Analysis Report s3ZenAQ7m1.bin

Overview

General Information

Sample Name: s3ZenAQ7m1.bin (renamed file extension from bin to exe)
Analysis ID: 368352
MD5: 7f5227030be3d2ef48aa652af1ec72b0
SHA1: 202e7ac1c2aaca8fbeed4ac454ca195a33c9d064
SHA256: 4dfc17406a58c6f1ce83a73ce6dd5b343d00fe77d07dfe21d28da13631bfad90
Tags: ransomware

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files

Startup

  • System is w10x64
  • s3ZenAQ7m1.exe (PID: 6116 cmdline: 'C:\Users\user\Desktop\s3ZenAQ7m1.exe' MD5: 7F5227030BE3D2EF48AA652AF1EC72B0)
    • s3ZenAQ7m1.exe (PID: 4944 cmdline: C:\Users\user\Desktop\s3ZenAQ7m1 MD5: 7F5227030BE3D2EF48AA652AF1EC72B0)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: s3ZenAQ7m1.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: s3ZenAQ7m1.exe | Virustotal: Detection: 66%
Source: s3ZenAQ7m1.exe | ReversingLabs: Detection: 44%
Source: 1.3.s3ZenAQ7m1.exe.2167030.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.s3ZenAQ7m1.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.0.s3ZenAQ7m1.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 1.3.s3ZenAQ7m1.exe.2167018.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.s3ZenAQ7m1.exe.2167020.7.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.s3ZenAQ7m1.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 1.3.s3ZenAQ7m1.exe.2167038.9.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: s3ZenAQ7m1.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: KSLDriver.pdb source: s3ZenAQ7m1.exe, 00000001.00000003.532159817.0000000002134000.00000004.00000001.sdmp
Source: Binary string: mpwutool.pdbGCTL source: s3ZenAQ7m1.exe, 00000001.00000003.500383147.0000000002134000.00000004.00000001.sdmp
Source: Binary string: ADelRCP.pdbK source: s3ZenAQ7m1.exe, 00000001.00000003.274937174.0000000002134000.00000004.00000001.sdmp
Source: Binary string: D:\CB\ServiceUpd_Acrobat\BuildResults\bin\Release\RNAServicesUpdater\RdrServicesUpdater.pdb source: s3ZenAQ7m1.exe, 00000001.00000003.325082147.0000000002134000.00000004.00000001.sdmp, RdrServicesUpdater2_1901220035.exe.g1yfw9.g1yfw9.1.dr
Source: Binary string: msmpeng.pdb source: s3ZenAQ7m1.exe, 00000001.00000003.532159817.0000000002134000.00000004.00000001.sdmp
Source: Binary string: D:\DCB\CBT_Main\Acrobat\Installers\Install_MaintenanceWizard\CustomActions\IWActs\Release\IWActs.pdb source: s3ZenAQ7m1.exe, 00000001.00000003.342274168.0000000002149000.00000004.00000001.sdmp
Source: Binary string: KSLDriver.pdbGCTL source: s3ZenAQ7m1.exe, 00000001.00000003.532159817.0000000002134000.00000004.00000001.sdmp
Source: Binary string: Updater.pdb source: s3ZenAQ7m1.exe, 00000001.00000003.419333323.0000000002190000.00000004.00000001.sdmp
Source: Binary string: Updater.pdbTT source: s3ZenAQ7m1.exe, 00000001.00000003.419333323.0000000002190000.00000004.00000001.sdmp
Source: Binary string: mpwutool.pdb source: s3ZenAQ7m1.exe, 00000001.00000003.500383147.0000000002134000.00000004.00000001.sdmp
Source: Binary string: D:\DCB\CBT_Main\Acrobat\Installers\BootStrapExe_Small\Release\Setup.pdb source: s3ZenAQ7m1.exe, 00000001.00000003.419452591.0000000002134000.00000004.00000001.sdmp
Source: Binary string: msmpeng.pdbGCTL source: s3ZenAQ7m1.exe, 00000001.00000003.532159817.0000000002134000.00000004.00000001.sdmp
Source: Binary string: ADelRCP.pdb source: s3ZenAQ7m1.exe, 00000001.00000003.274937174.0000000002134000.00000004.00000001.sdmp
Source: Binary string: D:\CB\ARM_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdb source: s3ZenAQ7m1.exe, 00000001.00000003.255446423.0000000002134000.00000004.00000001.sdmp
Source: Binary string: D:\CB\ServiceUpd_Acrobat\BuildResults\bin\Release\RNAServicesUpdater\RdrServicesUpdater.pdb,, source: s3ZenAQ7m1.exe, 00000001.00000003.325082147.0000000002134000.00000004.00000001.sdmp, RdrServicesUpdater2_1901220035.exe.g1yfw9.g1yfw9.1.dr
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exeCode function: 0_2_00407170 __vbaStrCat,__vbaStrMove,__vbaStrCopy,__vbaAryLock,__vbaGenerateBoundsError,__vbaGenerateBoundsError,__vbaSetSystemError,__vbaSetSystemError,__vbaAryUnlock,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,#595,__vbaFreeStrList,__vbaFreeVarList,__vbaAryLock,__vbaGenerateBoundsError,__vbaGenerateBoundsError,__vbaSetSystemError,__vbaAryUnlock,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,#595,__vbaFreeStrList,__vbaFreeVarList,__vbaRecUniToAnsi,__vbaStrToAnsi,CreateProcessA,__vbaSetSystemError,__vbaRecAnsiToUni,__vbaStrToUnicode,__vbaFreeStr,__vbaRecDestructAnsi,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,#595,__vbaFreeStrList,__vbaFreeVarList,GetThreadContext,__vbaSetSystemError,ReadProcessMemory,NtUnmapViewOfSection,__vbaSetSystemError,VirtualAllocEx,__vbaSetSystemError,__vbaSetSystemError,__vbaSetSystemError,__vbaAryLock,__vbaGenerateBoundsError,__vbaGenerateBoundsError,WriteProcessMemory,__vbaAryUnlock,__vbaAryLock,__vbaGenerateBoundsError,__vbaGenerateBoundsError,__vbaRecUniToAnsi,__vbaSetSystemError,__vbaRecAnsiToUni,__vbaAryUnlock,__vbaAryLock,__vbaGenerateBoundsError,__vbaGenerateBoundsError,WriteProcessMemory,__vbaAryUnlock,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread,__vbaRecDestructAnsi,__vbaFreeStr,__vbaFreeStr,__vbaFreeStr,__vbaFreeStr,__vbaFreeStr,__vbaFreeStr,__vbaFreeStr,__vbaRecDestruct,__vbaErrorOverflow,0_2_00407170
Source: s3ZenAQ7m1.exe | Static PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: s3ZenAQ7m1.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: s3ZenAQ7m1.exe, 00000000.00000002.187380014.000000000040B000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRunExeMemory.exe vs s3ZenAQ7m1.exe
Source: s3ZenAQ7m1.exe, 00000000.00000002.187552627.0000000002130000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs s3ZenAQ7m1.exe
Source: s3ZenAQ7m1.exe, 00000001.00000003.419333323.0000000002190000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUpdater.apiD vs s3ZenAQ7m1.exe
Source: s3ZenAQ7m1.exe, 00000001.00000003.342274168.0000000002149000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameIWActs.dllX vs s3ZenAQ7m1.exe
Source: s3ZenAQ7m1.exe, 00000001.00000003.500383147.0000000002134000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWuTool.exeZ vs s3ZenAQ7m1.exe
Source: s3ZenAQ7m1.exe, 00000001.00000003.419452591.0000000002134000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSetup.exeF vs s3ZenAQ7m1.exe
Source: s3ZenAQ7m1.exe, 00000001.00000000.186430746.000000000040B000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRunExeMemory.exe vs s3ZenAQ7m1.exe
Source: s3ZenAQ7m1.exe, 00000001.00000003.465679726.0000000002134000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameOnix32.dll, vs s3ZenAQ7m1.exe
Source: s3ZenAQ7m1.exe, 00000001.00000003.325082147.0000000002134000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebInstaller.exe6 vs s3ZenAQ7m1.exe
Source: s3ZenAQ7m1.exe, 00000001.00000003.325082147.0000000002134000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebInstaller.exeF vs s3ZenAQ7m1.exe
Source: s3ZenAQ7m1.exe, 00000001.00000003.275267467.0000000002134000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename_IsIcoRes.exe< vs s3ZenAQ7m1.exe
Source: s3ZenAQ7m1.exe, 00000001.00000003.274937174.0000000002134000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameADelRCP.dll\ vs s3ZenAQ7m1.exe
Source: s3ZenAQ7m1.exe, 00000001.00000003.569313579.0000000002134000.00000004.00000001.sdmp | Binary or memory string: System.OriginalFileName vs s3ZenAQ7m1.exe
Source: s3ZenAQ7m1.exe, 00000001.00000003.532159817.0000000002134000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKSLDriver.sysZ vs s3ZenAQ7m1.exe
Source: s3ZenAQ7m1.exe, 00000001.00000003.532159817.0000000002134000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMsMpEng.exeZ vs s3ZenAQ7m1.exe
Source: s3ZenAQ7m1.exe, 00000001.00000003.532159817.0000000002134000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamempengine.dllZ vs s3ZenAQ7m1.exe
Source: s3ZenAQ7m1.exe | Binary or memory string: OriginalFilenameRunExeMemory.exe vs s3ZenAQ7m1.exe
Source: s3ZenAQ7m1.exe | Binary or memory string: @*\AC:\Users\seyret\Desktop\Obfuscated Number-1\xFuajkin.vbp<"@e
Source: s3ZenAQ7m1.exe, 00000000.00000002.187376517.0000000000409000.00000004.00020000.sdmp | Binary or memory string: fd%@*\AC:\Users\seyret\Desktop\Obfuscated Number-1\xFuajkin.vbp
Source: s3ZenAQ7m1.exe | Binary or memory string: @*\AC:\Users\seyret\Desktop\Obfuscated Number-1\xFuajkin.vbp
Source: classification engine | Classification label: mal64.evad.winEXE@3/20@0/0
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe | File created: C:\Users\All Users\Adobe\ARM\ArmReport.ini.g1yfw9
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe | File created: C:\Users\user\AppData\Local\Temp\~DF8395378865989708.TMP
Source: s3ZenAQ7m1.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe | File read: C:\ProgramData\Adobe\ARM\ArmReport.ini
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\s3ZenAQ7m1.exe 'C:\Users\user\Desktop\s3ZenAQ7m1.exe'
Source: unknown | Process created: C:\Users\user\Desktop\s3ZenAQ7m1.exe C:\Users\user\Desktop\s3ZenAQ7m1
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe | Process created: C:\Users\user\Desktop\s3ZenAQ7m1.exe C:\Users\user\Desktop\s3ZenAQ7m1
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe | File created: C:\ProgramData\Adobe\ARM\S\436\AdobeARMHelper.exe.g1yfw9.g1yfw9 (dropped file)
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe | File created: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RdrServicesUpdater2_1901220035.exe.g1yfw9.g1yfw9 (dropped file)
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\01 - File Explorer.lnk.g1yfw9Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\03 - Documents.lnk.g1yfw9Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\04 - Downloads.lnk.g1yfw9Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\08 - Homegroup.lnk.g1yfw9Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\10 - UserProfile.lnk.g1yfw9Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\Speech Recognition.lnk.g1yfw9Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk.g1yfw9Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\Character Map.lnk.g1yfw9Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\desktop.ini.g1yfw9Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Windows Fax and Scan.lnk.g1yfw9Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Windows Media Player.lnk.g1yfw9Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Component Services.lnk.g1yfw9Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Disk Cleanup.lnk.g1yfw9Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Event Viewer.lnk.g1yfw9Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\iSCSI Initiator.lnk.g1yfw9Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Print Management.lnk.g1yfw9Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\RecoveryDrive.lnk.g1yfw9Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Resource Monitor.lnk.g1yfw9Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\System Information.lnk.g1yfw9Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Task Scheduler.lnk.g1yfw9Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\AutoIt Window Info (x64).lnk.g1yfw9Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\AutoIt Window Info (x86).lnk.g1yfw9Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Compile Script to .exe (x64).lnk.g1yfw9Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Compile Script to .exe (x86).lnk.g1yfw9Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\AutoIt v3 Website.lnk.g1yfw9Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\Browse Extras.lnk.g1yfw9Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Google Chrome.lnk.g1yfw9.g1yfw9.g1yfw9Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Immersive Control Panel.lnk.g1yfw9Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Check For Updates.lnk.g1yfw9.g1yfw9Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Get Help.url.g1yfw9.g1yfw9.g1yfw9Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\desktop.ini.g1yfw9Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Publisher 2016.lnk.g1yfw9.g1yfw9.g1yfw9Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe Dropped PE file which has not been started: C:\ProgramData\Adobe\ARM\S\436\AdobeARMHelper.exe.g1yfw9.g1yfw9
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe Dropped PE file which has not been started: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RdrServicesUpdater2_1901220035.exe.g1yfw9.g1yfw9
Source: s3ZenAQ7m1.exe, 00000001.00000003.475715857.0000000002134000.00000004.00000001.sdmp Binary or memory string: doid:scsi\diskvmware__virtual_disk____2.0_|ffeafa8af-706a-5fce-a5fb-ba54be559b87t
Source: s3ZenAQ7m1.exe, 00000001.00000003.475715857.0000000002134000.00000004.00000001.sdmp Binary or memory string: scsi\diskvmware__virtual_disk____2.0_en-usen

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe Code function: 0_2_00407170 __vbaStrCat,__vbaStrMove,__vbaStrCopy,__vbaAryLock,__vbaGenerateBoundsError,__vbaGenerateBoundsError,__vbaSetSystemError,__vbaSetSystemError,__vbaAryUnlock,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,#595,__vbaFreeStrList,__vbaFreeVarList,__vbaAryLock,__vbaGenerateBoundsError,__vbaGenerateBoundsError,__vbaSetSystemError,__vbaAryUnlock,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,#595,__vbaFreeStrList,__vbaFreeVarList,__vbaRecUniToAnsi,__vbaStrToAnsi,CreateProcessA,__vbaSetSystemError,__vbaRecAnsiToUni,__vbaStrToUnicode,__vbaFreeStr,__vbaRecDestructAnsi,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,#595,__vbaFreeStrList,__vbaFreeVarList,GetThreadContext,__vbaSetSystemError,ReadProcessMemory,NtUnmapViewOfSection,__vbaSetSystemError,VirtualAllocEx,__vbaSetSystemError,__vbaSetSystemError,__vbaSetSystemError,__vbaAryLock,__vbaGenerateBoundsError,__vbaGenerateBoundsError,WriteProcessMemory,__vbaAryUnlock,__vbaAryLock,__vbaGenerateBoundsError,__vbaGenerateBoundsError,__vbaRecUniToAnsi,__vbaSetSystemError,__vbaRecAnsiToUni,__vbaAryUnlock,__vbaAryLock,__vbaGenerateBoundsError,__vbaGenerateBoundsError,WriteProcessMemory,__vbaAryUnlock,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread,__vbaRecDestructAnsi,__vbaFreeStr,__vbaFreeStr,__vbaFreeStr,__vbaFreeStr,__vbaFreeStr,__vbaFreeStr,__vbaFreeStr,__vbaRecDestruct,__vbaErrorOverflow,0_2_00407170
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe Memory written: C:\Users\user\Desktop\s3ZenAQ7m1.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe Process created: C:\Users\user\Desktop\s3ZenAQ7m1.exe C:\Users\user\Desktop\s3ZenAQ7m1
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Registry Run Keys / Startup Folder 1 | Process Injection 211 | Masquerading 11 | OS Credential Dumping | Security Software Discovery 1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder 1 | Software Packing 1 | LSASS Memory | File and Directory Discovery 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 211 | Security Account Manager | System Information Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
s3ZenAQ7m1.exe | 66% | Virustotal |
s3ZenAQ7m1.exe | 45% | ReversingLabs | Win32.Trojan.Vebzenpak
s3ZenAQ7m1.exe | 100% | Avira | TR/Dropper.Gen

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
1.3.s3ZenAQ7m1.exe.2167030.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
1.0.s3ZenAQ7m1.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
0.0.s3ZenAQ7m1.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
1.3.s3ZenAQ7m1.exe.2167018.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
1.3.s3ZenAQ7m1.exe.2167020.7.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.2.s3ZenAQ7m1.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
1.3.s3ZenAQ7m1.exe.2167038.9.unpack | 100% | Avira | TR/Patched.Ren.Gen
1.1.s3ZenAQ7m1.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://optus.com.au/activate | 0% | Virustotal |
http://optus.com.au/activate | 0% | Avira URL Cloud | safe
http://ocsp.thawte.com0 | 0% | URL Reputation | safe
http://vmall.vibo.net.tw | 0% | Virustotal |
http://vmall.vibo.net.tw | 0% | Avira URL Cloud | safe
http://vodafone.com.au/activate | 0% | Avira URL Cloud | safe
http://www.pelephone.co.il | 0% | Virustotal |
http://www.pelephone.co.il | 0% | Avira URL Cloud | safe
http://dmd-ca-beta2/CertEnroll/dmd-ca-beta2_Microsoft%20Digital%20Media%20Authority%202005.crt0d | 0% | Avira URL Cloud | safe
http://mbb.o2.co.uk | 0% | Avira URL Cloud | safe
http://www.ptcliente.pt | 0% | Avira URL Cloud | safe
http://www.lextek.com) | 0% | Avira URL Cloud | safe
http://www.3broadband.ie | 0% | Avira URL Cloud | safe
http://three.co.id | 0% | Avira URL Cloud | safe
http://dmd-ca-beta2/CertEnroll/Microsoft%20Digital%20Media%20Authority%202005.crl | 0% | Avira URL Cloud | safe
http://www.lextek.com/ | 0% | Avira URL Cloud | safe
http://hpdatapass.foggmobile.com | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.10086.cn/service/tariffzone/ | s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp | false | | high
http://www.10010.com | s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp | false | | high
http://mim.t-mobile.com | s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp | false | | high
http://www.symauth.com/cps09 | s3ZenAQ7m1.exe, 00000001.00000003.419333323.0000000002190000.00000004.00000001.sdmp | false | | high
http://optus.com.au/activate | s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://m-internet.taiwanmobile.com/internet/catch_price_3g.jsp | s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp | false | | high
http://ocsp.thawte.com0 | s3ZenAQ7m1.exe, 00000001.00000003.419333323.0000000002190000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://vmall.vibo.net.tw | s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://vodafone.com.au/activate | s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.pelephone.co.il | s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://buyasession.att.com/sbd/ShowLogin.action | s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp | false | | high
http://www.3.dk | s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp | false | | high
https://www.tataindicom.com/msw08 | s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp | false | | high
http://www.symauth.com/cps0( | s3ZenAQ7m1.exe, 00000001.00000003.419333323.0000000002190000.00000004.00000001.sdmp | false | | high
http://crl.thawte.com/ThawteTimestampingCA.crl0 | s3ZenAQ7m1.exe, 00000001.00000003.419333323.0000000002190000.00000004.00000001.sdmp | false | | high
http://www.drei.at | s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp | false | | high
http://setup.vodafone.com | s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp | false | | high
http://dmd-ca-beta2/CertEnroll/dmd-ca-beta2_Microsoft%20Digital%20Media%20Authority%202005.crt0d | s3ZenAQ7m1.exe, 00000001.00000003.467382939.0000000002135000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.truphone.com | s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp | false | | high
http://mbb.o2.co.uk | s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ptcliente.pt | s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tre.se/mobiltbredband-startsida | s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp | false | | high
http://www.winimage.com/zLibDll | RdrServicesUpdater2_1901220035.exe.g1yfw9.g1yfw9.1.dr | false | | high
http://www.lextek.com) | s3ZenAQ7m1.exe, 00000001.00000003.465679726.0000000002134000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.symauth.com/rpa04 | s3ZenAQ7m1.exe, 00000001.00000003.419333323.0000000002190000.00000004.00000001.sdmp | false | | high
http://www.3broadband.ie | s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nmu.edu/lte | s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp | false | | high
http://www.movistar.es/particulares/oferta-combinada/fusion/opciones-tarifas/ | s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp | false | | high
http://three.co.id | s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://dmd-ca-beta2/CertEnroll/Microsoft%20Digital%20Media%20Authority%202005.crl | s3ZenAQ7m1.exe, 00000001.00000003.467382939.0000000002135000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.lextek.com/ | s3ZenAQ7m1.exe, 00000001.00000003.465679726.0000000002134000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.autoitscript.com/site/autoit-script-editor/downloads/ | s3ZenAQ7m1.exe, 00000001.00000003.554610700.000000000218A000.00000004.00000001.sdmp | false | | high
http://hpdatapass.foggmobile.com | s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:31.0.0 Emerald
Analysis ID:368352
Start date:13.03.2021
Start time:23:11:11
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 8m 16s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:s3ZenAQ7m1.bin (renamed file extension from bin to exe)
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:30
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal64.evad.winEXE@3/20@0/0
EGA Information:Failed
HDC Information:
• Successful, ratio: 100% (good quality ratio 25%)
• Quality average: 20.2%
• Quality standard deviation: 37.2%
HCA Information:Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Override analysis time to 240s for sample files taking high CPU consumption
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtReadFile calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• Report size getting too big, too many NtWriteFile calls found.
• Too many dropped files, some of them have not been restored

