f
Opcode Fuzzy Hash: a194b521a42cbfec47caaa15392c98e5e67a8e7d0af2af2792250e796a004fb0
Instruction Fuzzy Hash: 45B09B719014D5C5E652D7A44A0C7177E4077D4745F16C551D1460645F877CC091F6B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0107B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

The resource is owned shared by %d threads, xrefs: 0107B37E
*** Inpage error in %ws:%s, xrefs: 0107B418
This failed because of error %Ix., xrefs: 0107B446
*** then kb to get the faulting stack, xrefs: 0107B51C
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 0107B39B
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0107B47D
an invalid address, %p, xrefs: 0107B4CF
The critical section is owned by thread %p., xrefs: 0107B3B9
*** A stack buffer overrun occurred in %ws:%s, xrefs: 0107B2F3
<unknown>, xrefs: 0107B27E, 0107B2D1, 0107B350, 0107B399, 0107B417, 0107B48E
Go determine why that thread has not released the critical section., xrefs: 0107B3C5
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0107B314
*** enter .cxr %p for the context, xrefs: 0107B50D
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0107B305
read from, xrefs: 0107B4AD, 0107B4B2
*** enter .exr %p for the exception record, xrefs: 0107B4F1
write to, xrefs: 0107B4A6
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0107B484
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0107B3D6
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0107B2DC
The resource is owned exclusively by thread %p, xrefs: 0107B374
a NULL pointer, xrefs: 0107B4E0
*** An Access Violation occurred in %ws:%s, xrefs: 0107B48F
*** Resource timeout (%p) in %ws:%s, xrefs: 0107B352
The instruction at %p tried to %s , xrefs: 0107B4B6
The instruction at %p referenced memory at %p., xrefs: 0107B432
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0107B323
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0107B38F
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0107B476
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0107B53F

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 3f19371055fe1595cd3fef1366c73f349b6858eabfc51502352db8522802171a
Instruction ID: 3ce433ebdf141d4b4a7f765dd14426fe0fe22a4e9a876835e75beebc08a05df0
Opcode Fuzzy Hash: 3f19371055fe1595cd3fef1366c73f349b6858eabfc51502352db8522802171a
Instruction Fuzzy Hash: EA812F79E00200FFDB266A0A9C89EFB3F66AF56B51F404084F9852B152E761D441EBB7

Uniqueness

Uniqueness Score: -1.00%

Function 01081C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01081C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0xfa48a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E00FCB150();
				} else {
					E00FCB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x10b589c);
				E00FCB150("Heap error detected at %p (heap handle %p)\n",  *0x10b58a0);
				_t27 =  *0x10b5898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M01081E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E00FCB150();
				} else {
					E00FCB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E00FCB150("Error code: %d - %s\n",  *0x10b5898);
				_t113 =  *0x10b58a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E00FCB150();
					} else {
						E00FCB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E00FCB150("Parameter1: %p\n",  *0x10b58a4);
				}
				_t115 =  *0x10b58a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E00FCB150();
					} else {
						E00FCB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E00FCB150("Parameter2: %p\n",  *0x10b58a8);
				}
				_t117 =  *0x10b58ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E00FCB150();
					} else {
						E00FCB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E00FCB150("Parameter3: %p\n",  *0x10b58ac);
				}
				_t119 =  *0x10b58b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E00FCB150();
					} else {
						E00FCB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x10b58b4);
					E00FCB150("Last known valid blocks: before - %p, after - %p\n",  *0x10b58b0);
				} else {
					_t120 =  *0x10b58b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E00FCB150();
				} else {
					E00FCB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E00FCB150("Stack trace available at %p\n", 0x10b58c0);
			}

0x01081c10
0x01081c16
0x01081c1e
0x01081c3d
0x01081c3e
0x01081c20
0x01081c35
0x01081c3a
0x01081c44
0x01081c55
0x01081c5a
0x01081c65
0x01081c67
0x00000000
0x01081c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01081c67
0x01081cdc
0x01081ce5
0x01081d04
0x01081d05
0x01081ce7
0x01081cfc
0x01081d01
0x01081d0b
0x01081d17
0x01081d1f
0x01081d25
0x01081d30
0x01081d4f
0x01081d50
0x01081d32
0x01081d47
0x01081d4c
0x01081d61
0x01081d67
0x01081d68
0x01081d6e
0x01081d79
0x01081d98
0x01081d99
0x01081d7b
0x01081d90
0x01081d95
0x01081daa
0x01081db0
0x01081db1
0x01081db7
0x01081dc2
0x01081de1
0x01081de2
0x01081dc4
0x01081dd9
0x01081dde
0x01081df3
0x01081df9
0x01081dfa
0x01081e00
0x01081e0a
0x01081e13
0x01081e32
0x01081e33
0x01081e15
0x01081e2a
0x01081e2f
0x01081e39
0x01081e4a
0x01081e02
0x01081e02
0x01081e08
0x00000000
0x00000000
0x01081e08
0x01081e5b
0x01081e7a
0x01081e7b
0x01081e5d
0x01081e72
0x01081e77
0x01081e95

Strings

heap_failure_internal, xrefs: 01081C6E
Last known valid blocks: before - %p, after - %p, xrefs: 01081E45
Stack trace available at %p, xrefs: 01081E86
heap_failure_usage_after_free, xrefs: 01081CBB
heap_failure_generic, xrefs: 01081C7C
heap_failure_buffer_overrun, xrefs: 01081C98
heap_failure_buffer_underrun, xrefs: 01081C9F
heap_failure_listentry_corruption, xrefs: 01081CD0
heap_failure_block_not_busy, xrefs: 01081CA6
heap_failure_freelists_corruption, xrefs: 01081CC9
heap_failure_entry_corruption, xrefs: 01081C83
Error code: %d - %s, xrefs: 01081D12
HEAP[%wZ]: , xrefs: 01081C30, 01081CF7, 01081D42, 01081D8B, 01081DD4, 01081E25, 01081E6D
HEAP: , xrefs: 01081C16, 01081C3D, 01081D04, 01081D4F, 01081D98, 01081DE1, 01081E32, 01081E7A
heap_failure_unknown, xrefs: 01081C75
heap_failure_cross_heap_operation, xrefs: 01081CC2
Parameter1: %p, xrefs: 01081D5C
Heap error detected at %p (heap handle %p), xrefs: 01081C50
heap_failure_invalid_allocation_type, xrefs: 01081CB4
heap_failure_invalid_argument, xrefs: 01081CAD
heap_failure_virtual_block_corruption, xrefs: 01081C91
heap_failure_multiple_entries_corruption, xrefs: 01081C8A
Parameter3: %p, xrefs: 01081DEE
Parameter2: %p, xrefs: 01081DA5
heap_failure_lfh_bitmap_mismatch, xrefs: 01081CD7

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 0faf0851b78d8a50262470bb1f32f8a5cb6393b3f68e8785bd824d2207b74b6f
Instruction ID: c756e9b4b0a31f7cc39b35f3c31b4fd592c2c9d8f75aadc2514090948c71178a
Opcode Fuzzy Hash: 0faf0851b78d8a50262470bb1f32f8a5cb6393b3f68e8785bd824d2207b74b6f
Instruction Fuzzy Hash: 6C61CA3A919145DFD311BB45E997EA473E4EF04B20B0D807EF4CA6B352C6399C419F1A

Uniqueness

Uniqueness Score: -1.00%

Function 00FD3D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00FD3D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E00FD1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L00FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E00FD1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L00FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E00FD1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E00FD1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E00FD1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L00FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L00FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L00FE4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0100F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E01011370(_t276, 0xfa4e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0100BB40(0,  &_v68, _t170);
									if(L00FD43C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L00FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L00FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0100BB40(_t257,  &_v68, _t243);
								if(L00FD43C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E01011370(_t278, 0xfa4e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L00FE4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0100F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E01011370(_v16, 0xfa4e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0100BB40(_t262,  &_v68, _t244);
								if(L00FD43C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E01011370(_t282, 0xfa4e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0100BB40(_t262,  &_v68, _t201);
							if(L00FD43C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L00FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L00FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L00FE4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0100F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E01011370(_t280, 0xfa4e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0100BB40(_t267,  &_v68, _t245);
							if(L00FD43C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E01011370(_t284, 0xfa4e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0100BB40(_t267,  &_v68, _t224);
						if(L00FD43C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L00FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L00FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x00fd3d3c
0x00fd3d42
0x00fd3d44
0x00fd3d46
0x00fd3d49
0x00fd3d4c
0x00fd3d4f
0x00fd3d52
0x00fd3d55
0x00fd3d58
0x00fd3d5b
0x00fd3d5f
0x00fd3d61
0x00fd3d66
0x01028213
0x01028218
0x00fd4085
0x00fd4088
0x00fd408e
0x00fd4094
0x00fd409a
0x00fd40a0
0x00fd40a6
0x00fd40a9
0x00fd40af
0x00fd40b6
0x00fd40bd
0x00fd40bd
0x00fd3d83
0x0102821f
0x01028229
0x01028238
0x01028238
0x0102823d
0x0102823d
0x00fd3da0
0x00fd3daf
0x00fd3db5
0x00fd3dba
0x00fd3dba
0x00fd3dd4
0x00fd3e94
0x00fd3eab
0x00fd3f6d
0x00fd3f84
0x00fd406b
0x00fd406b
0x00fd406e
0x00fd406e
0x00fd4070
0x00fd4074
0x01028351
0x01028351
0x00fd407a
0x00fd407f
0x0102835d
0x01028370
0x01028377
0x01028379
0x0102837c
0x0102837c
0x0102835d
0x00000000
0x00fd407f
0x00fd3f8a
0x00fd3f8d
0x00fd3f90
0x00fd3f95
0x0102830d
0x0102830f
0x00fd3f9b
0x00fd3fac
0x00fd3fae
0x00fd3fb1
0x00fd3fb1
0x00fd3fb6
0x01028317
0x0102831a
0x00000000
0x00fd3fbc
0x00fd3fc1
0x00fd3fc9
0x00fd3fd7
0x00fd3fda
0x00fd3fdd
0x00fd4021
0x00fd4021
0x00fd4029
0x00fd4030
0x00fd4044
0x00fd4046
0x00fd4046
0x00fd4044
0x00fd4049
0x01028327
0x01028334
0x01028339
0x0102833c
0x00fd404f
0x00fd404f
0x00fd404f
0x00fd4051
0x00fd4056
0x00fd4063
0x00fd4063
0x00fd4068
0x00000000
0x00fd4068
0x00fd3fdf
0x00fd3fe2
0x00fd3fe4
0x00fd3fe7
0x00fd3fef
0x00fd4003
0x00fd4005
0x00fd4005
0x00fd400c
0x00fd4013
0x00fd4016
0x00fd4017
0x00fd401b
0x00fd401e
0x00000000
0x00fd401e
0x00fd3fb6
0x00fd3eb1
0x00fd3eb4
0x00fd3eb7
0x00fd3ebc
0x010282a9
0x010282ab
0x00fd3ec2
0x00fd3ed3
0x00fd3ed5
0x00fd3ed8
0x00fd3ed8
0x00fd3edd
0x010282b3
0x010282b6
0x00000000
0x00fd3ee3
0x00fd3ee8
0x00fd3eed
0x00fd3ef0
0x00fd3ef3
0x00fd3f02
0x00fd3f05
0x00fd3f08
0x010282c0
0x010282c3
0x010282c5
0x010282c8
0x010282d0
0x010282e4
0x010282e6
0x010282e6
0x010282ed
0x010282f4
0x010282f7
0x010282f8
0x010282fc
0x010282ff
0x010282ff
0x00fd3f0e
0x00fd3f11
0x00fd3f16
0x00fd3f1d
0x00fd3f31
0x01028307
0x01028307
0x00fd3f31
0x00fd3f39
0x00fd3f48
0x00fd3f4d
0x00fd3f50
0x00fd3f50
0x00fd3f53
0x00fd3f58
0x00fd3f65
0x00fd3f65
0x00fd3f6a
0x00000000
0x00fd3f6a
0x00fd3edd
0x00fd3dda
0x00fd3ddd
0x00fd3de0
0x00fd3de5
0x01028245
0x00fd3deb
0x00fd3df7
0x00fd3dfc
0x00fd3dfe
0x00fd3e01
0x00fd3e01
0x00fd3e06
0x0102824d
0x0102824f
0x01028254
0x00000000
0x00fd3e0c
0x00fd3e11
0x00fd3e16
0x00fd3e19
0x00fd3e29
0x00fd3e2c
0x00fd3e2f
0x0102825c
0x0102825f
0x01028261
0x01028264
0x0102826c
0x01028280
0x01028282
0x01028282
0x01028289
0x01028290
0x01028293
0x01028294
0x01028298
0x0102829b
0x0102829b
0x00fd3e35
0x00fd3e38
0x00fd3e3d
0x00fd3e44
0x00fd3e58
0x010282a3
0x010282a3
0x00fd3e58
0x00fd3e60
0x00fd3e6f
0x00fd3e74
0x00fd3e77
0x00fd3e77
0x00fd3e7a
0x00fd3e7f
0x00fd3e8c
0x00fd3e8c
0x00fd3e91
0x00000000
0x00fd3e91

Strings

Kernel-MUI-Language-Disallowed, xrefs: 00FD3E97
WindowsExcludedProcs, xrefs: 00FD3D6F
Kernel-MUI-Language-SKU, xrefs: 00FD3F70
Kernel-MUI-Language-Allowed, xrefs: 00FD3DC0
Kernel-MUI-Number-Allowed, xrefs: 00FD3D8C

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 5be3f645bf125dab10f0a8d23b21a07b82f4a35a06fb2ba3296c999e8974f1ce
Instruction ID: c0f3fa536cde9096db890ef5d4261d87ba0b4dc2e2fc05ddb68c4f91a2008800
Opcode Fuzzy Hash: 5be3f645bf125dab10f0a8d23b21a07b82f4a35a06fb2ba3296c999e8974f1ce
Instruction Fuzzy Hash: FCF16D76D00259EBCB15DF98C980AEEBBF9FF48750F18406AE505A7351D774AE00EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FC40E1, Relevance: 6.3, Strings: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E00FC40E1(void* __edx) {
				void* _t19;
				void* _t29;

				_t28 = _t19;
				_t29 = __edx;
				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E00FCB150();
					} else {
						E00FCB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E00FCB150("Invalid heap signature for heap at %p", _t28);
					if(_t29 != 0) {
						E00FCB150(", passed to %s", _t29);
					}
					_push("\n");
					E00FCB150();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x10b6378 = 1;
						asm("int3");
						 *0x10b6378 = 0;
					}
					return 0;
				}
				return 1;
			}

0x00fc40e6
0x00fc40e8
0x00fc40f1
0x0102042d
0x0102044c
0x01020451
0x0102042f
0x01020444
0x01020449
0x0102045d
0x01020466
0x0102046e
0x01020474
0x01020475
0x0102047a
0x0102048a
0x0102048c
0x01020493
0x01020494
0x01020494
0x00000000
0x0102049b
0x00000000

Strings

RtlAllocateHeap, xrefs: 01020468
HEAP[%wZ]: , xrefs: 0102043F
Invalid heap signature for heap at %p, xrefs: 01020458
HEAP: , xrefs: 0102044C
, passed to %s, xrefs: 01020469

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: 3ffb775266b4519297e3222ce384611b7f496861a54a6d7484ac902443b209fd
Instruction ID: 757b9728231c52bf698da1f1b8f835a1d0d155251d816e88602718437dbfdd21
Opcode Fuzzy Hash: 3ffb775266b4519297e3222ce384611b7f496861a54a6d7484ac902443b209fd
Instruction Fuzzy Hash: 4D0128765092519EE2259768A95FF927BE8DB41F30F1CC06DF006876D2CFAD9844E221

Uniqueness

Uniqueness Score: -1.00%

Function 00FEA229, Relevance: 5.2, Strings: 4, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00FEA229(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				char _v28;
				void* _v44;
				void* _v48;
				void* _v56;
				void* _v60;
				void* __ebx;
				signed int _t55;
				signed int _t57;
				void* _t61;
				intOrPtr _t62;
				void* _t65;
				void* _t71;
				signed char* _t74;
				intOrPtr _t75;
				signed char* _t80;
				intOrPtr _t81;
				void* _t82;
				signed char* _t85;
				signed char _t91;
				void* _t103;
				void* _t105;
				void* _t121;
				void* _t129;
				signed int _t131;
				void* _t133;