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Adobe\ARM\ArmReport.ini.g1yfw9
Process:C:\Users\user\Desktop\s3ZenAQ7m1.exe
File Type:data
Category:dropped
Size (bytes):1000
Entropy (8bit):7.691899187561062
Encrypted:false
SSDEEP:24:ckVCbNX/YrVKpu82EOoACZwS6S+s8hO9Y/THxJRSc+q:VEbNArVK+7xfOCH5Z+q
MD5:5E5A20047D007EBF28918F2068FF88CF
SHA1:2C4DC7453D0089126F790213A9D55556885D53E4
SHA-256:43A588692F674651B6825B4C8C9A99C7794A48A476E17620C2909E550BA7EC54
SHA-512:96BF311C3853D4009B3CC275A999DA2B309B0F99A5648279F9D83E665F9E86DD2A247E4813B08612E9CB62A3ABDF451011594368A634AEEC0F1EC0C7E4AE390E
Malicious:false
Reputation:low
                                        C:\ProgramData\Adobe\ARM\ArmReport.ini.g1yfw9.g1yfw9
                                        Process:C:\Users\user\Desktop\s3ZenAQ7m1.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):1134
                                        Entropy (8bit):4.852816346482338
                                        Encrypted:false
                                        SSDEEP:24:Q+sE+TlR/yoMlnY2I0UawHdrbJnXNYvtUvyNYFsFGPa0ZqP/THxJRSc+q:rsE6LCnY50NwTXGlUyGFsFMZqTH5Z+q
                                        MD5:C337A8219B2F0A2CBC128220907E0C23
                                        SHA1:EFAE069DE57EE8CBE918A7E31E8F59DCC149607C
                                        SHA-256:9A81BF89E7311CF5ACDB69CEED52D6FECFF082640B2A2805F50D124F6047BC6A
                                        SHA-512:012BE257E65646B9975D112C52B1E45DBF1D8582472E8CECD1F0D043EDB0DE046CBA3E21C924932F15D2091BD915E976D876269842BD649587E6E26CFA155C8D
                                        Malicious:false
                                        Reputation:low
                                        Preview: ..[.S.E.S.S.I.O.N.].....B.I.T.S._.R.e.s.u.l.t.=.-.2.1.4.6.9.5.9.3.5.5.....S.i.g.n.a.t.u.r.e._.V.a.l.i.d.a.t.i.o.n._.E.r.r.o.r.=.2.....B.a.c.k.u.p._.B.I.T.s._.R.e.s.u.l.t.=.0.....G.e.t._.P.r.o.d.u.c.t._.M.a.n.i.f.e.s.t._.R.e.s.u.l.t.=.O.K._.B.B.....A.p.p.l.i.c.a.t.i.o.n.=.R.e.a.d.e.r.S.e.r.v.i.c.e.s.....V.e.r.s.i.o.n.=.1.9...0.1.2...2.0.0.3.5...0.....L.a.n.g.u.a.g.e.=.E.N.U.....U.s.e.r._.G.r.o.u.p.=.A.d.m.i.n.....E.l.e.v.a.t.e.d.=.0.....U.A.C._.E.n.a.b.l.e.d.=.1.....M.O.D.E.=.A.u.t.o.....S.e.s.s.i.o.n.A.p.p.l.i.c.a.t.i.o.n.=.{.2.9.1.A.A.9.1.4.-.A.9.8.7.-.4.C.E.9.-.B.D.6.3.-.A.C.0.A.9.2.D.4.3.5.E.5.}.....S.e.s.s.i.o.n.I.n.s.t.a.l.l.d.i.r.=.....S.e.s.s.i.o.n.P.r.o.d.u.c.t.C.o.d.e.=.{.2.9.1.A.A.9.1.4.-.A.9.8.7.-.1.0.3.3.-.B.D.6.3.-.A.C.0.A.9.2.D.4.3.5.E.5.}.....S.e.s.s.i.o.n.D.a.t.a.M.o.d.u.l.e.P.a.t.h.=.....S.e.s.s.i.o.n.D.a.t.a.M.o.d.u.l.e.U.s.a.g.e.=.....AJqU.I..\.D......5..pc8...e..._&...;....:.dS...P.K8.."..k.@7x...F*'Uj..#-....B...k....m..4T.V......ue..&U3.Ve......!j.J....>.(..%
                                        C:\ProgramData\Adobe\ARM\S\436\AdobeARM.msi.g1yfw9
                                        Process:C:\Users\user\Desktop\s3ZenAQ7m1.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):991366
                                        Entropy (8bit):7.999836591239994
                                        Encrypted:true
                                        SSDEEP:24576:V8JvDZ/OitaiGjvlghi3DVRl6h2oLit2zG:VyvNmitaiGzmi3DhEnzG
                                        MD5:249BEEE0E66BF26CA68A1DEAEAF4B75C
                                        SHA1:B683ADCDE424AED135AD59E87C30AAF8008D034C
                                        SHA-256:373DEA19A39D439D995E48FA84C94FD4300F935CA88272383649589F8040EC3F
                                        SHA-512:AF790DCAF7520B0A3CA789E0096E3DC816BC73D1A425615C54D22E944D5F649422ADE8A41E0EDE66AF232976A8714FF080BB39DAA27FCA90CA57CA07361D9FB6
                                        Malicious:false
                                        Reputation:low
                                        C:\ProgramData\Adobe\ARM\S\436\AdobeARM.msi.g1yfw9.g1yfw9
                                        Process:C:\Users\user\Desktop\s3ZenAQ7m1.exe
                                        File Type:Intel;1033
                                        Category:dropped
                                        Size (bytes):991500
                                        Entropy (8bit):7.421487496393618
                                        Encrypted:false
                                        SSDEEP:12288:1t0Yy+QEHeSHMTuLTBn0wM67J9ji8GUrWelRRzMzzD0Ad3KYo7hAx131YKTwIiMd:1t0Yy3a/INiRoz0AhK7+xyL6A2oY0EN
                                        MD5:D37168DB9912AB92BD3C7A284C4EED68
                                        SHA1:24973FA76E788D51E20AC31EEE7835D6B20161DD
                                        SHA-256:4BDE4676EE4EDEB8CE682EC016A83883609724B9D0FD9955D3E88FFDF5BA9B40
                                        SHA-512:059AB734DD1A8BE485CA86A9BD8D5D06FE4B7937D1B1A4286ACBB441B6DD1D17E85BEE4E261769EF372C7F774B4CA2AEA79C0574A4F34598114733FF7ADC19F9
                                        Malicious:false
                                        Reputation:low
                                        C:\ProgramData\Adobe\ARM\S\436\AdobeARMHelper.exe.g1yfw9
                                        Process:C:\Users\user\Desktop\s3ZenAQ7m1.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):423598
                                        Entropy (8bit):7.999553218788967
                                        Encrypted:true
                                        SSDEEP:12288:3ERdouok/clAZ5r7rohri7yF5tpaYKHWn:3dgkM5r7grKZYRn
                                        MD5:3A40FE6FD93F8776D971C75CAACF4BAA
                                        SHA1:F43EAF407CF14736CBB256708B43D52A1414548F
                                        SHA-256:D6317B4BF3AE6CB951CE35CD600742FB140CB143FEDCF93B15DE16BB73C6CE36
                                        SHA-512:F104CDF044095789468BC9695C4CAB0229C9EE9C90F889B18021FC7BAC0887A7CE65C463906F3448716B62AEF1756F30705601C24AA2B941BEFBF8AA73366A0D
                                        Malicious:false
                                        Reputation:low
                                        C:\ProgramData\Adobe\ARM\S\436\AdobeARMHelper.exe.g1yfw9.g1yfw9
                                        Process:C:\Users\user\Desktop\s3ZenAQ7m1.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):423732
                                        Entropy (8bit):6.330189993122203
                                        Encrypted:false
                                        SSDEEP:6144:kyYCpQcslnC3znG+xfbMgyGn7LiJdKkAtyKuskePvX2Zp7DmuXYvr6ys/pX:hYFlnCxjMyn72/KkAtydem3nM6BZ
                                        MD5:1FC9B39B1F6DBB618E9FD452BAD66048
                                        SHA1:220998CCCEC8E862E79DCD441B31128E6340968F
                                        SHA-256:7743C3ED80481190C91575FF6256AA7333EF9623B838F80833FAD6C554F7F36F
                                        SHA-512:0BDF4019E7BBA712DB50C31E40BB2FDAF05A4EAEC94251B3240C899E37367B819FFE8097E283751D95664EB9894B115FE8ECAE22EE94977B853D87EB87A9916B
                                        Malicious:false
                                        Reputation:low
                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y6R..eR..eR..e[.eK..e[.e...e[.e..eu[zeZ..eu[les..eR..e...e[.e[..eL.eS..e[.eS..eRichR..e........PE..L......\.............................[............@......................................@.....................................T....@...............X..(....0..H3..0................................r..@...............x............................text.............................. ..`.rdata..............................@..@.data....^......."..................@....rsrc........@......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................
                                        C:\ProgramData\Adobe\ARM\S\ARM.msi.g1yfw9
                                        Process:C:\Users\user\Desktop\s3ZenAQ7m1.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):991366
                                        Entropy (8bit):7.999836591239994
                                        Encrypted:true
                                        SSDEEP:24576:V8JvDZ/OitaiGjvlghi3DVRl6h2oLit2zG:VyvNmitaiGzmi3DhEnzG
                                        MD5:249BEEE0E66BF26CA68A1DEAEAF4B75C
                                        SHA1:B683ADCDE424AED135AD59E87C30AAF8008D034C
                                        SHA-256:373DEA19A39D439D995E48FA84C94FD4300F935CA88272383649589F8040EC3F
                                        SHA-512:AF790DCAF7520B0A3CA789E0096E3DC816BC73D1A425615C54D22E944D5F649422ADE8A41E0EDE66AF232976A8714FF080BB39DAA27FCA90CA57CA07361D9FB6
                                        Malicious:false
                                        Reputation:low
                                        C:\ProgramData\Adobe\ARM\S\ARM.msi.g1yfw9.g1yfw9
                                        Process:C:\Users\user\Desktop\s3ZenAQ7m1.exe
                                        File Type:Intel;1033
                                        Category:dropped
                                        Size (bytes):991500
                                        Entropy (8bit):7.421487496393618
                                        Encrypted:false
                                        SSDEEP:12288:1t0Yy+QEHeSHMTuLTBn0wM67J9ji8GUrWelRRzMzzD0Ad3KYo7hAx131YKTwIiMd:1t0Yy3a/INiRoz0AhK7+xyL6A2oY0EN
                                        MD5:D37168DB9912AB92BD3C7A284C4EED68
                                        SHA1:24973FA76E788D51E20AC31EEE7835D6B20161DD
                                        SHA-256:4BDE4676EE4EDEB8CE682EC016A83883609724B9D0FD9955D3E88FFDF5BA9B40
                                        SHA-512:059AB734DD1A8BE485CA86A9BD8D5D06FE4B7937D1B1A4286ACBB441B6DD1D17E85BEE4E261769EF372C7F774B4CA2AEA79C0574A4F34598114733FF7ADC19F9
                                        Malicious:false
                                        Reputation:low
                                        C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RdrManifest3.msi.g1yfw9
                                        Process:C:\Users\user\Desktop\s3ZenAQ7m1.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):14982
                                        Entropy (8bit):7.986033929355074
                                        Encrypted:false
                                        SSDEEP:384:zvQaPGKSgGSBKcu8SMy0hwFk1joj+4MYJXoimvIjd+q:zo/uKcChswUslVJXoim6
                                        MD5:4AF9DB10D2C94A96B5F2BBA3D2ACF359
                                        SHA1:C097D667608296B7F809924CF34434319D5C0DD3
                                        SHA-256:A1ECABBF739A19B6E4566DF899B2906E39F5CA5BF8A4FC7EF0AC55CD588326A9
                                        SHA-512:BC23CDF404159B1C8C28C557502F0781EF4F5B742C249677B8F349C3AB43B5F6BB635E31FC6B2EAC059A06F2A3D1844AC88CFCFB7AFB0A664C2EF51A9DF4639D
                                        Malicious:false
                                        Reputation:low
                                        C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RdrManifest3.msi.g1yfw9.g1yfw9
                                        Process:C:\Users\user\Desktop\s3ZenAQ7m1.exe
                                        File Type:0
                                        Category:dropped
                                        Size (bytes):15116
                                        Entropy (8bit):6.149066524437746
                                        Encrypted:false
                                        SSDEEP:192:GL9W4ol8lRAi75wKVsw2uaSZscF8Bd1LgV5+a9sgfxIZHo3DLhxMt+q:khoGYiWZwDZsHLgqDgf2hqJI+q
                                        MD5:39D8BC08F25B79ACE155FF6FD999FC2F
                                        SHA1:12EDD19808F31EE370910DB5B08426299746FD75
                                        SHA-256:8BE05B8697E54F91E3A5E270AF0D66F420F241CA8DF470A19ECF395557F047ED
                                        SHA-512:1F56BF6232FA510F5A0D1CB5372DBE9FC6E2FA73CE6BA05B9178E8626AE6F5D611C56070E05AE24531B4ECFB6157B3145FCC23834909BD48658117E0FBFC5B80
                                        Malicious:false
                                        Reputation:low
                                        C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RdrServicesUpdater2_1901220035.exe.g1yfw9
                                        Process:C:\Users\user\Desktop\s3ZenAQ7m1.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):177846
                                        Entropy (8bit):7.9990067622525975
                                        Encrypted:true
                                        SSDEEP:3072:NuSW8yPyUk30w6CwsRYbryC5+vshmLg1nymhf64SOvmugO4ft:NuSGKIw6vsRceC5+vVLg1nXhtSq74ft
                                        MD5:2C185067778B734C64A708D3DA7F9D0F
                                        SHA1:0480C0A01FE4D864BA7C482EEF1A51487C316185
                                        SHA-256:1A2726BBC068124BB157C5CFA36F4FCFA9E02B683D5FB3F4D08E47ECBA90165C
                                        SHA-512:7D02B76ED7A5A08F311ADCC32E05ECAB2CA608A737A453563D5866A49FAEE06627FF792A5D5BE69260C060D5DCAB67B83CEA6E05C65A967E5E7B61340DEC1CAA
                                        Malicious:false
                                        Reputation:low
                                        C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RdrServicesUpdater2_1901220035.exe.g1yfw9.g1yfw9
                                        Process:C:\Users\user\Desktop\s3ZenAQ7m1.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):177980
                                        Entropy (8bit):6.667386381176696
                                        Encrypted:false
                                        SSDEEP:3072:i16mNB3sJ2xp+MHsSVSol3cUAYuBwp0yOvbXWTBfgQcVE0dvdCohMA:iPNSYxp+M/KvTWTBVcVE5qMA
                                        MD5:455CEA8BA20AD9A31EFF1DA5A226A5DA
                                        SHA1:B9924BDC0446CE2722741B75A12F42C91CB18E4A
                                        SHA-256:188092834BC98778F86314B479451366926403DBACB1E7E5EF412799EF1CB7A2
                                        SHA-512:D16CAB44399208EB7C670C4CDC1F09D2F822D254026349520E32ACC87FBBA1A8727502AA7AA6783A1B4EB6CCDE3ACEB711D74BE2F3C8D9FCE9F258B962D86006
                                        Malicious:false
                                        Reputation:low
                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......I^;..?U..?U..?U..m...?U..m...?U.Kn...?U..m...?U..m...?U....?U....?U......?U..?T..?U....?U..m...?U..?...?U....?U.Rich.?U.................PE..L.....]............................py............@.................................|B....@.................................$........P..0R..............0...........0...8...............................@............................................text...#........................... ..`.rdata..`...........................@..@.data........@....... ..............@....rsrc...0R...P...T...,..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................
                                        C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901220034.msp.g1yfw9
                                        Process:C:\Users\user\Desktop\s3ZenAQ7m1.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):244416646
                                        Entropy (8bit):7.999999354586816
                                        Encrypted:true
                                        SSDEEP:3145728:wN6sGnTpc1W8uhhDWslXo5RteOR7dxoSxVnwKxeZI/4hT3hTexywJ5uiIX5bJRi3:q6sKm1W8oDWslY5n5dxHMZqE4DDImxtn
                                        MD5:24C5C064A92962E58DF01240589CD560
                                        SHA1:47A14D9C5930759C43FD094AEA15A16FD0C7314E
                                        SHA-256:2F882C65245DD54ECE873E9285C601728311D08F29414E8BBFF6DC335EB8A3D5
                                        SHA-512:334C659D2EF81C61EEB9E2B6DB6159D0C5C8D2CC0DB3EEFA82342BDBC54238D536457D9D644E504F5F1392705EBBA14D50DCA7076A1EDBC288C1C0B551076EB3
                                        Malicious:false
                                        Reputation:low
                                        C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901220034.msp.g1yfw9.g1yfw9
                                        Process:C:\Users\user\Desktop\s3ZenAQ7m1.exe
                                        File Type:Composite Document File V2 Document, Can't read SAT
                                        Category:dropped
                                        Size (bytes):71827456
                                        Entropy (8bit):7.9905540073984165
                                        Encrypted:true
                                        SSDEEP:1572864:bWdolzI0VkoqvxI9Fw2Ltl32DJi+Sx+melo1h6HbbZ:bW8LzpEi+qqbZ
                                        MD5:721F94A7AF6D5665E7FD49EF08574C47
                                        SHA1:29BA0C211F5C72A53789E3B05CCC7D8B11334B37
                                        SHA-256:EDFFC55E95E68BD1076E6E1A964551CDF2D2A1D74607097A5C052C26F04BD3D7
                                        SHA-512:EF1C07FD6D973A59291FF9A0489D59788F19D1BB1E56178F1D4AE84A93127393535951A17846E5342027017B97668797DF2088EC8BE7EA0A8338EAC70500E35B
                                        Malicious:false
                                        Reputation:low
                                        C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRead.msi.g1yfw9
                                        Process:C:\Users\user\Desktop\s3ZenAQ7m1.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):2793094
                                        Entropy (8bit):7.999934177292409
                                        Encrypted:true
                                        SSDEEP:
                                        MD5:93597FF5F8EC906FEB063DC9338CC7B4
                                        SHA1:357D4B070B56407A9934506F3C52537D02762E68
                                        SHA-256:A6A7EC804371957F78AE38FD7474FCD74B90114F1B811A754A78B1B5795386E6
                                        SHA-512:4EF66F5C8A8DB1F729F88B1F7FF55ADCBB58A284BD2F17E763FACDBDCFB372D0545065EC73982D39BC111CAADC390254D4332CC1F7ED8D72681B8790D4A0F0E6
                                        Malicious:false
                                        Reputation:low
                                        C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab.g1yfw9
                                        Process:C:\Users\user\Desktop\s3ZenAQ7m1.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):175114177
                                        Entropy (8bit):7.999998925759809
                                        Encrypted:true
                                        SSDEEP:
                                        MD5:B3812EE37714C294174FD2B2ED8F0258
                                        SHA1:703810A035C0DD482A1FEAEB1AF18BD05C9CCA01
                                        SHA-256:9EB7D3CCC5B4125FC7D74617DCB31EAC03A4109AB2CB73E2BE22F82FA9CFA5F0
                                        SHA-512:81ED18662C037AB1681F49B9F09A34B51544A12700031A4F29B9B49E7BA72F1DC65AE179AA1F4150AF282831051586B484A8688FF310089C0085C0C325E9100A
                                        Malicious:false
                                        Reputation:low
                                        C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini.g1yfw9
                                        Process:C:\Users\user\Desktop\s3ZenAQ7m1.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):742
                                        Entropy (8bit):7.5490936735624405
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:DB38E130D9960D1BC0B79CD5626CFC72
                                        SHA1:493C8FDF7B5F96CA86CCFF509131D8591F13B0ED
                                        SHA-256:1B457017C172E592DCC7F71DDAE8A5355CABCBA7AE2F651DDBEE1CCBAD3E1DA2
                                        SHA-512:BE4C58F69F600283AFCCE842BF0B421FA38D9F448F41DC50168388040A71DC47F94E5E83FA1CB3ABE0DEAD9AB966A392F0F0BCD16F39766C3F1D43CB303665A4
                                        Malicious:false
                                        Reputation:low
                                        C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini.g1yfw9.g1yfw9
                                        Process:C:\Users\user\Desktop\s3ZenAQ7m1.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):876
                                        Entropy (8bit):4.628585969096136
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:BBDAAD0C6A4BC3E281618D8E35CEFC11
                                        SHA1:0689E67A316B4111A574BE31DE1FBD1BD1926C87
                                        SHA-256:458372710E387F4A0ECF1446A0AD8D7FF9B51AB3C51E7619356A70C27E4B2E8F
                                        SHA-512:B6DD7FC60C4F6566C0C373EE5829BB3BCFBD4667B2AA407D3AD0976EE2973A3708BA6F22AC94D4724F242551C60E8E9B2FB63709893F2EB0D23587E80B5A34B9
                                        Malicious:false
                                        Reputation:low
                                        Preview: ;***************************************************************..;Adobe Installer External Configuration File: Abcpy.ini..;***************************************************************....;***************************************************************..;Main Section..;The (Product) key is a required key..;***************************************************************..[MAIN]..Product=Adobe Acrobat Reader DC......;***************************************************************..;OEM Installation Options..;***************************************************************..[OEM Install]..INSTALLDIR=...b:....c.N7BY..#(.6.C.........B...j.G....n..6.P..>wZ....<."Kv.\....c?$T#.V).&..........0T.......C-q.t..y..h.V.n...<...."D....w.....v.pqtv....w.s...ps..v.t.w...v..tv............p...ts..ts.....vp.t..w.qv.t.qw..w.p.......pp.....w.ts.t.wtw......q.wt........sk...
                                        C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe.g1yfw9
                                        Process:C:\Users\user\Desktop\s3ZenAQ7m1.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):465014
                                        Entropy (8bit):7.999587188788213
                                        Encrypted:true
                                        SSDEEP:
                                        MD5:2B3E0305E17F3726DE1D54A9E3F6888F
                                        SHA1:7DE15ADBA7305F873CF38E5E2E0AF85B2E7E084C
                                        SHA-256:E4BAEACE261F31B0720A41AF7FAA729A5ACFC742F1C44937001F0900D83E3879
                                        SHA-512:461B01754BA8564125B632C4935070037D9E87712DBFB71E25DFCF42E6C6F835F6157727244F779EC1C987CA9B6CA6567DB170A0C16EC2110A66DA125AE6207A
                                        Malicious:false
                                        Reputation:low
                                        C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.ini.g1yfw9
                                        Process:C:\Users\user\Desktop\s3ZenAQ7m1.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):348
                                        Entropy (8bit):6.668673391714458
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:842C2D5B8F6D5E04CF9A46A7438A4B4B
                                        SHA1:5205C1E8AD122DA03855F500E7CFED232BDAAD77
                                        SHA-256:8F4082747B9E07928228BC825F46890E2E7EAD4D71829606256ACDC53B538C1E
                                        SHA-512:EBFEF611B266F7378F828B07D852C67D5D1F1925194E56057ED3AB31F7835204DD27CFE8E1A9D7AB6F461586550C22F5E080244C60F59445F54224DA71921E9F
                                        Malicious:false

                                        Static File Info

                                        General

                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Entropy (8bit):5.889119918577074
                                        TrID:
                                        • Win32 Executable (generic) a (10002005/4) 99.15%
                                        • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                        • DOS Executable Generic (2002/1) 0.02%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:s3ZenAQ7m1.exe
                                        File size:102400
                                        MD5:7f5227030be3d2ef48aa652af1ec72b0
                                        SHA1:202e7ac1c2aaca8fbeed4ac454ca195a33c9d064
                                        SHA256:4dfc17406a58c6f1ce83a73ce6dd5b343d00fe77d07dfe21d28da13631bfad90
                                        SHA512:4603b758416dac60cb322aae6f3566711b6a4a9b657f6448861553b45b1c737fd3180d2b0bc169ef193a2372e89aba14a4d27a25e0a5eb440ed6c4afafe5f55c
                                        SSDEEP:1536:juwI7JIu1l2tHeRtnKT5lv1jZR+rpwNy1CqKvbBnNooElc3Q:j3I7l1l2ReyTXX1q4Du7
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......].......................p...............Rich............................PE..L.....L`..........................................@

                                        File Icon

                                        Icon Hash:38f6c6e6f8f4f060

                                        Static PE Info

                                        General

                                        Entrypoint:0x4015ec
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                        DLL Characteristics:
                                        Time Stamp:0x604C949E [Sat Mar 13 10:31:58 2021 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:65155a2944ad0beb18aa3e4f1d3900f5

                                        Entrypoint Preview

                                        Instruction
                                        push 00401CB0h
                                        call 00007FDAA4DD8223h
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        xor byte ptr [eax], al
                                        add byte ptr [eax], al
                                        inc eax
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [ebx+1FDE625Ah], ah
                                        cmpsd
                                        push es
                                        inc edi
                                        lahf
                                        mov gs, word ptr [eax+32h]
                                        lahf
                                        adc ebx, dword ptr [edi]
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [ecx], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax+46h], bh
                                        jne 00007FDAA4DD8293h
                                        push 0000006Bh
                                        imul ebp, dword ptr [esi+00h], 00000000h
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add bh, bh
                                        int3
                                        xor dword ptr [eax], eax
                                        add byte ptr [esi+edi*2], al
                                        lds ecx, fword ptr [esi+55h]
                                        mov al, 44h
                                        mov word ptr [ebp-2DE994E0h], cs
                                        das
                                        inc esi
                                        sal ebp, cl
                                        and byte ptr [eax+1Dh], FFFFFFD4h
                                        add eax, dword ptr [ebp-4Fh]
                                        sbb dl, byte ptr [edx]
                                        out dx, al
                                        int3
                                        call far 33ADh : 4F3ADDC0h
                                        cdq
                                        iretw
                                        adc dword ptr [edi+00AA000Ch], esi
                                        pushad
                                        rcl dword ptr [ebx+00000000h], cl
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        mov byte ptr [eax+eax], al
                                        add byte ptr [ebx+00000004h], al
                                        verw word ptr [ebx+ebp*2+41h]
                                        inc ebp
                                        inc edi
                                        jns 00007FDAA4DD828Bh
                                        outsb
                                        push ax
                                        js 00007FDAA4DD82ACh
                                        push esp
                                        jnbe 00007FDAA4DD8274h
                                        add byte ptr [00000119h], cl

                                        Data Directories

                                        Name                                  Virtual Address  Virtual Size  Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_IMPORT          0x7e94           0x28          .text
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE        0xb000           0xe8bc        .rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x238            0x20
                                        IMAGE_DIRECTORY_ENTRY_IAT             0x1000           0x160         .text
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                        Sections

                                        Name   Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
                                        .text  0x1000           0x7508        0x8000    False     0.408599853516   data       5.16788060997  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                        .data  0x9000           0x102c        0x1000    False     0.00634765625    data       0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                        .rsrc  0xb000           0xe8bc        0xf000    False     0.511100260417   data       6.35043315796  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                        Resources

                                        Name           RVA     Size    Type                                               Language  Country
                                        EXE            0xb8bc  0xe000  PE32 executable (GUI) Intel 80386, for MS Windows  English   United States
                                        RT_ICON        0xb5d4  0x2e8   data
                                        RT_ICON        0xb4ac  0x128   GLS_BINARY_LSB_FIRST
                                        RT_GROUP_ICON  0xb488  0x24    data
                                        RT_VERSION     0xb170  0x318   data                                               English   United States

                                        Imports

                                        DLL           Import
                                        MSVBVM60.DLL  __vbaStrI2, _CIcos, _adj_fptan, __vbaVarMove, __vbaAryMove, __vbaFreeVar, __vbaLenBstr, __vbaStrVarMove, __vbaEnd, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaStrCat, __vbaRecDestruct, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaVarForInit, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaVarIndexLoad, _CIsin, __vbaErase, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaCyI2, __vbaAryConstruct2, DllFunctionCall, _adj_fpatan, __vbaRedim, __vbaRecUniToAnsi, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, __vbaVarCat, __vbaI2Var, _CIlog, __vbaErrorOverflow, __vbaNew2, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, __vbaPowerR8, _adj_fdiv_r, __vbaI4Var, __vbaAryLock, __vbaVarAdd, __vbaStrToAnsi, __vbaVarMod, __vbaFpI4, __vbaRecDestructAnsi, _CIatan, __vbaAryCopy, __vbaStrMove, _allmul, _CItan, __vbaAryUnlock, __vbaVarForNext, _CIexp, __vbaFreeStr

                                        Version Infos

                                        Description       Data
                                        Translation       0x0409 0x04b0
                                        LegalCopyright    iiUVwFRu
                                        InternalName      RunExeMemory
                                        FileVersion       3.02.0032
                                        CompanyName       GMIUlmH
                                        LegalTrademarks   AvvuzkdkOpbr
                                        Comments          SqYAQxDQf
                                        ProductName       xpNrVFB
                                        ProductVersion    3.02.0032
                                        FileDescription   sQjvjgaspM
                                        OriginalFilename  RunExeMemory.exe

                                        Possible Origin

                                        Language of compilation system  Country where language is spoken  Map
                                        English                         United States

                                        Network Behavior

                                        No network behavior found

                                        Code Manipulations

                                        Statistics

                                        CPU Usage

                                        Memory Usage

                                        High Level Behavior Distribution

                                        Behavior

                                        System Behavior

                                        General

                                        Start time:23:11:51
                                        Start date:13/03/2021
                                        Path:C:\Users\user\Desktop\s3ZenAQ7m1.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Users\user\Desktop\s3ZenAQ7m1.exe'
                                        Imagebase:0x400000
                                        File size:102400 bytes
                                        MD5 hash:7F5227030BE3D2EF48AA652AF1EC72B0
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:Visual Basic
                                        Reputation:low

                                        General

                                        Start time:23:11:51
                                        Start date:13/03/2021
                                        Path:C:\Users\user\Desktop\s3ZenAQ7m1.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\Desktop\s3ZenAQ7m1
                                        Imagebase:0x400000
                                        File size:102400 bytes
                                        MD5 hash:7F5227030BE3D2EF48AA652AF1EC72B0
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:Borland Delphi
                                        Reputation:low