				_t105 = __ecx;
				_t133 = (_t131 & 0xfffffff8) - 0x1c;
				_t103 = __edx;
				_t129 = __ecx;
				E00FEDF24(__edx,  &_v28, _t133);
				_t55 =  *(_t129 + 0x40) & 0x00040000;
				asm("sbb edi, edi");
				_t121 = ( ~_t55 & 0x0000003c) + 4;
				if(_t55 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t129);
					_push(0xffffffff);
					_t57 = E01009730();
					__eflags = _t57;
					if(_t57 < 0) {
						L17:
						_push(_t105);
						E0108A80D(_t129, 1, _v20, 0);
						_t121 = 4;
						goto L1;
					}
					__eflags = _v20 & 0x00000060;
					if((_v20 & 0x00000060) == 0) {
						goto L17;
					}
					__eflags = _v24 - _t129;
					if(_v24 == _t129) {
						goto L1;
					}
					goto L17;
				}
				L1:
				_push(_t121);
				_push(0x1000);
				_push(_t133 + 0x14);
				_push(0);
				_push(_t133 + 0x20);
				_push(0xffffffff);
				_t61 = E01009660();
				_t122 = _t61;
				if(_t61 < 0) {
					_t62 =  *[fs:0x30];
					 *((intOrPtr*)(_t129 + 0x218)) =  *((intOrPtr*)(_t129 + 0x218)) + 1;
					__eflags =  *(_t62 + 0xc);
					if( *(_t62 + 0xc) == 0) {
						_push("HEAP: ");
						E00FCB150();
					} else {
						E00FCB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *((intOrPtr*)(_t133 + 0xc)));
					_push( *((intOrPtr*)(_t133 + 0x14)));
					_push(_t129);
					E00FCB150("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t122);
					_t65 = 0;
					L13:
					return _t65;
				}
				_t71 = E00FE7D50();
				_t124 = 0x7ffe0380;
				if(_t71 != 0) {
					_t74 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				} else {
					_t74 = 0x7ffe0380;
				}
				if( *_t74 != 0) {
					_t75 =  *[fs:0x30];
					__eflags =  *(_t75 + 0x240) & 0x00000001;
					if(( *(_t75 + 0x240) & 0x00000001) != 0) {
						E0108138A(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)),  *((intOrPtr*)(_t133 + 0x10)), 8);
					}
				}
				 *((intOrPtr*)(_t129 + 0x230)) =  *((intOrPtr*)(_t129 + 0x230)) - 1;
				 *((intOrPtr*)(_t129 + 0x234)) =  *((intOrPtr*)(_t129 + 0x234)) -  *((intOrPtr*)(_t133 + 0xc));
				if(E00FE7D50() != 0) {
					_t80 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				} else {
					_t80 = _t124;
				}
				if( *_t80 != 0) {
					_t81 =  *[fs:0x30];
					__eflags =  *(_t81 + 0x240) & 0x00000001;
					if(( *(_t81 + 0x240) & 0x00000001) != 0) {
						__eflags = E00FE7D50();
						if(__eflags != 0) {
							_t124 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						E01081582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t124 & 0x000000ff);
					}
				}
				_t82 = E00FE7D50();
				_t125 = 0x7ffe038a;
				if(_t82 != 0) {
					_t85 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
				} else {
					_t85 = 0x7ffe038a;
				}
				if( *_t85 != 0) {
					__eflags = E00FE7D50();
					if(__eflags != 0) {
						_t125 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
						__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
					}
					E01081582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t125 & 0x000000ff);
				}
				 *((intOrPtr*)(_t129 + 0x20c)) =  *((intOrPtr*)(_t129 + 0x20c)) + 1;
				_t91 =  *(_t103 + 2);
				if((_t91 & 0x00000004) != 0) {
					E0101D5E0( *((intOrPtr*)(_t133 + 0x18)),  *((intOrPtr*)(_t133 + 0x10)), 0xfeeefeee);
					_t91 =  *(_t103 + 2);
				}
				 *(_t103 + 2) = _t91 & 0x00000017;
				_t65 = 1;
				goto L13;
			}

0x00fea229
0x00fea231
0x00fea23f
0x00fea242
0x00fea244
0x00fea24c
0x00fea255
0x00fea25a
0x00fea25f
0x01031c76
0x01031c78
0x01031c7e
0x01031c7f
0x01031c81
0x01031c82
0x01031c84
0x01031c89
0x01031c8b
0x01031c9e
0x01031c9e
0x01031cab
0x01031cb2
0x00000000
0x01031cb2
0x01031c8d
0x01031c92
0x00000000
0x00000000
0x01031c94
0x01031c98
0x00000000
0x00000000
0x00000000
0x01031c98
0x00fea265
0x00fea265
0x00fea266
0x00fea26f
0x00fea270
0x00fea276
0x00fea277
0x00fea279
0x00fea27e
0x00fea282
0x01031db5
0x01031dbb
0x01031dc1
0x01031dc5
0x01031de4
0x01031de9
0x01031dc7
0x01031ddc
0x01031de1
0x01031def
0x01031df3
0x01031df7
0x01031dfe
0x01031e06
0x00fea302
0x00fea308
0x00fea308
0x00fea288
0x00fea28d
0x00fea294
0x01031cc1
0x00fea29a
0x00fea29a
0x00fea29a
0x00fea29f
0x01031ccb
0x01031cd1
0x01031cd8
0x01031cea
0x01031cea
0x01031cd8
0x00fea2a9
0x00fea2af
0x00fea2bc
0x01031cfd
0x00fea2c2
0x00fea2c2
0x00fea2c2
0x00fea2c7
0x01031d07
0x01031d0d
0x01031d14
0x01031d1f
0x01031d21
0x01031d2c
0x01031d2c
0x01031d2c
0x01031d47
0x01031d47
0x01031d14
0x00fea2cd
0x00fea2d2
0x00fea2d9
0x01031d5a
0x00fea2df
0x00fea2df
0x00fea2df
0x00fea2e4
0x01031d69
0x01031d6b
0x01031d76
0x01031d76
0x01031d76
0x01031d91
0x01031d91
0x00fea2ea
0x00fea2f0
0x00fea2f5
0x01031da8
0x01031dad
0x01031dad
0x00fea2fd
0x00fea300
0x00000000

Strings

HEAP[%wZ]: , xrefs: 01031DD7
HEAP: , xrefs: 01031DE4
ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 01031DF9
`, xrefs: 01031C8D

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 2994545307-2586055223
Opcode ID: 5b4b97298abffba346cae324c5e9a487aeabf1a98898b9c3db901394aede1805
Instruction ID: 62148a9e82acfe1bcaae8e1e098ea4054e9d3ba58be81c8a9d841945ba9567f2
Opcode Fuzzy Hash: 5b4b97298abffba346cae324c5e9a487aeabf1a98898b9c3db901394aede1805
Instruction Fuzzy Hash: E15104322086819FD322EB69CC49F6777E8FF85B50F180468F9959B292D735E900DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00FF8E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00FF8E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x10bd360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x10b8464; // 0x74b10110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x10b5780 & 0x00000003) != 0) {
							E01045510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x10b5780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0100B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x10b7984; // 0xa62b08
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x10b8464; // 0x74b10110
					 *0x10bb1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E00FF9B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x10b5780 & 0x00000005) != 0) {
						_push(_t49);
						E01045510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x00ff8e0f
0x00ff8e16
0x00ff8e19
0x00ff8e1b
0x00ff8e21
0x00ff8e7f
0x00ff8e85
0x01039354
0x0103936c
0x01039371
0x0103937b
0x01039381
0x01039381
0x0103937b
0x00ff8e9d
0x00ff8e9d
0x00ff8e29
0x00ff8e2c
0x00ff8e38
0x00ff8e3e
0x00ff8e43
0x00ff8eb5
0x00ff8eb9
0x010392aa
0x010392af
0x010392e8
0x010392e8
0x010392af
0x00ff8eb9
0x00ff8e45
0x00ff8e53
0x00ff8e5b
0x00ff8e5f
0x00ff8e78
0x00ff8e78
0x00ff8e7d
0x00ff8ec3
0x00ff8ecd
0x00ff8ed2
0x00ff8ed2
0x00ff8ec5
0x00ff8ec5
0x00000000
0x00ff8e7d
0x00ff8e67
0x00ff8ea4
0x0103931a
0x00000000
0x00000000
0x01039320
0x00ff8ea4
0x00ff8e70
0x01039325
0x01039340
0x01039345
0x01039345
0x00ff8e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

Querying the active activation context failed with status 0x%08lx, xrefs: 01039357
minkernel\ntdll\ldrsnap.c, xrefs: 0103933B, 01039367
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0103932A
LdrpFindDllActivationContext, xrefs: 01039331, 0103935D

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: c1b3f4af85dbcb7e519c5a598169af1dce7cc26511cb28eed9c60e86a2d2ad1f
Instruction ID: 59f7248a5422cfa309634f71ced4161cfff035c75cd38d72f26d2653402dd2de
Opcode Fuzzy Hash: c1b3f4af85dbcb7e519c5a598169af1dce7cc26511cb28eed9c60e86a2d2ad1f
Instruction Fuzzy Hash: 3A412972E003199FDB31AA88CCCCB7976A4AF513A8F094169DA44970B0EF749C81A381

Uniqueness

Uniqueness Score: -1.00%

Function 010849A4, Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 01084A61
HEAP[%wZ]: , xrefs: 01084A3D, 01084AB7
HEAP: , xrefs: 01084A4A, 01084A5D, 01084A5F, 01084AC4
This is located in the %s field of the heap header., xrefs: 01084AD6

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: 0182debb5cfc14605aac3f51f005e9ac44fe3db7df50e321b073b247ab43391a
Instruction ID: b1f630dd7d006a762a16b973f8621cf14381487ab964696f0de4752fcc3ae62e
Opcode Fuzzy Hash: 0182debb5cfc14605aac3f51f005e9ac44fe3db7df50e321b073b247ab43391a
Instruction Fuzzy Hash: E6311375208202EFD311EB58CC86FAAB7E8EF05720F194095F5C6DF291D774E844DA69

Uniqueness

Uniqueness Score: -1.00%

Function 00FD8794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00FD8794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E00FD934A() != 0) {
								_t159 = E0104A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x10b5780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E01045510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x10b5780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E00FD849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E00FD8999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E00FD8999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x10b5c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x10b5c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E00FE2280(_t92, 0x10b86cc);
															_t94 = E01099DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E00FF61A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x10b5c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E00FD8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x10b5c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x10b5c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E0100F380(_t136, 0xfa1184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E00FE2280(_t108, 0x10b86cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E00FF61A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E01099D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E00FDFFB0(_t118, _t156, 0x10b86cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E01009A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x00fd8799
0x00fd879d
0x00fd87a1
0x00fd87a3
0x00fd87a8
0x00fd87c3
0x00fd87c3
0x00fd87c8
0x00fd87d1
0x00fd87d4
0x00fd87d8
0x00fd87e5
0x00fd87ec
0x01029bfe
0x01029c00
0x01029c02
0x01029c08
0x01029c0d
0x01029c0f
0x01029c14
0x01029c2d
0x01029c32
0x01029c37
0x01029c3a
0x01029c3c
0x01029c42
0x01029c42
0x01029c3c
0x01029c02
0x00fd87da
0x00fd87df
0x00fd87e3
0x00000000
0x00000000
0x00fd87e3
0x00fd87f2
0x00000000
0x00fd87fb
0x00fd87fd
0x00fd87fe
0x00fd880e
0x00fd880f
0x00fd8810
0x00fd8814
0x00fd881a
0x00fd881c
0x00fd881f
0x00fd8821
0x00fd8822
0x00fd8824
0x00fd8826
0x00fd882c
0x00fd882e
0x01029c48
0x01029c48
0x00fd8834
0x00fd8834
0x00fd8837
0x00000000
0x00000000
0x00fd8837
0x00fd882e
0x00fd883d
0x00fd8840
0x00fd8843
0x00fd8846
0x00fd8849
0x00fd884c
0x00fd884e
0x00fd8850
0x00fd8852
0x00fd8854
0x00fd8857
0x00fd88b4
0x00fd88b6
0x00fd88b6
0x00fd8859
0x00fd8859
0x00fd8859
0x00fd8861
0x00fd8866
0x00fd886a
0x00fd893d
0x00fd8941
0x00000000
0x00fd8947
0x00fd8947
0x00fd894a
0x00fd894c
0x00000000
0x00fd8952
0x00fd8955
0x00fd895a
0x00fd895d
0x00fd895d
0x00fd895f
0x00fd8961
0x00fd8961
0x00fd8968
0x00000000
0x00000000
0x00fd896a
0x00fd896b
0x00fd896e
0x00000000
0x00fd8970
0x00fd8970
0x00fd8970
0x00fd8970
0x00fd8972
0x00fd8972
0x00fd8974
0x00000000
0x00fd897a
0x00fd897a
0x00fd897d
0x00000000
0x00fd8983
0x01029c65
0x01029c6d
0x01029c72
0x01029c75
0x01029c75
0x01029c82
0x01029c86
0x01029c87
0x01029c88
0x01029c89
0x01029c8c
0x01029c90
0x01029c95
0x01029c97
0x01029ca0
0x01029ca3
0x01029ca9
0x01029ca9
0x00000000
0x01029ca9
0x01029ca3
0x00000000
0x01029c97
0x00fd897d
0x00000000
0x00fd8974
0x00fd8988
0x00fd8992
0x00fd8996
0x00000000
0x00fd8996
0x00fd894c
0x00000000
0x00fd8870
0x00fd887b
0x00fd887d
0x00fd887f
0x00fd8881
0x00fd8884
0x00fd8884
0x00fd8886
0x00fd8889
0x00fd888c
0x00fd888e
0x00fd8891
0x00fd8891
0x00fd8898
0x00000000
0x00000000
0x00fd889a
0x00fd889b
0x00fd889e
0x00000000
0x00000000
0x00fd88a0
0x00fd88a8
0x00fd88b0
0x00fd88b2
0x00fd88d3
0x00fd88d5
0x00000000
0x00fd88d7
0x00fd88db
0x00fd88dc
0x00fd88e0
0x00fd88e8
0x00fd88ee
0x00fd88f0
0x00fd88f3
0x00fd88fc
0x00fd8901
0x00fd8906
0x00fd890c
0x00fd890c
0x00fd890f
0x00fd8916
0x00fd8917
0x00fd8918
0x00fd8919
0x00fd891a
0x00fd891f
0x00fd8921
0x01029c52
0x01029c55
0x01029c5b
0x01029cac
0x01029cc0
0x01029cc0
0x01029c55
0x00fd8927
0x00fd8927
0x00fd892f
0x00fd8933
0x00000000
0x00fd88f5
0x00fd88f5
0x00000000
0x00fd88f7
0x00fd88f7
0x00fd88fa
0x00000000
0x00000000
0x00000000
0x00000000
0x00fd88fa
0x00fd88f5
0x00fd88f3
0x00000000
0x00fd88d5
0x00000000
0x00fd88b2
0x00fd88c9
0x00000000
0x00fd88c9
0x00fd887f
0x00fd886a
0x00fd8857
0x00fd8852
0x00fd88bf
0x00fd88bf
0x00fd87aa
0x00fd87ad
0x00fd87ae
0x00fd87b4
0x00fd87b5
0x00fd87b6
0x00fd87b8
0x00fd87bd
0x00fd87c1
0x00fd87f4
0x00fd87fa
0x00000000
0x00000000
0x00000000
0x00fd87c1
0x00000000

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 01029C28
LdrpDoPostSnapWork, xrefs: 01029C1E
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01029C18

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: 8e033d973c1ebe8560084a679638706e0fc1369199e8f1fa3423270d1dc464ea
Instruction ID: 5e9c1601372dbd5a70e7bd64979b14159bf8810d6a3df113c79da63323a8dcac
Opcode Fuzzy Hash: 8e033d973c1ebe8560084a679638706e0fc1369199e8f1fa3423270d1dc464ea
Instruction Fuzzy Hash: 1991F571A0021A9FDF18DF59C881ABA73B6FF44354F58416AE9459B341DB30ED02EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FD7E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00FD7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E00FDCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E00FCC9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x10b5780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E01045510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x10b5780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E00FE7D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E00FE7D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E01047016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E00FE7D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E00FE7D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E01047016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E00FFA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E00FCB1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x00fd7e4c
0x00fd7e50
0x00fd7e55
0x00fd7e58
0x00fd7e5d
0x00fd7e71
0x00fd7f33
0x00fd7e77
0x00fd7e77
0x00fd7e79
0x00fd7e79
0x00fd7e7e
0x00fd7f45
0x01029848
0x00000000
0x01029848
0x00fd7f4e
0x00fd7f53
0x00fd7f5a
0x00000000
0x00000000
0x0102985a
0x01029862
0x01029866
0x00000000
0x0102986c
0x00000000
0x0102986c
0x00fd7e84
0x00fd7e84
0x00fd7e8d
0x01029871
0x00fd7eb8
0x00fd7ec0
0x00fd7ec0
0x00fd7e9a
0x0102987e
0x00000000
0x00000000
0x01029884
0x0102988b
0x010298a7
0x010298ac
0x010298b1
0x010298b6
0x010298b8
0x010298b8
0x010298b9
0x00000000
0x010298b9
0x00fd7ea0
0x00fd7ea7
0x00000000
0x00000000
0x00fd7eac
0x00fd7eb1
0x00fd7ec6
0x00fd7ed0
0x010298cc
0x00fd7ed6
0x00fd7ed6
0x00fd7ed6
0x00fd7ede
0x00fd7ee3
0x010298e3
0x010298f0
0x01029902
0x010298f2
0x010298fb
0x010298fb
0x01029907
0x0102991d
0x0102991d
0x01029907
0x010298e3
0x00fd7ef0
0x00fd7f14
0x00fd7f14
0x00fd7f1e
0x01029946
0x00fd7f24
0x00fd7f24
0x00fd7f24
0x00fd7f2c
0x0102996a
0x01029975
0x01029975
0x0102997e
0x01029993
0x01029993
0x0102997e
0x00000000
0x00fd7ef2
0x00fd7efc
0x00fd7f0a
0x00fd7f0e
0x01029933
0x00000000
0x01029933
0x00000000
0x00fd7f0e
0x00000000
0x00000000
0x00000000
0x00fd7eb1

Strings

Could not validate the crypto signature for DLL %wZ, xrefs: 01029891
minkernel\ntdll\ldrmap.c, xrefs: 010298A2
LdrpCompleteMapModule, xrefs: 01029898

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: e661cb724f52f15c4c96a1b8fd4c4e48b9c3a9b73898057eac1448d2f94b9414
Instruction ID: dd2035be0fa95c5ebafc3b0b70ed9233b1f24f9a4742fc01f3e6cd9778b3abe7
Opcode Fuzzy Hash: e661cb724f52f15c4c96a1b8fd4c4e48b9c3a9b73898057eac1448d2f94b9414
Instruction Fuzzy Hash: 01513331A08755DBD721EB5CC844B6A7BE1AF00324F1801DAE8919F3D1E774EC00E790