                                        Disassembly

                                        Code Analysis

                                          Executed Functions

                                          APIs
                                          • __vbaStrCopy.MSVBVM60(00000000,660E6C30,660E6A76), ref: 004072BB
                                          • __vbaAryLock.MSVBVM60(?), ref: 004072CE
                                          • __vbaGenerateBoundsError.MSVBVM60 ref: 004072F0
                                          • __vbaGenerateBoundsError.MSVBVM60 ref: 00407300
                                          • __vbaSetSystemError.MSVBVM60(?,?,00000040), ref: 00407326
                                          • __vbaAryUnlock.MSVBVM60(?), ref: 0040732F
                                          • __vbaStrMove.MSVBVM60(1B2B44F03D503E26E4EE082A6A3319ED5A2B3BCA1E1D59), ref: 0040735C
                                          • __vbaStrMove.MSVBVM60(lBEH), ref: 00407375
                                          • __vbaStrMove.MSVBVM60(00000000), ref: 00407385
                                          • __vbaStrMove.MSVBVM60(EJgnuZ), ref: 0040739E
                                          • __vbaStrMove.MSVBVM60(00000000), ref: 004073AE
                                          • __vbaStrMove.MSVBVM60(00000000), ref: 004073BE
                                          • __vbaStrMove.MSVBVM60(3E7ED082145E120B235629131A2E04), ref: 004073D2
                                          • __vbaStrMove.MSVBVM60(UxCPM), ref: 004073EB
                                          • __vbaStrMove.MSVBVM60(00000000), ref: 004073FB
                                          • __vbaStrMove.MSVBVM60(YngPy), ref: 00407414
                                          • __vbaStrMove.MSVBVM60(00000000), ref: 00407424
                                          • __vbaStrMove.MSVBVM60(00000000), ref: 00407434
                                          • #595.MSVBVM60(?,00000010,?,?,?), ref: 004074AB
                                          • __vbaFreeStrList.MSVBVM60(0000000C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407507
                                          • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0040752B
                                          • __vbaAryLock.MSVBVM60(?,00000000), ref: 00407548
                                          • __vbaGenerateBoundsError.MSVBVM60 ref: 0040756D
                                          • __vbaGenerateBoundsError.MSVBVM60 ref: 0040757D
                                          • __vbaSetSystemError.MSVBVM60(?,?,000000F8), ref: 004075A0
                                          • __vbaAryUnlock.MSVBVM60(?), ref: 004075A9
                                          • __vbaStrMove.MSVBVM60(2C559A0AA43D1005C9D2341946332CCA461834D2301A45), ref: 004075D7
                                          • __vbaStrMove.MSVBVM60(GaF), ref: 004075F0
                                          • __vbaStrMove.MSVBVM60(00000000), ref: 00407600
                                          • __vbaStrMove.MSVBVM60(IiiJR), ref: 00407619
                                          • __vbaStrMove.MSVBVM60(00000000), ref: 00407629
                                          • __vbaStrMove.MSVBVM60(00000000), ref: 00407639
                                          • __vbaStrMove.MSVBVM60(8768812445710A3A0559260B0B280B), ref: 0040764D
                                          • __vbaStrMove.MSVBVM60(BSCZIT), ref: 00407666
                                          • __vbaStrMove.MSVBVM60(00000000), ref: 00407676
                                          • __vbaStrMove.MSVBVM60(vVv), ref: 0040768F
                                          • __vbaStrMove.MSVBVM60(00000000), ref: 0040769F
                                          • __vbaStrMove.MSVBVM60(00000000), ref: 004076AF
                                          • #595.MSVBVM60(?,00000010,?,?,?), ref: 00407726
                                          • __vbaFreeStrList.MSVBVM60(0000000C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407782
                                          • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004077A6
                                          • __vbaRecDestructAnsi.MSVBVM60(00403D80,?,00407E62), ref: 00407E19
                                          • __vbaFreeStr.MSVBVM60 ref: 00407E28
                                          • __vbaFreeStr.MSVBVM60 ref: 00407E2D
                                          • __vbaFreeStr.MSVBVM60 ref: 00407E35
                                          • __vbaFreeStr.MSVBVM60 ref: 00407E3D
                                          • __vbaFreeStr.MSVBVM60 ref: 00407E45
                                          • __vbaFreeStr.MSVBVM60 ref: 00407E4D
                                          • __vbaRecDestruct.MSVBVM60(00403D80,00000044), ref: 00407E5B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.187370632.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.187366833.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.187376517.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.187380014.000000000040B000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: __vba$Move$Free$Error$BoundsGenerateList$#595DestructLockSystemUnlock$AnsiCopy
                                          • String ID: 1B2B44F03D503E26E4EE082A6A3319ED5A2B3BCA1E1D59$2C50AC1BAD85D747FBD50404D547F8221AFA2210562915072418FBD444$2C559A0AA43D1005C9D2341946332CCA461834D2301A45$3E7ED082145E120B235629131A2E04$8768812445710A3A0559260B0B280B$BSCZIT$D$EJgnuZ$GaF$IiiJR$MZ$PE$UVgDyc$UxCPM$Vhy$YngPy$lBEH$vVv
                                          • API String ID: 2849353991-476126404
                                          • Opcode ID: 76bcecbb046eb3ad2a0fb648c7daa3b3d36430b67704f34c9399dd77634a3ee5
                                          • Instruction ID: 099449512aeb439720a6fc2b306f32c175a9bca5b93ea3143f22acc4763425a7
                                          • Opcode Fuzzy Hash: 76bcecbb046eb3ad2a0fb648c7daa3b3d36430b67704f34c9399dd77634a3ee5
                                          • Instruction Fuzzy Hash: 8872EFF1D002289BCB25DF64CC84ADEB7B9AB48304F5085EEE609B7250DA746F85CF59
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • __vbaStrCopy.MSVBVM60 ref: 00405B18
                                          • __vbaStrCopy.MSVBVM60 ref: 00405B20
                                          • __vbaLenBstr.MSVBVM60(?), ref: 00405B2C
                                          • __vbaLenBstr.MSVBVM60(?), ref: 00405B4F
                                          • __vbaLenBstr.MSVBVM60(?), ref: 00405B5F
                                          • __vbaLenBstr.MSVBVM60(?), ref: 00405B76
                                          • #681.MSVBVM60(?,?,00000003,00000003), ref: 00405BAB
                                          • __vbaI4Var.MSVBVM60(?,?), ref: 00405BED
                                          • #632.MSVBVM60(?,00004008,00000000), ref: 00405BFF
                                          • #632.MSVBVM60(?,?,?,?), ref: 00405C42
                                          • __vbaStrVarVal.MSVBVM60(?,?), ref: 00405C53
                                          • #516.MSVBVM60(00000000), ref: 00405C56
                                          • __vbaStrVarVal.MSVBVM60(?,?), ref: 00405C6D
                                          • #516.MSVBVM60(00000000), ref: 00405C70
                                          • #608.MSVBVM60(?,?), ref: 00405C89
                                          • __vbaVarCat.MSVBVM60(?,?,00000008), ref: 00405CA4
                                          • __vbaStrVarMove.MSVBVM60(00000000), ref: 00405CAB
                                          • __vbaStrMove.MSVBVM60 ref: 00405CB6
                                          • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00405CC6
                                          • __vbaFreeVarList.MSVBVM60(0000000A,0000000B,00000003,00000003,?,00000002,?,00000002,?,?,?), ref: 00405D05
                                          • __vbaFreeStr.MSVBVM60(00405D95), ref: 00405D8D
                                          • __vbaFreeStr.MSVBVM60 ref: 00405D92
                                          • __vbaErrorOverflow.MSVBVM60 ref: 00405DAB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.187370632.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.187366833.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.187376517.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.187380014.000000000040B000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: __vba$BstrFree$#516#632CopyListMove$#608#681ErrorOverflow
                                          • String ID: QwF$niLMtNS$o
                                          • API String ID: 505741399-2904503189
                                          • Opcode ID: 8c1a01a2b5e7c4bcc9e1b513638f54cf946dfc436b967feffc213f5223f38271
                                          • Instruction ID: afe4b6194a3380cabf1ce22c4c145a1da1c7a7f42cb0ca369920840fae9e31c9
                                          • Opcode Fuzzy Hash: 8c1a01a2b5e7c4bcc9e1b513638f54cf946dfc436b967feffc213f5223f38271
                                          • Instruction Fuzzy Hash: DE81A5B2D00219DFDB15DFA5DD84FDEBBB8BB48300F0081AAE51AB7250E6745A49CF64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • __vbaStrMove.MSVBVM60(CFB724), ref: 00406C77
                                          • __vbaStrMove.MSVBVM60(wRF), ref: 00406C87
                                            • Part of subcall function 00405DC0: __vbaChkstk.MSVBVM60(00000000,004013E6), ref: 00405DDE
                                            • Part of subcall function 00405DC0: __vbaStrCopy.MSVBVM60(660E6A9B,?,660E1948,00000000,004013E6), ref: 00405E0B
                                            • Part of subcall function 00405DC0: __vbaStrCopy.MSVBVM60 ref: 00405E17
                                            • Part of subcall function 00405DC0: __vbaAryConstruct2.MSVBVM60(?,00402E34,00000002), ref: 00405E28
                                            • Part of subcall function 00405DC0: __vbaOnError.MSVBVM60(000000FF), ref: 00405E37
                                            • Part of subcall function 00405DC0: #717.MSVBVM60(?,00004008,00000080,00000000), ref: 00405E69
                                            • Part of subcall function 00405DC0: __vbaVar2Vec.MSVBVM60(?,?), ref: 00405E7A
                                            • Part of subcall function 00405DC0: __vbaAryMove.MSVBVM60(?,?), ref: 00405E8B
                                            • Part of subcall function 00405DC0: __vbaFreeVar.MSVBVM60 ref: 00405E94
                                            • Part of subcall function 00405DC0: __vbaVarForInit.MSVBVM60(?,?,?,00000002,00000002,00000002), ref: 00405F04
                                          • __vbaStrMove.MSVBVM60(00000000), ref: 00406C94
                                          • __vbaStrMove.MSVBVM60(QJFQ), ref: 00406CA4
                                            • Part of subcall function 00405A90: __vbaStrCopy.MSVBVM60 ref: 00405B18
                                            • Part of subcall function 00405A90: __vbaStrCopy.MSVBVM60 ref: 00405B20
                                            • Part of subcall function 00405A90: __vbaLenBstr.MSVBVM60(?), ref: 00405B2C
                                            • Part of subcall function 00405A90: __vbaLenBstr.MSVBVM60(?), ref: 00405B4F
                                            • Part of subcall function 00405A90: __vbaLenBstr.MSVBVM60(?), ref: 00405B5F
                                            • Part of subcall function 00405A90: __vbaLenBstr.MSVBVM60(?), ref: 00405B76
                                            • Part of subcall function 00405A90: #681.MSVBVM60(?,?,00000003,00000003), ref: 00405BAB
                                            • Part of subcall function 00405A90: __vbaI4Var.MSVBVM60(?,?), ref: 00405BED
                                          • __vbaStrMove.MSVBVM60(00000000), ref: 00406CB1
                                            • Part of subcall function 004066E0: __vbaStrCopy.MSVBVM60(?,660E6C30,660E0EBE), ref: 00406732
                                            • Part of subcall function 004066E0: __vbaLenBstr.MSVBVM60(?), ref: 0040673C
                                            • Part of subcall function 004066E0: #632.MSVBVM60(?,?,?,?), ref: 004067A0
                                            • Part of subcall function 004066E0: __vbaStrVarVal.MSVBVM60(?,?), ref: 004067AE
                                            • Part of subcall function 004066E0: #516.MSVBVM60(00000000), ref: 004067B5
                                          • __vbaErrorOverflow.MSVBVM60 ref: 00406C01
                                            • Part of subcall function 004066E0: __vbaStrCopy.MSVBVM60(660E6A9B,?,660E1948), ref: 0040656F
                                            • Part of subcall function 004066E0: __vbaLenBstr.MSVBVM60(?), ref: 00406579
                                            • Part of subcall function 004066E0: #537.MSVBVM60(00000026), ref: 004065A9
                                            • Part of subcall function 004066E0: __vbaStrMove.MSVBVM60 ref: 004065B0
                                            • Part of subcall function 004066E0: #537.MSVBVM60(00000048,00000000), ref: 004065B5
                                            • Part of subcall function 004066E0: __vbaStrMove.MSVBVM60 ref: 004065BC
                                            • Part of subcall function 004066E0: __vbaStrCat.MSVBVM60(00000000), ref: 004065BF
                                            • Part of subcall function 004066E0: __vbaStrMove.MSVBVM60 ref: 004065CA
                                            • Part of subcall function 004066E0: #631.MSVBVM60(?,?,?,00000000), ref: 004065D6
                                            • Part of subcall function 004066E0: __vbaStrMove.MSVBVM60 ref: 004065E1
                                            • Part of subcall function 004066E0: __vbaStrCat.MSVBVM60(00000000), ref: 004065E4
                                            • Part of subcall function 004066E0: __vbaStrMove.MSVBVM60 ref: 004065EF
                                            • Part of subcall function 004066E0: #581.MSVBVM60(00000000), ref: 004065F2
                                            • Part of subcall function 004066E0: __vbaFpI4.MSVBVM60 ref: 004065F8
                                            • Part of subcall function 004066E0: #537.MSVBVM60(00000000), ref: 004065FF
                                            • Part of subcall function 004066E0: __vbaStrMove.MSVBVM60 ref: 00406606
                                            • Part of subcall function 004066E0: __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 0040661E
                                            • Part of subcall function 004066E0: __vbaFreeVar.MSVBVM60 ref: 0040662A
                                            • Part of subcall function 004066E0: __vbaStrCat.MSVBVM60(?,?), ref: 00406638
                                          • __vbaStrMove.MSVBVM60(00000000), ref: 00406CBE
                                          • __vbaNew2.MSVBVM60(00403518,00409584), ref: 00406CD2
                                          • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403508,00000038,?,?,?,?,?), ref: 00406D3E
                                          • __vbaVar2Vec.MSVBVM60(?,?,?,?,?,?,?), ref: 00406D4C
                                          • __vbaAryMove.MSVBVM60(?,?,?,?,?,?,?), ref: 00406D5A
                                          • __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,?,?,?,?,?,?), ref: 00406D7A
                                          • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?), ref: 00406D8A
                                          • __vbaAryCopy.MSVBVM60(?,?), ref: 00406D9B
                                          • __vbaFreeStr.MSVBVM60(00406E14), ref: 00406E01
                                          • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00406E0D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.187370632.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.187366833.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.187376517.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.187380014.000000000040B000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: __vba$Move$Copy$BstrFree$#537List$ErrorVar2$#516#581#631#632#681#717CheckChkstkConstruct2DestructHresultInitNew2Overflow
                                          • String ID: CFB724$QJFQ$wRF
                                          • API String ID: 1766937285-169090389
                                          • Opcode ID: d778b7cd5b4b8b28017b51fa3faae1dad924b9591277092ce3115ee916503277
                                          • Instruction ID: 0d22c63b821632034c5087a3f616cc0919ef05cafb2105a151a16de8dd7b83b3
                                          • Opcode Fuzzy Hash: d778b7cd5b4b8b28017b51fa3faae1dad924b9591277092ce3115ee916503277
                                          • Instruction Fuzzy Hash: 0B5106B1D10218ABCB04EFE5D985ADEBBB8FF48700F10812AF506B7294DB746A45CF94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 004066E0: __vbaStrCopy.MSVBVM60(660E6A9B,?,660E1948), ref: 0040656F
                                            • Part of subcall function 004066E0: __vbaLenBstr.MSVBVM60(?), ref: 00406579
                                            • Part of subcall function 004066E0: #537.MSVBVM60(00000026), ref: 004065A9
                                            • Part of subcall function 004066E0: __vbaStrMove.MSVBVM60 ref: 004065B0
                                            • Part of subcall function 004066E0: #537.MSVBVM60(00000048,00000000), ref: 004065B5
                                            • Part of subcall function 004066E0: __vbaStrMove.MSVBVM60 ref: 004065BC
                                            • Part of subcall function 004066E0: __vbaStrCat.MSVBVM60(00000000), ref: 004065BF
                                            • Part of subcall function 004066E0: __vbaStrMove.MSVBVM60 ref: 004065CA
                                            • Part of subcall function 004066E0: #631.MSVBVM60(?,?,?,00000000), ref: 004065D6
                                            • Part of subcall function 004066E0: __vbaStrMove.MSVBVM60 ref: 004065E1
                                            • Part of subcall function 004066E0: __vbaStrCat.MSVBVM60(00000000), ref: 004065E4
                                            • Part of subcall function 004066E0: __vbaStrMove.MSVBVM60 ref: 004065EF
                                            • Part of subcall function 004066E0: #581.MSVBVM60(00000000), ref: 004065F2
                                            • Part of subcall function 004066E0: __vbaFpI4.MSVBVM60 ref: 004065F8
                                            • Part of subcall function 004066E0: #537.MSVBVM60(00000000), ref: 004065FF
                                            • Part of subcall function 004066E0: __vbaStrMove.MSVBVM60 ref: 00406606
                                            • Part of subcall function 004066E0: __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 0040661E
                                            • Part of subcall function 004066E0: __vbaFreeVar.MSVBVM60 ref: 0040662A
                                            • Part of subcall function 004066E0: __vbaStrCat.MSVBVM60(?,?), ref: 00406638
                                          • __vbaStrMove.MSVBVM60(CFB724), ref: 00406C77
                                          • __vbaStrMove.MSVBVM60(wRF), ref: 00406C87
                                            • Part of subcall function 00405DC0: __vbaChkstk.MSVBVM60(00000000,004013E6), ref: 00405DDE
                                            • Part of subcall function 00405DC0: __vbaStrCopy.MSVBVM60(660E6A9B,?,660E1948,00000000,004013E6), ref: 00405E0B
                                            • Part of subcall function 00405DC0: __vbaStrCopy.MSVBVM60 ref: 00405E17
                                            • Part of subcall function 00405DC0: __vbaAryConstruct2.MSVBVM60(?,00402E34,00000002), ref: 00405E28
                                            • Part of subcall function 00405DC0: __vbaOnError.MSVBVM60(000000FF), ref: 00405E37
                                            • Part of subcall function 00405DC0: #717.MSVBVM60(?,00004008,00000080,00000000), ref: 00405E69
                                            • Part of subcall function 00405DC0: __vbaVar2Vec.MSVBVM60(?,?), ref: 00405E7A
                                            • Part of subcall function 00405DC0: __vbaAryMove.MSVBVM60(?,?), ref: 00405E8B
                                            • Part of subcall function 00405DC0: __vbaFreeVar.MSVBVM60 ref: 00405E94
                                            • Part of subcall function 00405DC0: __vbaVarForInit.MSVBVM60(?,?,?,00000002,00000002,00000002), ref: 00405F04
                                          • __vbaStrMove.MSVBVM60(00000000), ref: 00406C94
                                          • __vbaStrMove.MSVBVM60(QJFQ), ref: 00406CA4
                                            • Part of subcall function 00405A90: __vbaStrCopy.MSVBVM60 ref: 00405B18
                                            • Part of subcall function 00405A90: __vbaStrCopy.MSVBVM60 ref: 00405B20
                                            • Part of subcall function 00405A90: __vbaLenBstr.MSVBVM60(?), ref: 00405B2C
                                            • Part of subcall function 00405A90: __vbaLenBstr.MSVBVM60(?), ref: 00405B4F
                                            • Part of subcall function 00405A90: __vbaLenBstr.MSVBVM60(?), ref: 00405B5F
                                            • Part of subcall function 00405A90: __vbaLenBstr.MSVBVM60(?), ref: 00405B76
                                            • Part of subcall function 00405A90: #681.MSVBVM60(?,?,00000003,00000003), ref: 00405BAB
                                            • Part of subcall function 00405A90: __vbaI4Var.MSVBVM60(?,?), ref: 00405BED
                                          • __vbaStrMove.MSVBVM60(00000000), ref: 00406CB1
                                            • Part of subcall function 004066E0: __vbaStrCopy.MSVBVM60(?,660E6C30,660E0EBE), ref: 00406732
                                            • Part of subcall function 004066E0: __vbaLenBstr.MSVBVM60(?), ref: 0040673C
                                            • Part of subcall function 004066E0: #632.MSVBVM60(?,?,?,?), ref: 004067A0
                                            • Part of subcall function 004066E0: __vbaStrVarVal.MSVBVM60(?,?), ref: 004067AE
                                            • Part of subcall function 004066E0: #516.MSVBVM60(00000000), ref: 004067B5
                                          • __vbaStrMove.MSVBVM60(00000000), ref: 00406CBE
                                          • __vbaNew2.MSVBVM60(00403518,00409584), ref: 00406CD2
                                          • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403508,00000038,?,?,?,?,?), ref: 00406D3E
                                          • __vbaVar2Vec.MSVBVM60(?,?,?,?,?,?,?), ref: 00406D4C
                                          • __vbaAryMove.MSVBVM60(?,?,?,?,?,?,?), ref: 00406D5A
                                          • __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,?,?,?,?,?,?), ref: 00406D7A
                                          • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?), ref: 00406D8A
                                          • __vbaAryCopy.MSVBVM60(?,?), ref: 00406D9B
                                          • __vbaFreeStr.MSVBVM60(00406E14), ref: 00406E01
                                          • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00406E0D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.187370632.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.187366833.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.187376517.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.187380014.000000000040B000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: __vba$Move$Copy$BstrFree$#537List$Var2$#516#581#631#632#681#717CheckChkstkConstruct2DestructErrorHresultInitNew2
                                          • String ID: CFB724$QJFQ$wRF
                                          • API String ID: 916492069-169090389
                                          • Opcode ID: 644c323d8087a445c575ec87d5d103c560cf325dc4108926bfc6b715c5bce791
                                          • Instruction ID: 5e8495b79b113b5c2d9223d720655d8d2097712990354c8e0691a1ce84517e07
                                          • Opcode Fuzzy Hash: 644c323d8087a445c575ec87d5d103c560cf325dc4108926bfc6b715c5bce791
                                          • Instruction Fuzzy Hash: ED5117B1D10218ABCB04EFE5D985ADEBBB8FF48700F10812AF506B7294DB746A45CF94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 40%
                                          			_entry_(signed int __eax, intOrPtr* __ebx, signed char __ecx, void* __edi, signed int __esi, char _a1, intOrPtr _a42, intOrPtr _a50, intOrPtr _a54, signed int _a58, intOrPtr _a64, signed int _a70, signed int _a101, signed int _a120) {
                                          				char _v1;
                                          				intOrPtr _v79;
                                          				intOrPtr _v770282720;
                                          				signed char _t305;
                                          				signed char _t306;
                                          				intOrPtr* _t307;
                                          				intOrPtr* _t308;
                                          				intOrPtr* _t309;
                                          				intOrPtr* _t310;
                                          				signed int _t322;
                                          				signed char _t323;
                                          				signed char _t324;
                                          				signed char _t325;
                                          				intOrPtr* _t327;
                                          				signed int _t328;
                                          				signed int _t329;
                                          				signed int _t330;
                                          				intOrPtr* _t333;
                                          				intOrPtr* _t334;
                                          				intOrPtr* _t336;
                                          				intOrPtr* _t337;
                                          				intOrPtr* _t338;
                                          				intOrPtr* _t339;
                                          				intOrPtr* _t340;
                                          				intOrPtr* _t341;
                                          				intOrPtr* _t343;
                                          				signed char _t345;
                                          				signed char _t346;
                                          				void* _t347;
                                          				void* _t348;
                                          				intOrPtr* _t351;
                                          				void* _t352;
                                          				intOrPtr* _t354;
                                          				intOrPtr* _t355;
                                          				intOrPtr* _t356;
                                          				signed int _t359;
                                          				signed int _t360;
                                          				signed int _t362;
                                          				signed int _t366;
                                          				void* _t368;
                                          				signed int _t369;
                                          				signed int _t373;
                                          				signed char _t375;
                                          				intOrPtr* _t377;
                                          				intOrPtr* _t382;
                                          				signed char _t383;
                                          				signed int _t384;
                                          				signed char _t386;
                                          				signed char _t387;
                                          				signed int _t395;
                                          				signed int _t402;
                                          				intOrPtr* _t403;
                                          				signed char* _t404;
                                          				signed int _t407;
                                          				char* _t409;
                                          				signed int _t410;
                                          				signed int _t416;
                                          				void* _t422;
                                          				void* _t424;
                                          				intOrPtr _t425;
                                          				intOrPtr* _t431;
                                          				intOrPtr _t443;
                                          				signed char _t445;
                                          				void* _t447;
                                          				intOrPtr _t449;
                                          				void* _t452;
                                          				intOrPtr _t454;
                                          				void* _t456;
                                          				void* _t461;
                                          				intOrPtr _t466;
                                          				intOrPtr _t467;
                                          				void* _t468;
                                          				void* _t473;
                                          				void* _t488;
                                          				intOrPtr _t497;
                                          				void* _t515;
                                          				void* _t518;
                                          				void* _t519;
                                          				void* _t526;
                                          				void* _t530;
                                          
                                          				_t406 = __esi;
                                          				_t386 = __ecx;
                                          				_t379 = __ebx;
                                          				L004015E4(); // executed
                                          				 *__eax =  *__eax + __eax;
                                          				 *__eax =  *__eax + __eax;
                                          				 *__eax =  *__eax + __eax;
                                          				 *__eax =  *__eax ^ __eax;
                                          				 *__eax =  *__eax + __eax;
                                          				_t305 = __eax + 1;
                                          				 *_t305 =  *_t305 + _t305;
                                          				 *_t305 =  *_t305 + _t305;
                                          				 *_t305 =  *_t305 + _t305;
                                          				 *((intOrPtr*)(__ebx + 0x1fde625a)) =  *((intOrPtr*)(__ebx + 0x1fde625a)) + _t305;
                                          				_t395 = 0x401cb0;
                                          				asm("invalid");
                                          				_pop(ds);
                                          				asm("cmpsd");
                                          				_push(es);
                                          				_t402 = __edi + 1;
                                          				asm("lahf");
                                          				gs =  *((intOrPtr*)(_t305 + 0x32));
                                          				asm("lahf");
                                          				asm("adc ebx, [edi]");
                                          				 *_t305 =  *_t305 + _t305;
                                          				 *_t305 =  *_t305 + _t305;
                                          				 *_t305 =  *_t305 + _t305;
                                          				 *__ecx =  *__ecx + _t305;
                                          				 *_t305 =  *_t305 + _t305;
                                          				 *_t305 =  *_t305 + _t305;
                                          				 *_t305 =  *_t305 + _t305;
                                          				 *_t305 =  *_t305 + _t305;
                                          				_t4 = _t305 + 0x46;
                                          				 *_t4 =  *((intOrPtr*)(_t305 + 0x46)) + __ebx;
                                          				if( *_t4 == 0) {
                                          					 *_t305 =  *_t305 + _t305;
                                          					 *_t305 =  *_t305 + _t305;
                                          					 *_t305 =  *_t305 + _t305;
                                          					_t379 = __ebx + __ebx;
                                          					asm("int3");
                                          					 *_t305 =  *_t305 ^ _t305;
                                          					 *((intOrPtr*)(__esi + _t402 * 2)) =  *((intOrPtr*)(__esi + _t402 * 2)) + _t305;
                                          					asm("repne lds ecx, [esi+0x55]");
                                          					_v770282720 = cs;
                                          					asm("das");
                                          					_t406 = __esi + 1;
                                          					 *0x00000061 =  *0x00000061 & 0x000000d4;
                                          					_t305 = 0x44 + _v79;
                                          					asm("sbb dl, [edx]");
                                          					asm("out dx, al");
                                          					asm("int3");
                                          					0x33ad(0x6b);
                                          					asm("cdq");
                                          					asm("iretw");
                                          					asm("adc [edi+0xaa000c], esi");
                                          					asm("pushad");
                                          					asm("rcl dword [ebx], cl");
                                          					 *_t305 =  *_t305 + 0x44;
                                          					 *_t305 =  *_t305 + 0x44;
                                          					 *_t305 =  *_t305 + 0x44;
                                          					 *_t305 =  *_t305 + 0x44;
                                          					 *_t305 =  *_t305 + 0x44;
                                          					 *_t305 =  *_t305 + 0x44;
                                          					 *_t305 =  *_t305 + 0x44;
                                          					 *_t305 =  *_t305 + 0x44;
                                          					 *_t305 =  *_t305 + 0x44;
                                          					 *_t305 =  *_t305 + 0x44;
                                          					 *_t305 =  *_t305 + 0x44;
                                          					 *_t305 =  *_t305 + 0x44;
                                          				}
                                          				 *_t305 =  *_t305 + _t305;
                                          				 *_t305 =  *_t305 + _t305;
                                          				 *_t305 =  *_t305 + _t305;
                                          				 *_t305 =  *_t305 + _t305;
                                          				 *(_t305 + _t305) = _t305;
                                          				 *((intOrPtr*)(_t379 + 4)) =  *((intOrPtr*)(_t379 + 4)) + _t305;
                                          				asm("verw word [ebx+ebp*2+0x41]");
                                          				_t409 =  &_a1;
                                          				_t403 = _t402 + 1;
                                          				_t431 = _t403;
                                          				if(_t431 >= 0) {
                                          					L8:
                                          					_t305 = _t305 +  *_t305;
                                          					 *_t305 =  *_t305 + _t305;
                                          					 *_t305 =  *_t305 + _t305;
                                          					 *_t305 =  *_t305 + _t305;
                                          					 *_t305 =  *_t305 + _t305;
                                          					 *_t305 =  *_t305 + _t305;
                                          					 *_t305 =  *_t305 + _t305;
                                          					 *_t305 =  *_t305 + _t305;
                                          					 *_t305 =  *_t305 + _t305;
                                          					 *_t305 =  *_t305 + _t305;
                                          					 *_t305 =  *_t305 + _t305;
                                          					 *_t305 =  *_t305 + _t305;
                                          					 *((intOrPtr*)(_t305 + 0x800000)) =  *((intOrPtr*)(_t305 + 0x800000)) + _t305;
                                          					 *_t305 =  *_t305 + _t305;
                                          					 *((char*)(_t305 + 0x8000)) =  *((char*)(_t305 + 0x8000));
                                          					L9:
                                          					 *_t305 =  *_t305;
                                          				} else {
                                          					asm("outsb");
                                          					_push(_t305);
                                          					if(_t431 >= 0) {
                                          						_push(_t416);
                                          						if(_t431 <= 0) {
                                          							 *0x42000119 =  *0x42000119 + _t386;
                                          							 *_t395 =  *_t395 + _t305;
                                          							 *_t379 =  *_t379 + _t416;
                                          							 *((intOrPtr*)(_t416 + _t406 * 2)) =  *((intOrPtr*)(_t416 + _t406 * 2)) + _t386;
                                          							 *_t406 =  *_t406 + _t395;
                                          							_t375 = _t305;
                                          							 *_t375 =  *_t375 + _t375;
                                          							 *_t386 =  *_t386 + _t375;
                                          							 *_t395 =  *_t395 + _t375;
                                          							 *_t375 =  *_t375 + _t375;
                                          							 *_t375 =  *_t375 & _t395;
                                          							 *_t375 =  *_t375 + _t375;
                                          							 *_t375 =  *_t375 + _t375;
                                          							_t377 = _t375 + _t386 +  *((intOrPtr*)(_t375 + _t386));
                                          							 *_t406 =  *_t406 + _t377;
                                          							 *_t377 =  *_t377 + _t377;
                                          							 *_t377 =  *_t377 + _t395;
                                          							asm("adc [eax], dl");
                                          							 *_t377 =  *_t377 + _t377;
                                          							 *_t377 =  *_t377 + _t377;
                                          							 *_t377 =  *_t377 + _t386;
                                          							 *_t377 =  *_t377 + _t377;
                                          							 *_t406 =  *_t406 + _t386;
                                          							_t305 = _t377 +  *_t377;
                                          							 *_t305 =  *_t305 + _t386;
                                          							 *_t305 =  *_t305 + _t305;
                                          							 *_t305 =  *_t305 + _t305;
                                          							 *_t305 =  *_t305 + _t305;
                                          						}
                                          						 *_t305 =  *_t305 + _t305;
                                          						_t305 = _t305 + 1;
                                          						 *_t305 =  *_t305 + _t305;
                                          						 *_t386 =  *_t386 + _t305;
                                          						 *(_t305 + _t305) =  *(_t305 + _t305) + _t305;
                                          						 *_t305 =  *_t305 + _t305;
                                          						 *_t305 =  *_t305 + _t305;
                                          						 *_t395 =  *_t395;
                                          						goto L8;
                                          					}
                                          				}
                                          				 *((intOrPtr*)(_t305 - 0x7fff8000)) =  *((intOrPtr*)(_t305 - 0x7fff8000)) + _t305;
                                          				 *_t305 =  *_t305;
                                          				 *((char*)(_t305 - 0x3f3fff80)) =  *((char*)(_t305 - 0x3f3fff80)) + 0xc0;
                                          				 *_t305 =  *_t305 + _t305;
                                          				 *_t305 =  *_t305 + _t305;
                                          				 *_t305 =  *_t305 + 1;
                                          				 *_t305 =  *_t305 + _t305;
                                          				asm("invalid");
                                          				_t379 = _t379 + _t379 + _t379 + _t379;
                                          				while(1) {
                                          					L11:
                                          					 *_t305 =  *_t305 + 1;
                                          					 *_t305 =  *_t305 + _t305;
                                          					 *_t305 =  *_t305 + 1;
                                          					 *_t305 =  *_t305 + 1;
                                          					asm("invalid");
                                          					 *_t305 =  *_t305 + _t305;
                                          					asm("invalid");
                                          					while(1) {
                                          						asm("invalid");
                                          						 *_t305 =  *_t305 + _t305;
                                          						 *_t305 =  *_t305 + _t305;
                                          						 *_t305 =  *_t305 + _t305;
                                          						 *_t305 =  *_t305 + _t305;
                                          						 *_t305 =  *_t305 + _t305;
                                          						 *_t305 =  *_t305 + _t305;
                                          						 *_t305 =  *_t305 + _t305;
                                          						 *_t305 =  *_t305 + _t305;
                                          						 *_t305 =  *_t305 + _t305;
                                          						 *_t305 =  *_t305 + _t305;
                                          						 *_t305 =  *_t305 + _t305;
                                          						 *_t305 =  *_t305 + _t305;
                                          						 *_t305 =  *_t305 + _t305;
                                          						if( *_t305 > 0) {
                                          							break;
                                          						}
                                          						 *_t305 =  *_t305 + _t305;
                                          						 *_t305 =  *_t305 + _t305;
                                          						 *_t305 =  *_t305 + _t305;
                                          						 *_t305 =  *_t305 + _t305;
                                          						 *_t305 =  *_t305 + _t305;
                                          						 *_t305 =  *_t305 + _t305;
                                          						_t31 = _t403 - 0x79;
                                          						 *_t31 =  *((intOrPtr*)(_t403 - 0x79)) + _t395;
                                          						if( *_t31 > 0) {
                                          							L22:
                                          							if (_t445 > 0) goto L23;
                                          							 *_t306 =  *_t306 + _t306;
                                          							 *_t306 =  *_t306 + _t306;
                                          							_pop(es);
                                          							 *_t306 = _t409;
                                          							_t53 = _t403 + 0x77;
                                          							_t54 = _t406;
                                          							_t406 =  *_t53;
                                          							 *_t53 = _t54;
                                          							if ( *((char*)(_t306 - 0x7e)) - 0x28 > 0) goto L24;
                                          							 *_t306 =  *_t306 + _t306;
                                          							 *_t306 =  *_t306 + _t306;
                                          							_t447 =  *_t306;
                                          							if(_t447 < 0) {
                                          								 *(_t306 + 0x77778788) = _t387;
                                          								if(_t452 > 0) {
                                          									if (_t468 > 0) goto L99;
                                          									if(_t468 > 0) {
                                          										 *_t306 =  *_t306 + _t306;
                                          										goto L100;
                                          									} else {
                                          										if(_t468 < 0) {
                                          											L100:
                                          											 *((intOrPtr*)(_t403 + 0x7f)) =  *((intOrPtr*)(_t403 + 0x7f)) + _t395;
                                          											_push( *((intOrPtr*)(_t306 + 0x7f)));
                                          											_t373 = _t306 /  *_t306;
                                          											 *_t373 =  *_t373 + _t373;
                                          											 *_t373 =  *_t373 + _t373;
                                          											L101:
                                          											 *_t373 =  *_t373 + _t373;
                                          											 *_t373 =  *_t373 + _t373;
                                          											 *_t373 =  *_t373 + _t373;
                                          											 *_t403 =  *_t403 + _t373;
                                          											if( *_t403 > 0) {
                                          												goto L101;
                                          											}
                                          											_t305 = _t373 /  *_t373;
                                          											_t395 = _t373 %  *_t373;
                                          											L104:
                                          											 *_t305 =  *_t305 + _t305;
                                          											 *_t305 =  *_t305 + _t305;
                                          											 *_t305 =  *_t305 + _t305;
                                          											 *_t305 =  *_t305 + _t305;
                                          											 *_t305 =  *_t305 + _t305;
                                          											 *_t305 =  *_t305 + _t305;
                                          											if( *_t305 <= 0) {
                                          												 *_t305 =  *_t305 + _t305;
                                          												 *_t305 =  *_t305 + _t305;
                                          												 *_t305 =  *_t305 + _t305;
                                          												 *_t305 =  *_t305 + _t305;
                                          												 *_t305 =  *_t305 + _t305;
                                          												asm("invalid");
                                          												asm("invalid");
                                          												asm("invalid");
                                          												_t403 = _t403 + _t403;
                                          												asm("invalid");
                                          												 *((intOrPtr*)(_t403 - 1)) =  *((intOrPtr*)(_t403 - 1)) + _t379;
                                          												asm("lock add [edi], bh");
                                          												_t306 = _t305 + 1;
                                          												 *_t403 =  *_t403 + _t379;
                                          												 *_t306 =  *_t306 + 1;
                                          												 *_t403 =  *_t403 + _t379;
                                          												asm("cld");
                                          												 *_t306 =  *_t306 + _t306;
                                          												asm("aas");
                                          												asm("clc");
                                          												 *_t306 =  *_t306 + _t306;
                                          												_pop(ds);
                                          												asm("clc");
                                          												 *_t306 =  *_t306 + _t306;
                                          												_pop(ds);
                                          												asm("clc");
                                          												 *_t306 =  *_t306 + _t306;
                                          												goto L111;
                                          											}
                                          										} else {
                                          											 *(_t306 - 0xf707778) = _t386;
                                          										}
                                          									}
                                          								} else {
                                          									if (_t452 < 0) goto L42;
                                          									 *_t306 =  *_t306 + _t306;
                                          									 *_t306 =  *_t306 + _t306;
                                          									_t64 = _t306 + 0x22;
                                          									 *_t64 =  *((intOrPtr*)(_t306 + 0x22)) + _t379;
                                          									_t454 =  *_t64;
                                          									if(_t454 < 0) {
                                          										L55:
                                          										 *_t395 =  *_t395 & 0x00000028;
                                          										_t461 =  *_t395;
                                          										_t73 = _t403 + 0x77;
                                          										_t74 = _t406;
                                          										_t406 =  *_t73;
                                          										 *_t73 = _t74;
                                          									} else {
                                          										_t386 = _t387 &  *(_t306 - 0x78d7dd7e);
                                          										 *_t395 =  *_t395 & 0x00000028;
                                          										_t456 =  *_t395;
                                          										_t67 = _t403 + 0x77;
                                          										_t68 = _t406;
                                          										_t406 =  *_t67;
                                          										 *_t67 = _t68;
                                          										L46:
                                          										if(_t456 > 0) {
                                          											L77:
                                          											goto L78;
                                          										} else {
                                          											if(_t456 > 0) {
                                          												L78:
                                          												_push( *((intOrPtr*)(_t306 + 0x77)));
                                          											} else {
                                          												if(_t456 < 0) {
                                          													asm("lock add [eax], al");
                                          													if(_t468 < 0) {
                                          														goto L46;
                                          													} else {
                                          														goto L77;
                                          													}
                                          												} else {
                                          													 *_t306 =  *_t306 + _t306;
                                          													 *_t306 =  *_t306 + _t306;
                                          													_pop(es);
                                          													 *(_t395 + 0x22888822) = _t306;
                                          													 *_t395 = _t306;
                                          													 *((intOrPtr*)(_t403 + 0x77777777)) =  *((intOrPtr*)(_t403 + 0x77777777)) - _t306;
                                          													 *_t306 =  *_t306 + _t306;
                                          													 *_t403 =  *_t403 + _t306;
                                          													_pop(es);
                                          													 *_t395 = _t306;
                                          													L54:
                                          													_t387 = _t386 &  *(_t305 - 0x78d7dd7e);
                                          													goto L55;
                                          												}
                                          											}
                                          										}
                                          									}
                                          								}
                                          							} else {
                                          								 *(_t306 - 0x78d777d8) = _t387;
                                          								if (_t447 > 0) goto L62;
                                          								if(_t447 > 0) {
                                          									 *(_t306 + 0x77ff8888) = _t387;
                                          									goto L63;
                                          								} else {
                                          									if(_t447 > 0) {
                                          										L63:
                                          										 *(_t306 - 0x77880078) = _t387;
                                          										asm("invalid");
                                          										if(_t466 > 0) {
                                          											if(_t473 < 0) {
                                          												L111:
                                          												 *_t403 =  *_t403 + _t379;
                                          												asm("clc");
                                          												 *_t306 =  *_t306 + _t306;
                                          												_pop(ds);
                                          												asm("lock add [eax], al");
                                          												goto L112;
                                          											} else {
                                          												if(_t473 > 0) {
                                          													L112:
                                          													 *_t403 =  *_t403 + _t387;
                                          													asm("lock add [eax], al");
                                          													asm("invalid");
                                          													 *_t306 =  *_t306 + _t306;
                                          													 *_t403 =  *_t403 + _t387;
                                          													asm("lock add [eax], al");
                                          													asm("pavgb mm0, [eax]");
                                          													 *_t403 =  *_t403 + _t306;
                                          													asm("loopne 0x2");
                                          													 *_t403 =  *_t403 + _t306;
                                          													asm("loopne 0x2");
                                          													 *_t403 =  *_t403 + _t306;
                                          													asm("loopne 0x2");
                                          													 *_t403 =  *_t403 + _t306;
                                          													asm("rol byte [eax], 0x0");
                                          													_t307 = _t306 + _t306;
                                          													 *_t307 =  *_t307 + _t307;
                                          													_t308 = _t307 + _t307;
                                          													 *_t308 =  *_t308 + _t308;
                                          													_t309 = _t308 + _t308;
                                          													 *_t309 =  *_t309 + _t309;
                                          													_t305 = _t309 +  *((intOrPtr*)(_t309 - 0x7ff90000));
                                          													 *_t305 =  *_t305 + _t305;
                                          													_pop(ds);
                                          													 *_t305 =  *_t305;
                                          													_t488 =  *_t305;
                                          												} else {
                                          													 *(_t403 + 0x70f7) = _t386;
                                          												}
                                          											}
                                          										} else {
                                          											if (_t466 < 0) goto L65;
                                          											_t89 = _t306 - 0x78;
                                          											 *_t89 =  *((intOrPtr*)(_t306 - 0x78)) + _t379;
                                          											_t467 =  *_t89;
                                          										}
                                          									} else {
                                          										if(_t447 < 0) {
                                          											 *_t306 =  *_t306 + _t306;
                                          											 *_t306 =  *_t306 + _t306;
                                          											_t85 = _t306 - 0x78;
                                          											 *_t85 =  *((intOrPtr*)(_t306 - 0x78)) + _t379;
                                          											_t466 =  *_t85;
                                          										} else {
                                          											 *_t306 =  *_t306 + _t306;
                                          											 *_t306 =  *_t306 + _t306;
                                          											_t56 = _t306 + 0x22;
                                          											 *_t56 =  *((intOrPtr*)(_t306 + 0x22)) + _t379;
                                          											_t449 =  *_t56;
                                          										}
                                          									}
                                          								}
                                          							}
                                          						} else {
                                          							 *_t305 =  *_t305 + _t305;
                                          							 *_t305 =  *_t305 + _t305;
                                          							 *_t305 =  *_t305 + _t305;
                                          							 *_t305 =  *_t305 + _t305;
                                          							 *_t305 =  *_t305 + _t305;
                                          							_t33 = _t403 - 0x78;
                                          							 *_t33 =  *((intOrPtr*)(_t403 - 0x78)) + _t395;
                                          							_t35 = _t403 + 0x77;
                                          							_t36 = _t406;
                                          							_t406 =  *_t35;
                                          							 *_t35 = _t36;
                                          							if ( *_t33 < 0) goto L15;
                                          							 *_t305 =  *_t305 + _t305;
                                          							 *_t305 =  *_t305 + _t305;
                                          							 *_t305 =  *_t305 + _t305;
                                          							 *_t305 =  *_t305 + _t305;
                                          							if( *_t305 > 0) {
                                          								goto L9;
                                          							} else {
                                          								 *(_t403 + 0x707777) = _t305;
                                          								 *_t305 =  *_t305 + _t305;
                                          								 *_t305 =  *_t305 + _t305;
                                          								 *_t305 =  *_t305 + _t305;
                                          								 *((intOrPtr*)(_t403 - 0x78)) =  *((intOrPtr*)(_t403 - 0x78)) + _t395;
                                          								 *(_t305 + 0x70777787) = _t386;
                                          								 *_t305 =  *_t305 + _t305;
                                          								 *_t305 =  *_t305 + _t305;
                                          								 *_t305 =  *_t305 + _t305;
                                          								_t41 = _t403 - 0x78;
                                          								 *_t41 =  *((intOrPtr*)(_t403 - 0x78)) + _t395;
                                          								if( *_t41 < 0) {
                                          									goto L11;
                                          								} else {
                                          									 *(_t403 + 0x707777) = _t305;
                                          									 *_t305 =  *_t305 + _t305;
                                          									 *_t305 =  *_t305 + _t305;
                                          									_pop(es);
                                          									if( *_t305 > 0) {
                                          										continue;
                                          									} else {
                                          										_t44 = _t409;
                                          										_t409 =  *_t305;
                                          										 *_t305 = _t44;
                                          										 *(_t305 + 0x77777787) = _t386;
                                          										 *_t305 =  *_t305 + _t305;
                                          										 *_t305 =  *_t305 + _t305;
                                          										 *_t403 =  *_t403 + _t305;
                                          										_t443 =  *_t403;
                                          										 *(_t305 - 0x77dddd8e) = _t386;
                                          										_t47 = _t403 + 0x77;
                                          										_t48 = _t406;
                                          										_t406 =  *_t47;
                                          										 *_t47 = _t48;
                                          										break;
                                          									}
                                          								}
                                          							}
                                          						}
                                          						L114:
                                          						if(_t488 > 0) {
                                          							goto L104;
                                          						}
                                          						 *_t387 =  *_t387 + _t305;
                                          						 *((intOrPtr*)(_t305 - 0x3f00f900)) =  *((intOrPtr*)(_t305 - 0x3f00f900)) + 1;
                                          						 *_t403 =  *_t403 + _t379;
                                          						_push(_t305);
                                          						 *((intOrPtr*)(_t403 - 1)) =  *((intOrPtr*)(_t403 - 1)) + _t379;
                                          						 *_t387 =  *_t387 + 1;
                                          						asm("invalid");
                                          						_t404 = _t403 + 1;
                                          						asm("invalid");
                                          						 *_t305 =  *_t305 - _t305;
                                          						 *_t305 =  *_t305 + _t305;
                                          						asm("adc [eax], al");
                                          						 *_t305 =  *_t305 + _t305;
                                          						 *_t305 =  *_t305 & _t305;
                                          						 *_t305 =  *_t305 + _t305;
                                          						 *_t305 =  *_t305 + _t305;
                                          						while(1) {
                                          							L116:
                                          							 *(_t305 + _t305) =  *(_t305 + _t305) + _t305;
                                          							 *_t305 =  *_t305 + _t305;
                                          							 *_t305 =  *_t305 + _t305;
                                          							asm("rol byte [eax], 0x0");
                                          							 *_t305 =  *_t305 + _t305;
                                          							 *_t305 =  *_t305 + _t305;
                                          							 *_t305 =  *_t305 + _t305;
                                          							 *_t305 =  *_t305 + _t305;
                                          							 *_t305 =  *_t305 + _t305;
                                          							 *_t305 =  *_t305 + _t305;
                                          							 *_t305 =  *_t305 + _t305;
                                          							 *_t305 =  *_t305 + _t305;
                                          							 *_t305 =  *_t305 + _t305;
                                          							 *_t305 =  *_t305 + _t305;
                                          							 *_t305 =  *_t305 + _t305;
                                          							 *((intOrPtr*)(_t305 + 0x800000)) =  *((intOrPtr*)(_t305 + 0x800000)) + _t305;
                                          							 *_t305 =  *_t305 + _t305;
                                          							 *((char*)(_t305 + 0x8000)) =  *((char*)(_t305 + 0x8000));
                                          							 *_t305 =  *_t305 + 0x80;
                                          							 *((intOrPtr*)(_t305 - 0x7fffff80)) =  *((intOrPtr*)(_t305 - 0x7fffff80)) + _t305;
                                          							 *((char*)(_t305 - 0x3f3f4000)) =  *((char*)(_t305 - 0x3f3f4000));
                                          							 *_t305 =  *_t305 + _t305;
                                          							 *_t305 =  *_t305 + 1;
                                          							 *_t305 =  *_t305 + _t305;
                                          							_t379 = _t379 + _t379 + _t379 + _t379;
                                          							 *_t305 =  *_t305 + 1;
                                          							 *_t305 =  *_t305 + 1;
                                          							 *_t305 =  *_t305 + _t305;
                                          							while(1) {
                                          								 *_t305 =  *_t305 + 1;
                                          								 *_t305 =  *_t305 + 1;