Uniqueness

Uniqueness Score: -1.00%

Function 00FCE620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00FCE620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E00FCF358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E010095D0();
						}
						if(_t78 != 0) {
							L00FE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0100FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0100BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E01009600();
					if(_t97 < 0) {
						goto L6;
					}
					E0100BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L00FCF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0100BB40(_t83, _t102 + 0x24, _t78);
								if(L00FD43C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0100BB40(_t84, _t102 + 0x24, _t94);
									if(L00FD43C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x00fce620
0x00fce628
0x00fce62f
0x00fce631
0x00fce635
0x00fce637
0x00fce63e
0x01025503
0x01025503
0x00fce64c
0x00fce64c
0x00fce651
0x00000000
0x00000000
0x00fce661
0x00fce665
0x0102542a
0x00fce715
0x00fce71a
0x00fce71c
0x00fce720
0x00fce720
0x00fce727
0x00fce736
0x00fce736
0x00fce743
0x00fce743
0x00fce673
0x00fce678
0x00fce67d
0x00fce682
0x00fce685
0x00fce692
0x00fce69b
0x00fce6a3
0x00fce6ad
0x00fce6b1
0x00fce6b2
0x00fce6bb
0x00fce6bf
0x00fce6c0
0x00fce6c8
0x00fce6cc
0x00fce6d5
0x00fce6d9
0x00000000
0x00000000
0x00fce6e5
0x00fce6ea
0x00fce6f9
0x00fce70b
0x00fce70f
0x01025439
0x0102545e
0x0102545e
0x00000000
0x0102545e
0x0102543b
0x0102543e
0x01025440
0x01025445
0x01025472
0x01025475
0x0102548d
0x01025493
0x010254a9
0x00000000
0x00000000
0x010254ab
0x010254b4
0x010254bc
0x010254c8
0x010254de
0x010254fb
0x010254e0
0x010254e6
0x010254eb
0x010254eb
0x010254de
0x00000000
0x010254bc
0x01025477
0x0102547a
0x01025480
0x01025483
0x01025486
0x0102548b
0x00000000
0x00000000
0x00000000
0x0102548b
0x00000000
0x00000000
0x00000000
0x00000000
0x01025447
0x01025447
0x01025447
0x01025447
0x0102544e
0x00000000
0x00000000
0x01025450
0x01025452
0x01025455
0x0102545a
0x00000000
0x00000000
0x00000000
0x0102545c
0x0102546a
0x0102546d
0x0102546f
0x00000000
0x0102546f
0x00fce70f

Strings

\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 00FCE68C
@, xrefs: 00FCE6C0
InstallLanguageFallback, xrefs: 00FCE6DB

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: fb6db95d4f6d49de52c0c2f2dde444b9c0425101f23b1061ea2805f8ab2fb9f8
Instruction ID: 15493e646ecd8cd51801bd2fd755cbbf23ea4076116e275fab78510663f38ad6
Opcode Fuzzy Hash: fb6db95d4f6d49de52c0c2f2dde444b9c0425101f23b1061ea2805f8ab2fb9f8
Instruction Fuzzy Hash: AC51B1765083569BD711DF28C840BABB3E8BF88718F04096EF999D7240FB34D904D7A6

Uniqueness

Uniqueness Score: -1.00%

Function 0108E539, Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0108E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E0108BBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E0108BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E0108AFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E01009730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E0108A80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E0108A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E01009730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E0108A80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E0108A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E00FE2280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E00FDB090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E00FDFFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E00FE7D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E0107FEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x0108e547
0x0108e549
0x0108e54f
0x0108e553
0x0108e557
0x0108e55a
0x0108e55c
0x0108e55f
0x0108e561
0x0108e567
0x0108e56b
0x0108e7e2
0x00000000
0x0108e571
0x0108e575
0x0108e577
0x0108e57b
0x0108e57c
0x0108e57d
0x0108e57e
0x0108e57f
0x0108e588
0x0108e58f
0x0108e591
0x0108e592
0x0108e592
0x0108e596
0x0108e59e
0x0108e5a0
0x0108e5a6
0x0108e61d
0x0108e61d
0x0108e621
0x0108e623
0x0108e630
0x0108e630
0x0108e7e6
0x0108e7eb
0x0108e7ed
0x0108e7f4
0x0108e7fa
0x0108e7ff
0x0108e7ff
0x0108e80a
0x0108e812
0x0108e812
0x0108e5ab
0x0108e5b4
0x0108e5b9
0x0108e5be
0x0108e5c0
0x0108e5c2
0x0108e5c8
0x0108e5c9
0x0108e5cb
0x0108e5cc
0x0108e5d5
0x0108e5e4
0x0108e5f1
0x0108e5f8
0x0108e5f8
0x0108e5d5
0x0108e602
0x0108e616
0x0108e63d
0x0108e644
0x0108e64d
0x0108e652
0x0108e657
0x0108e659
0x0108e65b
0x0108e661
0x0108e662
0x0108e664
0x0108e665
0x0108e66e
0x0108e67d
0x0108e68a
0x0108e691
0x0108e691
0x0108e66e
0x0108e6b0
0x00000000
0x0108e6b6
0x0108e6bd
0x0108e6c7
0x0108e6d7
0x0108e6d9
0x0108e6db
0x0108e6de
0x0108e6e3
0x0108e6f3
0x0108e6fc
0x0108e700
0x0108e700
0x0108e704
0x0108e70a
0x0108e70a
0x0108e713
0x0108e716
0x0108e719
0x0108e720
0x0108e761
0x0108e76b
0x0108e774
0x0108e77a
0x0108e77a
0x0108e78a
0x0108e791
0x0108e799
0x0108e79b
0x0108e79f
0x0108e7aa
0x0108e7c0
0x0108e7ac
0x0108e7b2
0x0108e7b9
0x0108e7b9
0x0108e7c7
0x0108e806
0x00000000
0x0108e7c9
0x0108e7d1
0x0108e7d8
0x00000000
0x0108e7d8
0x00000000
0x00000000
0x0108e722
0x0108e72e
0x0108e748
0x0108e74c
0x0108e754
0x0108e756
0x0108e75c
0x0108e75c
0x00000000
0x0108e75c
0x0108e758
0x0108e758
0x00000000
0x0108e758
0x0108e750
0x00000000
0x00000000
0x0108e752
0x00000000
0x0108e752
0x0108e730
0x0108e735
0x0108e73d
0x0108e73f
0x00000000
0x00000000
0x0108e741
0x0108e741
0x00000000
0x0108e741
0x0108e739
0x00000000
0x00000000
0x0108e73b
0x00000000
0x0108e73b
0x0108e722
0x0108e720
0x0108e6b0
0x0108e618
0x00000000
0x0108e618

Strings

`, xrefs: 0108E5D7
`, xrefs: 0108E670

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 76373e2c6187139e040260f5eaa03e553a56b27f99eeea51570348a9f9643ea9
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: 249190312083429FE764EE29C841B5BBBE5BF84714F18896DF6D9CB280E774E904CB51

Uniqueness

Uniqueness Score: -1.00%

Function 010451BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E010451BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x10a05f0);
				E0101D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E00FDEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E010453CA(0);
						return E0101D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E0100F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E00FE3690(1, _t117, 0xfa1810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E0100AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L00FE4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E0100AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E0104500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E01009860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x010451be
0x010451c3
0x010451c8
0x010451cd
0x010451d0
0x010451d3
0x010451d8
0x010451db
0x010451de
0x010451e0
0x010451e3
0x010451e6
0x010451e8
0x01045342
0x01045351
0x01045356
0x0104535a
0x01045360
0x01045363
0x01045366
0x01045369
0x01045369
0x0104536b
0x0104536b
0x01045370
0x010453a3
0x010453a4
0x010453a6
0x010453ab
0x010453ab
0x010453ae
0x010453ae
0x010453b5
0x010453bf
0x010453bf
0x01045375
0x01045396
0x010453a0
0x010453a0
0x00000000
0x01045396
0x01045377
0x01045379
0x0104537f
0x0104538c
0x01045390
0x00000000
0x01045390
0x010451ee
0x010451f1
0x01045301
0x01045310
0x01045315
0x01045318
0x0104531b
0x01045320
0x0104532e
0x01045331
0x00000000
0x01045331
0x01045328
0x01045329
0x00000000
0x01045329
0x010451fa
0x01045235
0x01045236
0x01045239
0x0104523f
0x01045240
0x01045241
0x01045242
0x01045246
0x01045247
0x0104524e
0x01045251
0x01045267
0x01045269
0x0104526e
0x0104527d
0x0104527e
0x01045281
0x01045282
0x01045287
0x01045288
0x0104528a
0x0104528f
0x01045294
0x00000000
0x00000000
0x0104529a
0x0104529c
0x0104529e
0x0104529e
0x010452a4
0x010452b0
0x00000000
0x00000000
0x010452ba
0x010452bc
0x010452bc
0x010452d4
0x010452d9
0x010452dc
0x010452e1
0x00000000
0x00000000
0x010452e7
0x010452f4
0x00000000
0x010452f4
0x01045270
0x00000000
0x01045270
0x010451fc
0x010451fd
0x01045202
0x01045203
0x01045205
0x0104520a
0x0104520f
0x00000000
0x00000000
0x0104521b
0x01045226
0x0104522b
0x0104521d
0x0104521d
0x01045222
0x01045222
0x0104522d
0x00000000

Strings

UEFI, xrefs: 0104521D
Legacy, xrefs: 01045226

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 589cc8e122616ead9576c1036c9afffb14d972a77ef6c4866e37a2108017f9d1
Instruction ID: 49c1faaf214e220aa6695497c9546253c659fe9402dfb492b9283ed174677f34
Opcode Fuzzy Hash: 589cc8e122616ead9576c1036c9afffb14d972a77ef6c4866e37a2108017f9d1
Instruction Fuzzy Hash: 1A514FB1A006199FDB25DFA8CD80BAEBBF4FF49700F14806DE589EB291D7719940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FCB171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00FCB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x109f7a8);
				E0101D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0101D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E0100D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E0100F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L0101DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E0100B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E0100B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E0100E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E0100A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x00fcb171
0x00fcb171
0x00fcb171
0x00fcb171
0x00fcb171
0x00fcb176
0x00fcb17b
0x00fcb180
0x00fcb186
0x00fcb18f
0x00fcb198
0x00fcb1a4
0x00fcb1aa
0x01024802
0x01024802
0x01024805
0x0102480c
0x0102480e
0x00fcb1d1
0x00fcb1d3
0x00fcb1de
0x00fcb1de
0x01024817
0x0102481e
0x01024820
0x01024822
0x01024822
0x01024824
0x01024824
0x0102482a
0x00000000
0x00000000
0x01024835
0x0102483a
0x0102483d
0x0102483f
0x01024842
0x01024842
0x01024842
0x01024846
0x0102484c
0x0102484e
0x01024851
0x01024851
0x01024853
0x01024854
0x01024854
0x01024858
0x0102485a
0x0102485a
0x0102485d
0x0102485f
0x01024861
0x01024861
0x01024866
0x0102486b
0x0102486e
0x01024871
0x01024876
0x01024876
0x01024878
0x0102487b
0x01024884
0x01024884
0x00000000
0x0102487d
0x0102487d
0x01024882
0x01024889
0x01024889
0x0102488f
0x01024891
0x010248e0
0x010248e2
0x010248e4
0x010248e4
0x010248e7
0x010248e7
0x010248ed
0x010248f4
0x010248f6
0x01024951
0x01024951
0x01024953
0x01024953
0x01024956
0x01024956
0x01024958
0x01024959
0x01024959
0x0102495d
0x0102495d
0x0102495f
0x0102495f
0x01024965
0x01024969
0x010249ba
0x010249ba
0x010249c1
0x010249c5
0x010249cc
0x010249d4
0x010249d7
0x010249da
0x010249e4
0x010249e5
0x010249f3
0x01024a02
0x00000000
0x01024a02
0x01024972
0x01024974
0x00000000
0x00000000
0x01024976
0x01024979
0x01024982
0x01024983
0x01024984
0x0102498b
0x0102498d
0x01024991
0x01024993
0x01024999
0x0102499d
0x010249a2
0x010249a2
0x010249a2
0x01024999
0x010249ac
0x00000000
0x010249b3
0x010248f8
0x010248fe
0x00000000
0x00000000
0x00000000
0x010248fe
0x01024895
0x0102489c
0x010248ad
0x010248b2
0x010248b5
0x010248b7
0x010248ba
0x010248bc
0x010248c6
0x010248c6
0x010248cb
0x010248d1
0x010248d4
0x010248d8
0x010248d8
0x00000000
0x010248d8
0x010248be
0x010248c0
0x00000000
0x00000000
0x010248c2
0x00000000
0x00000000
0x00000000
0x010248c4
0x00000000
0x01024882
0x0102487b
0x01024904
0x01024906
0x00000000
0x00000000
0x01024908
0x0102490e
0x00000000
0x00000000
0x01024910
0x01024917
0x01024917
0x00000000
0x01024917
0x00fcb1ba
0x010247f9
0x010247fc
0x00000000
0x00000000
0x00000000
0x010247fc
0x00fcb1c0
0x00fcb1c0
0x00fcb1c3
0x00fcb1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 010248AD

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 57308218ab38eb64ab14629b2d62ca1c116ead1938afbc2fda782c041349fa6a
Instruction ID: 33d516bda6cc659f590bb599a6d9d0eb229da582ee24284129fde49b1f3d1eb0
Opcode Fuzzy Hash: 57308218ab38eb64ab14629b2d62ca1c116ead1938afbc2fda782c041349fa6a
Instruction Fuzzy Hash: B551F475E1026A8EEB36CF68C845BBEBBF0BF00710F1041ADD899EB281D7754945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FEB944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00FEB944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x10bd360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E00FE7D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E01098CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E01009E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E0100B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E0100CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E00FE7D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E01098F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E0100AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x10b8628; // 0x0
								_v68 = _t77;
								_t78 =  *0x10b862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x10b8628; // 0x0
							_t116 =  *0x10b862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x00feb94c
0x00feb956
0x00feb95c
0x00feb95e
0x00feb964
0x00feb969
0x00feb96d
0x00feb96d
0x00feb970
0x00feb974
0x00feb97a
0x00febadf
0x00febadf
0x00febae2
0x00febae4
0x00febae6
0x00febaf0
0x01032cb8
0x00febaf6
0x00febaf6
0x00febaf6
0x00febafd
0x00febb1f
0x00febb1f
0x00febaff
0x00febb00
0x00febb00
0x00febb03
0x00febb03
0x00febacb
0x00febacf
0x00febad0
0x00febad1
0x00febadc
0x00febadc
0x00feb980
0x00feb980
0x00feb988
0x00feb98b
0x00feb98d
0x00feb990
0x00feb993
0x00feb999
0x00feb99b
0x00feb9a1
0x00feb9a5
0x00feb9aa
0x00feb9b0
0x00feb9bb
0x00feb9c0
0x00feb9c3
0x00feb9ca
0x00feb9cc
0x00feb9cf
0x00feb9d3
0x00feb9d7
0x00feba94
0x00feba94
0x00feba98
0x00febaa3
0x01032ccb
0x00febaa9
0x00febaa9
0x00febaa9
0x00febab1
0x01032cd5
0x01032cdd
0x01032cdd
0x00febabb
0x00febabc
0x00febac2
0x00febac3
0x00febac3
0x00febac6
0x00000000
0x00feb9dd
0x00feb9dd
0x00feb9e7
0x00feb9e7
0x00feb9ec
0x00feb9ec
0x00feb9f1
0x00feb9f5
0x00feb9fa
0x00feba00
0x00feba0c
0x00feba10
0x00feba10
0x00feba12
0x00feba18
0x00000000
0x00000000
0x00febb26
0x00febb26
0x00feba1e
0x00feba1e
0x00feba23
0x00feba25
0x00feba2c
0x00feba30
0x00feba35
0x00feba35
0x00feba41
0x00feba46
0x00feba4c
0x00feba50
0x00feba54
0x00feba6a
0x00feba6e
0x00feba70
0x00feba74
0x00feba78
0x00feba7a
0x00feba7c
0x00feba8e
0x00feba90
0x00feba92
0x00febb14
0x00febb14
0x00febb16
0x00febb16
0x00000000
0x00feba7c
0x00febb0a
0x00febb0d
0x00000000
0x00000000
0x00000000
0x00febb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FEB9A5

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 51ecfa8e38b537ab8f6267ae18e2868adca1e7ff6c277070a34e7010cbb7f568
Instruction ID: 86e4a4b5209f43031bbc1311d0568129cae13b5a6eb2a6742ea29b0183282e48
Opcode Fuzzy Hash: 51ecfa8e38b537ab8f6267ae18e2868adca1e7ff6c277070a34e7010cbb7f568
Instruction Fuzzy Hash: 7A513971A08385CFC720DF2AC4C092BBBE5BB88714F24896EE98597355D735EC44DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FF2581, Relevance: 1.6, Strings: 1, Instructions: 329COMMON

Download Yara Rule

Strings

PATH, xrefs: 00FF2642, 00FF2691

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 343990aed65198a062b0080f34c5cd04787b25eb6f6f2571ffc47e03c704c7d5
Instruction ID: 3117626dd827150caeec271ddca18ff9265163d8e1b406b5a4b29f2cfa4ec3ae
Opcode Fuzzy Hash: 343990aed65198a062b0080f34c5cd04787b25eb6f6f2571ffc47e03c704c7d5
Instruction Fuzzy Hash: 9EC1B172D00209DBCB65DF99D881BFEB7B5FF48710F148029E641AB2A0D778A801EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00FFFAB0, Relevance: 1.6, Strings: 1, Instructions: 306COMMON