                                          								asm("invalid");
                                          								 *_t305 =  *_t305 + _t305;
                                          								asm("invalid");
                                          								 *_t305 =  *_t305 + 1;
                                          								 *_t305 =  *_t305 + _t305;
                                          								 *_t305 =  *_t305 + _t305;
                                          								 *_t305 =  *_t305 + _t305;
                                          								 *_t305 =  *_t305 + _t305;
                                          								 *_t305 =  *_t305 + _t305;
                                          								 *_t305 =  *_t305 + _t305;
                                          								 *_t404 = _t395;
                                          								 *_t305 =  *_t305 + _t305;
                                          								 *_t305 =  *_t305 + _t305;
                                          								 *(_t305 + 0x77) = _t387;
                                          								 *((intOrPtr*)(_t305 + 0x778828)) =  *((intOrPtr*)(_t305 + 0x778828)) + _t387;
                                          								 *_t305 =  *_t305 + _t305;
                                          								if( *_t305 < 0) {
                                          									goto L116;
                                          								}
                                          								_t387 = _t387 &  *_t305;
                                          								if(_t387 > 0) {
                                          									L131:
                                          									 *((intOrPtr*)(_t305 - 0x7ffffffd)) =  *((intOrPtr*)(_t305 - 0x7ffffffd)) + _t305;
                                          									_t305 = _t305 +  *_t305;
                                          									goto L132;
                                          								} else {
                                          									 *_t305 =  *_t305 + _t305;
                                          									if( *_t305 < 0) {
                                          										L123:
                                          										_t167 = _t404 - 9;
                                          										 *_t167 =  *((intOrPtr*)(_t404 - 9)) + _t379;
                                          										_t497 =  *_t167;
                                          										if(_t497 < 0) {
                                          											goto L134;
                                          										} else {
                                          											if (_t497 > 0) goto L125;
                                          											if (_t497 > 0) goto L126;
                                          											goto L126;
                                          											while(_t497 >= 0) {
                                          												_push( *_t404);
                                          												 *_t305 =  *_t305 + _t305;
                                          												if( *_t305 > 0) {
                                          													continue;
                                          												} else {
                                          													_push( *_t404);
                                          													 *_t305 =  *_t305 + _t305;
                                          													 *_t305 =  *_t305 + _t305;
                                          													if( *_t305 <= 0) {
                                          														 *_t305 =  *_t305 + _t305;
                                          														 *_t305 =  *_t305 + _t305;
                                          														 *_t404 =  *_t404 - 1;
                                          														 *_t305 =  *_t305 + _t305;
                                          														asm("cld");
                                          														_pop(es);
                                          														 *_t305 =  *_t305 + _t305;
                                          														asm("lock pop es");
                                          														 *_t305 =  *_t305 + _t305;
                                          														asm("rol byte [edi], 0x0");
                                          														_t305 =  &(( &(( &((_t305 + _t305)[ *(_t305 + _t305)]))[ &((_t305 + _t305)[ *(_t305 + _t305)])]))[( &((_t305 + _t305)[ *(_t305 + _t305)]))[ &((_t305 + _t305)[ *(_t305 + _t305)])]]);
                                          														goto L131;
                                          													}
                                          												}
                                          												goto L136;
                                          											}
                                          											continue;
                                          											L126:
                                          											_push( *((intOrPtr*)(_t305 - 0x78)));
                                          										}
                                          									} else {
                                          										 *_t305 =  *_t305 - _t387;
                                          										if( *_t305 > 0) {
                                          											L132:
                                          											 *((intOrPtr*)(_t305 - 0x7fffffff)) =  *((intOrPtr*)(_t305 - 0x7fffffff)) + _t305;
                                          											 *_t305 =  *_t305 + _t305;
                                          											 *_t305 =  *_t305 + _t305;
                                          											 *_t305 =  *_t305 + _t305;
                                          											 *_t305 =  *_t305 + _t305;
                                          											 *_t305 =  *_t305 + _t305;
                                          											 *_t305 =  *_t305 + _t305;
                                          											_t310 = _t305 +  *_t305;
                                          											 *_t310 =  *_t310 + _t310;
                                          											asm("sldt word [eax]");
                                          											 *_t404 =  *_t404 >> 0;
                                          											_t305 = _t310 + _t395;
                                          											 *_t305 =  *_t305 + 1;
                                          											 *((intOrPtr*)(_t305 + 0x726f4600)) =  *((intOrPtr*)(_t305 + 0x726f4600)) + _t305;
                                          											asm("insd");
                                          											 *_t305 =  *_t305 ^ _t305;
                                          											 *[es:edi] =  *[es:edi] + _t305;
                                          											 *0x2d =  *0x2d + _t395;
                                          											_t379 = 1;
                                          											 *_t305 =  *_t305 + _t305;
                                          											if( *_t305 >= 0) {
                                          												 *_t305 =  *_t305 + _t305;
                                          												_push(0x46000001);
                                          												L134:
                                          												 *_t305 =  *_t305 + _t305;
                                          												_t406 = _t406 + 1;
                                          												_t379 = _t379 + _t379;
                                          											}
                                          											 *(_t305 + _t305) =  *(_t305 + _t305) + 1;
                                          											 *_t305 =  *_t305 + _t305;
                                          											 *_t305 =  *_t305 + _t305;
                                          											 *_t305 =  *_t305 + _t305;
                                          											_t305 = _t305 & 0x00000040;
                                          											 *_t305 =  *_t305 + _t305;
                                          											asm("invalid");
                                          										} else {
                                          											 *_t404 =  *_t404 + _t305;
                                          											 *_t305 = _t387;
                                          											 *(_t305 + 0x7007077) = _t387;
                                          											 *_t395 =  *_t395 & 0x00000082;
                                          											_t404[0x70] = _t404[0x70] - _t395;
                                          											 *_t404 =  *_t404 + _t305;
                                          											 *_t305 = _t387;
                                          											 *_t305 =  *_t305 - 0x77;
                                          											if ( *_t305 > 0) goto L122;
                                          											_pop(es);
                                          											 *(_t395 + 0x77f7ff2f) = _t305;
                                          											 *((intOrPtr*)(_t305 - 0x78)) =  *((intOrPtr*)(_t305 - 0x78)) + _t379;
                                          											asm("invalid");
                                          											goto L123;
                                          										}
                                          									}
                                          								}
                                          								L136:
                                          								asm("invalid");
                                          								asm("invalid");
                                          								asm("invalid");
                                          								 *_t305 =  *_t305 + _t305;
                                          								 *_t305 =  *_t305 + _t305;
                                          								 *0x8004025 =  *0x8004025 + 0x8004026;
                                          								 *0x8004025 =  *0x8004025 + 0x8004026;
                                          								 *0x8004025 =  *0x8004025 + _t379;
                                          								asm("adc al, 0x81");
                                          								 *0x8004025 =  *0x8004025 + 0x8004026;
                                          								 *0x8004025 =  *0x8004025 + 0x8004026;
                                          								 *0x8004025 =  *0x8004025 + 0x8004026;
                                          								 *0x8004025 =  *0x8004025 + 0x8004026;
                                          								 *0x8004025 =  *0x8004025 + 0x8004026;
                                          								 *0x8004025 =  *0x8004025 + 0x8004026;
                                          								 *0x08004040 =  *((intOrPtr*)(0x8004040)) + _t379;
                                          								 *0x8004025 =  *0x8004025 + _t395;
                                          								 *0x8004025 =  *0x8004025 + 0x8004027;
                                          								asm("repne lds ecx, [esi+0x55]");
                                          								_v770282720 = cs;
                                          								asm("das");
                                          								_t407 = _t406 + 1;
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								 *0x8004025 =  *0x8004025 + 0x8004025;
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								asm("adc [eax], al");
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								asm("loope 0x6");
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								 *0x1000804A =  *((intOrPtr*)(0x1000804a)) + _t387;
                                          								 *_t387 =  *_t387 + 0x44;
                                          								 *_t395 =  *_t395 + 0x44;
                                          								_a64 = _a64 + 0x45;
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								_t382 = _t379 + _t379;
                                          								asm("invalid");
                                          								asm("invalid");
                                          								asm("invalid");
                                          								 *0x8004025 =  *0x8004025 + 1;
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								 *0x8004025 =  *0x8004025 + _t382;
                                          								 *((intOrPtr*)(0x8004025 + _t395 * 4)) =  *((intOrPtr*)(0x8004025 + _t395 * 4)) + _t387;
                                          								 *((intOrPtr*)(0x1000804a)) =  *((intOrPtr*)(0x1000804a)) + _t387;
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								asm("in al, 0x1b");
                                          								 *_t387 =  *_t387 + 0x44;
                                          								 *0x8004025 =  *0x8004025 + 0x48;
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								 *((intOrPtr*)(_t387 + _t407 * 8 - 0x4b)) =  *((intOrPtr*)(_t387 + _t407 * 8 - 0x4b)) + _t387;
                                          								asm("sbb eax, [eax]");
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								 *_t404 =  *_t404 + _t387;
                                          								asm("bound eax, [eax]");
                                          								asm("o16 add [ebp], dh");
                                          								if ( *_t404 >= 0) goto L137;
                                          								asm("arpl [eax], ax");
                                          								asm("popad");
                                          								 *0x100080AF =  *((intOrPtr*)(0x100080af)) + _t395;
                                          								 *0x1000806A =  *((intOrPtr*)(0x1000806a)) + 0x8c;
                                          								 *_t407 =  *_t407 + _t387;
                                          								if ( *_t407 != 0) goto L138;
                                          								asm("insd");
                                          								 *_t395 =  *_t395 + 0x8c;
                                          								 *[gs:ecx] =  *[gs:ecx] + 0x44;
                                          								 *((intOrPtr*)(0x1000804a)) =  *((intOrPtr*)(0x1000804a)) + 0x44;
                                          								_t321 = 0;
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								asm("invalid");
                                          								asm("invalid");
                                          								asm("invalid");
                                          								asm("invalid");
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								 *0x8004025 =  *0x8004025 + 0x44;
                                          								if( *0x8004025 >= 0) {
                                          									_t321 = 1;
                                          									 *((intOrPtr*)(0x8004025 + 0x40 + _t395 * 4)) =  *((intOrPtr*)(0x8004025 + 0x40 + _t395 * 4)) + _t387;
                                          									 *_t387 =  *_t387 + _t382;
                                          									 *0x8004025 =  *0x8004025 + 0x44;
                                          									 *((intOrPtr*)(_t416 + _t382 + 0x40)) =  *((intOrPtr*)(_t416 + _t382 + 0x40)) + _t387;
                                          									 *0x8004025 =  *0x8004025 + 0x44;
                                          									 *0x8004025 =  *0x8004025 + 0x44;
                                          									 *0x8004025 =  *0x8004025 + 0x44;
                                          									 *0x8004025 =  *0x8004025 + 0x44;
                                          									 *0x8004025 =  *0x8004025 + 0x44;
                                          									 *0x8004025 =  *0x8004025 + 0x44;
                                          									 *((intOrPtr*)(_t416 + _t382 + 0x40)) =  *((intOrPtr*)(_t416 + _t382 + 0x40)) + _t387;
                                          									 *_t404 =  *_t404 + _t387;
                                          									 *0x8004025 =  *0x8004025 + 0x44;
                                          									 *0x8004025 =  *0x8004025 + _t395;
                                          									 *0x8004025 =  *0x8004025 + 0x44;
                                          									 *_t387 =  *_t387 + _t395;
                                          								}
                                          								asm("adc [eax], eax");
                                          								 *_t321 =  *_t321 + _t321;
                                          								asm("adc al, [eax]");
                                          								 *_t321 =  *_t321 + _t321;
                                          								asm("adc eax, [eax]");
                                          								 *_t321 =  *_t321 + _t321;
                                          								asm("adc al, 0x0");
                                          								 *_t321 =  *_t321 + _t321;
                                          								asm("adc eax, 0x16000000");
                                          								 *_t321 =  *_t321 + _t321;
                                          								 *_t404 =  *_t404 + _t395;
                                          								 *_t321 =  *_t321 + _t321;
                                          								 *_t321 =  *_t321 + _t382;
                                          								 *_t321 =  *_t321 + _t321;
                                          								 *_t387 =  *_t387 + _t382;
                                          								 *_t321 =  *_t321 + _t321;
                                          								 *_t395 =  *_t395 + _t382;
                                          								 *_t321 =  *_t321 + _t321;
                                          								 *_t382 =  *_t382 + _t382;
                                          								 *_t321 =  *_t321 + _t321;
                                          								 *((intOrPtr*)(_t321 + _t321)) =  *((intOrPtr*)(_t321 + _t321)) + _t382;
                                          								 *_t321 =  *_t321 + _t321;
                                          								asm("sbb eax, 0x1e000000");
                                          								 *_t321 =  *_t321 + _t321;
                                          								 *_t404 =  *_t404 + _t382;
                                          								 *_t321 =  *_t321 + _t321;
                                          								 *_t321 =  *_t321 + _t321;
                                          								 *_t321 =  *_t321 + _t321;
                                          								 *_t387 =  *_t387 + _t321;
                                          								 *_t321 =  *_t321 + _t321;
                                          								 *_t395 =  *_t395 + _t321;
                                          								 *_t321 =  *_t321 + _t321;
                                          								 *_t382 =  *_t382 + _t321;
                                          								 *_t321 =  *_t321 + _t321;
                                          								 *((intOrPtr*)(_t321 + _t321)) =  *((intOrPtr*)(_t321 + _t321)) + _t321;
                                          								 *_t321 =  *_t321 + _t321;
                                          								_t322 = _t321 & 0x26000000;
                                          								 *_t322 =  *_t322 + _t322;
                                          								 *_t404 =  *_t404 + _t322;
                                          								 *_t322 =  *_t322 + _t322;
                                          								 *((intOrPtr*)(_t407 + 0x42)) =  *((intOrPtr*)(_t407 + 0x42)) + _t395;
                                          								_t323 = _t322 ^ 0x2a1ff021;
                                          								 *_t323 =  *_t323 + _t323;
                                          								 *_t323 =  *_t323 + _t323;
                                          								 *_t323 =  *_t323 + _t323;
                                          								 *_t323 =  *_t323 + _t323;
                                          								 *_t323 =  *_t323 + _t323;
                                          								 *_t323 =  *_t323 + _t323;
                                          								 *_t407 =  *_t407 + _t382;
                                          								 *_t323 =  *_t323 + _t323;
                                          								 *_t323 =  *_t323 + _t323;
                                          								 *_t323 =  *_t323 + _t323;
                                          								 *_t323 =  *_t323 + _t323;
                                          								 *_t323 =  *_t323 + _t323;
                                          								 *_t323 =  *_t323 + _t323;
                                          								_t324 = _t323 |  *_t323;
                                          								 *(_t324 + _t324) =  *(_t324 + _t324) | _t324;
                                          								 *_t324 =  *_t324 + _t324;
                                          								 *_t324 =  *_t324 + _t324;
                                          								 *_t324 =  *_t324 + _t324;
                                          								 *_t324 =  *_t324 + _t324;
                                          								 *_t324 =  *_t324 + _t324;
                                          								 *_t324 =  *_t324 & _t324;
                                          								_t325 = _t324 + _t395;
                                          								 *_t325 =  *_t325 ^ _t325;
                                          								_t383 = _t382 + _t382;
                                          								asm("invalid");
                                          								 *_t325 =  *_t325 | _t325;
                                          								 *_t325 =  *_t325 + _t325;
                                          								 *_t325 =  *_t325 + _t325;
                                          								 *_t325 =  *_t325 + _t325;
                                          								 *_t325 =  *_t325 + _t325;
                                          								 *_t325 =  *_t325 + _t325;
                                          								goto 0x58401cfd;
                                          								asm("sbb eax, [eax]");
                                          								 *_t383 =  *_t383 & _t383;
                                          								_t327 = _t325 + 1 + _t383;
                                          								asm("adc eax, 0x780040");
                                          								 *_t327 =  *_t327 + _t327;
                                          								 *_t327 =  *_t327 + _t327;
                                          								_t328 =  *0xa1000000;
                                          								 *_t328 =  *_t328 + _t328;
                                          								 *_t328 =  *_t328 + _t328;
                                          								 *_t328 =  *_t328 + _t328;
                                          								 *_t328 =  *_t328 + _t328;
                                          								 *_t328 =  *_t328 + _t328;
                                          								 *_t328 =  *_t328 + _t328;
                                          								 *_t328 =  *_t328 + _t328;
                                          								 *_t328 =  *_t328 + _t328;
                                          								 *_t328 =  *_t328 + _t328;
                                          								 *((intOrPtr*)(_t395 + 0x75)) =  *((intOrPtr*)(_t395 + 0x75)) + _t395;
                                          								asm("outsb");
                                          								_t410 =  &_a1;
                                          								if(_t410 < 0) {
                                          									L146:
                                          									 *((intOrPtr*)(_t328 + _t328 + 0x73)) =  *((intOrPtr*)(_t328 + _t328 + 0x73)) + _t383;
                                          									 *_t410 =  *_t410 + _t328;
                                          									 *[gs:ecx] =  *[gs:ecx] + _t383;
                                          									goto L148;
                                          								} else {
                                          									_t410 =  &_v1;
                                          									asm("gs insd");
                                          									asm("outsd");
                                          									if(_t410 < 0) {
                                          										L153:
                                          										 *((intOrPtr*)(_t328 + _t328 + 0x61)) =  *((intOrPtr*)(_t328 + _t328 + 0x61)) + _t395;
                                          										asm("popad");
                                          										 *((intOrPtr*)(_t328 + _t328 + 0x4c)) =  *((intOrPtr*)(_t328 + _t328 + 0x4c)) + _t383;
                                          										 *_t404 =  *_t404 + _t387;
                                          										goto L155;
                                          									} else {
                                          										 *((intOrPtr*)(_t395 + 0x75)) =  *((intOrPtr*)(_t395 + 0x75)) + _t395;
                                          										asm("outsb");
                                          										_a120 = _a120 & _t328;
                                          										asm("arpl [gs:ebp+0x74], si");
                                          										asm("popad");
                                          										asm("bound ebp, [ebp+0x20]");
                                          										asm("o16 jb 0x72");
                                          										asm("insd");
                                          										_t237 =  &_a101;
                                          										 *_t237 = _a101 & _t387;
                                          										asm("insd");
                                          										asm("outsd");
                                          										if( *_t237 >= 0) {
                                          											 *_t328 =  *_t328 + _t328;
                                          											_t515 =  *_t328;
                                          											if(_t515 < 0) {
                                          												L148:
                                          												 *_t387 =  *_t387 + _t383;
                                          												_t518 =  *_t387;
                                          												if (_t518 < 0) goto L150;
                                          												 *[gs:eax+eax+0x5c] =  *[gs:eax+eax+0x5c] + _t395;
                                          												 *_t387 =  *_t387 + _t328;
                                          												_t519 =  *_t387;
                                          												if (_t519 < 0) goto L151;
                                          												if (_t519 < 0) goto L152;
                                          												 *_t387 =  *_t387 + _t328;
                                          												goto L153;
                                          											} else {
                                          												if(_t515 == 0) {
                                          													_push(0x6b);
                                          													_t410 =  *_t407 * 0x10000;
                                          													_t366 = _t328 +  *_t328 & 0x00000040;
                                          													 *_t366 =  *_t366 + _t366;
                                          													asm("invalid");
                                          													asm("invalid");
                                          													asm("invalid");
                                          													asm("invalid");
                                          													 *_t366 =  *_t366 + _t366;
                                          													 *_t366 =  *_t366 + _t366;
                                          													_t368 = _t366 - 1 + 1;
                                          													 *((intOrPtr*)(_t368 + _t395 * 4)) =  *((intOrPtr*)(_t368 + _t395 * 4)) + _t383;
                                          													_t369 = _t368 + 1;
                                          													 *_t383 =  *_t383 + _t395;
                                          													 *_t369 =  *_t369 + _t369;
                                          													 *((intOrPtr*)(_t410 + _t383 + 0x40)) =  *((intOrPtr*)(_t410 + _t383 + 0x40)) + _t395;
                                          													 *_t369 =  *_t369 + _t369;
                                          													 *_t369 =  *_t369 + _t369;
                                          													 *_t369 =  *_t369 + _t369;
                                          													 *_t369 =  *_t369 + _t369;
                                          													 *_t369 =  *_t369 + _t369;
                                          													_t328 = _t416;
                                          													_t416 = _t369;
                                          													asm("sbb eax, 0x5c0040");
                                          													goto L146;
                                          												}
                                          											}
                                          											L155:
                                          											asm("outsd");
                                          											 *_t383 =  *_t383 + _t328;
                                          											asm("popad");
                                          											 *((intOrPtr*)(_t328 + _t328 + 0x5c)) =  *((intOrPtr*)(_t328 + _t328 + 0x5c)) + _t387;
                                          											 *_t410 =  *_t410 + _t387;
                                          											_t328 =  *_t328 * 0x720063;
                                          										}
                                          									}
                                          								}
                                          								asm("outsd");
                                          								 *_t383 =  *_t383 + _t395;
                                          								asm("outsd");
                                          								 *_t407 =  *_t407 + _t328;
                                          								if ( *_t407 == 0) goto L157;
                                          								 *_t404 =  *_t404 + _t395;
                                          								_t329 =  *_t328 * 0x64006e;
                                          								asm("outsd");
                                          								 *_t404 =  *_t404 + _t395;
                                          								if ( *_t404 >= 0) goto L158;
                                          								 *_t410 =  *_t410 + _t329;
                                          								_t526 =  *_t410;
                                          								if (_t526 < 0) goto L159;
                                          								if (_t526 < 0) goto L160;
                                          								asm("insb");
                                          								 *_t404 =  *_t404 + _t387;
                                          								if ( *_t404 < 0) goto L161;
                                          								 *[gs:edx] =  *[gs:edx] + _t395;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								 *_t329 =  *_t329 + _t329;
                                          								_t330 = _t329 & 0x00000040;
                                          								 *_t330 =  *_t330 + _t330;
                                          								_t384 = _t383 + _t383;
                                          								asm("invalid");
                                          								 *_t330 =  *_t330 + 1;
                                          								 *_t330 =  *_t330 + _t330;
                                          								_t333 = (_t330 + _t387 & 0x90180040) + 1;
                                          								 *((intOrPtr*)(_t333 + _t333)) =  *((intOrPtr*)(_t333 + _t333)) + _t387;
                                          								 *_t333 =  *_t333 + _t333;
                                          								asm("fcomp dword [esi]");
                                          								_t334 = _t333 + 1;
                                          								 *_t334 =  *_t334 + _t334;
                                          								 *_t334 =  *_t334 + _t334;
                                          								 *_t334 =  *_t334 + _t334;
                                          								 *_t334 =  *_t334 + _t334;
                                          								 *_t334 =  *_t334 + _t334;
                                          								 *_t334 =  *_t334 + _t334;
                                          								_t336 = _t334 + _t384 + 1;
                                          								 *_t387 =  *_t387 + _t336;
                                          								 *_t336 =  *_t336 + _t336;
                                          								 *((intOrPtr*)(_t336 + _t407)) =  *((intOrPtr*)(_t336 + _t407)) + _t384;
                                          								_t337 = _t336 + 1;
                                          								 *_t337 =  *_t337 + _t337;
                                          								 *_t337 =  *_t337 + _t337;
                                          								 *_t337 =  *_t337 + _t387;
                                          								ds = ds;
                                          								_t338 = _t337 + 1;
                                          								 *_t387 =  *_t387 + _t338;
                                          								 *_t338 =  *_t338 + _t338;
                                          								 *_t338 =  *_t338 + _t395;
                                          								_pop(ds);
                                          								_t339 = _t338 + 1;
                                          								 *_t339 =  *_t339 + _t339;
                                          								 *_t339 =  *_t339 + _t339;
                                          								_t404[_t384] = _t404[_t384] + _t387;
                                          								_t340 = _t339 + 1;
                                          								 *_t387 =  *_t387 + _t340;
                                          								 *_t340 =  *_t340 + _t340;
                                          								 *_t340 =  *_t340 + _t395;
                                          								_pop(ds);
                                          								_t341 = _t340 + 1;
                                          								 *_t384 =  *_t384 + _t341;
                                          								_t404[0x6c006801] = _t404[0x6c006801] + _t395;
                                          								 *_t341 =  *_t341 + _t384;
                                          								_pop(ds);
                                          								 *((intOrPtr*)(_t387 + _t384 * 4)) =  *((intOrPtr*)(_t387 + _t384 * 4)) + _t384;
                                          								_t343 = _t341 + 2;
                                          								 *_t343 =  *_t343 + _t343;
                                          								 *_t343 =  *_t343 + _t343;
                                          								_t345 = _t343 + _t387 &  *(_t410 + _t343 + _t387 + 0x57);
                                          								 *_t387 =  *_t387 + _t387;
                                          								asm("outsb");
                                          								 *((intOrPtr*)(_t345 + _t345 + 0x6f)) =  *((intOrPtr*)(_t345 + _t345 + 0x6f)) + _t345;
                                          								 *_t404 =  *_t404 + _t395;
                                          								if ( *_t404 >= 0) goto L162;
                                          								 *_t410 =  *_t410 + _t345;
                                          								_t530 =  *_t410;
                                          								if (_t530 < 0) goto L163;
                                          								if (_t530 < 0) goto L164;
                                          								asm("insb");
                                          								 *_t404 =  *_t404 + _t387;
                                          								if ( *_t404 < 0) goto L165;
                                          								 *[gs:edx] =  *[gs:edx] + _t395;
                                          								 *_t345 =  *_t345 + _t345;
                                          								 *_t345 =  *_t345 + _t345;
                                          								 *_t345 =  *_t345 + _t345;
                                          								 *_t345 =  *_t345 + _t345;
                                          								 *_t345 =  *_t345 + _t345;
                                          								 *_t345 =  *_t345 + _t345;
                                          								 *_t345 =  *_t345 + _t345;
                                          								 *_t345 =  *_t345 + _t345;
                                          								 *_t345 =  *_t345 ^ _t345;
                                          								_pop(_t422);
                                          								 *_t345 =  *_t345 ^ _t345;
                                          								_t346 = _t345 + 1;
                                          								 *_t404 =  *_t404 + _t384;
                                          								 *((intOrPtr*)(_t346 + _t346)) =  *((intOrPtr*)(_t346 + _t346)) + _t395;