Download Yara Rule

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0103BE0F

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: e960d35b9bbef2d5add9a3acc87f4a61783887fd2216ebe01eec6f9b50827f6d
Instruction ID: d4cc1e31f88ab79ae2cf5d26ab98ac4da9980ef0f373d606a87c6d458f8e5d32
Opcode Fuzzy Hash: e960d35b9bbef2d5add9a3acc87f4a61783887fd2216ebe01eec6f9b50827f6d
Instruction Fuzzy Hash: 18A13A31B0061E8BDB21DF68C45077EB7E9AF84724F04457AEA42CB3A1EB34D905EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FC2D8A, Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 0101FA4A

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 9781c19be4d8acb9de1adfa905c5a7e429b2c9792ea49496a9645650ed1d9ba8
Instruction ID: a1162f68a05cff2781bf2771c0d99c22d1a2a7a21f1e5ffeec49ef134911469d
Opcode Fuzzy Hash: 9781c19be4d8acb9de1adfa905c5a7e429b2c9792ea49496a9645650ed1d9ba8
Instruction Fuzzy Hash: 0C613672A006469FDB72DB6CC981FBE77E5EB40720F2402A9E991A72C1C73C9D05A791

Uniqueness

Uniqueness Score: -1.00%

Function 01090EA5, Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

`, xrefs: 01090F16

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 2111ea77db55e96f44ace3b3464cf4f9d630d3721e61f527967ad28842c9853f
Instruction ID: dfcb2e3979a41bd99f087032bd6ce2e148f5b0932553d6479da434c44def7634
Opcode Fuzzy Hash: 2111ea77db55e96f44ace3b3464cf4f9d630d3721e61f527967ad28842c9853f
Instruction Fuzzy Hash: D851CF713083428FD724DF28D8A0B5BBBE9EBC4314F04096DFAD687690D671E905DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00FFF0BF, Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

@, xrefs: 00FFF124

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 398908c2009213a3704f6664299501c80c86b91fee1e94e30ba43fec676c94da
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: D251B071504B159FD321DF19C841A6BBBF8FF88714F00892DFA95876A0E7B4E904DB91

Uniqueness

Uniqueness Score: -1.00%

Function 01043540, Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 0104358F

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 61b439650109bc8d8ae5d3a205bf1985c2e43654beadadaf03b50065111eb55d
Instruction ID: 0a285320afc3fec9753d1dd3e011daa6c029247d4db0a839aa80ecc9ac9b9219
Opcode Fuzzy Hash: 61b439650109bc8d8ae5d3a205bf1985c2e43654beadadaf03b50065111eb55d
Instruction Fuzzy Hash: 124156F1D0052EABDB21DA50CC85FDEB77CAB54714F0085E5EA49AB281DB319E88CF94

Uniqueness

Uniqueness Score: -1.00%

Function 010905AC, Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

`, xrefs: 01090633

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 8199a797c8efbcd3b2f199edd13cfecd9b30fef823fac4e0dcc71b0dfcb2d18a
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: F231F232704306ABEB10DE18CC54F9A7BD9ABC8754F144125BA88DB2C4D770E904C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 01043884, Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 010438B4

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 1924fd4dd6a20331a4da24e71f6bc721c2bcfac1dbdc44d2d72e83d4ef957441
Instruction ID: e0bcceacd3dc1434bb34ba497f73731b75b53cd0c632050e7ee0ed9a1c1e4546
Opcode Fuzzy Hash: 1924fd4dd6a20331a4da24e71f6bc721c2bcfac1dbdc44d2d72e83d4ef957441
Instruction Fuzzy Hash: 093108B6D0052ABFEB16DA58C985D6FF7B4FB40720F014179E984AB281D7319E00C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00FFD294, Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 00FFD303

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: ac446ea124da0b647aeccb801d0ad3134c649417a496916ef0bd825d54958d54
Instruction ID: 12ad76830fd2e185e4d8868098d7afb95304dbd7abc60eb112ecfa4b3ee51a34
Opcode Fuzzy Hash: ac446ea124da0b647aeccb801d0ad3134c649417a496916ef0bd825d54958d54
Instruction Fuzzy Hash: 1C31B3B25083499FD711DF28C880AABBBE9EF95754F00092EFA94C3260D635DD04EB93

Uniqueness

Uniqueness Score: -1.00%

Function 00FD1B8F, Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

WindowsExcludedProcs, xrefs: 00FD1BC5

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: 40561130d4a9b3c3bfb2654f7d43c397f56d0ca4c3bfab2c4f75192d805162c3
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 4321FB77A50224FBDB229A598880F9B77AEBF51760F194466FD449B300D634DC00F7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00FEF716, Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 00FEF73F

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 6799ac65a875d541eb16e62e9d787e2846c31c09b3f12467570eeaad927af5ba
Instruction ID: a60788808e1fcabdef609c571ca2b541a6297deb6120c382f70f17a24eb5f6ba
Opcode Fuzzy Hash: 6799ac65a875d541eb16e62e9d787e2846c31c09b3f12467570eeaad927af5ba
Instruction Fuzzy Hash: C611B636B046C28BEB244E1F849073676D6EB95734F35453AE865CB391D770CC48B340

Uniqueness

Uniqueness Score: -1.00%

Function 01078DF1, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

Critical error detected %lx, xrefs: 01078E21

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: bfb254b1c39922b7a687d4054943228bda151fb95663b0fefc3d3725cd22fccb
Instruction ID: e79703bf08d955c097665a5cc218045a61e5932fd7d59a63978532581f3dd1c8
Opcode Fuzzy Hash: bfb254b1c39922b7a687d4054943228bda151fb95663b0fefc3d3725cd22fccb
Instruction Fuzzy Hash: E9115BB5D14348EADF25DFA889097DDBBF0BB14315F24865EE5A96B282C3384601CF18

Uniqueness

Uniqueness Score: -1.00%

Function 0105FF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0105FF60

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: eef5153da0e9fdce2cf1b7eaae976efae37e954a4d4b41c1f32c5ac84edc46bd
Instruction ID: 149894f6b1e0fe667b657f0041fa7e89bb8d45ad337fbffc394b3b7e0a14a14c
Opcode Fuzzy Hash: eef5153da0e9fdce2cf1b7eaae976efae37e954a4d4b41c1f32c5ac84edc46bd
Instruction Fuzzy Hash: 3111E171510149EFDBA2EB54CC88FD9BBB1FF08704F148484F9886B6A1C73D9940DB90

Uniqueness

Uniqueness Score: -1.00%

Function 01095BA5, Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b9841ad001f0841f255da22ebd068244ad33d5f32cc75df1fc5a4915d2145b7
Instruction ID: 3e9072d930d3b47f2d3840a28725f68f1a1608d30db262659dc404db4bdefd74
Opcode Fuzzy Hash: 9b9841ad001f0841f255da22ebd068244ad33d5f32cc75df1fc5a4915d2145b7
Instruction Fuzzy Hash: CA428A71900229CFDB65CF68C890BA9BBF1FF45304F1481EAD98DAB242D7319985DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00FE4120, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc2f86a5351ee691eace83912aaa6f3a4e57d8e9c1e56d6b57d55e4b1b97a2be
Instruction ID: be00c0cb4b9eebef43e5c65b1cb3f1ba80b0a7642045931d162aac43ef7c95d1
Opcode Fuzzy Hash: fc2f86a5351ee691eace83912aaa6f3a4e57d8e9c1e56d6b57d55e4b1b97a2be
Instruction Fuzzy Hash: ABF1AE716083918FC724CF1AC480A7AB7E1FF99714F14496EF986CB291E734E885EB52

Uniqueness

Uniqueness Score: -1.00%

Function 00FF20A0, Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98217f054320c236850a22ca7d3ca21697af807668bcd0f044567defbebec296
Instruction ID: 2eb36e76ceafb4a2646b4413d7fd859ad698f67d35f0f66e2e14de10ad7645a3
Opcode Fuzzy Hash: 98217f054320c236850a22ca7d3ca21697af807668bcd0f044567defbebec296
Instruction Fuzzy Hash: 78F13631A083458FE7A5CF28C88077A77E5AFC5320F14855EEAD59B2B1D739D841DB82

Uniqueness

Uniqueness Score: -1.00%

Function 00FDD5E0, Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b71fa0fb315c3e1687e7ce289e47a879e64e886ef5f346314799b3b7c1471eff
Instruction ID: b3a26b4f096c0ab867abeebbf2d467f4f68bd586fc5a1fa440c5125119db8f6a
Opcode Fuzzy Hash: b71fa0fb315c3e1687e7ce289e47a879e64e886ef5f346314799b3b7c1471eff
Instruction Fuzzy Hash: A9E1C331A003598FEB35DF18C880BA9B7B6BF45314F1841EAD9499B391DB34AD81EF51

Uniqueness

Uniqueness Score: -1.00%

Function 00FD849B, Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35e085da4b0e252e502c98a78bea59277dfd19f10751cbc882c1cffc84cf3afe
Instruction ID: 50edafbbb6b66c9986342942b865dca210b1ac426feb55d3d5766069abdd6fb0
Opcode Fuzzy Hash: 35e085da4b0e252e502c98a78bea59277dfd19f10751cbc882c1cffc84cf3afe
Instruction Fuzzy Hash: CFB19D71E00259DFDB15DF99C980AEDBBB6BF48314F28412AE505AB345DB74AC42DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00FF513A, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9768523be05a4419b484b88aadb82d1bda2f8c2873f45d103c934f6ce3c82ae
Instruction ID: de37bd8d91dd3c3ec9830361406f61b541e7ab7bdb8213e402541983e5d7188b
Opcode Fuzzy Hash: f9768523be05a4419b484b88aadb82d1bda2f8c2873f45d103c934f6ce3c82ae
Instruction Fuzzy Hash: 57C122755083809FD354CF28C480A6AFBE1BF88704F184AAEF9D98B362D775E945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00FF03E2, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16d2f4da5911bde746d3cd16a2b8072ead9651abc58526093f5a3635d649f51e
Instruction ID: c0a7fef324cb1bfdf983ab353366331e2a11ad57fe3885951ce19d32157bd9c6
Opcode Fuzzy Hash: 16d2f4da5911bde746d3cd16a2b8072ead9651abc58526093f5a3635d649f51e
Instruction Fuzzy Hash: 40911B31E002199FEB31DB68C848BBD7BE4AF41724F190265EB91EB2E2DB749D40D791

Uniqueness

Uniqueness Score: -1.00%

Function 00FCC600, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f3dfe84adf569cd846401e7f43cadac5ae156f25611654bf01d2adba634b814
Instruction ID: c0436b46b07cca7cdd9eb8fed59dda27c18c8d7fee32279bab9393262602728a
Opcode Fuzzy Hash: 6f3dfe84adf569cd846401e7f43cadac5ae156f25611654bf01d2adba634b814
Instruction Fuzzy Hash: 7D81A0B56046429BDB66CE58C881B6EB7ECEBC4350F1449AEEEC59B241D330DD41CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0105B8D0, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7026309c77b93baeb4accf7c4bd23828c030a521950ce3a147e40d075db87114
Instruction ID: 74422bc8fb8db84e6e4154d52c48a7aa68a9e29acd35e37c2fecbd6a487373f5
Opcode Fuzzy Hash: 7026309c77b93baeb4accf7c4bd23828c030a521950ce3a147e40d075db87114
Instruction Fuzzy Hash: 8A71FF32200706AFE7B29F19C845F67BBF6EB40720F144528EA958B6E1DBB5F940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01046DC9, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 823c47690ea45968ef180e61fa072c85af0c7a3a91e7a169593c3fc95e20bf75
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: B7718FB1A00249EFDB11DFA9C984EEEBBB9FF48700F144169E545E7251EB34AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FC52A5, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59c993e819727a3370a1f069be6b053130f9a95654fbe9093052ed95686e9bbc
Instruction ID: 9e7113f9e037347740489d2568eb15caba5ba4f29a53e1688f6afa8aeee9c0e6
Opcode Fuzzy Hash: 59c993e819727a3370a1f069be6b053130f9a95654fbe9093052ed95686e9bbc
Instruction Fuzzy Hash: 8F51DC311057529BD721EF28C942BA7BBE4FF90B10F14091EF4D5876A2E774E844D792

Uniqueness

Uniqueness Score: -1.00%

Function 00FF2AE4, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f556638ed33259c52a4ed285b06afcdc3eabde065623eee7baf0da5c2757c1c
Instruction ID: 216995e5f18cc037051381f7b9f7f0a356e8a5c88db2690c01758df82f705d58
Opcode Fuzzy Hash: 2f556638ed33259c52a4ed285b06afcdc3eabde065623eee7baf0da5c2757c1c
Instruction Fuzzy Hash: 3651AE76A001198BCB68DF1CC8809BDB7B1FFD8710715845AEE86AB364D735AE41EB90

Uniqueness

Uniqueness Score: -1.00%

Function 0108AE44, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41081c278e2a4e7f9a32fc1879f2a216fc507f852dcea3982a361684401a0f1c
Instruction ID: 280cc5eb2db7f1f448a0469ff47896643ab6b0372d8e8d4ceed63a93abd9d2d0
Opcode Fuzzy Hash: 41081c278e2a4e7f9a32fc1879f2a216fc507f852dcea3982a361684401a0f1c
Instruction Fuzzy Hash: 4D412870708611DBE726FA69C884B7BBBD9EF84720F04465AF9D687AD2DB34D801C690

Uniqueness

Uniqueness Score: -1.00%

Function 00FEDBE9, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b1cc7cfbed1c064bcd1601fd9d26e207d7802a99209a752872af1f90fff6aa1
Instruction ID: 6786e6565c45a937c0dfb48a102f9e9696a0bbe366bf5f931ff454dffa68aa67
Opcode Fuzzy Hash: 3b1cc7cfbed1c064bcd1601fd9d26e207d7802a99209a752872af1f90fff6aa1
Instruction Fuzzy Hash: 2351BE71E00649CFCB24CF69C8D0AAEBBF6BF48350F24815AD995AB340DB35AD44DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FDEF40, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: 8ebff20e9300e2da078ff2879ef337dacf1849b26429e4881e7dac7d34ea6842
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 65512631E04245DFDB21CB68C0D4BAEBBF2AF05324F2C81BAD44657382C376A988E741

Uniqueness

Uniqueness Score: -1.00%

Function 0109740D, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 6a35b6a824fde2d9625808604f605fc6e11299b31dc6092180e43c0fe8b5a4ea
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: 3D516A72600646EFDB56CF18C880A96BBF5FF45304F14C0AAE9489F252E7B1E946DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FF2990, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d320c53f12606aeee89fe04a898a186cef5349be0292ab4f5fd77190f23c5b
Instruction ID: e5a9544ecda16866f1c16893404d0a7e9d73d490c6c50b2dc23d46d549b8e2b8
Opcode Fuzzy Hash: 64d320c53f12606aeee89fe04a898a186cef5349be0292ab4f5fd77190f23c5b
Instruction Fuzzy Hash: D051697190020EDFCF65DF95C880AEEBBB5BF48710F158055EA14AB260C3399D52EFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FF4BAD, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47742250d4b8bf87a0e7c5d37c849d95b40bbff9dc67509817d6ffab97b48ff5
Instruction ID: cfeb275de84cd4e4eb8d3fe82028711fb72a9b149f9369a066922e9e3c3e9a45
Opcode Fuzzy Hash: 47742250d4b8bf87a0e7c5d37c849d95b40bbff9dc67509817d6ffab97b48ff5
Instruction Fuzzy Hash: 7D41C536A0122CABDB21DF68CD41FEA77B8FF45710F4100A5EA48AB251D775EE84DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FF4D3B, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dec3c4bbceda50cbf6975b95d9a8aaee8ca595cc4611f489879f618adc4d258
Instruction ID: 60e25026dc3c56ab8251b817ec5e425474c0c149565a56c0e48545acc78907ba
Opcode Fuzzy Hash: 7dec3c4bbceda50cbf6975b95d9a8aaee8ca595cc4611f489879f618adc4d258
Instruction Fuzzy Hash: 9041B071A4031CAFEB22DF14CC81FBBB7A9EF45710F0040A9EA499B291D775ED449B91

Uniqueness

Uniqueness Score: -1.00%

Function 00FD8A0A, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e82b62ec9b05f0595f03da392990c934866e11dcc81cac3e1d4fb5ec0ef27d5
Instruction ID: 6c6f8ca2503cadbdfe4d9c6da557224439dfcab45c71a862575f04f1956da5a9
Opcode Fuzzy Hash: 2e82b62ec9b05f0595f03da392990c934866e11dcc81cac3e1d4fb5ec0ef27d5
Instruction Fuzzy Hash: 08416EB1A0022C9BDB24DF15CC88BA9B7B5FB94350F1441EBE81997352EB749E81DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0108AA16, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: 92fbf960ac1a311e60a9dfb1ce7bd1f2d0a7295e8ebbb9fdc89210bb6f06b0aa
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: F8312631F04645ABEB15AB69CC45BAFFBBAEF84210F0544AAE8C0A7A42DB74CD00C650

Uniqueness

Uniqueness Score: -1.00%

Function 0108FDE2, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: ff54febe2de168ebdccd088abad2f46db76d19103d6aa2fe684eccb6af9094b0
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: A831F532208A46AFD722A778C844F6A7BE9EFC5750F184098E5C5CB382DB74D841C760

Uniqueness

Uniqueness Score: -1.00%

Function 0108EA55, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 46702323365ab7c41b6c407492a8beda068b86f957e69e65fcfff0c9035d9bd0
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: BE3172726087059BD719EF28CC81A6BB7EAFBC4710F04492DF5D687641DA34E809CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 010469A6, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ff1faa4dc3ce465e9bbe69bc880bac02529a8db49cb5adbfae11a7fa4092e00
Instruction ID: e4048c9217068ef58cbb60228f0a8ce7c46bedf6eccf022032c343dba73390f5
Opcode Fuzzy Hash: 4ff1faa4dc3ce465e9bbe69bc880bac02529a8db49cb5adbfae11a7fa4092e00
Instruction Fuzzy Hash: 2241AFB1D006089FDB11CFA9C880BEEBBF8EF49304F04816AE544A7251EB759905CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00FC5210, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f61b3e552b70a3e8b5c7500d0b06b38e739740594abb73fbb510060de0e0d5b9
Instruction ID: 0d33c3508b74bd1c4c38c4a192fae8117819a071897af18a7dcb7655099d1a7d
Opcode Fuzzy Hash: f61b3e552b70a3e8b5c7500d0b06b38e739740594abb73fbb510060de0e0d5b9
Instruction Fuzzy Hash: B4311632642B12DBD736BB18CD82FAA77E5FF50B60F11462AF4950B1E6D760F840D690