                                          								 *_t346 =  *_t346 + _t346;
                                          								asm("insb");
                                          								 *_t346 =  *_t346 ^ _t346;
                                          								asm("invalid");
                                          								asm("invalid");
                                          								 *_t346 =  *_t346 + _t346;
                                          								 *_t346 =  *_t346 + _t346;
                                          								 *_t346 =  *_t346 + _t346;
                                          								 *_t346 =  *_t346 + _t346;
                                          								_pop(ds);
                                          								_t347 = _t346 + 1;
                                          								 *((intOrPtr*)(_t347 + 3)) =  *((intOrPtr*)(_t347 + 3)) + _t395;
                                          								_t424 = _t422 + 2;
                                          								_t348 = _t347 + 0x40307c;
                                          								asm("invalid");
                                          								asm("invalid");
                                          								asm("loopne 0x21");
                                          								_pop(ds);
                                          								_pop(ds);
                                          								_pop(ds);
                                          								_t351 = _t348 + 3;
                                          								 *_t351 =  *_t351 + _t351;
                                          								 *_t351 =  *_t351 + _t351;
                                          								 *_t351 =  *_t351 + _t395 + _t384;
                                          								_pop(ds);
                                          								_t352 = _t351 + 1;
                                          								 *((intOrPtr*)(_t352 + 0x1e)) =  *((intOrPtr*)(_t352 + 0x1e)) + _t352;
                                          								asm("adc eax, 0x15d80040");
                                          								_t354 = _t352 + 2;
                                          								asm("adc eax, 0x40");
                                          								 *_t354 =  *_t354 + _t354;
                                          								 *_t354 =  *_t354 + _t354;
                                          								 *_t354 =  *_t354 + _t354;
                                          								 *_t354 =  *_t354 + _t354;
                                          								 *_t354 =  *_t354 + _t354;
                                          								 *_t354 =  *_t354 + _t354;
                                          								 *_t354 =  *_t354 + _t354;
                                          								 *_t354 =  *_t354 + _t354;
                                          								 *_t354 =  *_t354 + _t354;
                                          								 *_t354 =  *_t354 + _t354;
                                          								 *_t354 =  *_t354 + _t354;
                                          								asm("fcomp dword [edi]");
                                          								_t355 = _t354 + 1;
                                          								 *_t355 =  *_t355 + _t355;
                                          								 *_t355 =  *_t355 + _t355;
                                          								 *_t355 =  *_t355 + _t355;
                                          								 *_t355 =  *_t355 + _t355;
                                          								 *_t355 =  *_t355 + _t355;
                                          								 *_t355 =  *_t355 + _t355;
                                          								 *_t355 =  *_t355 + _t355;
                                          								 *_t355 =  *_t355 + _t355;
                                          								 *_t355 =  *_t355 + _t355;
                                          								 *_t355 =  *_t355 + _t355;
                                          								 *_t355 =  *_t355 + _t355;
                                          								 *_t355 =  *_t355 + _t355;
                                          								 *_t355 =  *_t355 + _t355;
                                          								 *_t355 =  *_t355 + _t355;
                                          								 *_t355 =  *_t355 + _t355;
                                          								 *_t355 =  *_t355 + _t355;
                                          								 *_t355 =  *_t355 + _t355;
                                          								 *_t355 =  *_t355 + _t355;
                                          								 *_t355 =  *_t355 + _t355;
                                          								 *_t355 =  *_t355 + _t355;
                                          								 *_t355 =  *_t355 + _t355;
                                          								 *_t355 =  *_t355 + _t355;
                                          								 *_t355 =  *_t355 + _t355;
                                          								 *_t355 =  *_t355 + _t355;
                                          								 *_t355 =  *_t355 + _t355;
                                          								 *_t355 =  *_t355 + _t355;
                                          								 *_t355 =  *_t355 + _t355;
                                          								 *_t355 =  *_t355 + _t355;
                                          								 *_t355 =  *_t355 + _t355;
                                          								 *_t355 =  *_t355 + _t355;
                                          								 *_t355 =  *_t355 + _t355;
                                          								 *_t355 =  *_t355 + _t355;
                                          								_pop(ds);
                                          								_t356 = _t355 + 1;
                                          								 *_t356 =  *_t356 + _t356;
                                          								 *_t356 =  *_t356 + _t356;
                                          								 *_t356 =  *_t356 + _t356;
                                          								 *_t356 =  *_t356 + _t356;
                                          								 *_t356 =  *_t356 + _t356;
                                          								 *_t356 =  *_t356 + _t356;
                                          								 *_t356 =  *_t356 + _t356;
                                          								 *_t356 =  *_t356 + _t356;
                                          								 *_t356 =  *_t356 + _t356;
                                          								 *_t356 =  *_t356 + _t356;
                                          								 *_t356 =  *_t356 + _t356;
                                          								 *_t356 =  *_t356 + _t356;
                                          								 *_t356 =  *_t356 + _t356;
                                          								 *_t356 =  *_t356 + _t356;
                                          								 *((intOrPtr*)(_t387 + _t387 + _t355 + 0x3304246c)) =  *((intOrPtr*)(_t387 + _t387 + _t355 + 0x3304246c)) + _t356;
                                          								 *_t356 =  *_t356 + _t356;
                                          								asm("stosd");
                                          								 *((intOrPtr*)(_t356 - 1)) =  *((intOrPtr*)(_t356 - 1)) + _t356 - 1;
                                          								_a70 = _a70 - 0x33;
                                          								_t425 = _t424 - 0xc;
                                          								 *[fs:0x0] = _t425;
                                          								_a50 = _t425 - 0x1c;
                                          								_a54 = 0x401398;
                                          								_t359 = _a70;
                                          								_a58 = _t359 & 0x00000001;
                                          								_t360 = _t359 & 0xfffffffe;
                                          								_a70 = _t360;
                                          								 *((intOrPtr*)( *_t360 + 4))(_t360, _t404, _t407, _t384,  *[fs:0x0], 0x4013e6, _t410);
                                          								E00403480();
                                          								__imp____vbaSetSystemError();
                                          								_a58 = 0;
                                          								_t362 = _a70;
                                          								 *((intOrPtr*)( *_t362 + 8))(_t362);
                                          								 *[fs:0x0] = _a42;
                                          								return _a58;
                                          							}
                                          						}
                                          					}
                                          					if(_t443 > 0) {
                                          						goto L54;
                                          					} else {
                                          						 *_t305 =  *_t305 + _t305;
                                          						 *_t305 =  *_t305 + _t305;
                                          						 *_t305 =  *_t305 + _t305;
                                          						_pop(es);
                                          						 *_t305 = _t386;
                                          						_t306 = _t305 &  *_t395;
                                          						_t387 = _t386 &  *_t306;
                                          						_t445 = _t387;
                                          						_t49 = _t403 + 0x77;
                                          						_t50 = _t406;
                                          						_t406 =  *_t49;
                                          						 *_t49 = _t50;
                                          						goto L22;
                                          					}
                                          					goto L114;
                                          				}
                                          			}
                                          0x00401778
                                          0x0040177a
                                          0x0040177a
                                          0x0040177d
                                          0x004017ef
                                          0x004017ef
                                          0x004017f1
                                          0x004017f3
                                          0x004017f5
                                          0x004017fa
                                          0x004017fc
                                          0x004017fc
                                          0x004017fc
                                          0x004017fc
                                          0x004017ff
                                          0x00401801
                                          0x00401803
                                          0x00401803
                                          0x00401805
                                          0x00401829
                                          0x0040182e
                                          0x004018a9
                                          0x004018aa
                                          0x00401922
                                          0x00000000
                                          0x004018ab
                                          0x004018ab
                                          0x00401924
                                          0x00401924
                                          0x00401927
                                          0x0040192a
                                          0x0040192d
                                          0x0040192f
                                          0x00401930
                                          0x00401930
                                          0x00401931
                                          0x00401933
                                          0x00401935
                                          0x00401937
                                          0x00000000
                                          0x00000000
                                          0x00401939
                                          0x00401939
                                          0x0040193c
                                          0x0040193c
                                          0x0040193e
                                          0x00401940
                                          0x00401942
                                          0x00401944
                                          0x00401946
                                          0x00401948
                                          0x0040194a
                                          0x0040194c
                                          0x0040194e
                                          0x0040194f
                                          0x00401951
                                          0x00401953
                                          0x00401955
                                          0x00401957
                                          0x00401959
                                          0x0040195b
                                          0x0040195d
                                          0x00401960
                                          0x00401963
                                          0x00401965
                                          0x00401967
                                          0x00401969
                                          0x0040196b
                                          0x0040196c
                                          0x0040196e
                                          0x0040196f
                                          0x00401970
                                          0x00401972
                                          0x00401973
                                          0x00401974
                                          0x00401976
                                          0x00401977
                                          0x00401978
                                          0x00000000
                                          0x00401978
                                          0x004018ac
                                          0x004018ac
                                          0x004018ac
                                          0x004018ab
                                          0x00401830
                                          0x00401830
                                          0x00401831
                                          0x00401832
                                          0x00401834
                                          0x00401834
                                          0x00401834
                                          0x00401835
                                          0x00401859
                                          0x00401859
                                          0x00401859
                                          0x0040185c
                                          0x0040185c
                                          0x0040185c
                                          0x0040185c
                                          0x00401837
                                          0x00401837
                                          0x00401839
                                          0x00401839
                                          0x0040183c
                                          0x0040183c
                                          0x0040183c
                                          0x0040183c
                                          0x0040183e
                                          0x0040183e
                                          0x00000000
                                          0x00000000
                                          0x0040183f
                                          0x0040183f
                                          0x004018b7
                                          0x004018b7
                                          0x00401840
                                          0x00401840
                                          0x004018b1
                                          0x004018b4
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00401841
                                          0x00401841
                                          0x00401842
                                          0x00401844
                                          0x00401845
                                          0x00401849
                                          0x0040184b
                                          0x00401851
                                          0x00401853
                                          0x00401854
                                          0x00401855
                                          0x00401857
                                          0x00401857
                                          0x00000000
                                          0x00401857
                                          0x00401840
                                          0x0040183f
                                          0x0040183e
                                          0x00401835
                                          0x00401807
                                          0x00401807
                                          0x0040180d
                                          0x0040180e
                                          0x00401886
                                          0x00000000
                                          0x0040180f
                                          0x0040180f
                                          0x00401887
                                          0x00401887
                                          0x0040188d
                                          0x0040188f
                                          0x00401908
                                          0x00401979
                                          0x00401979
                                          0x0040197b
                                          0x0040197c
                                          0x0040197e
                                          0x0040197f
                                          0x00000000
                                          0x00401909
                                          0x00401909
                                          0x00401981
                                          0x00401981
                                          0x00401983
                                          0x00401986
                                          0x00401988
                                          0x00401989
                                          0x0040198b
                                          0x0040198e
                                          0x00401991
                                          0x00401993
                                          0x00401995
                                          0x00401997
                                          0x00401999
                                          0x0040199b
                                          0x0040199d
                                          0x0040199f
                                          0x004019a2
                                          0x004019a4
                                          0x004019a6
                                          0x004019a8
                                          0x004019aa
                                          0x004019ac
                                          0x004019ae
                                          0x004019b4
                                          0x004019b6
                                          0x004019b7
                                          0x004019b7
                                          0x0040190a
                                          0x0040190a
                                          0x0040190a
                                          0x00401909
                                          0x00401891
                                          0x00401891
                                          0x00401893
                                          0x00401893
                                          0x00401893
                                          0x00401893
                                          0x00401810
                                          0x00401810
                                          0x00401881
                                          0x00401882
                                          0x00401883
                                          0x00401883
                                          0x00401883
                                          0x00401811
                                          0x00401811
                                          0x00401812
                                          0x00401814
                                          0x00401814
                                          0x00401814
                                          0x00401814
                                          0x00401810
                                          0x0040180f
                                          0x0040180e
                                          0x0040177f
                                          0x0040177f
                                          0x00401781
                                          0x00401783
                                          0x00401785
                                          0x00401787
                                          0x00401789
                                          0x00401789
                                          0x0040178c
                                          0x0040178c
                                          0x0040178c
                                          0x0040178c
                                          0x0040178f
                                          0x00401791
                                          0x00401793
                                          0x00401795
                                          0x00401797
                                          0x00401799
                                          0x00000000
                                          0x0040179b
                                          0x0040179b
                                          0x004017a1
                                          0x004017a3
                                          0x004017a5
                                          0x004017a7
                                          0x004017aa
                                          0x004017b0
                                          0x004017b2
                                          0x004017b4
                                          0x004017b6
                                          0x004017b6
                                          0x004017b9
                                          0x00000000
                                          0x004017bb
                                          0x004017bb
                                          0x004017c1
                                          0x004017c3
                                          0x004017c5
                                          0x004017c6
                                          0x00000000
                                          0x004017c8
                                          0x004017c8
                                          0x004017c8
                                          0x004017c8
                                          0x004017ca
                                          0x004017d0
                                          0x004017d2
                                          0x004017d4
                                          0x004017d4
                                          0x004017d6
                                          0x004017dc
                                          0x004017dc
                                          0x004017dc
                                          0x004017dc
                                          0x00000000
                                          0x004017dc
                                          0x004017c6
                                          0x004017b9
                                          0x00401799
                                          0x004019ba
                                          0x004019ba
                                          0x00000000
                                          0x00000000
                                          0x004019bc
                                          0x004019be
                                          0x004019c4
                                          0x004019c6
                                          0x004019c8
                                          0x004019cb
                                          0x004019cd
                                          0x004019cf
                                          0x004019d1
                                          0x004019d3
                                          0x004019d5
                                          0x004019d7
                                          0x004019d9
                                          0x004019db
                                          0x004019dd
                                          0x004019df
                                          0x004019e0
                                          0x004019e0
                                          0x004019e0
                                          0x004019e3
                                          0x004019e5
                                          0x004019e7
                                          0x004019ea
                                          0x004019ec
                                          0x004019ee
                                          0x004019f0
                                          0x004019f2
                                          0x004019f4
                                          0x004019f6
                                          0x004019f8
                                          0x004019fa
                                          0x004019fc
                                          0x004019fe
                                          0x00401a00
                                          0x00401a06
                                          0x00401a08
                                          0x00401a0f
                                          0x00401a12
                                          0x00401a18
                                          0x00401a1f
                                          0x00401a21
                                          0x00401a25
                                          0x00401a27
                                          0x00401a29
                                          0x00401a2b
                                          0x00401a2d
                                          0x00401a2f
                                          0x00401a2f
                                          0x00401a31
                                          0x00401a33
                                          0x00401a35
                                          0x00401a37
                                          0x00401a39
                                          0x00401a3b
                                          0x00401a3d
                                          0x00401a3f
                                          0x00401a41
                                          0x00401a43
                                          0x00401a45
                                          0x00401a47
                                          0x00401a4a
                                          0x00401a4c
                                          0x00401a4e
                                          0x00401a54
                                          0x00401a5a
                                          0x00401a5c
                                          0x00000000
                                          0x00000000
                                          0x00401a5e
                                          0x00401a60
                                          0x00401ad2
                                          0x00401ad2
                                          0x00401ad8
                                          0x00000000
                                          0x00401a62
                                          0x00401a62
                                          0x00401a64
                                          0x00401a8e
                                          0x00401a9a
                                          0x00401a9a
                                          0x00401a9a
                                          0x00401a9d
                                          0x00000000
                                          0x00401aa1
                                          0x00401aa1
                                          0x00401aa3
                                          0x00401aa3
                                          0x00401aa5
                                          0x00401aa7
                                          0x00401aaa
                                          0x00401aac
                                          0x00000000
                                          0x00401aae
                                          0x00401aae
                                          0x00401ab1
                                          0x00401ab3
                                          0x00401ab5
                                          0x00401ab7
                                          0x00401ab9
                                          0x00401abb
                                          0x00401abd
                                          0x00401abf
                                          0x00401ac0
                                          0x00401ac1
                                          0x00401ac3
                                          0x00401ac5
                                          0x00401ac7
                                          0x00401ad0
                                          0x00000000
                                          0x00401ad0
                                          0x00401ab5
                                          0x00000000
                                          0x00401aac
                                          0x00000000
                                          0x00401aa4
                                          0x00401aa4
                                          0x00401aa4
                                          0x00401a66
                                          0x00401a66
                                          0x00401a68
                                          0x00401ada
                                          0x00401ada
                                          0x00401ae0
                                          0x00401ae2
                                          0x00401ae4
                                          0x00401ae6
                                          0x00401ae8
                                          0x00401aea
                                          0x00401aec
                                          0x00401aee
                                          0x00401af0
                                          0x00401af3
                                          0x00401af6
                                          0x00401af8
                                          0x00401afa
                                          0x00401b01
                                          0x00401b02
                                          0x00401b04
                                          0x00401b07
                                          0x00401b0d
                                          0x00401b0f
                                          0x00401b11
                                          0x00401b13
                                          0x00401b15
                                          0x00401b17
                                          0x00401b17
                                          0x00401b19
                                          0x00401b1a
                                          0x00401b1a
                                          0x00401b1b
                                          0x00401b1e
                                          0x00401b20
                                          0x00401b22
                                          0x00401b24
                                          0x00401b2a
                                          0x00401b2c
                                          0x00401a6a
                                          0x00401a6a
                                          0x00401a6c
                                          0x00401a6e
                                          0x00401a74
                                          0x00401a77
                                          0x00401a7a
                                          0x00401a7c
                                          0x00401a7e
                                          0x00401a81
                                          0x00401a83
                                          0x00401a84
                                          0x00401a8a
                                          0x00401a8d
                                          0x00000000
                                          0x00401a8d
                                          0x00401a68
                                          0x00401a64
                                          0x00401b2e
                                          0x00401b2e
                                          0x00401b30
                                          0x00401b32
                                          0x00401b34
                                          0x00401b36
                                          0x00401b3f
                                          0x00401b41
                                          0x00401b43
                                          0x00401b45
                                          0x00401b47
                                          0x00401b49
                                          0x00401b4b
                                          0x00401b4d
                                          0x00401b4f
                                          0x00401b51
                                          0x00401b53
                                          0x00401b57
                                          0x00401b5a
                                          0x00401b5e
                                          0x00401b64
                                          0x00401b6a
                                          0x00401b6b
                                          0x00401b6c
                                          0x00401b6e
                                          0x00401b70
                                          0x00401b72
                                          0x00401b74
                                          0x00401b76
                                          0x00401b78
                                          0x00401b7a
                                          0x00401b7c
                                          0x00401b7e
                                          0x00401b80
                                          0x00401b82
                                          0x00401b84
                                          0x00401b86
                                          0x00401b88
                                          0x00401b8a
                                          0x00401b8c
                                          0x00401b8e
                                          0x00401b90
                                          0x00401b92
                                          0x00401b94
                                          0x00401b96
                                          0x00401b98
                                          0x00401b9a
                                          0x00401b9c
                                          0x00401b9e
                                          0x00401ba3
                                          0x00401ba7
                                          0x00401ba9
                                          0x00401bab
                                          0x00401baf
                                          0x00401bb1
                                          0x00401bb3
                                          0x00401bb5
                                          0x00401bb7
                                          0x00401bb9
                                          0x00401bbb
                                          0x00401bbd
                                          0x00401bbf
                                          0x00401bc3
                                          0x00401bc7
                                          0x00401bca
                                          0x00401bcc
                                          0x00401bcf
                                          0x00401bd1
                                          0x00401bd3
                                          0x00401bd5
                                          0x00401bd7
                                          0x00401bdd
                                          0x00401be7