Uniqueness

Uniqueness Score: -1.00%

Function 01003D43, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 960086f6eb06187824eaa1421d311211790e2b7ed4a3d21d1c4aaaa21c0c0642
Instruction ID: 806800969cc9035fb5dc64bcf8c78837f8f4d068b3d0bfb8f801f826d2ea94eb
Opcode Fuzzy Hash: 960086f6eb06187824eaa1421d311211790e2b7ed4a3d21d1c4aaaa21c0c0642
Instruction Fuzzy Hash: 1131AD31A046559FE7279F2DD842A6BBBE5FF85700B0581BAE98ACF391E730D840C790

Uniqueness

Uniqueness Score: -1.00%

Function 00FFA61C, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd938b76f32af900554047fcfee94325e451affc48dc8e7b5ea50924bd8ce059
Instruction ID: 379bb2dd256729c2d3c712bdde5085f7220919085738e6b1352757ac60d03a04
Opcode Fuzzy Hash: fd938b76f32af900554047fcfee94325e451affc48dc8e7b5ea50924bd8ce059
Instruction Fuzzy Hash: EC417FB5A00209DFCB19CF58C990BA9BBF1BF89314F18C0A9E948EB354D779A901DF54

Uniqueness

Uniqueness Score: -1.00%

Function 01047016, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d4cfc707fd105a14128a68bca223038fd906989b0e7679c75be7557fd6b35d4
Instruction ID: 07ccaa60ee21a8fa1b55b595228ef11593a3f7000ff5e50b9abfae9d6cb963d9
Opcode Fuzzy Hash: 3d4cfc707fd105a14128a68bca223038fd906989b0e7679c75be7557fd6b35d4
Instruction Fuzzy Hash: 0531C4B26047919BD321DF2CCC81AAAB7E9FFC8700F044A69F99587691E734E904C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00FEC182, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 22aaeaba2def78445bad56affd2ef1f7891206083a7725ee332cf54dfaae0d3d
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: 37312872A015CAAED705EBB5C881BE9F794BF42304F18416AE51857302DB38590AF7E1

Uniqueness

Uniqueness Score: -1.00%

Function 01073D40, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02a55f3bc646c5588fc0a4881d6be3f59b1dd7504326e3f72cdc00a66ca596d9
Instruction ID: 1467d581c95c75372a743f13dc582410c3a59b30a26e9425776703d86e4247b4
Opcode Fuzzy Hash: 02a55f3bc646c5588fc0a4881d6be3f59b1dd7504326e3f72cdc00a66ca596d9
Instruction Fuzzy Hash: 97317771A09302CFD714DF18D88185ABBE5FB85704F0889AEF4C88F291E330E904CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00FFA70E, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8768cc8474adbd1aa8f40f5a3dc193fbf31ccd9b04849f8ef9cbdcf990464036
Instruction ID: 29a1b980af86c6abf7d824a4da6da6dcc8fe3eb622d08e4a2664ea19fefa960c
Opcode Fuzzy Hash: 8768cc8474adbd1aa8f40f5a3dc193fbf31ccd9b04849f8ef9cbdcf990464036
Instruction Fuzzy Hash: 2731E3B26202049BCB25DF08DCD1FA577F9FBC4710F50095AE289A7694D3BAA900DF92

Uniqueness

Uniqueness Score: -1.00%

Function 00FF61A0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d10a46aad1f938b55ac61d86fd0b8ab516382dc54cb920970322fb8671f85186
Instruction ID: 40b3954edc0504381e86b5938cdc9a9bc91a038df3bbf234b68f7bb154a4507b
Opcode Fuzzy Hash: d10a46aad1f938b55ac61d86fd0b8ab516382dc54cb920970322fb8671f85186
Instruction Fuzzy Hash: 8D316BB1A057018FD760CF19C950B2ABBE9FF88B10F05496DEA94D7361DB70D804DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FCAA16, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ca9374868f5880a779ec68241675397d5a56983fe53049878e8c2e596fd301f
Instruction ID: 13047471e02c64eb138febdd47ea6fbe06c59399a1ff0f7f2fb39291b5989cbc
Opcode Fuzzy Hash: 8ca9374868f5880a779ec68241675397d5a56983fe53049878e8c2e596fd301f
Instruction Fuzzy Hash: B531C871A00219EBCF159F64CD42ABFB7B9EF44700F014069F941D7151E779AD11E7A1

Uniqueness

Uniqueness Score: -1.00%

Function 01004A2C, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889fc5838c0ad194036c7de0cd9c34bab4b6c839cf1ff8dcf036a56b912fdd82
Instruction ID: c2cac1f208b86eef161b396d27b5df97d8cef618977f9e37a781a17fb244cd8c
Opcode Fuzzy Hash: 889fc5838c0ad194036c7de0cd9c34bab4b6c839cf1ff8dcf036a56b912fdd82
Instruction Fuzzy Hash: 7E314832205741DBE7629F19CD81B2ABBE8FFC6700F04456DEAD28B291CB74D844CB89

Uniqueness

Uniqueness Score: -1.00%

Function 01008EC7, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7b62dd07e525ece44ad43b07d21843fbac89fae1ce22bbe4d7eec20b616263
Instruction ID: 3fb250cfc732570140ac5257c75c25a29e26ce30eaa1532c84b5f358d69298c9
Opcode Fuzzy Hash: 6c7b62dd07e525ece44ad43b07d21843fbac89fae1ce22bbe4d7eec20b616263
Instruction Fuzzy Hash: 9541A1B1D002189FDB60CFAAD981AEDFBF4FB48710F5081AEE549A7241D7745A84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00FFE730, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8625f46e81b11656ade7c5137e684cd07eccc43063b4685400978c29c82ab4ff
Instruction ID: 368473ff3432e0f6a5795ae8fb197fc46621da55edf04c62dc296134a3119e73
Opcode Fuzzy Hash: 8625f46e81b11656ade7c5137e684cd07eccc43063b4685400978c29c82ab4ff
Instruction Fuzzy Hash: 7F318F76A14249AFD704DF58C841F96B7E8FF09314F148256FA54CB3A1D635ED80DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FFBC2C, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56d727385e461cf3b9061e436e9dab8ea7f9a17474949d1b2d748b8f7165d10d
Instruction ID: a9b1980b5b90d35f2751509cfad1d6f9129d16395b4451cf37216b63e4b40436
Opcode Fuzzy Hash: 56d727385e461cf3b9061e436e9dab8ea7f9a17474949d1b2d748b8f7165d10d
Instruction Fuzzy Hash: 6431E136A106199BCB21DF58C4C07BA73B4FF18310F144479EE85DB215EB7ADD45AB80

Uniqueness

Uniqueness Score: -1.00%

Function 00FC9100, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e212c3e1bf41352ae5216880a6eefdbe5c6cd2da670cfa4a742a43d734d17c8a
Instruction ID: 7e45a1cd723f3e6718c489b917b9adfa694638e899a0d4bce80386dcd9ff3c1e
Opcode Fuzzy Hash: e212c3e1bf41352ae5216880a6eefdbe5c6cd2da670cfa4a742a43d734d17c8a
Instruction Fuzzy Hash: 7531B575E08247DFDB25DB68C58EBDCB7F1BB49320F18814ED48467251C3B5A940EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00FF1DB5, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 40f29479b21f5da285d05d04da2aa6dde1c88b65f43bab51f25832cd1aca7779
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 05217C72A00259EBD721CF99DC80EABBBBDFF85750F114065FA0597260D634AE01EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FE0050, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3570b97a8257c820bea32e7274629f346bbb2c506de3ba77584ac50faf268fff
Instruction ID: db01cae3c52123f99af8f4ff522404a67761c52d59baf464cb3a0ea27dc69073
Opcode Fuzzy Hash: 3570b97a8257c820bea32e7274629f346bbb2c506de3ba77584ac50faf268fff
Instruction Fuzzy Hash: A331D231601B44CFD722CF28C880B9AB3E5FF89714F14456DE59687790EB75AC01DB50

Uniqueness

Uniqueness Score: -1.00%

Function 01046C0A, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c58696a1201c91e90ed32e067f15e2f3045c39623a82e4c28be4467163bc1ad
Instruction ID: 25747331569dfdf9e70a875ea1f4140c39dd14ee7cc502a44bc556fb61e7a0ce
Opcode Fuzzy Hash: 5c58696a1201c91e90ed32e067f15e2f3045c39623a82e4c28be4467163bc1ad
Instruction Fuzzy Hash: FD21A0B1A00648AFD715DB59D880F69B7B8FF49700F0440A9F944C7791E639ED50CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 010090AF, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 82b14676fa964fa4c7c61ff3953868d032b518126bdba3fb1531c24cf319d439
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 99218371A00205EFEB21DF59C844AAAFBF8EB44314F14847AE98997251D770ED40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FF3B7A, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e0be58967b05a4e3d46734689960a6817a3d4b78e5b7a66c901680d19525cac
Instruction ID: a3d8d13853a7e29095868dccb2cb5d6b95b7b529e18993e93c452d37cf9de51e
Opcode Fuzzy Hash: 0e0be58967b05a4e3d46734689960a6817a3d4b78e5b7a66c901680d19525cac
Instruction Fuzzy Hash: 0A21D472600108AFD710DF58CD81FAAB7BDFF40308F150069EA04AB261C776EE01DB90

Uniqueness

Uniqueness Score: -1.00%

Function 01046CF0, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2e7fbba8d62e733426383a50bb53848e39f2742f74a62ff5c83bda4c33c3cc
Instruction ID: d19014021b1803bdcd663b6b8bbed5c599f48c555e98828cc407b8c25e676519
Opcode Fuzzy Hash: ee2e7fbba8d62e733426383a50bb53848e39f2742f74a62ff5c83bda4c33c3cc
Instruction Fuzzy Hash: 2C21B6B29047459BD711EF29CD84B6BBBDCAF82740F0405B6BAC0C7252E735D548C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 0109070D, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: c4418f4cad63128f8f5cc5e14f1102fc3dced4972242db0c46b3f5f8fcd0634c
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: 9521F236708204AFDB15DF18C890AAEBBE9FFD4360F048569F9958B385DA30D909CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FEAE73, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: 23a5602f42677c398eeda11e0f12e157304c1598741d43b19fbfed266912cb84
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: A821D4726056C5DFE7269B2AD944B2577E8FF84350F1900E0ED448B6A2E738EC40E691

Uniqueness

Uniqueness Score: -1.00%

Function 01047794, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39d60676b4e3ee228464415db6c2c1d1c74b5b1c4a5be18a730114c05d157570
Instruction ID: 6b783a2203b3bc91b0c9acbad7585716a7275f4c97912e8fac1e8105327b75cc
Opcode Fuzzy Hash: 39d60676b4e3ee228464415db6c2c1d1c74b5b1c4a5be18a730114c05d157570
Instruction Fuzzy Hash: 7721A172500644ABD725DF69DC80EABBBE8EF88740F1045ADFA4AD7790D734E900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00FFFD9B, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 54e702eb6004e95ffff76b162e68af32b54118572800e564ff5df437dca934ab
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 3B217C72A00A48DBD735CF0AC640A76F7E5EF94B20F24857EEA4587621D734AC04EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FC9240, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6ce7299e0e0952c4fff0bee82b3b440e3f785c298cc33b0278f931a00f10d07b
Instruction ID: 623b3b9c17d092507cd27c29ed6a7867ea1236501a245641244599dfccd08953
Opcode Fuzzy Hash: 6ce7299e0e0952c4fff0bee82b3b440e3f785c298cc33b0278f931a00f10d07b
Instruction Fuzzy Hash: 29218931041A81DFC726EF68CE46F99B7B9FF18304F04456CE089866A2CB79E941EB40

Uniqueness

Uniqueness Score: -1.00%

Function 00FFB390, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e4e6e0f16fed3863d4b3a488d5365f09b541d92ac9dd33c0b46e8b52749d7ab
Instruction ID: 6ad8e4df28858dd3e524cca4aacdb9fa555fa64867cc59440ff5089ed71a34d3
Opcode Fuzzy Hash: 1e4e6e0f16fed3863d4b3a488d5365f09b541d92ac9dd33c0b46e8b52749d7ab
Instruction Fuzzy Hash: DC116B337451149BCB19DA55CDC1A7B729AEFC9330B244139EE96C73A0DA319C02D690

Uniqueness

Uniqueness Score: -1.00%

Function 01054257, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5417edaf1b73d9077e27aa7da602c91edb650d7a88ebfd7d53eef6f127f643db
Instruction ID: e0c7228531e1ad5bee974a1f5c8aa4c67ae8a895e43d2f24e33fe2d8480f0326
Opcode Fuzzy Hash: 5417edaf1b73d9077e27aa7da602c91edb650d7a88ebfd7d53eef6f127f643db
Instruction Fuzzy Hash: B9217C70940601CFC7A5DF68D480AD57BF9FB45359B60C2EED589CB2A9E73AC492CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00FF2397, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28ba43d01fdecf283642e20fffd6c1f2540e79a02fbc046a231c1426a50175b8
Instruction ID: 24d314a4551d84ab48dec88730dd3578415bc4f34394d0b48fcad123549b2340
Opcode Fuzzy Hash: 28ba43d01fdecf283642e20fffd6c1f2540e79a02fbc046a231c1426a50175b8
Instruction Fuzzy Hash: FB116F7260074457D770A6299C81B6572CDEF90720F18843AF745AB1B2CA7CD804F754

Uniqueness

Uniqueness Score: -1.00%

Function 010446A7, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 158c9b37179d62855bf5837b53ef8a1c0ad8bff9d4c741fd6413cfbff3a5526d
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 60112572504208BBCB059F5DD8809BEF7B9EF95300F1080AEF984C7351DA358D51D3A4

Uniqueness

Uniqueness Score: -1.00%

Function 00FCC962, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c498a03feccfbabd177be3f1d3871ad84c7cf865c3b1240c7c6587e9c842155b
Instruction ID: a6bea3700483a7e6643e80f7ed94ad22138b1eb78f66ef300fe063459d382d54
Opcode Fuzzy Hash: c498a03feccfbabd177be3f1d3871ad84c7cf865c3b1240c7c6587e9c842155b
Instruction Fuzzy Hash: 1D11C27132060A9BC751AE2CCC85AAA77EAFBC4610B00053EF9C587691DB25EC10D7D1

Uniqueness

Uniqueness Score: -1.00%

Function 010037F5, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81ed208a0870e2147f9c2f2de9851ecadae7c2803571aff48c8115f542047f6b
Instruction ID: c11c80acd7a921d275e755b8a530e2f84b53a27875da42a69a1598f15202f56c
Opcode Fuzzy Hash: 81ed208a0870e2147f9c2f2de9851ecadae7c2803571aff48c8115f542047f6b
Instruction Fuzzy Hash: 5D0104729057109FE37B8B1E9940E2ABBE6FF81B50F1540E9E9858F292D734CA00C780

Uniqueness

Uniqueness Score: -1.00%

Function 00FF002D, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 7c954f1e7af14a0135d6346c88257d24af2d4ece7825052e7d032e03024b51d2
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: 1E11ED326056C8CFE7279B29C944B353BD8EF81B54F1900E0EE44CB6A3EB2CC841E260

Uniqueness

Uniqueness Score: -1.00%

Function 00FD766D, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: f839004c1602cd5ed32bd228babb4299c06fa1723b815d77f5601fcae19f3a09
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 3901883270461DABC720AE5ECC41E5B77AEEF84B60B280539B908CF350FA34DD01A7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00FC9080, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98f5bbd36fa4240b697c1fcb9f4b7f1efaaa4ca7396368815ef773679575fdf0
Instruction ID: db4fbbb301bfbeaa25ea8ea5b91fe38a5875e1623d7450fbc90cb21c7bcbf420
Opcode Fuzzy Hash: 98f5bbd36fa4240b697c1fcb9f4b7f1efaaa4ca7396368815ef773679575fdf0
Instruction Fuzzy Hash: 8801F4739052018FC3288F24DD85F1177A9EB41721F25806AE1418B791C3B5DC41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0105C450, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 88ddbe573e480af95f8c918a2a4b24c5586afaefeaa765f63de1ea88d4a4b48f
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 47018471140646BFF725AF69CD80EA3BB6DFB54355F004525F694425A1CB32ACA1CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01094015, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 311422657dd07406d44a614cf5ab8bc7b3287e8bdb07b5d968713e6d75ab53ee
Instruction ID: 53920b06b2c4934d30af01de1245f615c671ee53020e617906ad75e55fb189f4
Opcode Fuzzy Hash: 311422657dd07406d44a614cf5ab8bc7b3287e8bdb07b5d968713e6d75ab53ee
Instruction Fuzzy Hash: 350184722016857FD755AB6ACE81E53B7ACFB49750B04022AB50887A22DB38EC11D6E4

Uniqueness

Uniqueness Score: -1.00%

Function 0108138A, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aadb2753798898bb039c91482115dbc1de6f494bf64bc2b1fcc07abefb2f207
Instruction ID: 094cf116cab4398244f92f0888c06c33cf40bebe10aec1672c372c486291b7c9
Opcode Fuzzy Hash: 5aadb2753798898bb039c91482115dbc1de6f494bf64bc2b1fcc07abefb2f207
Instruction Fuzzy Hash: 9F019271A04208AFDB10EFA9D841EAEBBB8EF44700F004066B944EB281D674DA41C790