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.187370632.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.187366833.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.187376517.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.187380014.000000000040B000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: #100
                                          • String ID:
                                          • API String ID: 1341478452-0
                                          • Opcode ID: 3c79f1d63829109156ca65ed2c1a82142431f912301f6e4aaa7c85b59915ed51
                                          • Instruction ID: 33eae2e466de30a24540706282549c015ee9e410deb3e1ff04bd6b7cc593eab2
                                          • Opcode Fuzzy Hash: 3c79f1d63829109156ca65ed2c1a82142431f912301f6e4aaa7c85b59915ed51
                                          • Instruction Fuzzy Hash: 975163A590E7C18FC3138BB09C696907FB0AE23254B0E46DBC4D1CF1F3E258185AC726
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          C-Code - Quality: 68%
                                          			E0040755D(void* __ebx, void* __ecx, void* __edi) {
                                          				void* _t312;
                                          				void* _t313;
                                          				void* _t435;
                                          
                                          				_t435 = __edi;
                                          				_t313 = __ecx;
                                          				_t312 = __ebx;
                                          				_pop(ds);
                                          			}







                                          APIs
                                          • __vbaGenerateBoundsError.MSVBVM60 ref: 0040756D
                                          • __vbaSetSystemError.MSVBVM60(?,?,000000F8), ref: 004075A0
                                          • __vbaAryUnlock.MSVBVM60(?), ref: 004075A9
                                          • __vbaStrMove.MSVBVM60(2C559A0AA43D1005C9D2341946332CCA461834D2301A45), ref: 004075D7
                                          • __vbaStrMove.MSVBVM60(GaF), ref: 004075F0
                                          • __vbaStrMove.MSVBVM60(00000000), ref: 00407600
                                          • __vbaStrMove.MSVBVM60(IiiJR), ref: 00407619
                                          • __vbaStrMove.MSVBVM60(00000000), ref: 00407629
                                          • __vbaStrMove.MSVBVM60(00000000), ref: 00407639
                                          • __vbaStrMove.MSVBVM60(8768812445710A3A0559260B0B280B), ref: 0040764D
                                          • __vbaStrMove.MSVBVM60(BSCZIT), ref: 00407666
                                          • __vbaStrMove.MSVBVM60(00000000), ref: 00407676
                                          • __vbaStrMove.MSVBVM60(vVv), ref: 0040768F
                                          • __vbaStrMove.MSVBVM60(00000000), ref: 0040769F
                                          • __vbaStrMove.MSVBVM60(00000000), ref: 004076AF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.187370632.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.187366833.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.187376517.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.187380014.000000000040B000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: __vba$Move$Error$BoundsGenerateSystemUnlock
                                          • String ID: 2C559A0AA43D1005C9D2341946332CCA461834D2301A45$8768812445710A3A0559260B0B280B$BSCZIT$GaF$IiiJR$PE$vVv
                                          • API String ID: 3067703738-732138114
                                          • Opcode ID: 570256536680db9460fc461fe7e03156a7606e9ec7c93b0f9f863553c18f9f03
                                          • Instruction ID: 1f950ad63f7518035fdc7379bf84a23baee0e5bd73e1a649290c7ec19ad5e4b7
                                          • Opcode Fuzzy Hash: 570256536680db9460fc461fe7e03156a7606e9ec7c93b0f9f863553c18f9f03
                                          • Instruction Fuzzy Hash: D271E5F1D001289BCB24DB50DC94ADEB778EF48300F5085EAA70A73195DA746F89CF58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • __vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000007,00000000,660CC33A,?,00000000), ref: 00406F6F
                                          • __vbaVarMove.MSVBVM60 ref: 00406FA0
                                          • __vbaVarMove.MSVBVM60 ref: 00406FCC
                                          • __vbaVarMove.MSVBVM60 ref: 00406FE8
                                          • __vbaVarMove.MSVBVM60 ref: 0040700E
                                          • __vbaVarMove.MSVBVM60 ref: 00407033
                                          • __vbaVarMove.MSVBVM60 ref: 0040705C
                                          • __vbaVarMove.MSVBVM60 ref: 00407085
                                          • __vbaVarMove.MSVBVM60 ref: 004070AE
                                          • #601.MSVBVM60(?,?), ref: 004070B8
                                          • __vbaErase.MSVBVM60(00000000,?), ref: 004070C3
                                          • __vbaVarMove.MSVBVM60 ref: 004070CF
                                            • Part of subcall function 00406E90: __vbaPowerR8.MSVBVM60(00000000,40000000,?,?,?,?,004070DC,?,0000001D), ref: 00406EBA
                                            • Part of subcall function 00406E90: __vbaFpI4.MSVBVM60(?,?,?,?,?,?,004070DC,?,0000001D), ref: 00406EE2
                                          • __vbaVarIndexLoad.MSVBVM60(?,?,00000001), ref: 00407102
                                          • __vbaI4Var.MSVBVM60(00000000), ref: 0040710C
                                          • __vbaFreeVar.MSVBVM60 ref: 00407118
                                          • __vbaFreeVar.MSVBVM60(00407145), ref: 0040713E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.187370632.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.187366833.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.187376517.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.187380014.000000000040B000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: __vba$Move$Free$#601EraseIndexLoadPowerRedim
                                          • String ID: $@$@
                                          • API String ID: 1180441480-3743272326
                                          • Opcode ID: 426bf9d5200cef7faec0a97437813a9aad631a84fab71374e6951b93d665a577
                                          • Instruction ID: 1eaf6484d2191e39fe9b5a62486ba86ac5c75a8fb0601f41840204c753b0b239
                                          • Opcode Fuzzy Hash: 426bf9d5200cef7faec0a97437813a9aad631a84fab71374e6951b93d665a577
                                          • Instruction Fuzzy Hash: 9A71E2B0D002189FEB18DFA9D998F9DFBB4FF44300F0181AAD51AAB261D774AA45CF51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • __vbaChkstk.MSVBVM60(00000000,004013E6), ref: 00405DDE
                                          • __vbaStrCopy.MSVBVM60(660E6A9B,?,660E1948,00000000,004013E6), ref: 00405E0B
                                          • __vbaStrCopy.MSVBVM60 ref: 00405E17
                                          • __vbaAryConstruct2.MSVBVM60(?,00402E34,00000002), ref: 00405E28
                                          • __vbaOnError.MSVBVM60(000000FF), ref: 00405E37
                                          • #717.MSVBVM60(?,00004008,00000080,00000000), ref: 00405E69
                                          • __vbaVar2Vec.MSVBVM60(?,?), ref: 00405E7A
                                          • __vbaAryMove.MSVBVM60(?,?), ref: 00405E8B
                                          • __vbaFreeVar.MSVBVM60 ref: 00405E94
                                          • __vbaVarForInit.MSVBVM60(?,?,?,00000002,00000002,00000002), ref: 00405F04
                                          • __vbaI4Var.MSVBVM60(?), ref: 00405F20
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.187370632.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.187366833.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.187376517.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.187380014.000000000040B000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: __vba$Copy$#717ChkstkConstruct2ErrorFreeInitMoveVar2
                                          • String ID: /
                                          • API String ID: 1582012848-2043925204
                                          • Opcode ID: 275715ee9b72550f7ce788d4dbee899db6f7053439f2e97fa1232a52deb63d51
                                          • Instruction ID: 3b40b447ad9e69bb096a1d3f86a4aa1dc761d61eab73f4dcac7a8685b1a9836d
                                          • Opcode Fuzzy Hash: 275715ee9b72550f7ce788d4dbee899db6f7053439f2e97fa1232a52deb63d51
                                          • Instruction Fuzzy Hash: 34412CB1800219DFDB10DF94CE49BDEBBB4FB48304F1080A9E646B6691D7781A88CF65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • __vbaStrCopy.MSVBVM60(?,660E6C30,660E0EBE), ref: 00406732
                                          • __vbaLenBstr.MSVBVM60(?), ref: 0040673C
                                          • #632.MSVBVM60(?,?,?,?), ref: 004067A0
                                          • __vbaStrVarVal.MSVBVM60(?,?), ref: 004067AE
                                          • #516.MSVBVM60(00000000), ref: 004067B5
                                          • __vbaFreeStr.MSVBVM60(0040686B), ref: 00406864
                                          • __vbaErrorOverflow.MSVBVM60 ref: 00406881
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.187370632.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.187366833.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.187376517.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.187380014.000000000040B000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: __vba$#516#632BstrCopyErrorFreeOverflow
                                          • String ID:
                                          • API String ID: 218249059-0
                                          • Opcode ID: 539886d0a48c4e722a1580980c863d91db8bac2050bd20f1ff28d7d441d40b02
                                          • Instruction ID: 2f5de9cf91024ff676a6c33e4378e34fddb06081d7d363696ceab573f79d547b
                                          • Opcode Fuzzy Hash: 539886d0a48c4e722a1580980c863d91db8bac2050bd20f1ff28d7d441d40b02
                                          • Instruction Fuzzy Hash: 4E51D4B1C01218AFDB10DFAADA85A9DFBF8FF58300F10816AE445B7660D7785945CF64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00406DB5
                                          • __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 00406DD9
                                          • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00406DE9
                                          • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00406DF7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.187370632.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.187366833.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000000.00000002.187376517.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000000.00000002.187380014.000000000040B000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: __vba$DestructFreeList
                                          • String ID:
                                          • API String ID: 177195230-0
                                          • Opcode ID: ee16a6bb8f5b265717399fbced6e7f78dcf89f82ccf50147ce55649fa50e2af8
                                          • Instruction ID: f106c9d0d75eab5dad0c2b89877099a8dd59c1bc4e00f4db17bf94ca04e45a52
                                          • Opcode Fuzzy Hash: ee16a6bb8f5b265717399fbced6e7f78dcf89f82ccf50147ce55649fa50e2af8
                                          • Instruction Fuzzy Hash: 7DF0E7B2800118EACB0ADBD0DE88EEEB77DAF48700F14811AF606A6494D7702B49CB64
                                          Uniqueness

                                          Uniqueness Score: -1.00%