Uniqueness

Uniqueness Score: -1.00%

Function 010814FB, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f15f65106f891447221cd93ef44235f26ad9784aa482f308b2b35e605bb71ac
Instruction ID: 97ca86360c6f0e58baa6913d99962bcff5e88f402bcfb1c88e0fa28907040bc7
Opcode Fuzzy Hash: 7f15f65106f891447221cd93ef44235f26ad9784aa482f308b2b35e605bb71ac
Instruction Fuzzy Hash: FD019E71A01248EFDB10EFA9D842EEEBBB8EF45700F044066F944EB281DA74DA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00FC58EC, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59c2df4f0c394ee716e6cc345bbf5ae36ffe84ff014132f7d54d5c0cb61c73de
Instruction ID: 747e4ac250ab4768a5c4d33f54f502b8381be7c3c4ff12b0580ef221507e7430
Opcode Fuzzy Hash: 59c2df4f0c394ee716e6cc345bbf5ae36ffe84ff014132f7d54d5c0cb61c73de
Instruction Fuzzy Hash: 4401D4B1A00906EBC714DE74DD42FEE77A8EF90A30F5440B9AA4597644DF31ED41D790

Uniqueness

Uniqueness Score: -1.00%

Function 00FDB02A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: 727f8e2118cceb5dd0f533b4d17d624d8393408e4dd14bc23592c5500c8052e0
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: CA017C72705A84DFD3228B1DC98CF6777D9EB85B50F0A00A2F919CBA51DB28DC40D620

Uniqueness

Uniqueness Score: -1.00%

Function 01091074, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e265be434a3d34bdb0ad7597ce23be19003a6299d7fa6e2b454e3733c37958e6
Instruction ID: 8b134d9475ffbb65bde6d6bb030eafe028debde37c9964dbdf530bce347b096f
Opcode Fuzzy Hash: e265be434a3d34bdb0ad7597ce23be19003a6299d7fa6e2b454e3733c37958e6
Instruction Fuzzy Hash: 620128727047439BCB50EB69C940B5A7BD9ABC4320F04C919F9C583691EE75D440DB92

Uniqueness

Uniqueness Score: -1.00%

Function 0107FE3F, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fa701db72dd557bae6e6dc0a2f06a78edc286009da30a2bbaa44268e88bc72d
Instruction ID: f77554063a1e0c95537f55c664babe6a7edc951112b5b6f814a7be377f53f2ef
Opcode Fuzzy Hash: 3fa701db72dd557bae6e6dc0a2f06a78edc286009da30a2bbaa44268e88bc72d
Instruction Fuzzy Hash: C3018471E05249ABDB14DFA9D845FAEBBB8EF44B04F004066B940EB281DA74D941C795

Uniqueness

Uniqueness Score: -1.00%

Function 0107FEC0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 920164b93e85c5ef87cf5e282cac69d651add06b3dfffc977f55fa7944af04d7
Instruction ID: 25a19dcd3a44d7912276a53a9f5f1fde1446573e6e2dab93399fff0912f1cdbf
Opcode Fuzzy Hash: 920164b93e85c5ef87cf5e282cac69d651add06b3dfffc977f55fa7944af04d7
Instruction Fuzzy Hash: 1D018471E0120DABDB14DBA9D845FAEBBB8EF45700F004066B940EB281DA74DA41C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 01098A62, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a3d9426946e692b6ffd43d0a017599f27644c2a6d9da45ca2612915fce1ab12
Instruction ID: cf98f2ac99744eb8478e026ab0805102b46d85def564fee2cfb1daa6e006e3ed
Opcode Fuzzy Hash: 2a3d9426946e692b6ffd43d0a017599f27644c2a6d9da45ca2612915fce1ab12
Instruction Fuzzy Hash: F2012C71A0121DAFDB00DFA9D9419EEBBB8EF59710F10405AFA04E7381D638A900CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01098ED6, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 543368bd9d7a3ad9f2a4a78ee89ae6385730a756e6a063bea9047acb6edc69d0
Instruction ID: 2bba67565f19eee0793c234d27f46e02b5b582fa087fbef85615905b038a3f7d
Opcode Fuzzy Hash: 543368bd9d7a3ad9f2a4a78ee89ae6385730a756e6a063bea9047acb6edc69d0
Instruction Fuzzy Hash: 2E1112709042499FDB04DFA9D455BAEF7F4FF08300F0442AAE558EB382D6349940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FCDB60, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: eb231e32d3edd7c6b25eaad5cd081d73469e4d2390ce94f946da876f67264d99
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: F0F0F6336016639BD3326A558EC6F2FB6A58FC1B60F27003DF2099B344CB648C02B6E4

Uniqueness

Uniqueness Score: -1.00%

Function 00FCB1E1, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: af5fe6cc68e14984f1ae08bee2a63bfdd1c6251d92816bc62b385ffe1ec4f335
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 9F01D136600684DBD323975DD906FA97BD8EF51750F0800A5FD94CB6B2D779C800E214

Uniqueness

Uniqueness Score: -1.00%

Function 0105FE87, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 684906a2dba0f99b7320a98db90c682d35d462988b230c6425aa742715b96fe0
Instruction ID: beaa5f968435af966d2c8aa3d5f52ca17bb44fd6cbef849cd34cb9c3c8006922
Opcode Fuzzy Hash: 684906a2dba0f99b7320a98db90c682d35d462988b230c6425aa742715b96fe0
Instruction Fuzzy Hash: 87018670A0420DEFCB54DFA8D942AAEB7F4FF08704F1441A9B944DB382D639D901CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0108131B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15170a2c805b245c13d04340bceea88062df3850488ce221008039cbbabe0528
Instruction ID: be3efc92bd71c34e82422ad515efbd6750826da46c65631a9d8e68ec3b664e20
Opcode Fuzzy Hash: 15170a2c805b245c13d04340bceea88062df3850488ce221008039cbbabe0528
Instruction Fuzzy Hash: C8013C71A0524CAFDB04EFA9D945AAEB7F4FF18700F008069B985EB381E674DA00DB94

Uniqueness

Uniqueness Score: -1.00%

Function 01098F6A, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faeda041d59ef4247051182934db904cac4952166a5c832528113b3d833d1a7d
Instruction ID: 0374c51526f5f43ec3063beccbd17b8f7f2687229aba6b2738604740a0129a2c
Opcode Fuzzy Hash: faeda041d59ef4247051182934db904cac4952166a5c832528113b3d833d1a7d
Instruction Fuzzy Hash: B4014474A0520DAFDB00EFA9D955AAEB7F4EF18300F10805AB945EB381DA74DA00DB94

Uniqueness

Uniqueness Score: -1.00%

Function 01081608, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02d9ea77894dfbe6b1bd26429f0ae06dd2b16d65bf942dba587080e29c68550f
Instruction ID: 6d7c8c5d9c37aa3088affb2a8b7b787999dba2fd13f53bac532c10b2506b4a43
Opcode Fuzzy Hash: 02d9ea77894dfbe6b1bd26429f0ae06dd2b16d65bf942dba587080e29c68550f
Instruction Fuzzy Hash: 68F06271A05248EFDB14EFA9D845AAEB7F4EF18300F0440A9B985EB381E634D900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00FEC577, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48518b0e165e02107c3f112a89f1aac80c4a3111ccea651933b685e8e1e026fc
Instruction ID: b5b91f9f606433913571885dfca8cd504edf9210dea3d7f79165318483789fe5
Opcode Fuzzy Hash: 48518b0e165e02107c3f112a89f1aac80c4a3111ccea651933b685e8e1e026fc
Instruction Fuzzy Hash: 24F09AB3D157D49ED7318B2A8404B227BE89B05770F6D8467F51687201C6A4FC82E2D1

Uniqueness

Uniqueness Score: -1.00%

Function 01082073, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98d606cedf67026ce552de712f28458576e65b50b74bfe9e5b47ded750c64901
Instruction ID: f79c3d611ad6687c85af0a742c85d67f1d333bb9a1012a34542412615ed404b5
Opcode Fuzzy Hash: 98d606cedf67026ce552de712f28458576e65b50b74bfe9e5b47ded750c64901
Instruction Fuzzy Hash: 6BF0203A8191858AEE73BF6874402E23BCAEB56114B1940C6E4E01720AC93A8883CF24

Uniqueness

Uniqueness Score: -1.00%

Function 0100927A, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 55b4ded1bf16f59ae1b59f3092e0c2ee7386ba01b99240274662ab3b648c88f6
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: E2E022723406416BFB229E0ACC80F4777ADEFC2724F04407CB9045E283CAE6DC0887A0

Uniqueness

Uniqueness Score: -1.00%

Function 01098D34, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 902db59b0fb233430b9f5a4027514326e49d88030e0d73294e0661a3e2e7f763
Instruction ID: 5e6b60e42acc62c1b1bdc670f1c9728ec513854b10921e7bd467a3c0d509c8d0
Opcode Fuzzy Hash: 902db59b0fb233430b9f5a4027514326e49d88030e0d73294e0661a3e2e7f763
Instruction Fuzzy Hash: FFF0B470A0560CAFDB14EFB8D841AAEB7B4EF18700F108099E945EB381EA38D900C754

Uniqueness

Uniqueness Score: -1.00%

Function 01098B58, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d90bdaf1dbf78b8c4e0fa637b4357d4315715c04ffc067e8c049a6e5d094cc0
Instruction ID: d8c8d5df4219352aa8077492bb9b9f5ae844d7c94821bbc69a68453b7848acb2
Opcode Fuzzy Hash: 0d90bdaf1dbf78b8c4e0fa637b4357d4315715c04ffc067e8c049a6e5d094cc0
Instruction Fuzzy Hash: E9F082B0A0425DABEF10EBA8D916EAEB7B8EF04704F044499BA45DB3C1EA74D900C794

Uniqueness

Uniqueness Score: -1.00%

Function 00FE746D, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b74158d8d10e148b90744baad7105eff354bc6d269bf5b08ed17720ab38d08f7
Instruction ID: f34ed60716ab863d629dbca78e58a8d4c8d7e0380444a4f6fab7e145e890115d
Opcode Fuzzy Hash: b74158d8d10e148b90744baad7105eff354bc6d269bf5b08ed17720ab38d08f7
Instruction Fuzzy Hash: 9DF0E935A0A3C5EADF11F76AC840F79BFB1AF14360F140155E891AB1E1E7259C00E785

Uniqueness

Uniqueness Score: -1.00%

Function 01098CD6, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbc6e78b23ed6bd7be0b934d2e8cd79c2c46e68e5a0096680bb5f36083ec7145
Instruction ID: 5a31c0f45709a67966a2dae6b550a862e78b1e82c8b2d527bded3e611e91b218
Opcode Fuzzy Hash: bbc6e78b23ed6bd7be0b934d2e8cd79c2c46e68e5a0096680bb5f36083ec7145
Instruction Fuzzy Hash: 5FF0E270A0920CABDF04EBA8E846EAE77B4EF19304F10419AF945EB3C1EA38D900C754

Uniqueness

Uniqueness Score: -1.00%

Function 00FC4F2E, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3623d645718c67c3f048fbefb5e1640f788dd120149a2d259946ec66d8def3a2
Instruction ID: 850ae8e65bb90b1eb82b5f911a672e303f77e87eaf6b83eff827a4ae17a29aa9
Opcode Fuzzy Hash: 3623d645718c67c3f048fbefb5e1640f788dd120149a2d259946ec66d8def3a2
Instruction Fuzzy Hash: E7F0E2365217A88FD7B3CB1CC144B22BBD9AB01778F0584A5F58587A26C734EC80C680

Uniqueness

Uniqueness Score: -1.00%

Function 00FFA44B, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ab7b2ded2fd02812234444ccf87c3136b86cd20cba9458fc5470d8cb2108092
Instruction ID: 799dcc2eca789ff18d29ca9578bb380308ddd555517e80abce86b5b3e7c9d543
Opcode Fuzzy Hash: 2ab7b2ded2fd02812234444ccf87c3136b86cd20cba9458fc5470d8cb2108092
Instruction Fuzzy Hash: CDE092B2A01421ABD2229F18AC00FA6B39DDFE5751F194039F648C7264D668DD01D7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00FCF358, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: d48571cf0995e43690f6fd4880c04a38dca110f6a149d8f8c52245ed8dd523a2
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 2BE0D832A40158BBCB2196D99E06FAAFBADDB44B60F00016AB904DB190D5659D04E2D0

Uniqueness

Uniqueness Score: -1.00%

Function 00FDFF60, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe3783271ed410b21dca659e93447ac987d1b14248e8fafb5c66b492e649f627
Instruction ID: 0a3089b075016ed4db0728dd1128d438fdb2f3943f75200b8242f9d057dc6ec4
Opcode Fuzzy Hash: fe3783271ed410b21dca659e93447ac987d1b14248e8fafb5c66b492e649f627
Instruction Fuzzy Hash: 5BE0DFB1A052449FDB34DB52D050F2D379EAB62739F1E822FE00A4B302C621DC84F256

Uniqueness

Uniqueness Score: -1.00%

Function 010541E8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e69435de5b2c7c23cd32acda7888414879bd81a8773d68218c0d98a88e3019d
Instruction ID: 18cd97625013a041b8642d0da083a56d8a27a88d502d0cd2817b4564ab73b6fc
Opcode Fuzzy Hash: 1e69435de5b2c7c23cd32acda7888414879bd81a8773d68218c0d98a88e3019d
Instruction Fuzzy Hash: 60F01574890701CECBB1EFA9D5887E436ACF74435AF50C19BA1C0872A8D73D84A1CF01

Uniqueness

Uniqueness Score: -1.00%

Function 0107D380, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: e9c6b6b5a002a724e4dfc4955c8f9f3300dcd81d6b1785287162dae80c7e6cb6
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: E4E0C231284244BBDB226E84CC01F697B56DF407A0F108035FE485A691C679AC91E7C8

Uniqueness

Uniqueness Score: -1.00%

Function 00FFA185, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7238374a2ec3a5ba12afded02d5e68b05361eeafe3f2098236fb565246de9153
Instruction ID: 9fe4436329a610f702863a26069816d16d40bc1110b39172c412a8160e3d122a
Opcode Fuzzy Hash: 7238374a2ec3a5ba12afded02d5e68b05361eeafe3f2098236fb565246de9153
Instruction Fuzzy Hash: 87D02BB116004416DA2C2700DCA4B713216FB84700F31044DF34B0A5B0ED5688D4B509

Uniqueness

Uniqueness Score: -1.00%

Function 00FF16E0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 555c7d5dba58e148a82f32784ecbd885c102987b356871255736e3ef23acf9f3
Instruction ID: 4934726ad2a9ee0e07a15777c1817213d72727e4d7ff8e9e3622f0652a10ac4c
Opcode Fuzzy Hash: 555c7d5dba58e148a82f32784ecbd885c102987b356871255736e3ef23acf9f3
Instruction Fuzzy Hash: CED0A731140144D2DE2D5B119C45B243255FFC0791F38005CF30B994E1DFA6DC92F04C

Uniqueness

Uniqueness Score: -1.00%

Function 010453CA, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: aa9f8280e07b0585c104a64337e6f416bf9268882f14e4d8b7f9e712d0627fd4
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 89E08C729047C09BCF12EB49CA90F4EBBF5FB84B00F1800A4B0485F621C628AC00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00FDAAB0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: c4ec890886ae43fd70f0514b35b5af79afd48a82646dce7653158fa61a72b36d
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: D9D0C939352980CFD617CB0CC554B0533A4BB44B40FC505D0E400CBB62EA2CDD40CA00

Uniqueness

Uniqueness Score: -1.00%

Function 00FF35A1, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: f8921e1b7b0a3655bea4c09224371244639e4f641947e65fc97421b0a35766d2
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 66D0C93295128A9ADF51BB50C61877C77B2BF80328F6C206696464A972C33A4F5AF602

Uniqueness

Uniqueness Score: -1.00%

Function 00FCDB40, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: 7457029d9a09f0431e2933b4f34a980461e1a70609efac909ec7eedd3205cd4f
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: 91C08C30280A41AAEB221F20CE02F0076A0BB81B01F4500A47300DA0F1EB7CEC01F600

Uniqueness

Uniqueness Score: -1.00%

Function 0104A537, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: c9879d45ec98ec478469717b6e7db02a287ed6f552659e99ec83cfe4e9f84f54
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 5BC01232080288BBCB126E82CC01F167F2AEB94BA0F008011BA080A5618A36E971EA84

Uniqueness

Uniqueness Score: -1.00%

Function 00FE3A1C, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 2f05c638135581dba2b4b8cc8400a245f68ec51e6923843f08fd7834b17b05ac
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 07C04C32180688BBCB126E46DD01F15BB69E795B60F154025B6040A5618576ED61E59C

Uniqueness

Uniqueness Score: -1.00%

Function 00FCAD30, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 3d27c3d4ae193c45101a170c2f9cd82ec7fc27d6564499a5a9889e1c3f004e9f
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 50C08C32080288BBC7126A46DD01F017B29E790B60F000020B6040A6628936E860E588

Uniqueness

Uniqueness Score: -1.00%

Function 00FD76E2, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: 4f12e56c9249d54592f96e11641809c9ab304f37d87dad161dbb874cb2380768
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: 47C08C70549BC85AEB2A7708CE21B207651AB08718F4C02ACBA010D6A2E36CEC02E208

Uniqueness

Uniqueness Score: -1.00%

Function 00FF36CC, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: c8ce32841e7885b79b87012b986033515aea92e476ca29f06be21b8c695b01ff
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 4CC09B75155480BBDB156F30CD51F25B254FB41B71F6407587321855F1D56DAD40F508

Uniqueness

Uniqueness Score: -1.00%

Function 00FE7D50, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 04cdab0de472190fd5531870c852da52367046ffbc8a64e0ceda3b57d11039d5
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 55B09234301A81CFCE26EF19C480B1533E8BB44B40B8400D0E800CBA20D229E8009900

Uniqueness

Uniqueness Score: -1.00%

Function 00FF2ACB, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 37169b74bb13fcb152c72bfaf065ff3bd27c1733b906f579d286229ecc85b623
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: D0B01232C10540CFCF02FF40CA10B197332FB40750F094492A0012BA31C22CBC11DB40

Uniqueness

Uniqueness Score: -1.00%

Function 01009950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7889e6c30b578f65f36aa7d833de30dec3c87850b3ed08ef24af2d6e458e7ac
Instruction ID: 12b655689a489e21587f92ddceaa1432e97c8e26084c6cb2bf4258c461eae75b
Opcode Fuzzy Hash: c7889e6c30b578f65f36aa7d833de30dec3c87850b3ed08ef24af2d6e458e7ac
Instruction Fuzzy Hash: 4D9002A120141903D140659988086070505A7D0342F51C411A2454555ECA6D8C517275

Uniqueness

Uniqueness Score: -1.00%

Function 010099D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4497251851e0f187bc6ea67faa4deca159980e2a69af2b5f50b571372c1f30c8
Instruction ID: 2f07845102b6775545f0746015324610258b020681d18a6a5f685c8ecebaa0b6
Opcode Fuzzy Hash: 4497251851e0f187bc6ea67faa4deca159980e2a69af2b5f50b571372c1f30c8
Instruction Fuzzy Hash: 289002A121101542D104619984087060545A7E1241F51C412A2544554CC56D8C616265

Uniqueness

Uniqueness Score: -1.00%

Function 01009820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7a2a11bffccf0127f2675aa90e50ba43826f307a0339885487857a09535618c
Instruction ID: 13336a3347215219880c8187c50674934a821c1666dd97684b155be660ad36ab
Opcode Fuzzy Hash: c7a2a11bffccf0127f2675aa90e50ba43826f307a0339885487857a09535618c
Instruction Fuzzy Hash: DC90027124101902D141719984086060509B7D0281F91C412A0814554EC6998A56BBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0100B040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a027987fc9cfb68df2ce016ae5f9ef50ffb2db2ce228c8f16430e0afb3c9346a
Instruction ID: 9be192ebed0712ebdd42ac76f83d91ec1b592b26e8245d35be53fb14fa9a134b
Opcode Fuzzy Hash: a027987fc9cfb68df2ce016ae5f9ef50ffb2db2ce228c8f16430e0afb3c9346a
Instruction Fuzzy Hash: 299002A1601155434540B19988084065515B7E1341391C521A0844560CC6AC8855A3A5

Uniqueness

Uniqueness Score: -1.00%

Function 010098A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82f4d6aa17fa3d94ab6d48a777eac5c7c122368710d6f6f805bd11408ac22ba9
Instruction ID: 37584f634c16c5aa642a37bb12e351b71309c98a8a8f2539808b5c28b74dc924
Opcode Fuzzy Hash: 82f4d6aa17fa3d94ab6d48a777eac5c7c122368710d6f6f805bd11408ac22ba9
Instruction Fuzzy Hash: 5590026130101902D102619984186060509E7D1385F91C412E1814555DC6698953B272

Uniqueness

Uniqueness Score: -1.00%

Function 01009B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dfd809be4ec75d8ce616001d2575d8ed4c13b575bae456f3ba99f383ef37eae
Instruction ID: 056a4a15b62c4142118f481b468516fc06748e0575a9d2fd0cac53ccb4eeaa24
Opcode Fuzzy Hash: 2dfd809be4ec75d8ce616001d2575d8ed4c13b575bae456f3ba99f383ef37eae
Instruction Fuzzy Hash: 2290026124101D02D1407199C4187070506E7D0641F51C411A0414554DC65A896577F1

Uniqueness

Uniqueness Score: -1.00%

Function 0100A3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32c2945591f8e0fb749fb50f719b2d7f47ef5a8eebd090d0c07178ebd9fc1d63
Instruction ID: 1bc6165509c325234fdf9e9aedf6178f760d78d66ed8ed636964e630ef0254da
Opcode Fuzzy Hash: 32c2945591f8e0fb749fb50f719b2d7f47ef5a8eebd090d0c07178ebd9fc1d63
Instruction Fuzzy Hash: AD90027120145502D1407199C44860B5505B7E0341F51C811E0815554CC6598856A361

Uniqueness

Uniqueness Score: -1.00%

Function 01009A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35b71ebdf0d105b24880b5ee8ade485ab3dafa9afe68171f92eaa72128e5089c
Instruction ID: 2358728bfdbfc1ed6cf722fad0d30d00060e75d57ce04e7c4ede74d87f470189
Opcode Fuzzy Hash: 35b71ebdf0d105b24880b5ee8ade485ab3dafa9afe68171f92eaa72128e5089c
Instruction Fuzzy Hash: 6290027120141902D1006199880C7470505A7D0342F51C411A5554555EC6A9C8917671

Uniqueness

Uniqueness Score: -1.00%

Function 01009A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c3505778a1e280c289164179b40adb43571701c678d127b9ba77b54e9da00cd
Instruction ID: c7e0d2ed2b6170819eeacf992a8b55b4e159feab36eebddf38f3fcdfcdaeaa9b
Opcode Fuzzy Hash: 8c3505778a1e280c289164179b40adb43571701c678d127b9ba77b54e9da00cd
Instruction Fuzzy Hash: AC90026120145942D14062998808B0F4605A7E1242F91C419A4546554CC95988556761

Uniqueness

Uniqueness Score: -1.00%

Function 01009520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cce14442d00e2be8c5df88f6791d796ffa09f48796bade0b4a65e2f36d92157
Instruction ID: 7d3b5cdbe89a71de0714984c90421f63fd10a06f700c49c7d30c02a215e19d45
Opcode Fuzzy Hash: 8cce14442d00e2be8c5df88f6791d796ffa09f48796bade0b4a65e2f36d92157
Instruction Fuzzy Hash: 839002E1201155924500A299C408B0A4A05A7E0241B51C416E1444560CC5698851A275

Uniqueness

Uniqueness Score: -1.00%

Function 0100AD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f0e92c77b5b20dfc045ee017637a0134b75fab29bb6ae1d2fd5d1988ce049ad
Instruction ID: 600d35e24a36623b9eb1c23e7c7c54893360cc7ace063d36f36e2877c2954bc8
Opcode Fuzzy Hash: 4f0e92c77b5b20dfc045ee017637a0134b75fab29bb6ae1d2fd5d1988ce049ad
Instruction Fuzzy Hash: 57900271A05015129140719988186464506B7E0781B55C411A0904554CC9988A5563E1

Uniqueness

Uniqueness Score: -1.00%

Function 01009560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce78fb2384ec2f38acf10099bea7953a9ec9ac1a11333134f048eaf5022c356d
Instruction ID: 1b18f1b0fa79f026197fe86b4a05d3253480f2b78d64475b35c8685d3d1d16f1
Opcode Fuzzy Hash: ce78fb2384ec2f38acf10099bea7953a9ec9ac1a11333134f048eaf5022c356d
Instruction Fuzzy Hash: 3E900265221015020145A599460850B0945B7D6391391C415F1806590CC66588656361

Uniqueness

Uniqueness Score: -1.00%

Function 010095F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a5f58d91342bb2312e1719f10f04209c636c4d75c565a3fd519ae9fb0200075
Instruction ID: baa1cbab70dac5be19106fc4fb762c4026156663c54cf24122291916ca492823
Opcode Fuzzy Hash: 3a5f58d91342bb2312e1719f10f04209c636c4d75c565a3fd519ae9fb0200075
Instruction Fuzzy Hash: 3390027120101D02D104619988086860505A7D0341F51C411A6414655ED6A988917271

Uniqueness

Uniqueness Score: -1.00%

Function 0100A710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 947ef3928f28984d0ed5f57f0b1d74a8fd9ad3fe535b9be5ba89731ef354900e
Instruction ID: e2b7695ddd88174c9bb10000bd61d2b6fc9db29a1f12c11da16a83a89afa6743
Opcode Fuzzy Hash: 947ef3928f28984d0ed5f57f0b1d74a8fd9ad3fe535b9be5ba89731ef354900e
Instruction Fuzzy Hash: D3900271301015529500A6D99808A4A4605A7F0341B51D415A4404554CC59888616261

Uniqueness

Uniqueness Score: -1.00%

Function 01009730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1a0c6f7f71818afe42f9fd2bb812c74a26d869d435926a5c19592b3341d5ddf
Instruction ID: ecfdcbd0bb5edcd3513b8244095e9f74d42ba3663363723822cb6b6463573112
Opcode Fuzzy Hash: d1a0c6f7f71818afe42f9fd2bb812c74a26d869d435926a5c19592b3341d5ddf
Instruction Fuzzy Hash: A390026160501902D1407199941C7060515A7D0241F51D411A0414554DC69D8A5577E1

Uniqueness

Uniqueness Score: -1.00%

Function 01009760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3a9b9db27e62ec8cdf04bb2e27dc0484a4da74254eafed82ab2bcb7100bf81a
Instruction ID: bb776d198b84e371f1c364a1845d869824d6835ffc6ff2b4bd77e51408e4b269
Opcode Fuzzy Hash: d3a9b9db27e62ec8cdf04bb2e27dc0484a4da74254eafed82ab2bcb7100bf81a
Instruction Fuzzy Hash: 5390027120101903D1006199950C7070505A7D0241F51D811A0814558DD69A88517261

Uniqueness

Uniqueness Score: -1.00%

Function 0100A770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11346092f1148eff2ff50eaa306fc2618ce4a1d05769fb80f08e09051d3a2a8e
Instruction ID: 07787f59d487bab09e6bdbc113382953c610d289a82a763dc59159cff03f59db
Opcode Fuzzy Hash: 11346092f1148eff2ff50eaa306fc2618ce4a1d05769fb80f08e09051d3a2a8e
Instruction Fuzzy Hash: 3A90027520505942D50065999808A870505A7D0345F51D811A081459CDC6988861B261

Uniqueness

Uniqueness Score: -1.00%

Function 01009770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74251055de3f45bff331f19fa7fffb66e07a66f3538a0130cd432c5a31891fb3
Instruction ID: 160be980f7e6537162eef46ff2517dd4032ec62b4f64ced78e908bd14954ef67
Opcode Fuzzy Hash: 74251055de3f45bff331f19fa7fffb66e07a66f3538a0130cd432c5a31891fb3
Instruction Fuzzy Hash: 3D90026120505942D1006599940CA060505A7D0245F51D411A1454595DC6798851B271

Uniqueness

Uniqueness Score: -1.00%

Function 01009FE0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72268198d0116e7c19953fef5e76eaa9fa46c6bc657a554fd4baf8581429ffdc
Instruction ID: 46808d8c869e7c023f61daf608e452a884af9ba9be602b3b9f77649b3d2abf74
Opcode Fuzzy Hash: 72268198d0116e7c19953fef5e76eaa9fa46c6bc657a554fd4baf8581429ffdc
Instruction Fuzzy Hash: C190027131115902D1106199C4087060505A7D1241F51C811A0C14558DC6D988917262

Uniqueness

Uniqueness Score: -1.00%

Function 01009610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb72a757bc7fe47f91181c3dcc012abab223712d3db218b2f1833bda04e07f6
Instruction ID: d5541a8554c24138abeed62656b4d79f486d89db58b93065ec85f42d6318a062
Opcode Fuzzy Hash: dbb72a757bc7fe47f91181c3dcc012abab223712d3db218b2f1833bda04e07f6
Instruction Fuzzy Hash: 1290027160501D02D150719984187460505A7D0341F51C411A0414654DC7998A5577E1

Uniqueness

Uniqueness Score: -1.00%

Function 01009650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b35b9a430420366cf34ca5a21629223de4ce544b43b720010603878eefaf9246
Instruction ID: 28707e786c40dd5bf7c7f036229bafde47723bb4fc2c73dbc2df2a2e4717ebfe
Opcode Fuzzy Hash: b35b9a430420366cf34ca5a21629223de4ce544b43b720010603878eefaf9246
Instruction Fuzzy Hash: EE90027120505D42D14071998408A460515A7D0345F51C411A0454694DD6698D55B7A1

Uniqueness

Uniqueness Score: -1.00%

Function 010096D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1573994a291f4cc5e012e363a7807d2581e550e02dacbbec9cd5f2fd3078b336
Instruction ID: fdd8849dbb67753f13ad1eb37b4e400f4ed286b0c0cd7687b82e3cd2de3e5ba7
Opcode Fuzzy Hash: 1573994a291f4cc5e012e363a7807d2581e550e02dacbbec9cd5f2fd3078b336
Instruction Fuzzy Hash: 5690027120101D42D10061998408B460505A7E0341F51C416A0514654DC659C8517661

Uniqueness

Uniqueness Score: -1.00%

Function 01009670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 2545f13ab9f9245af6e57c504383347de5e47b916f60a1f454a4cf243066f45c
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0105FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0105FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0100CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E01055720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E01055720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0105fdda
0x0105fde2
0x0105fde5
0x0105fdec
0x0105fdfa
0x0105fdff
0x0105fe0a
0x0105fe0f
0x0105fe17
0x0105fe1e
0x0105fe19
0x0105fe19
0x0105fe19
0x0105fe20
0x0105fe21
0x0105fe22
0x0105fe25
0x0105fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0105FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0105FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0105FE01

Memory Dump Source

Source File: 00000006.00000002.320754415.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: b4fc97133252d554ca4313d10b670aa29bc700ead8f19ecfd3cae7d89a0febe5
Instruction ID: 06851391ff537915bf723e250666484313e740ba8f3f682c23164df99f9af478
Opcode Fuzzy Hash: b4fc97133252d554ca4313d10b670aa29bc700ead8f19ecfd3cae7d89a0febe5
Instruction Fuzzy Hash: 79F0F676200202BFE7611A45DC02F63BF5AEB44B30F244314FA68565D1DA62F86096F1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: cscript.exe PID: 6280 Parent PID: 3388 cscript.exeCOMMON

Executed Functions

Function 00819D5A, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 73filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00814B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00814B87,007A002E,00000000,00000060,00000000,00000000), ref: 00819DAD

Strings

.z`, xrefs: 00819D9D, 00819DA8

Memory Dump Source

Source File: 00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp, Offset: 00800000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 595ddf0d40bd5132b9bfc2e310ba8df2c87980a484b1ad9afc8cd550bc8b87f6
Instruction ID: 9b7a14f4584c84bfcb57415ce4c44bbc4fcb40b7c52d58e31a069eeff25967a2
Opcode Fuzzy Hash: 595ddf0d40bd5132b9bfc2e310ba8df2c87980a484b1ad9afc8cd550bc8b87f6
Instruction Fuzzy Hash: FF21ABB2204108ABCB08DF99DC94DEB77ADFF8C754B168649FA1DA7241C630E8518BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00819D60, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00814B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00814B87,007A002E,00000000,00000060,00000000,00000000), ref: 00819DAD

Strings

.z`, xrefs: 00819D9D, 00819DA8

Memory Dump Source

Source File: 00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp, Offset: 00800000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 1665e99b44c8d837012cdd9c04cefc37914aef65a69b129fc5f047ca0c360ad4
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: CAF0B2B2201208ABCB08CF88DC85EEB77ADEF8C754F158248BA1D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00819DB2, Relevance: 1.6, APIs: 1, Instructions: 70filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(00814D42,5EB6522D,FFFFFFFF,00814A01,?,?,00814D42,?,00814A01,FFFFFFFF,5EB6522D,00814D42,?,00000000), ref: 00819E55

Memory Dump Source

Source File: 00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp, Offset: 00800000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 6c382a46aeef8514f2bfbb79b7c78fa15df67adc5ca8302cb52caeb276e7af46
Instruction ID: 30efc09c207dae6a051cc82a5e2fb1b2257c218b36e42d851eccb6fe429c13e9
Opcode Fuzzy Hash: 6c382a46aeef8514f2bfbb79b7c78fa15df67adc5ca8302cb52caeb276e7af46
Instruction Fuzzy Hash: 2B21C9B6204109AFCB18DF99DC90DEB77ADEF8C754F158649FA5D93241C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00819E10, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(00814D42,5EB6522D,FFFFFFFF,00814A01,?,?,00814D42,?,00814A01,FFFFFFFF,5EB6522D,00814D42,?,00000000), ref: 00819E55

Memory Dump Source

Source File: 00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp, Offset: 00800000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 85e60d2d83f65ed0f248d2d6aa1024acb59f0febe90a1666bb44c00c570e6021
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 9BF0A9B2200108ABCB14DF89DC81DEB77ADEF8C754F158248BA1D97241D630E8518BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00819F40, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00802D11,00002000,00003000,00000004), ref: 00819F79

Memory Dump Source

Source File: 00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp, Offset: 00800000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: bbeaddf04cd0d78b063c7992c3f9b9ca0fc5e096f88167407889df88fabcba12
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 74F015B2200208ABCB18DF89DC81EEB77ADEF88750F118148BE18A7241C630F810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00819F3A, Relevance: 1.5, APIs: 1, Instructions: 26memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00802D11,00002000,00003000,00000004), ref: 00819F79

Memory Dump Source

Source File: 00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp, Offset: 00800000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: a03148a391285fd12a54f8ef209ad2dd64188826c9b952ff2d59fcaece74d31b
Instruction ID: a08fa0185973c4087fca55e25790ce29b12b3aef6673ebc8c4f9384e4533ad87
Opcode Fuzzy Hash: a03148a391285fd12a54f8ef209ad2dd64188826c9b952ff2d59fcaece74d31b
Instruction Fuzzy Hash: 8DE04FB9204548AFCB04DF58D8D1CDB77ADFF88718B118649FD9EC3202D634E8518BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00819E8B, Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00814D20,?,?,00814D20,00000000,FFFFFFFF), ref: 00819EB5

Memory Dump Source

Source File: 00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp, Offset: 00800000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 398da853f1d9cba5f41267a321180cbedb51693c33960b1835d89c200ee00cc5
Instruction ID: 3aed29e4c0f02b8a374d3255b13ef768755b324e355c1def62e9d55b6208e489
Opcode Fuzzy Hash: 398da853f1d9cba5f41267a321180cbedb51693c33960b1835d89c200ee00cc5
Instruction Fuzzy Hash: 58E0C231600104BBDB24EFE8DC89ED77B2CFF44320F114459B91CEB252C630E54087A0

Uniqueness

Uniqueness Score: -1.00%

Function 00819E90, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00814D20,?,?,00814D20,00000000,FFFFFFFF), ref: 00819EB5

Memory Dump Source

Source File: 00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp, Offset: 00800000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 27c0da4572e8928c5ac5ba256dec90e67978360f6e9e660eaced039ee31cc851
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: ADD012752002146BD714EB98DC85ED77B6CEF44760F154455BA5C9B242C530F54086E1

Uniqueness

Uniqueness Score: -1.00%

Function 04899840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0489984A

Memory Dump Source

Source File: 00000013.00000002.482567245.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: true

Associated: 00000013.00000002.483799695.000000000494B000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.483873572.000000000494F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cf0eac8046ebcb2375afe7ad68c79430e326a493b241ae7bbf6fcee061c84c91
Instruction ID: 46f563ccb1c6e760875c23837faed4b3e56dc376292a117da93d6a255a59a8bc
Opcode Fuzzy Hash: cf0eac8046ebcb2375afe7ad68c79430e326a493b241ae7bbf6fcee061c84c91
Instruction Fuzzy Hash: B9900261242041627545B15944045074047A7E02857D1C512A240DAA0C99A6E86AE661

Uniqueness

Uniqueness Score: -1.00%

Function 04899860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0489986A

Memory Dump Source

Source File: 00000013.00000002.482567245.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: true

Associated: 00000013.00000002.483799695.000000000494B000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.483873572.000000000494F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14f02057f6a3a2ca49ffb051528ea63212e1eb16857368a53c12b01a5d3d3584
Instruction ID: 6064037dd71e9ed347dfe3e49565b06b5aa24bb2725a2223ec6bcc9645fa009d
Opcode Fuzzy Hash: 14f02057f6a3a2ca49ffb051528ea63212e1eb16857368a53c12b01a5d3d3584
Instruction Fuzzy Hash: 1D90027120100423F11161594504707004A97D0285FD1C912A141D6A8DAAD6D966B161

Uniqueness

Uniqueness Score: -1.00%

Function 048999A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048999AA

Memory Dump Source

Source File: 00000013.00000002.482567245.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: true

Associated: 00000013.00000002.483799695.000000000494B000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.483873572.000000000494F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a0e17ccc6a87ddb5ad76513962841ac7b2682e5cb4982e99439f23ce38db3b86
Instruction ID: a891f70c84f70c5eaa39ebb0fdb119165c63858059840232ff32f7eb91301c4f
Opcode Fuzzy Hash: a0e17ccc6a87ddb5ad76513962841ac7b2682e5cb4982e99439f23ce38db3b86
Instruction Fuzzy Hash: 0C9002A134100452F10061594414B060046D7E1345F91C515E205D6A4D9A99DC667166

Uniqueness

Uniqueness Score: -1.00%

Function 048995D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048995DA

Memory Dump Source

Source File: 00000013.00000002.482567245.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: true

Associated: 00000013.00000002.483799695.000000000494B000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.483873572.000000000494F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 93b9de656dcd9cb3f597908c1db6abe1558326d95edeba3a9cf4321384f50707
Instruction ID: 6170e85a93784058168690a499863f489a37b0381042460a363b5bcaa4c840da
Opcode Fuzzy Hash: 93b9de656dcd9cb3f597908c1db6abe1558326d95edeba3a9cf4321384f50707
Instruction Fuzzy Hash: 099002A120200013710571594414616404B97E0245B91C521E200D6E0DD9A5D8A57165

Uniqueness

Uniqueness Score: -1.00%

Function 04899910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0489991A

Memory Dump Source

Source File: 00000013.00000002.482567245.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: true

Associated: 00000013.00000002.483799695.000000000494B000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.483873572.000000000494F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a0656d282599d40b1aa3f5216ac861224f23ebe379194694f643f9888dc8b285
Instruction ID: d42019cc2233db7244e34b7d7de38e53fb84c69ed3ab88df70be24d493b240ee
Opcode Fuzzy Hash: a0656d282599d40b1aa3f5216ac861224f23ebe379194694f643f9888dc8b285
Instruction Fuzzy Hash: FE9002B120100412F14071594404746004697D0345F91C511A605D6A4E9AD9DDE976A5

Uniqueness

Uniqueness Score: -1.00%

Function 04899540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0489954A

Memory Dump Source

Source File: 00000013.00000002.482567245.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: true

Associated: 00000013.00000002.483799695.000000000494B000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.483873572.000000000494F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4b5f5e98188b7c47285e3df5a19d68a92988ead88d2327cc0e4b918d6d9481bc
Instruction ID: 769b6794b6858d5c3de6ae23b14a9a97938a13de752641a2a65fbcae621cb8fd
Opcode Fuzzy Hash: 4b5f5e98188b7c47285e3df5a19d68a92988ead88d2327cc0e4b918d6d9481bc
Instruction Fuzzy Hash: 6E900265211000133105A5590704507008797D5395391C521F200E6A0CEAA1D8756161

Uniqueness

Uniqueness Score: -1.00%

Function 048996D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048996DA

Memory Dump Source

Source File: 00000013.00000002.482567245.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: true

Associated: 00000013.00000002.483799695.000000000494B000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.483873572.000000000494F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6f432133bcbe0dc4a149ef3c82691d9eee0770be1d7ab29b4b06b085c34af46f
Instruction ID: 3ac6bca96f0e5d25d0dc0bd60f0d76f0f7ae4f7e67a0946b1c1db20be6f33c85
Opcode Fuzzy Hash: 6f432133bcbe0dc4a149ef3c82691d9eee0770be1d7ab29b4b06b085c34af46f
Instruction Fuzzy Hash: E090027120100852F10061594404B46004697E0345F91C516A111D7A4D9A95D8657561

Uniqueness

Uniqueness Score: -1.00%

Function 048996E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048996EA

Memory Dump Source

Source File: 00000013.00000002.482567245.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: true

Associated: 00000013.00000002.483799695.000000000494B000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.483873572.000000000494F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0c973c0927afcce8e7842a5489b94fa1314216e3e6fee1797213672e5a92e307
Instruction ID: 874ccd3a21eece443163d7c7651f0cf99f08944657794d6eccc5a02335bf200c
Opcode Fuzzy Hash: 0c973c0927afcce8e7842a5489b94fa1314216e3e6fee1797213672e5a92e307
Instruction Fuzzy Hash: 6D90027120108812F1106159840474A004697D0345F95C911A541D7A8D9AD5D8A57161

Uniqueness

Uniqueness Score: -1.00%

Function 04899A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04899A5A

Memory Dump Source

Source File: 00000013.00000002.482567245.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: true

Associated: 00000013.00000002.483799695.000000000494B000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.483873572.000000000494F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 25b419684b007effc014f4ac21a868bfb8aeafdadf4d975a35f4306180e153d8
Instruction ID: ce6ec09dde8bc6985e3a10d87837797c4171c61ff652df9992d0b72587976dcd
Opcode Fuzzy Hash: 25b419684b007effc014f4ac21a868bfb8aeafdadf4d975a35f4306180e153d8
Instruction Fuzzy Hash: 9890026121180052F20065694C14B07004697D0347F91C615A114D6A4CDD95D8756561

Uniqueness

Uniqueness Score: -1.00%

Function 04899650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0489965A

Memory Dump Source

Source File: 00000013.00000002.482567245.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: true

Associated: 00000013.00000002.483799695.000000000494B000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.483873572.000000000494F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d8207a22d33ba58db677e74c106cb1037c5ee4f37aa964ac4e87f3e01690a724
Instruction ID: 5a585dcf1b8030cc1f8be073f883572f1c74878fe14035d94ad2eaa2cd44f3c0
Opcode Fuzzy Hash: d8207a22d33ba58db677e74c106cb1037c5ee4f37aa964ac4e87f3e01690a724
Instruction Fuzzy Hash: 2890027120504852F14071594404A46005697D0349F91C511A105D7E4DAAA5DD69B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 04899660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0489966A

Memory Dump Source

Source File: 00000013.00000002.482567245.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: true

Associated: 00000013.00000002.483799695.000000000494B000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.483873572.000000000494F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 73476dcc44fc0cdcfe043a5016f3ee3f2bb4fa70d61bb4aab87c1f8220c1b5e1
Instruction ID: 078313b2f63e128a7c3b41b7b2072c989d450e49bd7f7f098a7eca1db645bc9e
Opcode Fuzzy Hash: 73476dcc44fc0cdcfe043a5016f3ee3f2bb4fa70d61bb4aab87c1f8220c1b5e1
Instruction Fuzzy Hash: 3E90027120100812F1807159440464A004697D1345FD1C515A101E7A4DDE95DA6D77E1

Uniqueness

Uniqueness Score: -1.00%

Function 04899780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0489978A

Memory Dump Source

Source File: 00000013.00000002.482567245.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: true

Associated: 00000013.00000002.483799695.000000000494B000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.483873572.000000000494F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 534bb9f49b93a84960c677af9fc290f41ede38d586d2bfa4ecfb0d94760b5b24
Instruction ID: c9d02ddd68cf07fa2c56c6908c9e3b7a6de9b1de1da896107daabd065a824950
Opcode Fuzzy Hash: 534bb9f49b93a84960c677af9fc290f41ede38d586d2bfa4ecfb0d94760b5b24
Instruction Fuzzy Hash: 6190026921300012F1807159540860A004697D1246FD1D915A100E6A8CDD95D87D6361

Uniqueness

Uniqueness Score: -1.00%

Function 04899FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04899FEA

Memory Dump Source

Source File: 00000013.00000002.482567245.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: true

Associated: 00000013.00000002.483799695.000000000494B000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.483873572.000000000494F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e47f1ac2519f474e863d76e27cbcd7037052535a6197a8dd334eb85fffb523a0
Instruction ID: a2257e8a71af5a1f616b46b9710444557926a6acac88194f9feebba37968a2b5
Opcode Fuzzy Hash: e47f1ac2519f474e863d76e27cbcd7037052535a6197a8dd334eb85fffb523a0
Instruction Fuzzy Hash: 2A90027131114412F11061598404706004697D1245F91C911A181D6A8D9AD5D8A57162

Uniqueness

Uniqueness Score: -1.00%

Function 04899710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0489971A

Memory Dump Source

Source File: 00000013.00000002.482567245.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: true

Associated: 00000013.00000002.483799695.000000000494B000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.483873572.000000000494F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 98da5176d5326b9b4256e194be27b2255ac208db32cfcfbf9de9b2f3e16d44d3
Instruction ID: e07599328f18d460a6503d9c0482b0a674df197625c67a7aac9f9588aabdb307
Opcode Fuzzy Hash: 98da5176d5326b9b4256e194be27b2255ac208db32cfcfbf9de9b2f3e16d44d3
Instruction Fuzzy Hash: F490027120100412F10065995408646004697E0345F91D511A601D6A5EDAE5D8A57171

Uniqueness

Uniqueness Score: -1.00%

Function 0081A070, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00803AF8), ref: 0081A09D

Strings

.z`, xrefs: 0081A08C, 0081A098

Memory Dump Source

Source File: 00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp, Offset: 00800000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 2bd574ce2e05ba353ad45d63f59e9807093cd65287dccb434631cf4515abab90
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: B9E01AB12002086BD718DF59DC45EA777ACEF88750F018554B91857241C630E9108AB1

Uniqueness

Uniqueness Score: -1.00%

Function 008082E8, Relevance: 3.1, APIs: 2, Instructions: 60threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0080834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0080836B

Memory Dump Source

Source File: 00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp, Offset: 00800000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 28b6e726582d5a8454a6cfa8f78629a74e529b72ff7dde440735712590894664
Instruction ID: e70c34973cc874e8478af4b25f622561eb74c6720d68f0ddf5b738cf85eb9f08
Opcode Fuzzy Hash: 28b6e726582d5a8454a6cfa8f78629a74e529b72ff7dde440735712590894664
Instruction Fuzzy Hash: A001B171A807287AE720A6989C03FFF7A2CFF41F51F054058FB04FA1C2EA95690646F6

Uniqueness

Uniqueness Score: -1.00%

Function 008082F0, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0080834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0080836B

Memory Dump Source

Source File: 00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp, Offset: 00800000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 4a55148ff9da4d85293f36c1d21b3ca726a4155c96c158c46edfd0097c785396
Instruction ID: 2388b2530eadaedd068cf0b2ebc5cf6f02b22f5f7c0aa1107d278cd9470af2db
Opcode Fuzzy Hash: 4a55148ff9da4d85293f36c1d21b3ca726a4155c96c158c46edfd0097c785396
Instruction Fuzzy Hash: 1E018F31A802287AE720A6989C43FFE766CBF40F51F054118FB04FA1C1EA94690646E6

Uniqueness

Uniqueness Score: -1.00%

Function 0081A0DD, Relevance: 1.5, APIs: 1, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0081A134

Memory Dump Source

Source File: 00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp, Offset: 00800000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: c015ce18292ac6113f7b08a2c7effd5cbcb0985eda82257e651d23dffb4f49f1
Instruction ID: d36cdac4ab43fb69bf7e06067a6acd25231d851368285629171c90fcf3574f57
Opcode Fuzzy Hash: c015ce18292ac6113f7b08a2c7effd5cbcb0985eda82257e651d23dffb4f49f1
Instruction Fuzzy Hash: FE019DB2204108AFCB58CF99DC81EEB77ADAF8C754F158258BA0DE7251C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0081A0E0, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0081A134

Memory Dump Source

Source File: 00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp, Offset: 00800000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 7d3497b1d27c46ff0ee1760736158a0b6446da52c1009ee2f3550878bc6c3943
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: D601AFB2210108ABCB58DF89DC80EEB77ADAF8C754F158258BA0DA7241C630E851CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0081A030, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00814506,?,00814C7F,00814C7F,?,00814506,?,?,?,?,?,00000000,00000000,?), ref: 0081A05D

Memory Dump Source

Source File: 00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp, Offset: 00800000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 5609f0af4725ef481a3c901cd93a69d6eb711b08938f269874273466fd89e36c
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: CAE01AB1200208ABD714DF59DC41EA777ACEF88650F118558BA185B241C530F9108AB1

Uniqueness

Uniqueness Score: -1.00%

Function 0081A1D0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0080F1A2,0080F1A2,?,00000000,?,?), ref: 0081A200

Memory Dump Source

Source File: 00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp, Offset: 00800000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: f775ea07b364c3813c9abfc3d8d39055a9c83bed95c6af968d5dbb2a9fdbdd21
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 15E01AB12002086BDB14DF49DC85EE737ADEF88650F018154BA0C67241C930E8508BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0080F6A0, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,00808CF4,?), ref: 0080F6CB

Memory Dump Source

Source File: 00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp, Offset: 00800000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
Instruction ID: 4ceeffe632c1d1e171b3de19a7b5d8c3bcc8c3d0796a58a46e8561357f7d9abd
Opcode Fuzzy Hash: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
Instruction Fuzzy Hash: BAD0A7717903043BE610FAA89C03F6632CDBB54B10F494074FA4CD73C3D950E4004165

Uniqueness

Uniqueness Score: -1.00%

Function 0489967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04899694

Memory Dump Source

Source File: 00000013.00000002.482567245.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: true

Associated: 00000013.00000002.483799695.000000000494B000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.483873572.000000000494F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f7a231309f01cca554ab19f31e417b517bc7148b892aa75f239cc27dab3ed7df
Instruction ID: c829dec6b1facb23329ef080b9a75b5298e8169040eccf9415f3afbc76cdeeb8
Opcode Fuzzy Hash: f7a231309f01cca554ab19f31e417b517bc7148b892aa75f239cc27dab3ed7df
Instruction Fuzzy Hash: 8EB02BB18014C0C5FB01D7600608717394077C0300F17C511D2028390A0778D090F1B1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 048EFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E048EFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0489CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E048E5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E048E5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x048efdda
0x048efde2
0x048efde5
0x048efdec
0x048efdfa
0x048efdff
0x048efe0a
0x048efe0f
0x048efe17
0x048efe1e
0x048efe19
0x048efe19
0x048efe19
0x048efe20
0x048efe21
0x048efe22
0x048efe25
0x048efe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 048EFDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 048EFE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 048EFE2B

Memory Dump Source

Source File: 00000013.00000002.482567245.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: true

Associated: 00000013.00000002.483799695.000000000494B000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.483873572.000000000494F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: e14a2aa8574ec12a2e9b3a2814ad0369bb20bfe4f91d6bdda5ff774a6b2fabb3
Instruction ID: 106bff17824e3f7bf3f42ad1b06adf0257c65f46e6a9043d66bf3df10af75d40
Opcode Fuzzy Hash: e14a2aa8574ec12a2e9b3a2814ad0369bb20bfe4f91d6bdda5ff774a6b2fabb3
Instruction Fuzzy Hash: 63F0FC76604501BFE6201A86DC01F337B5ADB85774F140754F714965D1EAA2FC3097F5

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Payment.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Function 001F2211, Relevance: .4, Instructions: 446
COMMONCrypto